SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2023-03-23 23:00:00	Chinaz ddos bot malware distribué aux serveurs SSH Linux [ChinaZ DDoS Bot Malware Distributed to Linux SSH Servers] (lien direct)	Ahnlab Security Emergency Response Center (ASEC) a récemment découvert que les logiciels malveillants du bot DDOServeurs Linux SSH.En tant que l'un des groupes de menaces chinoises découverts pour la première fois vers 2014, le groupe Chinaz installe divers bots DDOLe groupe comprend Xorddos, Aesddos, Billgates et Mrblack.Cet article couvrira le bot DDOS connu sous le nom de chinaz ou chinaz ddoscient.1. Attaquez ... AhnLab Security Emergency response Center (ASEC) has recently discovered the ChinaZ DDoS Bot malware being installed on inadequately managed Linux SSH servers. As one of the Chinese threat groups that were first discovered around 2014, the ChinaZ group installs various DDoS bots on Windows and Linux systems. [1] Major DDoS bots assumed to have been created by the ChinaZ threat group include XorDDoS, AESDDos, BillGates, and MrBlack. This article will cover the DDoS bot known as ChinaZ or ChinaZ DDoSClient. 1. Attack...	Malware Threat		★★
	2023-03-23 22:00:00	OneNote Malware déguisé en formulaire de compensation (Kimsuky) [OneNote Malware Disguised as Compensation Form (Kimsuky)] (lien direct)	Ahnlab Security Emergency Response Center (ASEC) a découvert la distribution d'un malware Onenote déguisé en forme liée à une formeà la compensation.Le fichier confirmé est usurpé l'identité du même centre de recherche que le logiciel malveillant de type LNK couvert dans l'article ci-dessous.Sur la base de l'activité malveillante identique effectuée par les fichiers VBS, l'équipe a déduit que le même acteur de menace est derrière les deux incidents.Malware distribué déguisé en fichier de mot de passe comme indiqué dans la figure ci-dessous, une page discutant de la compensation ... AhnLab Security Emergency response Center (ASEC) has discovered the distribution of a OneNote malware disguised as a form related to compensation. The confirmed file is impersonating the same research center as the LNK-type malware covered in the post below. Based on the identical malicious activity performed by the VBS files, the team has deduced that the same threat actor is behind both incidents. Malware Distributed Disguised as a Password File As shown in the figure below, a page discussing compensation...	Malware Threat		★★
	2023-03-23 02:00:00	Avertissement pour la vulnérabilité d'escalade des privilèges Office Microsoft Office (CVE-2023-23397) [Warning for Microsoft Office Outlook Privilege Escalation Vulnerability (CVE-2023-23397)] (lien direct)	aperçu Microsoft a découvert une vulnérabilité dans Outlook pour Windows qui est exploité pour voler les informations d'identification NTLM.Microsoft a attribué le code CVE-2023-23397 à cette vulnérabilité.La société lui a donné un score CVSS inhabituellement élevé de 9,8, CVSS étant le score d'évaluation du niveau de gravité.Détails de la vulnérabilité Outlook a une fonctionnalité \\ 'rappel \' qui alerte les utilisateurs des horaires de leur calendrier.L'alerte suivante est également affichée lorsque la période de planification s'est écoulée.Figure 1. Fonctionnement du rappel Outlook le ... Overview Microsoft has discovered a vulnerability in Outlook for Windows that is being exploited to steal NTLM credentials. Microsoft has assigned the code CVE-2023-23397 to this vulnerability. The company gave it an unusually high CVSS score of 9.8, with CVSS being the evaluation score for the severity level. Vulnerability Details Outlook has a \'Reminder\' feature which alerts users of schedules on their calendar. The following alert is also displayed when the schedule period has elapsed. Figure 1. Outlook Reminder feature The...	Vulnerability General Information		★★
