Rewterz

Rewterz Threat Alert – TA505 Impersonates Airlines

Severity

Medium

Analysis Summary

Threat actor TA505 has been impersonating airlines since the morning of July 25, ahead of the summer vacation season, sending e-mails disguised as domestic e-ticket certificates.


The lure is titled ‘** Airline e-Ticket Certificate’, and the e-mail body, written in polished Korean, urges the recipient to open the attached file.

The attachment is a compressed disk image named ‘e-ticket (random number).iso’. When it is extracted, the recipient gets either a screen saver file, ‘e-ticket certificate_66016630.pdf.scr’, whose icon and double extension disguise it as a PDF document, or a shortcut file, ‘L207123.lnk’.

The ‘e-ticket voucher_66016630.pdf.scr’ file is .NET-based malware; it contacts a C2 server to download an additional payload.
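As an added defensive example (not part of the Rewterz alert), the following Python checks mail-attachment names for the delivery pattern described above: a disk-image container, an inner file whose double extension hides an executable behind a document icon, or a bare shortcut file. The extension sets and the lure regex are assumptions, and the sample file names are constructed.

```python
import re
from typing import Iterable, List

# Final extensions Windows executes directly; a document icon does not change that.
# .scr and .lnk are the two used in this campaign; the rest are assumed additions.
EXECUTABLE_EXTS = {".scr", ".exe", ".lnk", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}
# Extensions a lure pretends to be (the penultimate part of "name.pdf.scr").
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Disk-image containers that mail filters often do not unpack (assumed set).
IMAGE_CONTAINERS = {".iso", ".img", ".vhd"}
# Assumed pattern for the lure naming seen here: "e-ticket (random number).iso".
ETICKET_LURE = re.compile(r"^e-?ticket\s*\(\d+\)\s*\.iso$", re.IGNORECASE)

def split_exts(name: str) -> List[str]:
    """Return every dotted suffix, lowercased and trimmed: 'a.pdf. scr' -> ['.pdf', '.scr']."""
    parts = [p.strip() for p in name.strip().lower().split(".")]
    return ["." + p for p in parts[1:] if p]

def disguised_executable(name: str) -> bool:
    """True when the last extension is executable and the one before it looks like a document."""
    exts = split_exts(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS

def assess_attachment(container: str, inner_names: Iterable[str]) -> List[str]:
    """Return findings for one attachment and the names it unpacks to; empty means nothing flagged."""
    findings = []
    cexts = split_exts(container)
    if cexts and cexts[-1] in IMAGE_CONTAINERS:
        findings.append(f"{container}: disk-image container {cexts[-1]} used as e-mail attachment")
    if ETICKET_LURE.match(container.strip()):
        findings.append(f"{container}: name matches the e-ticket lure pattern")
    for inner in inner_names:
        iexts = split_exts(inner)
        if disguised_executable(inner):
            findings.append(f"{inner}: executable {iexts[-1]} disguised as {iexts[-2]}")
        elif iexts and iexts[-1] in EXECUTABLE_EXTS:
            findings.append(f"{inner}: bare executable {iexts[-1]} inside attachment")
    return findings

if __name__ == "__main__":
    # Constructed sample mirroring the campaign's naming; the number is made up.
    sample = assess_attachment("e-ticket (48213).iso",
                               ["e-ticket certificate_66016630.pdf.scr", "L207123.lnk"])
    for line in sample:
        print(line)
```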


Impact

  • System Access
  • Exposure of sensitive information

Indicators of Compromise

Malware Hash (MD5/SHA1/SHA256)


Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious of e-mails sent by unknown senders.
  • Never click on links or open attachments sent by unknown senders.