"This Is the MS Security Team": New Malware Steals Entire PC Data via Attachment

By Yoo Younggyu | Jun 15, 2026

▲ Attack Flowchart Analyzed by Genians

A new type of malware that infiltrates South Korean users' PCs by impersonating the Microsoft (MS) security team has been discovered.

Suspected to be the work of a North Korea-linked hacking group, the malware can take full control of a victim's system through more than 30 functions, ranging from recording keystrokes to activating microphone audio, so extra caution is warranted.

According to the South Korean security firm Genians on Monday (June 15), malware dubbed "NarwhalRAT," suspected to be the work of the North Korea-linked hacking group APT37, has been identified in distribution targeting South Korean users.

The attack begins with a spear-phishing email claiming that "abnormal signs of repeated one-time password (OTP) generation have been detected on your MS account."

While the sender's name appears as "Microsoft Account Team," it has been confirmed that the actual sender domain is not an official MS domain.

The email mentions the possibility of account theft and encourages the recipient to check an attached security guide.

When the compressed attachment is extracted, a malicious shortcut (.lnk) file disguised as a Hangul word-processor document appears.

When executed, it opens what appears to be a normal security guide document while the malware is installed in the background.

Genians derived the name "NarwhalRAT" from the folder named "naverwhale" that the malware creates as its working directory on the infected computer after installation.

The "naverwhale" folder is interpreted as an attempt to disguise itself as the Naver Whale browser, which is widely used in South Korea, suggesting that South Korean users are the primary target.

The internal code also includes logic to separately process KakaoTalk-related windows for information collection.

Filtering out auxiliary windows to improve the accuracy of the collected data is seen as evidence that the malware was developed with the South Korean user environment in mind.

On the attacker's remote instructions, NarwhalRAT can selectively activate more than 30 functions, including keystroke logging, screen capture, microphone audio recording, collecting files from USB storage devices, and executing remote commands.

Through screen and keyboard tracking, it monitors in real time which programs the victim is using and which services they are accessing.

The collected data is not transmitted externally immediately but is temporarily stored in the working directory and then sent in batches.

This is interpreted as a method to avoid real-time network detection.

Genians assessed that this attack closely resembles, in structure and methods, a Python-based backdoor attack by the North Korea-linked hacking group APT37 that was disclosed in May of last year.

The firm explained that the last-author field of the decoy document used in the spear-phishing was identically "Lailey" in both cases, and that key elements, such as the structure of the malicious shortcut file, the batch-file obfuscation method, and the task-scheduler-based persistence mechanism, were consistent.

Genians advised, "As there is a possibility that it will continue to be used in similar variant forms in the future, it is necessary to strengthen behavior-based detection systems along with file-based detection."
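As an added illustration of the behavior-based detection Genians recommends (this is not Genians' or the article's code), the following Python checker runs over constructed, simplified endpoint telemetry and flags the three behaviors the article describes: a shortcut disguised as a Hangul document, writes into a "naverwhale" working directory, and scheduled-task persistence launched from a batch file. The event shape, file names and task name are assumptions; only the "naverwhale" folder name, the .lnk disguise and the task-scheduler persistence come from the article.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape. Paths, PIDs and
# the task name are invented for the example; they are not indicators from the article.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file", "pid": 100, "path": r"C:\Users\kim\Downloads\MS_security_guide.hwp.lnk"},
    {"id": 2, "type": "proc", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "%TEMP%\update.bat"'},
    {"id": 3, "type": "proc", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 10 /tn WhaleSync /tr "%TEMP%\update.bat"'},
    {"id": 4, "type": "file", "pid": 200, "path": r"C:\Users\kim\AppData\Local\naverwhale\keys.log"},
    {"id": 5, "type": "file", "pid": 900, "path": r"C:\Users\kim\Documents\budget.hwp"},
]

# A shortcut whose name ends in a document extension followed by .lnk (e.g. ".hwp.lnk").
DOC_DISGUISED_LNK = re.compile(r"\.(hwp|hwpx|docx?|pdf|xlsx?)\.lnk$", re.I)
# Any write into a directory literally named "naverwhale" (the article's working directory).
NAVERWHALE_DIR = re.compile(r"[\\/]naverwhale[\\/]", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)
BATCH_LAUNCH = re.compile(r"\.bat\b", re.I)


def ancestors(pid, procs):
    """Walk pid -> ppid through the process events seen so far, oldest last."""
    chain = []
    while pid in procs:
        chain.append(procs[pid])
        pid = procs[pid].get("ppid")
    return chain


def analyze(events):
    """Return (rule, event_id) hits, in event order, for the behaviors described above."""
    hits, procs = [], {}
    for ev in events:
        if ev["type"] == "proc":
            procs[ev["pid"]] = ev
            # Persistence: schtasks /create started beneath a batch-file interpreter.
            if SCHTASKS_CREATE.search(ev["cmdline"]) and any(
                    BATCH_LAUNCH.search(p["cmdline"]) for p in ancestors(ev["ppid"], procs)):
                hits.append(("schtasks_from_batch", ev["id"]))
        else:
            if DOC_DISGUISED_LNK.search(ev["path"]):
                hits.append(("document_disguised_lnk", ev["id"]))
            if NAVERWHALE_DIR.search(ev["path"]):
                hits.append(("naverwhale_workdir_write", ev["id"]))
    return hits


def corroborated(events, min_rules=2):
    """True when at least min_rules distinct behaviors fire, reducing single-rule false positives."""
    return len({rule for rule, _ in analyze(events)}) >= min_rules
```

Running `analyze(SAMPLE_EVENTS)` flags events 1, 3 and 4 while the ordinary .hwp document (event 5) is left alone; `corroborated` is the kind of multi-signal gate that belongs in front of an alert.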

(Photo: Provided by Genians, Yonhap News)
※ Please note: This article was translated by AI and may contain errors.