| Src |
Date (GMT) |
Titre |
Description |
Tags |
Stories |
Notes |
 |
2022-12-07 01:25:21 |
Phishing Email Disguised as a Well-Known Korean Airline (lien direct) |
The ASEC analysis team has recently discovered a phishing email that impersonates a well-known Korean airline to collect user credentials. The phishing email contains a notice on airline ticket payment, inducing the reader to connect to the disguised phishing page with specific ticket prices and details that implies that the sender has background information of the reader. The subject and the body of the email are shown below. When the attached HTML file is opened, a connection is made to...
|
|
|
★★★
|
|
2022-12-07 01:18:35 |
\'Resume.xll\' File Being Distributed in Korea (LockBit 2.0) (lien direct) |
In mid-2022, the ASEC analysis team shared that malware with the XLL file format (file extension: .xll) was being distributed via email. The XLL file has a DLL form of a PE (Portable Executable) file but is executed with Microsoft Excel. Since then, this type of malware had not been distributed actively, but for the first time in a long while, we found that it was being distributed with the filename, ‘Resume.xll‘. Post from May 20th, 2022: XLL Malware Distributed...
|
Malware
|
|
★★★
|
|
2022-12-02 00:54:11 |
(Déjà vu) ASEC Weekly Malware Statistics (November 21st, 2022 – November 27th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 21st, 2022 (Monday) to November 27th (Sunday). For the main category, downloader ranked top with 40.3%, followed by Infostealer with 35.8%, backdoor with 16.3%, ransomware with 7.2%, and CoinMiner with 0.4%. Top 1 – AgentTesla AgentTesla is an Infostealer that ranked first place with 17.3%. It leaks user credentials saved in web...
|
Ransomware
Malware
|
|
★★
|
|
2022-12-02 00:40:30 |
ASEC Weekly Phishing Email Threat Trend (November 13th, 2022 – November 19th, 2022 ) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 13th, 2022 to November 19th, 2022 and provide statistical information on each type. Additionally, we will introduce new types that were not detected before as well as emails to be cautious of with keywords to minimize harm to users. The phishing emails covered in this post will...
|
Threat
|
|
★★★
|
|
2022-11-30 01:37:55 |
Domains Used for Magniber Distribution in Korea (lien direct) |
On November 7th, the ASEC analysis team introduced through a blog post the Magniber ransomware which attempted MOTW (Mark of the Web) bypassing. Afterward, using the data left in Zone.Identifier, we conducted an investigation on the sources used for the distribution of Magniber. With the typosquatting method-which exploits typos-when the user accesses the wrongly entered domain, the msi file (Magniber) is downloaded after redirecting to an advertisement page. Examination of Zone.Identifier created at this stage reveals the URL from where...
|
Ransomware
|
|
★★
|
|
2022-11-30 01:03:39 |
Phishing Website Disguised as a Famous Korean Email Login Website Being Distributed (lien direct) |
The ASEC analysis team has identified the distribution of a malicious website in Korea that aims to steal account credentials from a famous Korean email service website. The phishing website the email is redirected to is disguised as a login page for a Korean email website, and over 50 cases in Korea were confirmed to have accessed the website. Thus users must take particular caution when logging into this email website. The phishing website is disguised as the login page...
|
|
|
★★★
|
|
2022-11-28 05:52:14 |
LockBit Ransomware Being Mass-distributed With Similar Filenames (lien direct) |
The ASEC analysis team had written about LockBit ransomware being distributed through emails over three blog posts. Through consistent monitoring, we hereby let you know that LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their filenames. Unlike the previous cases introduced in the blog where Word files or copyright claim emails were used, the recent versions are being distributed through phishing mails disguised as job applications. LockBit Ransomware Being Distributed Using Resume and Copyright-related...