	2023-03-23 01:50:00	AVERTISSEMENT POUR LE PROGRAMME DE GESTION D'ACTIF [Warning for Asset Management Program (TCO!Stream) Vulnerability and Update Recommendation] (lien direct)	logiciel vulnérable et aperçu TCO! Stream est une solution de gestion des actifs développée par la société coréenne, MLSoft.Composé d'un serveur et d'un client, les administrateurs peuvent utiliser le programme de console pour effectuer des travaux de gestion des actifs en accédant au serveur.TCO! Stream offre diverses fonctionnalités pour la gestion des actifs, mais il existe un processus qui s'exécute constamment sur le client afin de recevoir des commandes du serveur.Les commandes sont effectuées via ce processus.Cette solution de gestion est exposée à des attaques de vulnérabilité qui pourraient ... Vulnerable Software and Overview TCO!Stream is an asset management solution developed by the Korean company, MLsoft. Consisting of a server and a client, administrators can use the console program to perform asset management work by accessing the server. TCO!Stream offers various features for asset management, but there is a process that runs constantly on the client in order to receive commands from the server. Commands are performed through this process. This management solution is exposed to vulnerability attacks that could...	Vulnerability General Information		★★
	2023-03-23 00:20:00	Avertissement pour la solution de certification (VESTCERT) Vulnérabilité et recommandation de mise à jour [Warning for Certification Solution (VestCert) Vulnerability and Update Recommendation] (lien direct)	logiciel vulnérable et aperçu Vestcert est un programme de certification utilisé lors de l'accès aux sites Web, et est un module non actifxDéveloppé par la société coréenne, YETTIESOFT. & # 160; Ce programme est enregistré en tant que programme de démarrage et sera relancé par le service de Yettiesoft (Gozi) même s'il est résilié.Il reste constamment actif en tant que processus une fois qu'il est installé, il peut donc être exposé à des attaques de vulnérabilité. & # 160; Ainsi, il doit être mis à jour vers la dernière version.Description de la vulnérabilité Cette vulnérabilité était la première ... Vulnerable Software and Overview VestCert is a certification program used while accessing websites, and is a non-ActiveX module developed by the Korean company, Yettiesoft. This program is registered as a Startup Program and will be relaunched by Yettiesoft’s service (Gozi) even if it is terminated. It remains constantly active as a process once it is installed, so it can be exposed to vulnerability attacks. Thus, it needs to be updated to the latest version. Description of the Vulnerability This vulnerability was first...	Vulnerability General Information		★★
	2023-03-23 00:00:00	Caractéristique d'évasion MDS \\ 'des boîtes anti-sands qui utilisent des fenêtres contextuelles [MDS\\' Evasion Feature of Anti-sandboxes That Uses Pop-up Windows] (lien direct)	Ahnlab Security Emergency Response Center (ASEC) surveille diverses tactiques anti-sandbox pour échapper aux bacs à sands.Cet article couvrira la technique anti-sandbox plutôt persistante qui exploite la forme de bouton des fichiers de mots icedid malveillants et la caractéristique d'évasion des MDS des Ahnlab & # 8217; qui est destiné à détecter un comportement malveillant.Une technique anti-sandbox qui exploite le formulaire de bouton est contenue dans le fichier mot icedid malveillant (convert.dot);Cependant, un processus en 2 étapes doit être effectué par un utilisateur avant le malveillant ... AhnLab Security Emergency response Center (ASEC) is monitoring various anti-sandbox tactics to evade sandboxes. This post will cover the rather persistent anti-sandbox technique that exploits the button form of the malicious IcedID Word files and the evasion feature of AhnLab’s MDS which is meant for detecting malicious behavior. An anti-sandbox technique that exploits the button form is contained within the malicious IcedID Word file (convert.dot); however, a 2-step process is required to be done by a user before the malicious...	General Information		★★
	2023-03-22 23:50:00	ASEC Weekly Malware Statistics (13 mars 2023 & # 8211; 19 mars 2023) [ASEC Weekly Malware Statistics (March 13th, 2023 – March 19th, 2023)] (lien direct)	L'équipe d'analyse du centre d'intervention d'urgence (ASEC) AHNLAB utilise le système d'analyse automatique ASEC Rapit pour catégoriser et répondreaux logiciels malveillants connus.Ce message répertorie les statistiques hebdomadaires collectées du 13 mars 2023 (lundi) au 19 mars 2023 (dimanche).Pour la catégorie principale, InfostEaler s'est d'abord classé avec 43,8%, suivi de la porte dérobée avec 34,5%, du téléchargeur avec 18,7%, des ransomwares avec 1,7%, des logiciels malveillants bancaires avec 0,9% et de la co -minner avec 0,4%.Top 1 & # 8211; & # 160;Redline Redline s'est classée en première place avec 23,4%.Le malware vole ... AhnLab Security Emergency response Center (ASEC) analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from March 13th, 2023 (Monday) to March 19th, 2023 (Sunday). For the main category, Infostealer ranked first with 43.8%, followed by backdoor with 34.5%, downloader with 18.7%, ransomware with 1.7%, banking malware with 0.9%, and CoinMiner with 0.4%. Top 1 – Redline RedLine ranked first place with 23.4%. The malware steals...	Ransomware Malware General Information		★★
