Threat actor TA505 is impersonating Airlines disguising as domestic e-ticket (e-ticket) certificates from the morning of July 25, ahead of the summer vacation season.
The attacker is the ‘** Airline e-Ticket Certificate.’ , And using the sophisticated Korean language in the body of the e-mail content, the e-mail recipient is encouraged to open the attached file.
Attached file is’ e-ticket (random number) .iso ‘file name is attached to the compressed file, the icon and extension when decompressed as a PDF document disguised as a screen saver file’ e-ticket certificate _66016630.pdf. scr ‘or’ L207123.lnk ‘will be downloaded.
The ‘e-ticket voucher _66016630.pdf.scr’ file is malicious code based on .Net. The C2 server acts as an additional payload download.
Indicators of Compromise
Malware Hash (MD5/SHA1/SH256)