|
Ransomware
|
|
★★
|
|
2022-11-28 05:37:32 |
How Is My Phone Number Leaked? (lien direct) |
The PERSONAL INFORMATION PROTECTION ACT is a law to protect the freedom and rights of individuals, and it aims to actualize the individual dignity and value of people. According to the act, personal information is defined as pieces of information that can easily identify an individual when coupled with other pieces of information, and phone numbers are seen as one of the main types of personal information. This post explains the PUP (Potentially Unwanted Program) that collects phone numbers. Figure...
|
|
|
★★
|
|
2022-11-25 00:51:25 |
(Déjà vu) ASEC Weekly Malware Statistics (November 14th, 2022 – November 20th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 14th, 2022 (Monday) to November 20th (Sunday). For the main category, downloader ranked top with 53.2%, followed by backdoor with 24.1%, Infostealer with 21.1%, ransomware with 1.0%, CoinMiner with 0.4%, and banking malware with 0.2%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 30.5%. The malware is...
|
Ransomware
Malware
|
|
★★
|
|
2022-11-25 00:42:22 |
Auto-Publishing and Auto-Reporting Programs for Blog Posts (lien direct) |
Spam programs are illegal programs according to the ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND INFORMATION PROTECTION. The ASEC analysis team previously published a blog post about a spam program sold as a marketing program. Today, we will introduce a program similar to the spam program covered in the past. The file collected under the filename of ‘Naver Blog Report Program.exe’ was developed with C#, just like the spam program covered in the previous blog post. Its...
|
Spam
|
|
|
|
2022-11-25 00:29:36 |
Word Documents Disguised as Normal MS Office URLs Being Distributed (lien direct) |
Recently, there has been a case of malware disguised as a Word document being distributed through certain paths (e.g. KakaoTalk group chats). The ASEC analysis team has discovered during our additional monitoring process that the URL used in the fake Word document is becoming very cleverly disguised to closely resemble the normal URL, and we wish to advise caution on the part of users. The currently identified filenames of the malicious Word documents are as follows.The real names of Koreans found...
|
Malware
|
|
|
|
2022-11-25 00:18:51 |
Malicious Word Document Being Distributed in Disguise of a News Survey (lien direct) |
The ASEC analysis team discovered that the Word document type identified in the blog, 'Malicious Word Files Targeting Specific Individuals Related to North Korea,' has recently been using FTP to leak user credentials. The filename of the identified Word document is 'CNA[Q].doc', disguised as a CNA Singaporean TV program interview. The file is password-protected and is deemed to be distributed as an attachment in emails alongside the password. The identified Word file contains information related to North Korea like the...
|
Threat
|
|
★★★
|
|
2022-11-25 00:06:13 |
Wiki Ransomware Being Distributed in Korea (lien direct) |
Through the AhnLab ASD infrastructure’s history of blocking suspicious ransomware behavior, the ASEC analysis team has identified the distribution of Wiki ransomware, which has been determined to be a variant of Crysis ransomware, disguised as a normal program. Before performing the actual encryption, Wiki ransomware copies itself into the %AppData% or %windir%\system32 paths and undergoes a process of increasing the infection success rate of the ransomware by adding itself to the registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) to be registered as one of the...
|
Ransomware
|
|
|
|
2022-11-24 23:58:36 |
Koxic Ransomware Being Distributed in Korea (lien direct) |
It has been discovered that Koxic ransomware is being distributed in Korea. It was first identified earlier this year, and recently, the team found that a file with a modified appearance and internal ransom note had been detected and blocked via the ASD infrastructure. When infected, the “.KOXIC_[random string]” extension is added to the names of the encrypted files, and a TXT file ransom note is generated in each directory. The filename of the ransom note is as follows. The...
|
Ransomware
|
|
|
|
2022-11-16 03:54:28 |
(Déjà vu) ASEC Weekly Malware Statistics (November 7th, 2022 – November 13th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 7th, 2022 (Monday) to November 13th (Sunday). For the main category, downloader ranked top with 37.8%, followed by Infostealer with 27.1%, banking malware with 22.9%, backdoor with 11.2%, ransomware with 0.5%, and CoinMiner with 0.5%. Top 1 – Emotet Emotet which has resurfaced after six months ranked first place with 22.9%. Emotet...