	2023-03-22 23:30:00	ASEC Weekly Phishing Email Trends Threat (5 mars 2023 & # 8211; 11 mars 2023) [ASEC Weekly Phishing Email Threat Trends (March 5th, 2023 – March 11th, 2023)] (lien direct)	Ahnlab Security Emergency Response Center (ASEC) surveille les menaces par e-mail avec le système d'analyse automatique ASEC (Rapit) et le pot de miel.Ce message couvrira les cas de distribution des e-mails de phishing au cours de la semaine du 5 mars 2023 au 11 mars 2023 et fournira des informations statistiques sur chaque type.Généralement, le phishing est cité comme une attaque qui fuit les utilisateurs & # 8217;Connexion des informations de connexion en déguisant ou en imitant un institut, une entreprise ou un individu grâce à des méthodes d'ingénierie sociale.Sur une note plus large, ... AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from March 5th, 2023 to March 11th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note,...	Threat General Information		★★
	2023-03-22 23:00:00	Ransomware du Nevada distribué en Corée [Nevada Ransomware Being Distributed in Korea] (lien direct)	Ahnlab Security Emergency Response Center (ASEC) a découvert que les cas de ransomware du Nevada sont distribués au cours de l'équipe & # 8217Surveillance interne.Le Nevada est un logiciel malveillant écrit en utilisant Rust comme base et sa tendance à ajouter le & # 8220; .nevada & # 8221;L'extension des fichiers qu'il infecte est son trait déterminant.Après avoir chiffré les répertoires, il génère des notes de rançon avec le nom de fichier & # 8220; readme.txt & # 8221;Dans chaque répertoire.Ces notes contiennent un lien de navigateur TOR pour les paiements de rançon.1. Caractéristiques principales du ransomware du Nevada comme indiqué dans le ... AhnLab Security Emergency response Center (ASEC) discovered cases of the Nevada ransomware being distributed during the team’s internal monitoring. Nevada is a malware written using Rust as its basis and its tendency of adding the “.NEVADA” extension to the files it infects is its defining trait. After encrypting directories, it generates ransom notes with the filename “README.txt” in each directory. These notes contain a Tor browser link for ransom payments. 1. Main Features of Nevada Ransomware As shown in the...	Ransomware Malware General Information		★★
	2023-03-17 01:38:00	ShellBot Malware Being Distributed to Linux SSH Servers (lien direct)	AhnLab Security Emergency response Center (ASEC) has recently discovered the ShellBot malware being installed on poorly managed Linux SSH servers. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server. ShellBot is an old malware that has been in steady use and is still being used today to launch attacks against Linux systems. 1. Attack Campaigns Against Linux SSH Servers Unlike desktop, which is the main...	Malware		★★
	2023-03-17 00:00:00	Malware Distributed Disguised as a Password File (lien direct)	AhnLab Security Emergency response Center (ASEC) discovered a malware strain disguised as a password file and being distributed alongside a normal file within a compressed file last month. It is difficult for users to notice that this file is malicious because this type of malware is distributed together with a normal file. The recently discovered malware was in CHM and LNK file formats. In the case of the CHM file, it shares the same type as the malware covered in...	Malware		★★
	2023-03-16 06:12:33	2022 Threat Trend Report on Kimsuky (lien direct)	In comparison to 2021, 2022 was a year filled with invisible activities, new attack types, Fully Qualified Domain Names (FQDN), and attack preparations. AhnLab identified a significantly higher number of these activities in comparison to 2021. One of these cases involved an incorrect configuration of C2 servers, causing the files within the said servers to be exposed and allowing AhnLab to procure samples, server information files, and variant samples that had never been known externally. The threat actors are using...	Threat Prediction		★★
