RL Blog

Topics

All Blog PostsAppSec & Supply Chain SecurityDev & DevSecOpsProducts & TechnologySecurity OperationsThreat Research

Follow us

XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBluesky

Subscribe

Get the best of RL Blog delivered to your in-box weekly. Stay up to date on key trends, analysis and best practices across threat intelligence and software supply chain security.

ReversingLabs: The More Powerful, Cost-Effective Alternative to VirusTotalSee Why
Skip to main content
Contact UsSupportLoginBlogCommunity
reversinglabsReversingLabs: Home
Solutions
Secure Software OnboardingSecure Build & ReleaseProtect Virtual MachinesIntegrate Safe Open SourceGo Beyond the SBOM
Increase Email Threat ResilienceDetect Malware in File Shares & StorageAdvanced Malware Analysis SuiteICAP Enabled Solutions
Scalable File AnalysisHigh-Fidelity Threat IntelligenceCurated Ransomware FeedAutomate Malware Analysis Workflows
Product & Technology
Spectra Assure®Software Supply Chain SecuritySpectra DetectHigh-Speed, High-Volume, Large File AnalysisSpectra AnalyzeIn-Depth Malware Analysis & Hunting for the SOCSpectra IntelligenceAuthoritative Reputation Data & Intelligence
Spectra CoreIntegrations
Industry
Energy & UtilitiesFinanceHealthcareHigh TechPublic Sector
Partners
Become a PartnerValue-Added PartnersTechnology PartnersMarketplacesOEM Partners
Alliances
Resources
BlogContent LibraryCybersecurity GlossaryConversingLabs PodcastEvents & WebinarsLearning with ReversingLabsWeekly Insights Newsletter
Customer StoriesDemo VideosDocumentationOpenSource YARA Rules
Company
About UsLeadershipCareersSeries B Investment
EventsRL at RSAC
Press ReleasesIn the News
Pricing
Software Supply Chain SecurityMalware Analysis and Threat Hunting
Request a demo
Menu
Threat ResearchJuly 30, 2019

Ransomware in exotic email attachments

Blog 3 of 5 part series on advanced research into modern phishing attacks

Tomislav Pericin headshot
Tomislav Peričin, Chief Software Architect & Co-Founder at ReversingLabsTomislav Peričin
FacebookFacebookXX / TwitterLinkedInLinkedInblueskyBlueskyEmail Us
Ransomware in exotic email attachments

In the software arena, winning the mind share means becoming widespread to the point of being considered a de facto standard. And when it comes to the ways in which information is shared, this means being the object format everyone gravitates to. While aspirational for many software vendors, such success is impossible to predict, difficult to achieve, and challenging to maintain.

Sometimes the solution that's first to market is the one that takes the share majority. Sometimes it's the one that solves the problem the best. And sometimes it’s the one that speaks the language of its users.

Localization is why certain object formats can only be seen within certain regions or particular language-speaking groups. Because of their limited reach, those formats are thought of as exotic or globally unknown.

In a world as diverse as ours, a security company must do much more than just localize its software. It must both speak the language of its users, and cater to their information-sharing needs. To keep its users safe, a security solution must be able to inspect both the popular and the exotic.

As an illustration of the dangers lurking in exotic email attachments, let us dissect one such regional attack. The following email has recently been received by a company based in Korea.

Screenshot of an email in Mozilla Thunderbird written in Korean. The subject is about stopping the use of an image. The sender claims to be a photographer named Kim Min-jae and warns the recipient not to use the attached photo without permission due to copyright concerns. The email includes a file attachment named “원본이미지.egg”

When run through an automated language translation service, the message reads something like this.

Screenshot of the same email in Mozilla Thunderbird, translated into English. The sender, Kim Min-jae, identifies as a photographer and warns that using the attached image without permission violates copyright law. They acknowledge using others’ photos in the past but request the recipient stop and check the attached photo.

Sounds quite convincing. Because of that, it has a high chance of tricking an unvigilant reader into opening the attachment. That is where a security solutions’ breadth and depth are truly tested.

What exactly is an EGG file?

EGG is a perfect example of a regionally successful object format. It was made by a South Korean company at the time when archivers battled for dominance. From its inception, it supported Unicode, which allowed it to gain traction in the local market. It quickly expanded to business and home users alike, gaining just enough of the mind share to be thought of as the de facto standard. While all this happened in the early 90’s, it did survive through the ZIP popularity surge at the turn of the century. EGG is still around today, and it can be opened by the majority of South Korean computers.