|
Ransomware
Malware
|
|
|
|
2022-11-16 03:54:04 |
DAGON LOCKER Ransomware Being Distributed (lien direct) |
It was discovered that the DAGON LOCKER ransomware (hereinafter referred to as “DAGON”) is being distributed in Korea. It was first found through AhnLab ASD infrastructure’s suspicious ransomware behavior block history. In October, it was also reported to AhnLab as a suspicious file by a Korean organization. DAGON is commonly distributed through phishing mails or as an attachment to emails, but because it is a ransomware-as-a-service, the distribution route and target can vary according to the threat actor. As the...
|
Ransomware
Threat
|
|
|
|
2022-11-14 01:42:56 |
A Dropper-Type Malware Bomb Being Distributed Again in the Disguise of Cracks (lien direct) |
The dropper malware which camouflaged itself as a crack is being actively distributed again after a period of dormancy. When this malware is executed, the affected system becomes infected with numerous malware programs simultaneously. This is effectively a malware “bomb.” Malware disguised as cracks for commercial software have been prevalent, which were either distributed in a “singular malware” format or “dropper malware” format. The ASEC analysis team is closely monitoring such malware distribution activities and has covered them multiple times...
|
Malware
|
|
|
|
2022-11-11 05:47:58 |
Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web) (lien direct) |
The ASEC analysis team uploaded a post on October 25th to inform the users of the changes that have been made to the Magniber ransomware. Magniber, which is still actively being distributed, has undergone many changes to evade the detection of anti-malware software. Out of these changes, this blog will cover the script format found from September 8th to September 29th, 2022, which bypassed Mark of the Web (MOTW), a feature offered by Microsoft that identifies the source of files....
|
Ransomware
|
|
|
|
2022-11-11 05:38:02 |
Emotet Being Distributed Again via Excel Files After 6 Months (lien direct) |
Over multiple blog posts, the ASEC analysis team has released information on the distribution of Emotet which had been modified in many different ways. It has recently been identified that the Emotet malware has become active again. Around six months have elapsed since the last active distribution. This post will examine the differences between the current Excel file and the one that had been distributed in the past. The common characteristics include the fact that it is distributed through an...
|
Malware
|
|
|
|
2022-11-11 05:26:49 |
(Déjà vu) HackHound IRC Bot Being Distributed via Webhards (lien direct) |
Webhards are the main platforms that the attackers targeting Korean users exploit to distribute malware. The ASEC analysis team has been monitoring malware types distributed through webhards and uploaded multiple blog posts about them in the past. Generally, attackers distribute malware through illegal programs such as adult games and crack versions of games. Those who use webhards as a distribution path typically install RAT type malware such as njRAT, UdpRAT, and DDoS IRC Bot. As shown in the cases covered...
|
Malware
|
|
|
|
2022-11-10 05:50:39 |
(Déjà vu) ASEC Weekly Malware Statistics (October 31st, 2022 – November 6th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 31st, 2022 (Monday) to November 6th (Sunday). For the main category, downloader ranked top with 64.8%, followed by infostealer with 25.9%, backdoor with 6.6%, ransomware with 2.2%, and CoinMiner with 0.4%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 39.6%. The malware is distributed via malware disguised...
|
Ransomware
Malware
|
|
|
|
2022-11-10 05:49:52 |
Distribution of Word File (External + RTF) Modified to Avoid Detection (lien direct) |
Malicious MS Office Word documents have long been used for the distribution of additional RTF malware by exploiting the fact that Word files allow external connection. However, AhnLab has identified the files that seem to have been made to avoid anti-malware detection are being distributed in Korea. Similar to past cases, an email disguised as a work email with a Word document attachment is used, but a unique factor exists in the webSettings.xml.rels file which can be identified within the...