	2023-03-16 06:12:08	Unique characteristics of Kimsuky group\'s spear phishing emails (lien direct)	A unique difference with the past cases was discovered during the analysis of the Kimsuky group’s spear phishing URLs. Until now, the group used Fully Qualified Domain Names (FQDN) disguised as famous Korean web portals. An analysis of the URLs collected during the past two months revealed multiple new FQDNs including keywords related to certain Korean banks, instead of the past FQDNs disguised as web portals. Unique characteristics of Kimsuky group’s spear phishing emails			★★
	2023-03-16 06:11:08	Threat Trend Report on Region-Specific Ransomware (lien direct)	Background Currently, ransomware creators include individuals, cyber criminal gangs and state-supported groups. Out of these individuals and groups, cyber criminal gangs are the most proactive in ransomware development, while individuals and state-supported groups are less so. Privately developed ransomware is most often for research purposes with the intention of destroying data. Some state-sponsored threat groups also develop ransomware. The purpose of these cases is not for financial gain either but for data destruction, and Wipers, which do not allow recovery,...	Ransomware Threat Prediction		★★
	2023-03-15 23:55:25	ASEC Weekly Malware Statistics (March 6th, 2023 – March 12th, 2023) (lien direct)	AhnLab Security response Center (ASEC) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from March 6th, 2023 (Monday) to March 12th, 2023 (Sunday). For the main category, Infostealer ranked top with 52.6%, followed by backdoor with 27.6%, downloader with 15.7%, ransomware with 3.0%, CoinMiner with 0.7%, and banking malware with 0.4%. Top 1 – AgentTesla AgentTesla is an infostealer that ranked first place with 25.4%. It leaks...	Ransomware Malware		★★
	2023-03-14 01:00:02	ASEC Weekly Phishing Email Threat Trends (February 26th, 2023 – March 4th, 2023) (lien direct)	AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from February 26th, 2023 to March 4th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the...	Threat		★★★
	2023-03-13 23:31:00	Mallox Ransomware Being Distributed in Korea (lien direct)	AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the Mallox ransomware during the team’s monitoring. As covered before, Mallox, which targets vulnerable MS-SQL servers, has historically been distributed at a consistently high rate based on AhnLab’s statistics. The malware disguised as a program related to DirectPlay is a file built in .NET which, as shown in Figure 3, connects to a certain address, downloads additional malware, and runs it in the memory. If this address cannot...	Ransomware Malware		★★★
	2023-03-13 00:49:37	CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky) (lien direct)	AhnLab Security Emergency response Center (ASEC) has recently discovered a CHM malware which is assumed to have been created by the Kimsuky group. This malware type is the same as the one covered in the following ASEC blog posts and the analysis report on the malware distributed by the Kimsuky group, its goal being the exfiltration of user information. Analysis Report on Malware Distributed by the Kimsuky Group – Oct 20, 2022 APT Attack Being Distributed as Windows Help File (*.chm) –...	Malware		★★★
	2023-03-10 00:55:42	Netcat Attack Cases Targeting MS-SQL Servers (LOLBins) (lien direct)	ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the Netcat malware targeting poorly managed MS-SQL servers. Netcat is a utility that allows users to send and receive data from specific destinations on a network connected by the TCP/UDP protocol. Due to its various features and ability to be used on both Linux and Windows, it is utilized by network managers and threat actors alike. 1. Netcat From a malware standpoint, a characteristic of Netcat is its...	Malware Threat		★★★
