Recent Posts

Recent Blog Posts

The PhishLabs Blog

Banking Trojan Dropped Through Spoofed Korean CERT Bulletin

Cyber criminals continue to evolve tactics, sometimes going to great lengths to socially engineer people. In this recently observed sample, we find the long-standing and ever-evolving banking Trojan, Gozi using a Korean Cert to trick users into downloading malware. 

Gozi, which has traditionally infected users through macros and exploit kits has been found going after Korean language speakers through Hancom Word Processor (HWP) files. Hancom Office is extremely popular in Korea where it is used alongside, or instead of, Microsoft Office. HWP files have been used extensively by advanced persistent threat (APT) groups to target government, corporate, and academic targets throughout Korea. Given the comparatively esoteric nature of Hanword when compared to Microsoft Word, it is an uncommon delivery mechanism for banking Trojans like Gozi. The HWP file copies the text of a legitimate KrCERT Bulletin, but points to its own embedded file as the solution.[1] 

Read More

Topics: Banking Trojan, Gozi


What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Upcoming Events


Posts by Topic

see all