The attached archive is titled “Original image”, and the file with the same name can be found within the EGG archive as well. But its extension is a deceptive one. The “image” within is using the double extension trick in order to deceive the reader. A large number of space characters is used to hide the executable extension from being displayed in the software for extracting archives. Since the executable extension might not be visible, the unvigilant reader could assume that the file is a simple image, and open it. That wouldn’t be a good move, because in this case, the attachment is actually GandCrab ransomware. Opening the attachment would result in major problems for the organization, as most of their files would be encrypted and held for ransom. Luckily, that didn’t happen.

ReversingLabs A1000 visualizes the email headers and allows analysts to browse email contents. Email body is clearly separated from the attachments, as shown below.

Email file structure displayed in a threat analysis platform; lists four MIME components including one labeled "attachments" with 231.3 KB size, flagged as suspicious.

In the attachments folder, the A1000 lists all email attachments, along with their original Korean file names. They are recursively analyzed in order to increase the inspection surface. Our advanced static decomposition technology supports the EGG file format, alongside more than 360 others, and its extraction yields the actual malicious payload.

Threat analysis result of the ".egg" file from the email, detected as Win32.Trojan.Gandcrab with 5 out of 42 AV engines flagging it, containing binary resources like icons and cursors.

Since the archive format is an exotic object format, not many security solutions support it out of the box. ReversingLabs Titanium platform not only supports the format, but it also uses the decomposed results to determine the final classification, and ultimately convict the malicious email.

a threat analysis report showing that the file "원본이미지.jpg" is actually a PE/Exe file linked to Win32.Trojan.Gandcrab, with capabilities like registry access, screenshot capture, and file deletion, detected by 25 of 30 antivirus engines.

EGG archives are just one of many exotic object formats that organizations working globally will eventually see in their environment. The modern way of life entails adapting to the ways information is exchanged. Regardless of the object format that is shared, ReversingLabs Titanium platform is there to inspect the contents, and ensure that the users are protected.

IOC:
MIME - c0a947372f0b76335ce55908c5f028ada7d280b4a26ce42e0bd14f28ad0040c0

Read our prior blog in the series on Catching deceptive links before the phish.

Arm your team against phishing attacks
Arm your team against phishing attacks

Keep learning

  • Get up to speed on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the the webinar to discussing the findings.
  • Learn why binary analysis is a must-have in the Gartner® CISO Playbook for Commercial Software Supply Chain Security.
  • Take action on securing AI/ML with our report: AI Is the Supply Chain. Plus: See RL's research on nullifAI and watch how RL discovered the novel threat.
  • Get the report: Go Beyond the SBOM. Plus: See the CycloneDX xBOM webinar.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Tags:Threat Research

More Blog Posts

Graphalgo supply chain campaign respawned.

Graphalgo fake recruiter campaign returns

An attack targeting crypto developers has been respawned — with an LLC and new techniques to hide malware.

Learn More about Graphalgo fake recruiter campaign returns
Graphalgo fake recruiter campaign returns
TeamPCP supply chain attack

The TeamPCP supply chain attack evolves

The malicious campaign started with Trivy and Checkmarx and has shifted to LiteLLM — and now telnix. Here's how.

Learn More about The TeamPCP supply chain attack evolves
The TeamPCP supply chain attack evolves
Malicious npm packages use fake install logs to load RAT

Fake install logs in npm packages load RAT

The final-stage malware in the Ghost campaign is a RAT designed to steal crypto wallets and sensitive data.

Learn More about Fake install logs in npm packages load RAT
Fake install logs in npm packages load RAT
Inside the NuGet hack toolset

Inside the NuGet hackers' toolset

RL discovered two packages containing scripts that complete a typosquatting toolchain. Here's how it worked.

Learn More about Inside the NuGet hackers' toolset
Inside the NuGet hackers' toolset

Spectra Assure Free Trial

Get your 14-day free trial of Spectra Assure

Get Free TrialMore about Spectra Assure Free Trial
Blog
Events
About Us
Webinars
In the News
Careers
Demo Videos
Cybersecurity Glossary
Contact Us
reversinglabsReversingLabs: Home
Privacy PolicyCookiesImpressum
All rights reserved ReversingLabs © 2026
XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBlueskyRSSRSS
Back to Top