|
Malware
|
|
|
|
2022-11-10 05:49:05 |
Penetration and Distribution Method of Gwisin Attacker (lien direct) |
The attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means such as SFTP, WMI, integrated management solution, and IIS web service to distribute the ransomware into the internal infrastructure. In this confirmed case, they used the IIS web service to distribute Gwisin ransomware. How Gwisin Attacker Penetrates a Server Unlike other...
|
Ransomware
|
|
|
|
2022-11-08 00:35:33 |
(Déjà vu) LockBit 3.0 Being Distributed via Amadey Bot (lien direct) |
The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it is being sold in illegal forums and still being used by various attackers. It was used in the past to install ransomware by attackers of GandCrab or to install FlawedAmmyy by the TA505 group which...
|
Ransomware
Malware
|
|
|
|
2022-11-03 05:23:46 |
(Déjà vu) ASEC Weekly Malware Statistics (October 24th, 2022 – October 30th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 24th, 2022 (Monday) to October 30th (Sunday). For the main category, Infostealer ranked top with 43.2%, followed by downloader with 34.7%, backdoor with 19.4%, and ransomware with 2.2%. Top 1 – Agent Tesla AgentTesla is an Infostealer that ranked first place with 22.1%. It is an Infostaler that leaks user credentials saved in...
|
Ransomware
Malware
|
|
|
|
2022-11-03 05:23:28 |
Surtr Ransomware Being Distributed in Korea (lien direct) |
Through internal monitoring, the ASEC analysis team has recently discovered that Surtr ransomware is being distributed. This ransomware encrypts files, then adds a “[DycripterSupp@mailfence.com].[<random string>].Surtr” file extension to the original file extension name. When Surtr ransomware infects a system, it changes the desktop image of the infected PC and creates a ransom note (See Figures 1 and 2) to inform the user of the ransomware infection. Surtr also creates ransom note files (SURTR_README.hta and SURTR_README.txt) in folders containing the infected...
|
Ransomware
|
|
|
|
2022-11-02 01:49:15 |
Appleseed Being Distributed to Nuclear Power Plant-Related Companies (lien direct) |
The ASEC analysis team has recently discovered a case of AppleSeed being distributed to nuclear power plant-related companies. AppleSeed is a backdoor malware used by Kimsuky, one of the organizations affiliated with North Korea, and this malware is being actively distributed to many companies. The filenames of the AppleSeed dropper were identified by the ASEC analysis team as follows, and a double file extension was used to deceive users. When the file is executed, the encoded data inside is decoded...
|
Malware
|
|
|
|
2022-11-02 01:22:25 |
Elbie Ransomware Being Distributed in Korea (lien direct) |
The ASEC analysis team has identified through internal monitoring that the Elbie ransomware is being distributed under the disguise of ieinstal.exe, an Internet Explorer Add-on installation program. The initial executable decodes the internal data into an executable that performs the actual ransomware behavior (See Figure 2). Afterward, the decoded executable is injected into the process which has run recursion, and it checks whether the user PC uses the VM environment. The injected and executed ransomware drops a copy into the...
|
Ransomware
|
|
|
|
2022-10-31 01:58:18 |
AgentTesla Being Distributed via VBS (lien direct) |
The ASEC analysis team has recently identified that AgentTesla is being distributed through malicious VBS. The script file has multiple codes that have been obfuscated multiple times. AgentTesla has been found to be distributed last May through a Windows Help file (*.chm), and it seems that its distribution method is continuously changing. The VBS script is distributed as an attachment to emails. Recently, emails impersonating those from Korean corporations have also been identified. The compressed file contains the VBS, and...
