| Src |
Date (GMT) |
Titre |
Description |
Tags |
Stories |
Notes |
 |
2023-03-16 06:11:08 |
Threat Trend Report on Region-Specific Ransomware (lien direct) |
Background Currently, ransomware creators include individuals, cyber criminal gangs and state-supported groups. Out of these individuals and groups, cyber criminal gangs are the most proactive in ransomware development, while individuals and state-supported groups are less so. Privately developed ransomware is most often for research purposes with the intention of destroying data. Some state-sponsored threat groups also develop ransomware. The purpose of these cases is not for financial gain either but for data destruction, and Wipers, which do not allow recovery,...
|
Ransomware
Threat
Prediction
|
|
★★
|
|
2023-03-15 23:55:25 |
ASEC Weekly Malware Statistics (March 6th, 2023 – March 12th, 2023) (lien direct) |
AhnLab Security response Center (ASEC) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from March 6th, 2023 (Monday) to March 12th, 2023 (Sunday). For the main category, Infostealer ranked top with 52.6%, followed by backdoor with 27.6%, downloader with 15.7%, ransomware with 3.0%, CoinMiner with 0.7%, and banking malware with 0.4%. Top 1 – AgentTesla AgentTesla is an infostealer that ranked first place with 25.4%. It leaks...
|
Ransomware
Malware
|
|
★★
|
|
2023-03-13 23:31:00 |
Mallox Ransomware Being Distributed in Korea (lien direct) |
AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the Mallox ransomware during the team’s monitoring. As covered before, Mallox, which targets vulnerable MS-SQL servers, has historically been distributed at a consistently high rate based on AhnLab’s statistics. The malware disguised as a program related to DirectPlay is a file built in .NET which, as shown in Figure 3, connects to a certain address, downloads additional malware, and runs it in the memory. If this address cannot...
|
Ransomware
Malware
|
|
★★★
|
|
2023-03-08 23:00:00 |
Decryptable iswr Ransomware Being Distributed in Korea (lien direct) |
ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the iswr ransomware during the team’s monitoring. A characteristic of iswr is the fact that it adds the iswr extension at the end of filenames after the files have been encrypted. The ransom note of this ransomware has the same format as the STOP ransomware, but when it comes to its encryption method along with the extensions and folders that are targeted, its operation routine differs greatly from...
|
Ransomware
|
|
★★
|
|
2023-03-08 02:35:18 |
ASEC Weekly Malware Statistics (February 27th, 2023 – March 5th, 2023) (lien direct) |
The ASEC (AhnLab Security response Center) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 27th, 2023 (Monday) to March 5th, 2023 (Sunday). For the main category, backdoor ranked top with 51.4%, followed by Infostealer with 31.2%, downloader with 16.5%, and ransomware with 0.9%. Top 1 – RedLine RedLine ranked first place with 41.0%. The malware steals various information such as web browsers, FTP clients, cryptocurrency...
|
Ransomware
Malware
|
|
★★
|
|
2023-03-07 23:03:00 |
GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP (lien direct) |
ASEC (AhnLab Security Emergency response Center) has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker. While the specific route could not be ascertained, it is assumed that the ransomware is being distributed through RDP due to the various pieces of evidence gathered from the infection logs. The threat actor installed various tools alongside GlobeImposter, such as Port Scanner and Mimikatz. Once installed, if these tools are able...
|
Ransomware
Threat
|
|
★★
|
|
2023-03-01 23:39:11 |
(Déjà vu) ASEC Weekly Malware Statistics (February 20th, 2023 – February 26th, 2023) (lien direct) |
The ASEC (AhnLab Security response Center) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 20th, 2023 (Monday) to February 26th, 2023 (Sunday). For the main category, backdoor ranked top with 51.0%, followed by downloader with 24.7%, Infostealer with 22.7%, ransomware with 1.4%, and CoinMiner with 0.2%. Top 1 – RedLine RedLine ranked first place with 46.9%. The malware steals various information such as web browsers,...
