Spear phishing emails were used in recent attacks against South Korean corporations researchers say.
Attacks hid the file extensions of the malicious HTML-based attachments with long file names, a tactic which surfaced a decade ago.
“Those with keen eyes would notice that the malware inside the archive is using double extensions combined with a very long file name to hide the real extension,” F-Secure researcher Broderick Aquilino said.
“This is a common social engineering tactic that started during the era of mass mailing worms almost a decade ago. Therefore, we believe the archive is most likely sent as [an] attachment in spear phishing emails.”
F-Secure analysed malware which appeared to reach victims on 17 March, though it was set to wipe files three days later when South Korean companies reported downed websites, blocked servers and infections that erased computer files.
According to The New York Times, NongHyup and Jeju, major banks in South Korea, reported malware outbreaks that destroyed computer files. The Times also reported that Shinhan Bank's internet banking servers were temporarily blocked on Wednesday.
The computers of employees of KBS and MBC, television stations in South Korea, reportedly froze, as well, in addition to KBS' website becoming inoperable.
Symantec found four variants of a data-wiping trojan dubbed Jokra that were used in the attacks.
Two strains of the malware were designed to immediately wipe data upon execution, while the others were set to carry out the tasks at 2 pm and 3 pm last Wednesday.