|
|
|
|
|
2022-10-31 01:57:31 |
A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique (lien direct) |
In the ASEC blog post uploaded on April 2022 (New Malware of Lazarus Threat Actor Group Exploiting INITECH Process, https://asec.ahnlab.com/en/33801/), the team discussed the fact that the Lazarus attack group had been exploiting the INITECH process to infect systems with malware. This article aims to cover the details of the Lazarus group using the watering hole technique to hack into systems before exploiting the vulnerability of the MagicLine4NX product from Dream Security in order to additionally hack into systems in...
|
Malware
Hack
Vulnerability
Threat
Medical
|
APT 38
|
|
|
2022-10-27 00:16:33 |
(Déjà vu) ASEC Weekly Malware Statistics (October 17th, 2022 – October 23rd, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 17th, 2022 (Monday) to October 23rd (Sunday). For the main category, info-stealer ranked top with 52.7%, followed by downloader with 37.0%, backdoor with 8.8%, ransomware with 1.0%, and banking malware with 0.5%. Top 1 – Agent Tesla AgentTesla is an infostealer that ranked first place with 23.4%. It is an info-stealer that leaks...
|
Ransomware
Malware
|
|
|
|
2022-10-27 00:05:57 |
Qakbot Malware Being Distributed in Korea (lien direct) |
The ASEC analysis team has identified the Qakbot malware that was introduced in the past is being distributed to Korean users. The overall operation process, including the fact that it uses ISO files, is similar to the previous version, but a process to bypass behavior detection was added. The email distributed to Korean users is as shown below. It has hijacked a normal existing email and replied to it with a malicious file in the attachment, and this distribution process...
|
Malware
|
|
|
|
2022-10-26 23:59:32 |
CoinMiner Being Installed on Vulnerable Apache Tomcat Web Server (lien direct) |
The ASEC analysis team has recently identified attacks targeting vulnerable Apache Tomcat web server. The Tomcat server that has not been updated to the latest version is one of the major attack vectors that exploit vulnerabilities. In the past, the ASEC blog has also covered attacks targeting Apache Tomcat servers with the vulnerable JBoss version installed. The attackers used JexBoss, a vulnerability exploitation tool, to install a WebShell before gaining control over the target system with the Meterpreter malware. Ordinarily,...
|
Vulnerability
|
|
|
|
2022-10-26 23:52:48 |
FormBook Malware Being Distributed as .NET (lien direct) |
The FormBook malware that was recently detected by a V3 software had been downloaded to the system and executed while the user was using a web browser. FormBook is an info-stealer that aims to steal the user’s web browser login information, keyboard input, clipboard, and screenshots. It targets random individuals, and is usually distributed through spam mails or uploaded to infiltrated websites. FormBook operates by injecting into a running process memory, and the targets of injection are explorer.exe and arbitrary...
|
Spam
Malware
|
|
|
|
2022-10-25 01:04:42 |
Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed (lien direct) |
On October 17th, 2022, the Korean Internet & Security Agency (KISA) published a security notice titled “Advising Caution on Cyber Attacks Exploiting the Kakao Service Malfunction Issue’, and according to the notice, malware disguised as a KakaoTalk installation file (KakaoTalkUpdate.zip etc.) is being distributed via email. The ASEC analysis team was able to secure a file that seems to be of the type while monitoring relevant samples. This malware has the same filename and icon as the actual messenger program,...
|
Malware
|
|
|
|
2022-10-25 00:52:47 |
(Déjà vu) ASEC Weekly Malware Statistics (October 10th, 2022 – October 16th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 10th, 2022 (Monday) to October 16th, 2022 (Sunday). For the main category, downloader ranked top with 44.4%, followed by info-stealer with 41.7%, backdoor with 12.5%, ransomware with 0.9%, and CoinMiner with 0.5%. Top1. SmokeLoader Smokeloader is infostealer / downloader malware that is distributed via exploit kits. This week, it ranked first place...