|
Ransomware
Malware
|
|
★★
|
|
2023-02-23 23:10:00 |
Magniber Ransomware\'s Relaunch Technique (lien direct) |
ASEC (AhnLab Security Emergency Response Center) has been constantly monitoring the Magniber ransomware which has been displaying a high number of distribution cases. It has been distributed through the IE (Internet Explorer) vulnerability for the past few years, but stopped exploiting the vulnerability after the support for the browser ended. Recently, the ransomware is distributed as a Windows installer package file (.msi) in Edge and Chrome browsers. There have been recent reports of systems being reinfected by Magniber. Analysis revealed...
|
Ransomware
Vulnerability
|
|
★★
|
|
2023-02-22 07:19:07 |
(Déjà vu) ASEC Weekly Malware Statistics (February 13th, 2023 – February 19th, 2023) (lien direct) |
The AhnLab Security response Center (ASEC) analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 13th, 2023 (Monday) to February 19th, 2023 (Sunday). For the main category, backdoor ranked top with 50.8%, followed by downloader with 41.0%, Infostealer with 7.3%, ransomware with 0.8%, and CoinMiner with 0.2%. Top 1 – RedLine RedLine ranked first place with 49.4%. The malware steals various information such as...
|
Ransomware
Malware
|
|
★★
|
|
2023-02-17 01:00:00 |
Tracking Distribution Site of Magniber Ransomware Using EDR (lien direct) |
AhnLab ASEC has been blocking the Magniber ransomware through various means since its distribution has continued even after, “Redistribution of Magniber Ransomware in Korea (January 28th),” was posted back in January. A particular finding at the time was that the ransomware used the <a> tag to bypass domain blocks. In order to detect this, we have researched response measures by tracking the distribution site URL through a different method. The team is working hard to prevent damages through means such...
|
Ransomware
|
|
★★
|
|
2023-02-17 00:00:00 |
Overview of AhnLab\'s Response to Joint Cybersecurity Advisory Between South Korea and the United States on North Korean Ransomware (lien direct) |
On February 10, intelligence agencies from South Korea and the United States announced a cybersecurity advisory in regard to ransomware attacks from North Korea. It is the first joint report between the South Korean National Intelligence Service and the United States’ National Security Agency (NSA), Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) to raise awareness of cyberattacks from North Korea and protect both countries from ransomware. Title: Ransomware...
|
Ransomware
|
|
★★
|
|
2023-02-16 07:31:05 |
(Déjà vu) ASEC Weekly Malware Statistics (February 6th, 2023 – February 12th, 2023) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 6th, 2023 (Monday) to February 12th, 2023 (Sunday). For the main category, downloader ranked top with 54.7%, followed by backdoor with 27.7%, Infostealer with 12.8%, ransomware with 4.6%, and CoinMiner with 0.1%. Top 1 – Amadey This week, Amadey Bot ranked first place with 43.9%. Amadey is a downloader that can receive commands...
|
Ransomware
Malware
|
|
★★
|
|
2023-02-15 00:10:00 |
Continuous Distribution of LockBit 2.0 Ransomware Disguised as Resumes (lien direct) |
The ASEC analysis team has identified that Lockbit 2.0 is being distributed in a MalPE format instead of the NSIS format which the team had introduced it with previously. The MalPE format is a type of packing method that disrupts the analysis of the actual malware. It then decrypts and executies its PE files through an internal shell code. We have recently discovered during our monitoring of ransomware that the distribution of LockBit has risen since January. As it was...
|
Ransomware
|
|
★★
|
|
2023-02-15 00:00:00 |
Paradise Ransomware Distributed Through AweSun Vulnerability Exploitation (lien direct) |
The ASEC analysis team has recently discovered the distribution of Paradise ransomware. The threat actors are suspected to be utilizing a vulnerability exploitation of the Chinese remote control program AweSun. In the past, the team also found and covered the distribution of Sliver C2 and BYOVD through a Sunlogin vulnerability, a remote control program developed in China. 1. AweSun Vulnerability Exploitation The installation of Sliver C2 through the AweSun remote control program developed by AweRay was also discovered to have...