	2023-03-09 00:00:00	PlugX Malware Being Distributed via Vulnerability Exploitation (lien direct)	The ASEC (AhnLab Security Emergency response Center) has recently discovered the installation of the PlugX malware through the Chinese remote control programs Sunlogin and Awesun’s remote code execution vulnerability. Sunlogin’s remote code execution vulnerability (CNVD-2022-10270 / CNVD-2022-03672) is still being used for attacks even now ever since its exploit code was disclosed. The team previously made a post about how Sliver C2, XMRig CoinMiner, and Gh0st RAT were being distributed through the Sunlogin RCE vulnerability. Additionally, since Gh0st RAT was...	Malware Vulnerability		★★★
	2023-03-08 23:30:00	CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft) (lien direct)	The ASEC (AhnLab Security Emergency response Center) analysis team has discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group (also known as APT37, ScarCruft), is being distributed to Korean users. The team has confirmed that the command used in the “2.3. Persistence” stage of the RedEyes group’s M2RAT malware attack, which was reported back in February, has the same format as the command used in this attack. This information, as well as...	Malware Threat Cloud	APT 37	★★
	2023-03-08 23:00:00	Decryptable iswr Ransomware Being Distributed in Korea (lien direct)	ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the iswr ransomware during the team’s monitoring. A characteristic of iswr is the fact that it adds the iswr extension at the end of filenames after the files have been encrypted. The ransom note of this ransomware has the same format as the STOP ransomware, but when it comes to its encryption method along with the extensions and folders that are targeted, its operation routine differs greatly from...	Ransomware		★★
	2023-03-08 02:35:18	ASEC Weekly Malware Statistics (February 27th, 2023 – March 5th, 2023) (lien direct)	The ASEC (AhnLab Security response Center) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 27th, 2023 (Monday) to March 5th, 2023 (Sunday). For the main category, backdoor ranked top with 51.4%, followed by Infostealer with 31.2%, downloader with 16.5%, and ransomware with 0.9%. Top 1 – RedLine RedLine ranked first place with 41.0%. The malware steals various information such as web browsers, FTP clients, cryptocurrency...	Ransomware Malware		★★
	2023-03-07 23:03:00	GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP (lien direct)	ASEC (AhnLab Security Emergency response Center) has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker. While the specific route could not be ascertained, it is assumed that the ransomware is being distributed through RDP due to the various pieces of evidence gathered from the infection logs. The threat actor installed various tools alongside GlobeImposter, such as Port Scanner and Mimikatz. Once installed, if these tools are able...	Ransomware Threat		★★
	2023-03-06 23:30:00	Lazarus Group Attack Case Using Vulnerability of Certificate Software Commonly Used by Public Institutions and Universities (lien direct)	Since two years ago (March 2021), the Lazarus group’s malware strains have been found in various Korean companies related to national defense, satellites, software, media press, etc. As such, ASEC (AhnLab Security Emergency Response Center) has been pursuing and analyzing the Lazarus threat group’s activities and related malware. The affected company in this case had been infiltrated by the Lazarus group in May 2022 and was re-infiltrated recently through the same software’s 0-Day vulnerability. During the infiltration in May 2022,...	Malware Vulnerability Threat Medical	APT 38	★★★
	2023-03-06 02:06:58	ASEC Weekly Phishing Email Threat Trends (February 19th, 2023 – February 25th, 2023) (lien direct)	The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from February 19th, 2023 to February 25th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...	Threat		★★
	2023-03-01 23:39:11	(Déjà vu) ASEC Weekly Malware Statistics (February 20th, 2023 – February 26th, 2023) (lien direct)	The ASEC (AhnLab Security response Center) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 20th, 2023 (Monday) to February 26th, 2023 (Sunday). For the main category, backdoor ranked top with 51.0%, followed by downloader with 24.7%, Infostealer with 22.7%, ransomware with 1.4%, and CoinMiner with 0.2%. Top 1 – RedLine RedLine ranked first place with 46.9%. The malware steals various information such as web browsers,...	Ransomware Malware		★★
