| Src |
Date (GMT) |
Titre |
Description |
Tags |
Stories |
Notes |
 |
2023-02-15 03:30:00 |
PYbot DDoS Malware Being Distributed Disguised as a Discord Nitro Code Generator (lien direct) |
A major method through which threat actors distribute malware is by uploading them to sites disguised as cracks or illegal software. After a threat actor uploads their malware disguised as a crack or serial keygen for some paid software, users become infected by the malware while installing this illegal software. The ASEC analysis team is monitoring malware that is being distributed through illegal software like software cracks or serial keygens. Many of the malware distributed in this way are Infostealers...
|
Malware
Threat
|
|
★★
|
|
2023-02-15 03:01:49 |
Qakbot Being Distributed via OneNote (lien direct) |
Back in January, AhnLab ASEC published an analysis report on a malware strain that was being distributed through Microsoft (MS) OneNote. As mentioned in the report, there has recently been an increasing number of cases where commodity malware like Qakbot stopped using MS Office Macro, their past distribution method, and instead started to use OneNote to execute their malware. If you look at the Qakbot distribution via OneNote case that happened on February 1st, the threat actor distributed the OneNote...
|
Malware
Threat
|
|
★★
|
|
2023-02-15 00:00:00 |
Paradise Ransomware Distributed Through AweSun Vulnerability Exploitation (lien direct) |
The ASEC analysis team has recently discovered the distribution of Paradise ransomware. The threat actors are suspected to be utilizing a vulnerability exploitation of the Chinese remote control program AweSun. In the past, the team also found and covered the distribution of Sliver C2 and BYOVD through a Sunlogin vulnerability, a remote control program developed in China. 1. AweSun Vulnerability Exploitation The installation of Sliver C2 through the AweSun remote control program developed by AweRay was also discovered to have...
|
Ransomware
Vulnerability
Threat
|
|
★★
|
|
2023-02-13 00:26:58 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (January 29th, 2023 – February 4th, 2023) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from January 29th, 2023 to February 4th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2023-02-13 00:12:00 |
Web Page Disguised as a Naver Login Page (lien direct) |
On January 3rd, the ASEC analysis team covered a situation where a fake Kakao login page was used to steal the account credentials of certain individuals. Web Page Disguised as a Kakao Login Page The team has confirmed that the threat actor used a vulnerable website to create a domain. The same method described in the above post was used to create a fake Naver login page, and we will be covering it in this post. Emails impersonating Naver Help...
|
Threat
|
|
★★★
|
|
2023-02-07 02:00:00 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (January 22nd, 2023 – January 28th, 2023) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from January 22nd, 2023 to January 28th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2023-02-06 01:00:00 |
Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations (lien direct) |
Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. The ASEC (AhnLab Security Emergency response Center) analysis team is monitoring attacks against systems with either unpatched vulnerabilities or...
|
Malware
Tool
Vulnerability
Threat
|
|
★★
|
|
2023-01-31 05:29:32 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (January 15th, 2023 – January 21st, 2023) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from January 15th, 2023 to January 21st, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2023-01-31 00:32:00 |
Attack Cases of CoinMiners Mining Ethereum Classic Coins (lien direct) |
The ASEC analysis team is monitoring CoinMiners that are targeting Korean and overseas users. We have covered cases of various types of CoinMiner attacks over multiple blog posts in the past. This post aims to introduce the recently discovered malware that mine Ethereum Classic coins. 0. Overview CoinMiners are installed without user awareness and use the system’s resources to mine cryptocurrency, leading to low system performance. Threat actors that distribute CoinMiners tend to mine coins that guarantee anonymity, such as...
|
Malware
Threat
Guideline
|
|
★★
|
|
2023-01-27 01:51:14 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (January 8th, 2023 – January 14th, 2023) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from January 8th, 2023 to January 14th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2023-01-17 00:41:31 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (January 1st, 2023 – January 7th, 2023) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from January 1st, 2023 to January 7th, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2023-01-17 00:31:00 |
Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers) (lien direct) |
On January 8th, the ASEC analysis team identified the distribution of a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro. Such a technique is called the template Injection method. and a similar attack case was covered in a previous blog post. When the Word document is opened, it downloads and executes an additional malicious Word macro document from the threat actor’s C&C server....
|
Malware
Threat
|
|
★★
|
|
2023-01-13 00:52:34 |
Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack (lien direct) |
The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor. The threat actor that distributed this malware is the same person that distributed BitRAT and XMRig CoinMiner disguised as a Windows license verification tool on file-sharing sites.[1] The malware distributed by the threat actor has a similar form as those of the past, except for the fact that Orcus RAT was used instead of BitRAT. Furthermore, the new malware...