|
Ransomware
Malware
|
|
|
|
2022-10-25 00:43:50 |
Rapidly Evolving Magniber Ransomware (lien direct) |
The Magniber ransomware has recently been evolving rapidly. From changing its file extension, injection and to UAC bypassing techniques, the Magniber ransomware has been rapidly changing to bypass the detection of anti-malware software. This article summarizes the evolution of the Magniber ransomware in the last few months based on the analysis that had been previously performed. Table 1 shows the major characteristics of the distributed Magniber ransomware files by date. It had been distributed as five different file extensions (msi,...
|
Ransomware
|
|
|
|
2022-10-24 23:58:37 |
Analysis on Attack Techniques and Cases Using RDP (lien direct) |
Overview One of the previous ASEC blog posts discussed cases where attackers abused various remote control tools that are originally used for system management purposes to gain control over infected systems. This post will cover cases where RDP (Remote Desktop Protocol), a default service provided by baseline Windows OS, was used. RDP is commonly used in most attacks, and this is because it is useful for initial compromise or lateral movement in comparison to remote control tools that require additional...
|
|
|
|
|
2022-10-21 03:56:17 |
GuLoader Malware Disguised as a Word File Being Distributed in Korea (lien direct) |
The ASEC analysis team has discovered that the GuLoader malware is being distributed to Korean corporate users. GuLoader is a downloader that has been steadily distributed since the past, downloading various malware. The phishing mail being distributed is as follows, and has an HTML file attached. When the user opens the attached HTML file, a compressed file is downloaded from the URL below. The compressed file contains an IMG file and the GuLoader malware is inside this IMG file. GuLoader...
|
Malware
|
|
|
|
2022-10-21 02:30:43 |
Attackers Abusing Various Remote Control Tools (lien direct) |
Overview Ordinarily, attackers install malware through various methods such as spear phishing emails with a malicious attachment, malvertising, vulnerabilities, and disguising the malware as normal software and uploading them to websites. The malware that is installed include infostealers which steal information from the infected system, ransomware which encrypts files to demand ransom, and DDoS Bots which are used in DDoS attacks. In addition to these, backdoor and RAT are also major malware programs used by attackers. Backdoor malware is installed...
|
Ransomware
Malware
|
|
|
|
2022-10-18 23:44:15 |
(Déjà vu) ASEC Weekly Malware Statistics (October 3rd, 2022 – October 9th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 3rd, 2022 (Monday) to October 9th, 2022 (Sunday). For the main category, downloader ranked top with 45.0%, followed by info-stealer with 39.6%, backdoor with 14.6%, ransomware with 0.4%, and CoinMiner with 0.4%. Top1. SmokeLoader Smokeloader is infostealer / downloader malware that is distributed via exploit kits. This week, it ranked first place...
|
Ransomware
Malware
|
|
|
|
2022-10-12 04:48:14 |
Lazarus Group Uses the DLL Side-Loading Technique (mi.dll) (lien direct) |
While tracking the Lazarus attack group, the ASEC analysis team discovered that the attackers were using the DLL Side-Loading attack technique (T1574.002) by abusing legitimate applications in the initial compromise stage to achieve the next stage of their attack process. https://attack.mitre.org/techniques/T1574/002/ The DLL Side-Loading attack technique saves a legitimate application and a malicious DLL in the same folder path to enable the malicious DLL to also be executed when the application is run. In other words, it is a malware...
|
|
APT 38
|
|
|
2022-10-12 04:24:38 |
GlobeImposter Ransomware Being Distributed in Korea (lien direct) |
The ASEC analysis team has recently identified through internal monitoring that the GlobeImposter ransomware, which targets vulnerable MS-SQL servers, is being distributed. This GlobeImposter ransomware has also been mentioned in AhnLab TIP’s quarterly statistics, specifically in the ‘2022 1st and 2nd Quarter Statistical Report on Malware Targeting MS-SQL,’ and in the 2nd quarter, GlobeImposter took up 52.6% of ransomware targeting MS-SQL. It has been identified that the GlobeImposter ransomware is still appearing in the soon-to-be-released 3rd quarter statistics. This ransomware...