	2023-02-26 23:00:00	(Déjà vu) ASEC Weekly Phishing Email Threat Trends (February 12th, 2023 – February 18th, 2023) (lien direct)	The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from February 12th, 2023 to February 18th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...	Threat		★
	2023-02-23 23:10:00	Magniber Ransomware\'s Relaunch Technique (lien direct)	ASEC (AhnLab Security Emergency Response Center) has been constantly monitoring the Magniber ransomware which has been displaying a high number of distribution cases. It has been distributed through the IE (Internet Explorer) vulnerability for the past few years, but stopped exploiting the vulnerability after the support for the browser ended. Recently, the ransomware is distributed as a Windows installer package file (.msi) in Edge and Chrome browsers. There have been recent reports of systems being reinfected by Magniber. Analysis revealed...	Ransomware Vulnerability		★★
	2023-02-23 22:59:00	Emails Impersonating Shipping Companies Distributed as \'Guide on Submitting Import Clearance Info\' (lien direct)	ASEC (AhnLab Security Emergency response Center) has recently discovered malicious emails impersonating shipping companies being distributed in Korea. These emails prompt users to open the attached file with the subject ‘Submitting import clearance info’. Considering that the attached HTML’s filename starts with ‘DHL_Korea’, it can be concluded that the email is being distributed to Korean targets. Figure 1. Original email This disguised email has a login page in the attached HTML file. When a user logs in this page, an Excel file...			★★
	2023-02-23 02:00:00	Anti-Forensic Techniques Used By Lazarus Group (lien direct)	Since approximately a year ago, the Lazarus group’s malware has been discovered in various Korean companies related to national defense, satellites, software, and media press. The AhnLab ASEC analysis team has been continuously tracking the Lazarus threat group’s activities and other related TTPs. Among the recent cases, this post aims to share the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group. Overview Definition of Anti-Forensics Anti-forensics refers to the tampering of evidence in...	Malware Threat Medical	APT 38	★★
	2023-02-23 01:03:51	ChromeLoader Disguised as Illegal Game Programs Being Distributed (lien direct)	Since the previous year, there has been a steady increase in cases where disk image files, such as ISO and VHD, have been used in malware distribution. These have been covered several times in previous ASEC blog posts. This post will cover a recent discovery of ChromeLoader being distributed using VHD files. These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games. Some of the filenames used in...	Malware		★★
	2023-02-23 00:00:00	Distribution of Malware Exploiting Vulnerable Innorix: Andariel (lien direct)	The ASEC (AhnLab Security Emergency response Center) analysis team has discovered the distribution of malware targeting users with vulnerable versions of Innorix Agent. The collected malware is a backdoor that attempts to connect to a C&C server. The exploited Innorix Agent is a file transfer solution client. Details about the vulnerability were posted by the Korea Internet & Security Agency (KISA)[1] where the INNORIX Agent versions that required the security updates were identified as version 9.2.18.450 and an earlier version,...	Malware Vulnerability		★★
	2023-02-22 07:19:07	(Déjà vu) ASEC Weekly Malware Statistics (February 13th, 2023 – February 19th, 2023) (lien direct)	The AhnLab Security response Center (ASEC) analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 13th, 2023 (Monday) to February 19th, 2023 (Sunday). For the main category, backdoor ranked top with 50.8%, followed by downloader with 41.0%, Infostealer with 7.3%, ransomware with 0.8%, and CoinMiner with 0.2%. Top 1 – RedLine RedLine ranked first place with 49.4%. The malware steals various information such as...	Ransomware Malware		★★
	2023-02-21 01:00:00	HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) (lien direct)	In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group’s latest activity in Korea. 1. Overview The RedEyes group is known for targeting specific individuals and not corporations, stealing not only personal PC information but also the mobile phone data of their targets. A distinct characteristic of the...	Malware Vulnerability Threat Cloud	APT 37	★★★
