SOC Prime Bias: High

14 Jul 2026 15:12 UTC

Phishing Emails Masquerading as Money Transfer Confirmations

Author Photo
SOC Prime Team linkedin icon Follow
Phishing Emails Masquerading as Money Transfer Confirmations
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Threat actors are sending phishing emails disguised as payment confirmation messages to deliver malicious XLS attachments. These files abuse CVE-2017-0199 to retrieve an HTA file, which then launches an obfuscated PowerShell script through WMI. In the final stage, Remcos RAT is downloaded and executed through steganographic techniques to enable remote access and data theft.

Investigation

AhnLab Security Intelligence Center (ASEC) identified a campaign that impersonated employees of Korean companies. The investigation followed the full infection chain, starting with the XLS lure, moving through HTA execution and WMI-driven PowerShell obfuscation, and ending with deployment of Remcos RAT through payloads hidden with steganography.

Mitigation

Users should carefully verify sender domains and inspect links and attachments before opening them. Organizations should apply patches for known issues such as CVE-2017-0199 and monitor for suspicious file extensions or unauthorized WMI-based process creation. Security controls should also be configured to block unauthorized HTA or PowerShell execution launched from Office applications.

Response

If this activity is detected, isolate the affected host immediately to stop further command-and-control communication from Remcos RAT. Conduct forensic analysis to determine the scope of any data theft and review email logs to identify additional potential victims. Credentials should also be reset for any users involved in the original phishing interaction.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary aims to execute an obfuscated PowerShell command to download a payload, using WMI to hide the execution lineage. Instead of running powershell.exe directly from a shell, the attacker uses a WMI provider to call the Win32_Process.Create() method. This causes the WmiPrvSE.exe process to act as the parent, making the execution appear as a legitimate system management task. The command string is specifically crafted to include the targeted method name to ensure we test the rule’s ability to see the WMI method call in the telemetry.

  • Regression Test Script:

    # Simulation script to trigger the WMI-based process creation detection
    # This uses PowerShell to call the WMI method that the rule is looking for.
    
    $command = "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command 'Write-Output AttackSuccess'"
    $wmi = [wmiclass]"Win32_Process"
    
    Write-Host "[*] Attempting to trigger detection via Win32_Process.Create()..."
    
    # Calling the method directly via WMI
    $result = $wmi.Create($command, $null, $null)
    
    if ($result.ReturnValue -eq 0) {
        Write-Host "[+] Success: Process created. Check SIEM for Event ID 10 containing 'Win32_Process.Create()'." -ForegroundColor Green
    } else {
        Write-Host "[-] Failure: WMI method call failed. Return Value: $($result.ReturnValue)" -ForegroundColor Red
    }
  • Cleanup Commands:

    # Cleanup: Terminate any suspicious PowerShell processes spawned during the test
    Get-Process powershell | Where-Object { $_.CommandLine -like "*AttackSuccess*" } | Stop-Process -Force
    Write-Host "[*] Cleanup complete."