|
Malware
Tool
Threat
|
|
★★
|
|
2023-01-10 00:51:27 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (December 25th, 2022 – December 31st, 2022) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from December 25th, 2022 to December 31st, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2023-01-05 23:47:00 |
Distribution of NetSupport RAT Malware Disguised as a Pokemon Game (lien direct) |
NetSupport Manager is a remote control tool that can be installed and used by ordinary or corporate users for the purpose of remotely controlling systems. However, it is being abused by many threat actors because it allows external control over specific systems. Unlike backdoors and RATs (Remote Access Trojans), which are mostly based on command lines, remote control tools (Remote Administration Tools) place emphasis on user-friendliness, so they offer remote desktops, also known as GUI environments. Even though they may...
|
Malware
Tool
Threat
|
|
★★
|
|
2023-01-03 06:58:47 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (December 18th, 2022 – December 24th, 2022) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from December 18th, 2022 to December 24th, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2023-01-03 00:36:00 |
How Infostealer Threat Actors Make a Profit (lien direct) |
Infostealer is a type of information-stealing malware with the goal of stealing user credentials such as the user account information, cryptocurrency wallet address, and files that are saved in programs such as web browsers and email clients. According to the ASEC report for Q3 2022, Infostealers make up more than half of malware types with executable formats reported by client companies or collected by AhnLab. As the downloader types also actually install Infostealers or backdoor-type malware, it can be said...
|
Malware
Threat
|
|
★★
|
|
2022-12-26 05:08:29 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (December 11th, 2022 – December 17th, 2022) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from December 11th, 2022 to December 17th, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2022-12-22 01:49:54 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (December 4th, 2022 – December 10th, 2022) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from December 4th, 2022 to December 10th, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2022-12-22 01:03:21 |
Nitol DDoS Malware Installing Amadey Bot (lien direct) |
The ASEC analysis team recently discovered that a threat actor has been using Nitol DDoS Bot to install Amadey. Amadey is a downloader that has been in circulation since 2018, and besides extorting user credentials, it can also be used for the purpose of installing additional malware. Amadey is being actively distributed again this year, and even until very recently, it has been propagating itself on websites disguised as cracks and keygens for normal software and installing other malware on...
|
Malware
Threat
|
|
★★★
|
|
2022-12-12 23:20:32 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (November 27th, 2022 – December 3rd, 2022) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 27th, 2022 to December 3rd, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2022-12-12 23:00:14 |
How Similar Is the Microsoft Account-stealing Phishing Page to the Actual Page? (lien direct) |
Many corporations and users both in and outside Korea use Microsoft accounts to use major services offered by Microsoft, including Outlook, Office, OneDrive, and Windows. Users use integrated login to easily access all Microsoft services linked to their account. What does this mean for the threat actor? There is no better target for attacks because there is a large volume of information that can be gained using just one account. Particularly in the case of users that handle sensitive information...
|
Threat
|
|
★★
|
|
2022-12-08 01:29:09 |
ASEC Weekly Phishing Email Threat Trend (November 20th, 2022 – November 26th, 2022) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 20th, 2022 to November 26th, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2022-12-02 00:40:30 |
ASEC Weekly Phishing Email Threat Trend (November 13th, 2022 – November 19th, 2022 ) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 13th, 2022 to November 19th, 2022 and provide statistical information on each type. Additionally, we will introduce new types that were not detected before as well as emails to be cautious of with keywords to minimize harm to users. The phishing emails covered in this post will...
|
Threat
|
|
★★★
|
|
2022-11-25 00:18:51 |
Malicious Word Document Being Distributed in Disguise of a News Survey (lien direct) |
The ASEC analysis team discovered that the Word document type identified in the blog, 'Malicious Word Files Targeting Specific Individuals Related to North Korea,' has recently been using FTP to leak user credentials. The filename of the identified Word document is 'CNA[Q].doc', disguised as a CNA Singaporean TV program interview. The file is password-protected and is deemed to be distributed as an attachment in emails alongside the password. The identified Word file contains information related to North Korea like the...
|
Threat
|
|
★★★
|
|
2022-11-16 03:54:04 |
DAGON LOCKER Ransomware Being Distributed (lien direct) |
It was discovered that the DAGON LOCKER ransomware (hereinafter referred to as “DAGON”) is being distributed in Korea. It was first found through AhnLab ASD infrastructure’s suspicious ransomware behavior block history. In October, it was also reported to AhnLab as a suspicious file by a Korean organization. DAGON is commonly distributed through phishing mails or as an attachment to emails, but because it is a ransomware-as-a-service, the distribution route and target can vary according to the threat actor. As the...
|
Ransomware
Threat
|
|
|
|
2022-10-31 01:57:31 |
A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique (lien direct) |
In the ASEC blog post uploaded on April 2022 (New Malware of Lazarus Threat Actor Group Exploiting INITECH Process, https://asec.ahnlab.com/en/33801/), the team discussed the fact that the Lazarus attack group had been exploiting the INITECH process to infect systems with malware. This article aims to cover the details of the Lazarus group using the watering hole technique to hack into systems before exploiting the vulnerability of the MagicLine4NX product from Dream Security in order to additionally hack into systems in...
|
Malware
Hack
Vulnerability
Threat
Medical
|
APT 38
|
|