|
Ransomware
Vulnerability
Threat
|
|
★★
|
|
2023-02-08 07:30:02 |
(Déjà vu) ASEC Weekly Malware Statistics (January 30th, 2023 – February 5th, 2023) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 30th, 2023 (Monday) to February 5th, 2023 (Sunday). For the main category, downloader ranked top with 39.3%, followed by Infostealer with 28.8%, backdoor with 27.0%, ransomware with 2.6%, and CoinMiner with 2.2%. Top 1 – SmokeLoader SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place...
|
Ransomware
Malware
|
|
★★
|
|
2023-02-08 00:20:00 |
Redistribution of Magniber Ransomware in Korea (January 28th) (lien direct) |
On the morning of January 28th, the ASEC analysis team discovered the redistribution of Magniber disguised as normal Windows Installers (MSI). The distributed Magniber files have MSI as their extensions, disguising themselves as Windows update files. According to AhnLab's log system as seen in Figure 1, it can be noted that the distribution increased starting from January 27th. MS.Update.Center.Security.KB17347418.msi MS.Update.Center.Security.KB2562020.msi MS.Update.Center.Security.KB44945726.msi Figure 1. Increase in Magniber distribution confirmed by AhnLab's log system The site that is currently distributing Magniber is...
|
Ransomware
|
|
★★★
|
|
2023-02-06 12:00:00 |
DarkSide Ransomware With Self-Propagating Feature in AD Environments (lien direct) |
In order to evade analysis and sandbox detection, DarkSide ransomware only operates when the loader and data file are both present. The loader with the name “msupdate64.exe” reads the “config.ini” data file within the same path that contains the encoded ransomware and runs the ransomware on the memory area of a normal process. The ransomware is structured to only operate when a specific argument matches. It will then register itself to the task scheduler and run itself periodically. The following...
|
Ransomware
|
|
★★★
|
|
2023-02-02 00:02:43 |
(Déjà vu) ASEC Weekly Malware Statistics (January 23rd, 2023 – January 29th, 2023) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 23rd, 2023 (Monday) to January 29th, 2023 (Sunday). For the main category, downloader ranked top with 44.2%, followed by Infostealer with 34.3%, backdoor with 18.5%, ransomware with 2.6%, and CoinMiner with 0.4%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 24.0%. The malware is distributed via malware disguised...
|
Ransomware
Malware
|
|
★★
|
|
2023-01-31 23:29:34 |
TZW Ransomware Being Distributed in Korea (lien direct) |
Through internal monitoring, the ASEC analysis team recently discovered the distribution of the TZW ransomware, which encrypts files before adding the “TZW” file extension to the original extension. This ransomware is being propagated with the version info marked as “System Boot Info”, disguising itself as a normal program file related to boot information. It was created in a .NET format and includes a loader and the actual ransomware data within it. It ultimately loads and executes the ransomware file through...
|
Ransomware
|
|
★★
|
|
2023-01-30 00:57:25 |
(Déjà vu) ASEC Weekly Malware Statistics (January 16th, 2023 – January 22nd, 2023) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 16th, 2022 (Monday) to January 22nd, 2023 (Sunday). For the main category, Infostealer ranked top with 43.0%, followed by downloader with 30.06%, backdoor with 19.9%, ransomware with 3.8%, CoinMiner 2.4%, and baking malware with 0.3%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 20.3%. The malware is distributed...
|
Ransomware
Malware
|
|
★★
|
|
2023-01-20 05:04:47 |
(Déjà vu) ASEC Weekly Malware Statistics (January 9th, 2023 – January 15th, 2023) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 9th, 2023 (Monday) to January 15th, 2023 (Sunday). For the main category, downloader ranked top with 38.4%, followed by Infostealer with 37.0%, backdoor with 18.2%, ransomware with 4.0%, CoinMiner with 1.5%. Top 1 – SmokeLoader SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place with...
