Threat Actors Target South Korean and Aussie Users with Malicious Emails Disguised as Accounting Ledgers

Threat actors are again targeting taxpayers as they prepare their returns in a new phishing campaign that seeks to infect recipients’ machines with Remote Access Trojans.

Bitdefender Antispam Lab spotted the most recent malspam campaign targeting tens of thousands of users at the beginning of May.

98.34% of the attacks appear to have originated from IP addresses in Bangladesh, with 76.08% of targeted users in South Korea, 17% in Australia and 1% in the US.

The focus on South Korean users is not by chance, as the May 31 deadline for filing individual income tax returns draws near. The cybercriminals put little effort into making the correspondence look legitimate. They cut to the chase without creating a sense of urgency or alarming recipients.

The subject line reads “Account Ledger for 2020-2021,” and the email body encourages recipients to verify the attachment.

The attachment contains malicious software that, once opened, lets the attackers gain administrative control over the target machine, including monitoring user behavior, accessing confidential or sensitive information, and taking screenshots.
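A mail-gateway triage check for the lure described above, as an added example that is not part of the original article and not Bitdefender's own tooling. It parses raw RFC 822 messages with Python's standard `email` library, flags a subject line matching the "Account Ledger for 2020-2021" pattern, and enumerates attachments whose final extension is executable or an archive (so a double extension such as `ledger.xls.exe` is still caught). The sample messages, sender addresses and extension lists are constructed for the example; a real deployment would feed messages from the gateway's queue.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Campaign lure as reported: subject "Account Ledger for 2020-2021".
# The pattern tolerates case and spacing changes and other year pairs.
LURE_SUBJECT = re.compile(r"account\s+ledger\s+for\s+20\d\d-20\d\d", re.IGNORECASE)

# Constructed lists (assumption): file types a gateway should not deliver
# unexamined when they arrive with a lure subject.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd",
                    ".hta", ".iso", ".img", ".lnk"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}


def build_message(subject, sender, attachment_name=None):
    """Construct a sample message as raw bytes (test data, not a real sample)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please verify the attachment.")
    if attachment_name:
        # Placeholder bytes standing in for the attachment body.
        msg.add_attachment(b"constructed placeholder content",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


def final_extension(filename):
    """Return the last extension in lower case, e.g. 'a.xls.exe' -> '.exe'."""
    lowered = filename.lower()
    return "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""


def classify(raw_message):
    """Triage one raw message: 'quarantine', 'review' or 'deliver'."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    subject = msg.get("Subject", "") or ""
    subject_hit = bool(LURE_SUBJECT.search(subject))

    risky = []
    for part in msg.walk():          # walk() reaches nested multiparts too
        name = part.get_filename()
        if not name:
            continue
        ext = final_extension(name)
        if ext in RISKY_EXTENSIONS or ext in ARCHIVE_EXTENSIONS:
            risky.append(name)

    if subject_hit and risky:
        verdict = "quarantine"       # lure subject plus executable/archive payload
    elif subject_hit or risky:
        verdict = "review"           # one indicator alone: hold for analyst review
    else:
        verdict = "deliver"

    return {"subject": subject, "subject_match": subject_hit,
            "risky_attachments": risky, "verdict": verdict}


if __name__ == "__main__":
    samples = [
        build_message("Account Ledger for 2020-2021", "accounts@example.invalid",
                      "Ledger_2020-2021.xls.exe"),
        build_message("Account ledger for 2020-2021", "accounts@example.invalid",
                      "ledger.pdf"),
        build_message("Team lunch on Friday", "hr@example.invalid"),
    ]
    for raw in samples:
        result = classify(raw)
        print(f"{result['verdict']:10} {result['subject']!r} {result['risky_attachments']}")
```

The two-tier verdict matters in practice: quarantining on the subject alone would catch legitimate ledger correspondence during tax season, while the combination of the lure subject and an executable or archive attachment is specific enough to block outright. Analysts can extend `RISKY_EXTENSIONS` as the campaign's payload packaging changes.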

On top of these capabilities, the malicious software may also serve as a gateway for downloading other malware, such as ransomware.

This whole package makes a RAT particularly dangerous for users. If paired with a keylogger, the attackers can gain financial and personally identifiable information that can be used for fraud and identity theft. Moreover, after exfiltrating user data, the threat actors may encrypt machines, forcing targets to pay for a decryption key.

Since the beginning of the year, threat actors have been making the most of social, political and economic agendas, tailoring their attacks to suit any scenario imaginable. They play a never-ending game of cat and mouse with their targets. While many users have become savvy at spotting phishing emails, the simplicity and likely familiarity of such correspondence may prove highly profitable for cybercriminals.