	2023-02-21 00:30:00	(Déjà vu) ASEC Weekly Phishing Email Threat Trends (February 5th, 2023 – February 11th, 2023) (lien direct)	The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from February 5th, 2023 to February 11th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...	Threat		★★
	2023-02-17 01:00:00	Tracking Distribution Site of Magniber Ransomware Using EDR (lien direct)	AhnLab ASEC has been blocking the Magniber ransomware through various means since its distribution has continued even after, “Redistribution of Magniber Ransomware in Korea (January 28th),” was posted back in January. A particular finding at the time was that the ransomware used the <a> tag to bypass domain blocks. In order to detect this, we have researched response measures by tracking the distribution site URL through a different method. The team is working hard to prevent damages through means such...	Ransomware		★★
	2023-02-17 00:00:00	Overview of AhnLab\'s Response to Joint Cybersecurity Advisory Between South Korea and the United States on North Korean Ransomware (lien direct)	On February 10, intelligence agencies from South Korea and the United States announced a cybersecurity advisory in regard to ransomware attacks from North Korea. It is the first joint report between the South Korean National Intelligence Service and the United States’ National Security Agency (NSA), Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) to raise awareness of cyberattacks from North Korea and protect both countries from ransomware. Title: Ransomware...	Ransomware		★★
	2023-02-16 07:31:05	(Déjà vu) ASEC Weekly Malware Statistics (February 6th, 2023 – February 12th, 2023) (lien direct)	The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 6th, 2023 (Monday) to February 12th, 2023 (Sunday). For the main category, downloader ranked top with 54.7%, followed by backdoor with 27.7%, Infostealer with 12.8%, ransomware with 4.6%, and CoinMiner with 0.1%. Top 1 – Amadey This week, Amadey Bot ranked first place with 43.9%. Amadey is a downloader that can receive commands...	Ransomware Malware		★★
	2023-02-15 03:30:00	PYbot DDoS Malware Being Distributed Disguised as a Discord Nitro Code Generator (lien direct)	A major method through which threat actors distribute malware is by uploading them to sites disguised as cracks or illegal software. After a threat actor uploads their malware disguised as a crack or serial keygen for some paid software, users become infected by the malware while installing this illegal software. The ASEC analysis team is monitoring malware that is being distributed through illegal software like software cracks or serial keygens. Many of the malware distributed in this way are Infostealers...	Malware Threat		★★
	2023-02-15 03:01:49	Qakbot Being Distributed via OneNote (lien direct)	Back in January, AhnLab ASEC published an analysis report on a malware strain that was being distributed through Microsoft (MS) OneNote. As mentioned in the report, there has recently been an increasing number of cases where commodity malware like Qakbot stopped using MS Office Macro, their past distribution method, and instead started to use OneNote to execute their malware. If you look at the Qakbot distribution via OneNote case that happened on February 1st, the threat actor distributed the OneNote...	Malware Threat		★★
	2023-02-15 00:17:34	Malware Disguised as Normal Documents (Kimsuky) (lien direct)	The ASEC analysis team has recently discovered that the malware introduced in the post, <Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)>, is being distributed to broadcasting and ordinary companies as well as those in the security-related field. Identical to the malware introduced in the blog post above, all the malware documents utilize the template injection technique and download malicious word macro documents to execute themselves. The distributed filenames are as follows: To facilitate the execution of the malicious...	Malware		★★