|
Ransomware
Malware
|
|
★★
|
|
2023-01-13 04:32:36 |
(Déjà vu) ASEC Weekly Malware Statistics (January 2nd, 2023 – January 8th, 2023) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 2nd, 2023 (Monday) to January 8th, 2023 (Sunday). For the main category, downloader ranked top with 55.9%, followed by Infostealer with 21.3%, backdoor with 14.2%, ransomware with 7.9%, and CoinMiner with 0.8%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 32.3%. The malware is distributed via malware disguised...
|
Ransomware
Malware
|
|
★★
|
|
2023-01-05 23:43:53 |
(Déjà vu) ASEC Weekly Malware Statistics (December 26th, 2022 – January 1st, 2023) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from December 26th, 2022 (Monday) to January 1st, 2023 (Sunday). For the main category, downloader ranked top with 48.8%, followed by backdoor with 24.2%, Infostealer with 18.4%, CoinMiner with 4.8%, ransomware with 3.4%, and lastly banking malware with 0.5%. Top 1 – SmokeLoader SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kits. This...
|
Ransomware
Malware
|
|
★★
|
|
2023-01-02 01:18:00 |
(Déjà vu) ASEC Weekly Malware Statistics (December 19th, 2022 – December 25th, 2022) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from December 19th, 2022 (Monday) to December 25th, 2022 (Sunday). For the main category, Infostealer ranked top with 37.3%, followed by downloader with 35.7%, backdoor with 23.9%, and ransomware with 3.1%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 23.3%. The malware is distributed via malware disguised as PUP installer....
|
Ransomware
Malware
|
|
★★
|
|
2022-12-26 04:51:42 |
(Déjà vu) ASEC Weekly Malware Statistics (December 12th, 2022 – December 18th, 2022) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from December 12th, 2022 (Monday) to December 18th, 2022 (Sunday). For the main category, downloader ranked top with 61.9%, followed by Infostealer with 24.7%, backdoor with 12.5%, and ransomware with 0.9%. Top 1 – SmokeLoader SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place with 28.9%. Like...
|
Ransomware
Malware
|
|
★★
|
|
2022-12-15 06:10:39 |
(Déjà vu) ASEC Weekly Malware Statistics (December 5th, 2022 – December 11th, 2022) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from December 5th, 2022 (Monday) to December 11th, 2022 (Sunday). For the main category, downloader ranked top with 44.3%, followed by Infostealer with 28.2%, backdoor with 18.3%, ransomware with 8.5%, and CoinMiner with 0.7%. Top 1 – Amadey This week, Amadey Bot ranked first place with 15.9%. Amadey is a downloader that can receive commands...
|
Ransomware
Malware
|
|
★★
|
|
2022-12-15 06:04:55 |
Caution! Magniber Ransomware Restarts Its Propagation on December 9th With COVID-19 Related Filenames (lien direct) |
On December 9th, 2022, the ASEC analysis team discovered that Magniber Ransomware is being distributed again. During the peak of the COVID-19 outbreak, Magniber was found being distributed with COVID-19 related filenames alongside the previous security update related filenames. C:\Users\$USERS\Downloads\COVID.Warning.Readme.2f4a204180a70de60e674426ee79673f.msiC:\Users\$USERS\Downloads\COVID.Warning.Readme.502ef18830aa097b6dd414d3c3edd5fb.msiC:\Users\$USERS\Downloads\COVID.Warning.Readme.a179a9245f8e13f41d799e775b71fdff.msi Table 1. COVID-19 related filenames in circulation In the past, Magniber exploited Internet Explorer’s vulnerability to infect user PCs via Drive by Download which only required users to visit a web page. However, after Microsoft stopped supporting Internet Explorer, Magniber’s...
|
Ransomware
Vulnerability
|
|
★★★
|
|
2022-12-15 06:02:24 |
STOP Ransomware Being Distributed in Korea (lien direct) |
The ASEC analysis team discovered that the STOP ransomware is being distributed in Korea. This ransomware is being distributed at a very high volume that it is ranked among the Top 3 in the ASEC Weekly Malware Statistics (November 28th, 2022 – December 4th, 2022). The files that are currently being distributed are in the form of MalPe just like SmokeLoader and Vidar, and the filenames include a random 4-byte string as shown below. When the ransomware is executed, it first...
