A cyberattack targeting Korean users has been identified, involving emails that impersonate Microsoft security alerts to distribute malware. The attack, linked to the North Korean hacking group APT37, uses spear-phishing emails with the subject “Security Check Notice Due to Repeated Occurrence of One-Time Authentication Codes.” These emails, falsely appearing to come from the “MS Account Team,” aim to create anxiety about account security, prompting recipients to open an attached file. This file, disguised as a legitimate security notice, installs malware named ‘NarwahlRAT’ when opened. The malware is designed to resemble the popular Naver Whale browser, specifically targeting Korean users, and includes code related to KakaoTalk. NarwahlRAT can perform over 30 functions, such as keylogging, screen capturing, audio recording, file collection from USB devices, and executing remote commands. This attack mirrors previous techniques used by APT37, emphasizing the need for enhanced behavior-based detection systems to combat future variants.
Are You Mistaking Malicious Emails for Security Alerts?