	2023-02-15 00:10:00	Continuous Distribution of LockBit 2.0 Ransomware Disguised as Resumes (lien direct)	The ASEC analysis team has identified that Lockbit 2.0 is being distributed in a MalPE format instead of the NSIS format which the team had introduced it with previously. The MalPE format is a type of packing method that disrupts the analysis of the actual malware. It then decrypts and executies its PE files through an internal shell code. We have recently discovered during our monitoring of ransomware that the distribution of LockBit has risen since January. As it was...	Ransomware		★★
	2023-02-15 00:00:00	Paradise Ransomware Distributed Through AweSun Vulnerability Exploitation (lien direct)	The ASEC analysis team has recently discovered the distribution of Paradise ransomware. The threat actors are suspected to be utilizing a vulnerability exploitation of the Chinese remote control program AweSun. In the past, the team also found and covered the distribution of Sliver C2 and BYOVD through a Sunlogin vulnerability, a remote control program developed in China. 1. AweSun Vulnerability Exploitation The installation of Sliver C2 through the AweSun remote control program developed by AweRay was also discovered to have...	Ransomware Vulnerability Threat		★★
	2023-02-13 00:26:58	(Déjà vu) ASEC Weekly Phishing Email Threat Trends (January 29th, 2023 – February 4th, 2023) (lien direct)	The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from January 29th, 2023 to February 4th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...	Threat		★★
	2023-02-13 00:12:00	Web Page Disguised as a Naver Login Page (lien direct)	On January 3rd, the ASEC analysis team covered a situation where a fake Kakao login page was used to steal the account credentials of certain individuals. Web Page Disguised as a Kakao Login Page The team has confirmed that the threat actor used a vulnerable website to create a domain. The same method described in the above post was used to create a fake Naver login page, and we will be covering it in this post. Emails impersonating Naver Help...	Threat		★★★
	2023-02-13 00:10:00	AsyncRAT Being Distributed as Windows Help File (*.chm) (lien direct)	The distribution method of malware has been diversifying as of late. Among these methods, a malware strain that uses the Windows Help file (*.chm) has been on the rise since last year, and has been covered multiple times in ASEC blog posts like the ones listed below. Recently, the distribution of AsyncRAT through CHM has been confirmed. The overall operation process is shown in Figure 1, and each step will be explained below. First, unlike the types covered in the...	Malware		★★
	2023-02-13 00:06:00	Dalbit (m00nlight): Chinese Hacker Group\'s APT Attack Campaign (lien direct)	0. Overview This report is a continuation of the “Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies” post that was uploaded on August 16, 2022 and follows the group’s activities since that post. This group has always relied on open-source tools and lacked any distinct characteristics to profile them due to the lack of PDB information. Additionally, the amount of information that could be collected was limited unless the affected Korean companies specifically asked for an investigation since...			★★
	2023-02-08 07:30:02	(Déjà vu) ASEC Weekly Malware Statistics (January 30th, 2023 – February 5th, 2023) (lien direct)	The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 30th, 2023 (Monday) to February 5th, 2023 (Sunday). For the main category, downloader ranked top with 39.3%, followed by Infostealer with 28.8%, backdoor with 27.0%, ransomware with 2.6%, and CoinMiner with 2.2%. Top 1 – SmokeLoader SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place...	Ransomware Malware		★★
	2023-02-08 00:20:00	Redistribution of Magniber Ransomware in Korea (January 28th) (lien direct)	On the morning of January 28th, the ASEC analysis team discovered the redistribution of Magniber disguised as normal Windows Installers (MSI). The distributed Magniber files have MSI as their extensions, disguising themselves as Windows update files. According to AhnLab's log system as seen in Figure 1, it can be noted that the distribution increased starting from January 27th. MS.Update.Center.Security.KB17347418.msi MS.Update.Center.Security.KB2562020.msi MS.Update.Center.Security.KB44945726.msi Figure 1. Increase in Magniber distribution confirmed by AhnLab's log system The site that is currently distributing Magniber is...	Ransomware		★★★

Last update at: 2024-06-13 15:07:01
See our sources.

To see everything: Our RSS (filtrered)