|
Ransomware
Malware
|
|
★
|
|
2022-12-08 02:10:30 |
(Déjà vu) ASEC Weekly Malware Statistics (November 28th, 2022 – December 4th, 2022) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 28th, 2022 (Monday) to December 4th, 2022 (Sunday). For the main category, Infostealer ranked top with 34.8%, followed by downloader with 28.2%, backdoor with 21.1%, ransomware with 14.6%, and CoinMiner with 0.3%. Top 1 – SmokeLoader SmokeLoader is an infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place with...
|
Ransomware
Malware
|
|
★★
|
|
2022-12-02 00:54:11 |
(Déjà vu) ASEC Weekly Malware Statistics (November 21st, 2022 – November 27th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 21st, 2022 (Monday) to November 27th (Sunday). For the main category, downloader ranked top with 40.3%, followed by Infostealer with 35.8%, backdoor with 16.3%, ransomware with 7.2%, and CoinMiner with 0.4%. Top 1 – AgentTesla AgentTesla is an Infostealer that ranked first place with 17.3%. It leaks user credentials saved in web...
|
Ransomware
Malware
|
|
★★
|
|
2022-11-30 01:37:55 |
Domains Used for Magniber Distribution in Korea (lien direct) |
On November 7th, the ASEC analysis team introduced through a blog post the Magniber ransomware which attempted MOTW (Mark of the Web) bypassing. Afterward, using the data left in Zone.Identifier, we conducted an investigation on the sources used for the distribution of Magniber. With the typosquatting method-which exploits typos-when the user accesses the wrongly entered domain, the msi file (Magniber) is downloaded after redirecting to an advertisement page. Examination of Zone.Identifier created at this stage reveals the URL from where...
|
Ransomware
|
|
★★
|
|
2022-11-28 05:52:14 |
LockBit Ransomware Being Mass-distributed With Similar Filenames (lien direct) |
The ASEC analysis team had written about LockBit ransomware being distributed through emails over three blog posts. Through consistent monitoring, we hereby let you know that LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their filenames. Unlike the previous cases introduced in the blog where Word files or copyright claim emails were used, the recent versions are being distributed through phishing mails disguised as job applications. LockBit Ransomware Being Distributed Using Resume and Copyright-related...
|
Ransomware
|
|
★★
|
|
2022-11-25 00:51:25 |
(Déjà vu) ASEC Weekly Malware Statistics (November 14th, 2022 – November 20th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 14th, 2022 (Monday) to November 20th (Sunday). For the main category, downloader ranked top with 53.2%, followed by backdoor with 24.1%, Infostealer with 21.1%, ransomware with 1.0%, CoinMiner with 0.4%, and banking malware with 0.2%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 30.5%. The malware is...
|
Ransomware
Malware
|
|
★★
|
|
2022-11-25 00:06:13 |
Wiki Ransomware Being Distributed in Korea (lien direct) |
Through the AhnLab ASD infrastructure’s history of blocking suspicious ransomware behavior, the ASEC analysis team has identified the distribution of Wiki ransomware, which has been determined to be a variant of Crysis ransomware, disguised as a normal program. Before performing the actual encryption, Wiki ransomware copies itself into the %AppData% or %windir%\system32 paths and undergoes a process of increasing the infection success rate of the ransomware by adding itself to the registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) to be registered as one of the...
|
Ransomware
|
|
|
|
2022-11-24 23:58:36 |
Koxic Ransomware Being Distributed in Korea (lien direct) |
It has been discovered that Koxic ransomware is being distributed in Korea. It was first identified earlier this year, and recently, the team found that a file with a modified appearance and internal ransom note had been detected and blocked via the ASD infrastructure. When infected, the “.KOXIC_[random string]” extension is added to the names of the encrypted files, and a TXT file ransom note is generated in each directory. The filename of the ransom note is as follows. The...