|
Ransomware
Malware
|
|
|
|
2022-10-12 04:18:45 |
(Déjà vu) ASEC Weekly Malware Statistics (September 26th, 2022 – October 2nd, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 26th, 2022 (Monday) to October 2nd, 2022 (Sunday). For the main category, downloader ranked top with 38.2%, followed by info-stealer with 35.1%, ransomware with 14.7%, backdoor with 11.6%, and CoinMiner with 0.4%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 16.7%. BeamWinHTTP is distributed via malware disguised...
|
Ransomware
Malware
|
|
|
|
2022-10-12 04:01:25 |
Qakbot Being Distributed as ISO Files Instead of Excel Macro (lien direct) |
There is a recent increase in the distribution method of malware through ISO files. Among the malware, it has been identified that Qakbot, an online banking malware, has had its distribution method changed from Excel 4.0 Macro to ISO files. The ASEC blog introduced cases of ISO file usage for not only Qakbot, but also AsyncRAT, IcedID, and BumbleBee malware. As such, we can see that cases of using ISO files for malware distribution are increasing. The phishing mail that...
|
Malware
|
|
|
|
2022-10-05 01:33:03 |
Change in Magniber Ransomware (*.js → *.wsf) – September 28th (lien direct) |
The ASEC analysis team has explained through the blog post on September 8th that the Magniber ransomware has changed from having a CPL extension to a JSE extension. The attacker made another change after September 8th, changing the file extension from JSE to JS on September 16th. And on September 28th, the attacker changed the distribution method once again, changing the file extension from JS to WSF. It seems the attacker is continuously distributing variations to bypass various detection methods...
|
Ransomware
|
|
|
|
2022-09-28 04:06:47 |
(Déjà vu) ASEC Weekly Malware Statistics (September 19th, 2022 – September 25th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 19th, 2022 (Monday) to September 25th, 2022 (Sunday). For the main category, info-stealer ranked top with 51.3%, followed by backdoor with 21.1%, downloader with 17.2%, and ransomware with 10.3%. Top 1 – Agent Tesla AgentTesla is an infostealer that ranked first place with 20.7%. It is an info-stealer that leaks user credentials saved...
|
Ransomware
Malware
|
|
|
|
2022-09-28 03:48:50 |
LockBit 3.0 Ransomware Distributed via Word Documents (lien direct) |
The ASEC analysis team has identified that LockBit 3.0 ransomware distributed while disguised as job application emails in NSIS format is also being distributed in Word document format. The specific distribution channel has not yet been identified, but considering that the distributed file names include names of people such as ‘Lim Gyu Min.docx’ or ‘Jeon Chae Rin.docx’, it is likely that they were distributed disguised as job applications, similar to the past cases. There is an external link in the...
|
Ransomware
|
|
|
|
2022-09-28 03:39:14 |
(Déjà vu) ASEC Weekly Malware Statistics (September 12th, 2022 – September 18th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 12th, 2022 (Monday) to September 18th, 2022 (Sunday). For the main category, info-stealer ranked top with 41.5%, followed by downloader with 27.5%, backdoor with 19.9%, ransomware with 8.2%, and banking malware with 2.9%. Top 1 – AgentTesla AgentTesla is an infostealer that ranked first place with 18.1%. It is an info-stealer that...
|
Ransomware
Malware
|
|
|
|
2022-09-27 03:55:32 |
NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed (lien direct) |
In February and June, the ASEC Analysis team posted in the blog about LockBit 2.0 ransomware being distributed via email. In this blog, we will introduce the new version of the LockBit 3.0 ransomware that is still being distributed through similar method. While in June there were multiple cases of the ransomware being distributed disguised as a copyright-related email, recently it is being distributed as a phishing email disguised as an email on the subject of job applications. As shown in...
|
Ransomware
|
|
|
