Researchers have discovered an updated version of the Gozi banking trojan that uses a KrCERT (Korean CERT) bulletin to trick users into downloading malware. Gozi, which normally spreads through macros and exploit kits, has been found targeting Korean-language users through Hancom Word Processor (HWP) files. Hancom Office (HWP) is one of the most widely used office applications in Korea, alongside or instead of Microsoft Office. Compared with the Microsoft Word campaigns, the HWP variant uses an uncommon delivery mechanism: the HWP file copies the text of a legitimate KrCERT bulletin but points to its own embedded file as the solution.

Chris Schraml, the security researcher from PhishLabs who discovered it, said: “The dropper, titled 한글과 컴퓨터 보안패치_.hwp (roughly translated via Google as “Korean computer security patch”), relies on a now common social engineering tactic to entice the user: concerns over cybersecurity. With hacking, breaches, and spies making headlines worldwide, end users are more attentive to warnings of potential threats and are eager to protect themselves. This malicious document claims to offer protection from a potential threat.”

When the document is opened, a box warns that there is a vulnerability in the Hangul Word Processor which could allow attackers to run arbitrary code through a specially crafted document or website. The user is then asked to open the file embedded in the document, presented as a patch for that vulnerability; it does the exact opposite and infects the system with malware. The “patch” is an OLE package. When it is clicked, Windows shows a warning: “The package you are about to open will run a program contained in the package. That program could do anything! It may harm your computer! Unless you are absolutely certain about the nature, source and content of this package, please press the cancel button”. If the user clicks OK, the file downloads the second-stage payload of the Gozi banking malware.

Earlier in October, it was reported that Gozi was seen targeting Japanese banks.
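The dropper described above hides its payload as an OLE package embedded in the HWP file, and the Windows “That program could do anything!” dialog is the last line of defense before it runs. A defender can triage such documents before they reach a user: HWP 5.x files are OLE compound documents whose embedded objects live in the `BinData` storage, raw-deflate compressed when the `FileHeader` attribute flags say so, and an embedded OLE package shows up there as a stream that itself begins with the OLE2 magic. The script below is an added example written for this article, not code from PhishLabs or the researchers; it works on stream bytes rather than opening a file, and the header values and stream names (`BinData/BIN0001.ole`, `BinData/BIN0002.jpg`) are constructed stand-ins for what a real document would contain.

```python
import struct
import zlib
from typing import Dict, List

# Known magic values: the HWP 5.x FileHeader signature and the OLE2
# compound-file header that an embedded OLE Package (or any OLE object) starts with.
HWP_SIGNATURE = b"HWP Document File"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"


def parse_file_header(header: bytes) -> Dict[str, object]:
    """Parse the 256-byte HWP 5 'FileHeader' stream: 32-byte signature,
    4-byte version, 4-byte attribute flags (bit 0 compressed, bit 1
    password-protected, bit 2 distribution document)."""
    if len(header) < 40 or not header.startswith(HWP_SIGNATURE):
        raise ValueError("not an HWP 5 FileHeader stream")
    version, flags = struct.unpack_from("<II", header, 32)
    return {
        "version": version,
        "compressed": bool(flags & 0x1),
        "encrypted": bool(flags & 0x2),      # scanners cannot see inside
        "distribution": bool(flags & 0x4),   # 'distribution' docs are also obfuscated
    }


def decode_bindata(raw: bytes, compressed: bool) -> bytes:
    """BinData streams are raw deflate (no zlib header) when the document is
    flagged compressed; otherwise they are stored as-is."""
    return zlib.decompress(raw, -15) if compressed else raw


def classify_blob(blob: bytes) -> str:
    """Identify the decoded embedded object by its leading bytes."""
    if blob.startswith(OLE2_MAGIC):
        return "ole-compound"
    if blob.startswith(PE_MAGIC):
        return "pe-executable"
    if blob.startswith(ZIP_MAGIC):
        return "zip-container"
    return "other"


def triage_hwp(header: bytes, bindata: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Return one finding per BinData stream. Embedded OLE objects and raw
    executables are flagged: an OLE Package is exactly the 'patch' the Gozi
    dropper asks the user to double-click."""
    info = parse_file_header(header)
    findings = []
    for name, raw in bindata.items():
        blob = decode_bindata(raw, bool(info["compressed"]))
        kind = classify_blob(blob)
        findings.append({
            "stream": name,
            "kind": kind,
            "size": len(blob),
            "suspicious": kind in ("ole-compound", "pe-executable"),
        })
    return findings


def _raw_deflate(data: bytes) -> bytes:
    """Compress the way HWP does: raw deflate, no zlib header or checksum."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return co.compress(data) + co.flush()


def build_constructed_sample():
    """Constructed stand-in for what olefile would return from a real .hwp:
    a compressed document with one embedded OLE object and one image."""
    header = HWP_SIGNATURE.ljust(32, b"\x00")
    header += struct.pack("<II", 0x05000300, 0x1)  # version 5.0.3.0, compressed
    header = header.ljust(256, b"\x00")
    bindata = {
        "BinData/BIN0001.ole": _raw_deflate(OLE2_MAGIC + b"\x00" * 504),
        "BinData/BIN0002.jpg": _raw_deflate(b"\xff\xd8\xff\xe0" + b"\x00" * 60),
    }
    return header, bindata


if __name__ == "__main__":
    hdr, streams = build_constructed_sample()
    for f in triage_hwp(hdr, streams):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['stream']:22} {f['kind']:14} {f['size']} bytes")
```

To run this against a real document, feed it the streams read with the `olefile` library: open the file with `olefile.OleFileIO(path)`, read the `FileHeader` stream with `openstream`, and collect every entry from `listdir()` whose first path component is `BinData`. A stream classified as `ole-compound` is the object the user is being asked to open; the `encrypted` and `distribution` flags are worth alerting on separately, since either prevents this kind of inspection and a document that combines them with an urgent "security patch" lure deserves a closer look.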
Always follow these basic instructions to protect yourself from infections like this:
- Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up to date with the latest patches.
- Perform regular backups. Ideally, this data should be kept on a separate device, and backups should be stored offline.
- Maintain updated antivirus software on all systems.
- Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If a URL appears genuine, close the e-mail and go to the organization’s website directly through the browser.