|
Ransomware
|
|
|
|
2022-11-16 03:54:28 |
(Déjà vu) ASEC Weekly Malware Statistics (November 7th, 2022 – November 13th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 7th, 2022 (Monday) to November 13th (Sunday). For the main category, downloader ranked top with 37.8%, followed by Infostealer with 27.1%, banking malware with 22.9%, backdoor with 11.2%, ransomware with 0.5%, and CoinMiner with 0.5%. Top 1 – Emotet Emotet which has resurfaced after six months ranked first place with 22.9%. Emotet...
|
Ransomware
Malware
|
|
|
|
2022-11-16 03:54:04 |
DAGON LOCKER Ransomware Being Distributed (lien direct) |
It was discovered that the DAGON LOCKER ransomware (hereinafter referred to as “DAGON”) is being distributed in Korea. It was first found through AhnLab ASD infrastructure’s suspicious ransomware behavior block history. In October, it was also reported to AhnLab as a suspicious file by a Korean organization. DAGON is commonly distributed through phishing mails or as an attachment to emails, but because it is a ransomware-as-a-service, the distribution route and target can vary according to the threat actor. As the...
|
Ransomware
Threat
|
|
|
|
2022-11-11 05:47:58 |
Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web) (lien direct) |
The ASEC analysis team uploaded a post on October 25th to inform the users of the changes that have been made to the Magniber ransomware. Magniber, which is still actively being distributed, has undergone many changes to evade the detection of anti-malware software. Out of these changes, this blog will cover the script format found from September 8th to September 29th, 2022, which bypassed Mark of the Web (MOTW), a feature offered by Microsoft that identifies the source of files....
|
Ransomware
|
|
|
|
2022-11-10 05:50:39 |
(Déjà vu) ASEC Weekly Malware Statistics (October 31st, 2022 – November 6th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 31st, 2022 (Monday) to November 6th (Sunday). For the main category, downloader ranked top with 64.8%, followed by infostealer with 25.9%, backdoor with 6.6%, ransomware with 2.2%, and CoinMiner with 0.4%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 39.6%. The malware is distributed via malware disguised...
|
Ransomware
Malware
|
|
|
|
2022-11-10 05:49:05 |
Penetration and Distribution Method of Gwisin Attacker (lien direct) |
The attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means such as SFTP, WMI, integrated management solution, and IIS web service to distribute the ransomware into the internal infrastructure. In this confirmed case, they used the IIS web service to distribute Gwisin ransomware. How Gwisin Attacker Penetrates a Server Unlike other...
|
Ransomware
|
|
|
|
2022-11-08 00:35:33 |
(Déjà vu) LockBit 3.0 Being Distributed via Amadey Bot (lien direct) |
The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it is being sold in illegal forums and still being used by various attackers. It was used in the past to install ransomware by attackers of GandCrab or to install FlawedAmmyy by the TA505 group which...
|
Ransomware
Malware
|
|
|
|
2022-11-03 05:23:46 |
(Déjà vu) ASEC Weekly Malware Statistics (October 24th, 2022 – October 30th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 24th, 2022 (Monday) to October 30th (Sunday). For the main category, Infostealer ranked top with 43.2%, followed by downloader with 34.7%, backdoor with 19.4%, and ransomware with 2.2%. Top 1 – Agent Tesla AgentTesla is an Infostealer that ranked first place with 22.1%. It is an Infostaler that leaks user credentials saved in...
|
Ransomware
Malware
|
|
|
|
2022-11-03 05:23:28 |
Surtr Ransomware Being Distributed in Korea (lien direct) |
Through internal monitoring, the ASEC analysis team has recently discovered that Surtr ransomware is being distributed. This ransomware encrypts files, then adds a “[DycripterSupp@mailfence.com].[<random string>].Surtr” file extension to the original file extension name. When Surtr ransomware infects a system, it changes the desktop image of the infected PC and creates a ransom note (See Figures 1 and 2) to inform the user of the ransomware infection. Surtr also creates ransom note files (SURTR_README.hta and SURTR_README.txt) in folders containing the infected...
|
Ransomware
|
|
|
|
2022-11-02 01:22:25 |
Elbie Ransomware Being Distributed in Korea (lien direct) |
The ASEC analysis team has identified through internal monitoring that the Elbie ransomware is being distributed under the disguise of ieinstal.exe, an Internet Explorer Add-on installation program. The initial executable decodes the internal data into an executable that performs the actual ransomware behavior (See Figure 2). Afterward, the decoded executable is injected into the process which has run recursion, and it checks whether the user PC uses the VM environment. The injected and executed ransomware drops a copy into the...
|
Ransomware
|
|
|
|
2022-10-27 00:16:33 |
(Déjà vu) ASEC Weekly Malware Statistics (October 17th, 2022 – October 23rd, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 17th, 2022 (Monday) to October 23rd (Sunday). For the main category, info-stealer ranked top with 52.7%, followed by downloader with 37.0%, backdoor with 8.8%, ransomware with 1.0%, and banking malware with 0.5%. Top 1 – Agent Tesla AgentTesla is an infostealer that ranked first place with 23.4%. It is an info-stealer that leaks...
|
Ransomware
Malware
|
|
|
|
2022-10-25 00:52:47 |
(Déjà vu) ASEC Weekly Malware Statistics (October 10th, 2022 – October 16th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 10th, 2022 (Monday) to October 16th, 2022 (Sunday). For the main category, downloader ranked top with 44.4%, followed by info-stealer with 41.7%, backdoor with 12.5%, ransomware with 0.9%, and CoinMiner with 0.5%. Top1. SmokeLoader Smokeloader is infostealer / downloader malware that is distributed via exploit kits. This week, it ranked first place...
|
Ransomware
Malware
|
|
|
|
2022-10-25 00:43:50 |
Rapidly Evolving Magniber Ransomware (lien direct) |
The Magniber ransomware has recently been evolving rapidly. From changing its file extension, injection and to UAC bypassing techniques, the Magniber ransomware has been rapidly changing to bypass the detection of anti-malware software. This article summarizes the evolution of the Magniber ransomware in the last few months based on the analysis that had been previously performed. Table 1 shows the major characteristics of the distributed Magniber ransomware files by date. It had been distributed as five different file extensions (msi,...
|
Ransomware
|
|
|
|
2022-10-21 02:30:43 |
Attackers Abusing Various Remote Control Tools (lien direct) |
Overview Ordinarily, attackers install malware through various methods such as spear phishing emails with a malicious attachment, malvertising, vulnerabilities, and disguising the malware as normal software and uploading them to websites. The malware that is installed include infostealers which steal information from the infected system, ransomware which encrypts files to demand ransom, and DDoS Bots which are used in DDoS attacks. In addition to these, backdoor and RAT are also major malware programs used by attackers. Backdoor malware is installed...
|
Ransomware
Malware
|
|
|
|
2022-10-18 23:44:15 |
(Déjà vu) ASEC Weekly Malware Statistics (October 3rd, 2022 – October 9th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 3rd, 2022 (Monday) to October 9th, 2022 (Sunday). For the main category, downloader ranked top with 45.0%, followed by info-stealer with 39.6%, backdoor with 14.6%, ransomware with 0.4%, and CoinMiner with 0.4%. Top1. SmokeLoader Smokeloader is infostealer / downloader malware that is distributed via exploit kits. This week, it ranked first place...
|
Ransomware
Malware
|
|
|
|
2022-10-12 04:24:38 |
GlobeImposter Ransomware Being Distributed in Korea (lien direct) |
The ASEC analysis team has recently identified through internal monitoring that the GlobeImposter ransomware, which targets vulnerable MS-SQL servers, is being distributed. This GlobeImposter ransomware has also been mentioned in AhnLab TIP’s quarterly statistics, specifically in the ‘2022 1st and 2nd Quarter Statistical Report on Malware Targeting MS-SQL,’ and in the 2nd quarter, GlobeImposter took up 52.6% of ransomware targeting MS-SQL. It has been identified that the GlobeImposter ransomware is still appearing in the soon-to-be-released 3rd quarter statistics. This ransomware...
|
Ransomware
Malware
|
|
|
