| Src |
Date (GMT) |
Titre |
Description |
Tags |
Stories |
Notes |
 |
2023-01-17 00:29:17 |
Phishing Web Server Identified Through an Impostor National Tax Service Email (lien direct) |
The ASEC analysis team recently discovered that a phishing email impersonating the National Tax Service was being distributed. This phishing email emphasizes the urgency of the company email password expiring on the same day, and it is being sent with a message urging recipients to extend their password duration before the account is locked. Figure 1. Original email Figure 2. Phishing site for entering account information Figure 3. Source code of the login page Clicking the hyperlink inserted to the...
|
|
|
★★
|
|
2023-01-13 04:32:36 |
(Déjà vu) ASEC Weekly Malware Statistics (January 2nd, 2023 – January 8th, 2023) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 2nd, 2023 (Monday) to January 8th, 2023 (Sunday). For the main category, downloader ranked top with 55.9%, followed by Infostealer with 21.3%, backdoor with 14.2%, ransomware with 7.9%, and CoinMiner with 0.8%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 32.3%. The malware is distributed via malware disguised...
|
Ransomware
Malware
|
|
★★
|
|
2023-01-13 00:52:34 |
Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack (lien direct) |
The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor. The threat actor that distributed this malware is the same person that distributed BitRAT and XMRig CoinMiner disguised as a Windows license verification tool on file-sharing sites.[1] The malware distributed by the threat actor has a similar form as those of the past, except for the fact that Orcus RAT was used instead of BitRAT. Furthermore, the new malware...
|
Malware
Tool
Threat
|
|
★★
|
|
2023-01-10 00:51:27 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (December 25th, 2022 – December 31st, 2022) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from December 25th, 2022 to December 31st, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2023-01-10 00:20:05 |
Web Page Disguised as a Kakao Login Page (lien direct) |
The ASEC analysis team recently identified a fake Kakao login page attempting to gain access to the account credentials of specific individuals. The specific route through which users first arrive on these pages is unknown, but it is assumed that users were led to log in via web on a page whose link is provided in phishing emails. When the user arrives on the web page, the ID of the Kakao account is autocompleted, as shown in Figure 1 below....
|
|
|
★★
|
|
2023-01-05 23:47:00 |
Distribution of NetSupport RAT Malware Disguised as a Pokemon Game (lien direct) |
NetSupport Manager is a remote control tool that can be installed and used by ordinary or corporate users for the purpose of remotely controlling systems. However, it is being abused by many threat actors because it allows external control over specific systems. Unlike backdoors and RATs (Remote Access Trojans), which are mostly based on command lines, remote control tools (Remote Administration Tools) place emphasis on user-friendliness, so they offer remote desktops, also known as GUI environments. Even though they may...
|
Malware
Tool
Threat
|
|
★★
|
|
2023-01-05 23:43:53 |
(Déjà vu) ASEC Weekly Malware Statistics (December 26th, 2022 – January 1st, 2023) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from December 26th, 2022 (Monday) to January 1st, 2023 (Sunday). For the main category, downloader ranked top with 48.8%, followed by backdoor with 24.2%, Infostealer with 18.4%, CoinMiner with 4.8%, ransomware with 3.4%, and lastly banking malware with 0.5%. Top 1 – SmokeLoader SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kits. This...
|
Ransomware
Malware
|
|
★★
|
|
2023-01-04 01:52:19 |
Shc Linux Malware Installing CoinMiner (lien direct) |
The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl. 1. Shc (Shell Script Compiler) Shc is an abbreviation for Shell Script Compiler and is responsible for...
|
Malware
|
|
★★
|
|
2023-01-03 06:58:47 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (December 18th, 2022 – December 24th, 2022) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from December 18th, 2022 to December 24th, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2023-01-03 00:36:00 |
How Infostealer Threat Actors Make a Profit (lien direct) |
Infostealer is a type of information-stealing malware with the goal of stealing user credentials such as the user account information, cryptocurrency wallet address, and files that are saved in programs such as web browsers and email clients. According to the ASEC report for Q3 2022, Infostealers make up more than half of malware types with executable formats reported by client companies or collected by AhnLab. As the downloader types also actually install Infostealers or backdoor-type malware, it can be said...
|
Malware
Threat
|
|
★★
|
|
2023-01-02 01:18:00 |
(Déjà vu) ASEC Weekly Malware Statistics (December 19th, 2022 – December 25th, 2022) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from December 19th, 2022 (Monday) to December 25th, 2022 (Sunday). For the main category, Infostealer ranked top with 37.3%, followed by downloader with 35.7%, backdoor with 23.9%, and ransomware with 3.1%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 23.3%. The malware is distributed via malware disguised as PUP installer....
|
Ransomware
Malware
|
|
★★
|
|
2022-12-27 23:35:42 |
Types of Recent .NET Packers and Their Distribution Trends in Korea (lien direct) |
0. Overview This post is a summary of the TI report, ‘Report on the Trends and Types of Recent .NET Packers.’ Please refer to the report in the hyperlink for more details on the topic. Recently, packers made with .NET are being found in various places both in and outside Korea. Thus, the ASEC analysis team aims to introduce the five most commonly distributed .NET packers and their distribution trends in Korea. We will overview the types of malware distributed...
|
Malware
|
|
★★★★
|
|
2022-12-26 05:08:29 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (December 11th, 2022 – December 17th, 2022) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from December 11th, 2022 to December 17th, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2022-12-26 04:51:42 |
(Déjà vu) ASEC Weekly Malware Statistics (December 12th, 2022 – December 18th, 2022) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from December 12th, 2022 (Monday) to December 18th, 2022 (Sunday). For the main category, downloader ranked top with 61.9%, followed by Infostealer with 24.7%, backdoor with 12.5%, and ransomware with 0.9%. Top 1 – SmokeLoader SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place with 28.9%. Like...
|
Ransomware
Malware
|
|
★★
|
|
2022-12-26 04:08:49 |
Caution! Malware Signed With Microsoft Certificate (lien direct) |
Microsoft announced details on the distribution of malware signed with a Microsoft certificate.[1] According to the announcement, a driver authenticated with the Windows Hardware Developer Program had been abused due to the leakage of multiple Windows developer accounts. To prevent damage, Microsoft blocked the related accounts and applied a security update (Microsoft Defender 1.377.987.0 or later). To prevent security risks, Windows only allows the loading of kernel mode drivers that are signed. If a driver is not signed, it cannot...
|
Malware
|
|
★★★
|
|
2022-12-22 01:49:54 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (December 4th, 2022 – December 10th, 2022) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from December 4th, 2022 to December 10th, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2022-12-22 01:46:08 |
Phishing Attacks Impersonating Famous Korean Banking Apps (lien direct) |
The ASEC analysis team recently identified that multiple malicious domains targeting normal websites of the financial sector had been created. From early November, we detected multiple distribution cases of phishing emails impersonating Naver Help. Through these, we had been monitoring the malicious URL that was included in these emails. The sender’s username was ‘Naver Center’ and the emails had a variety of topics to deceive users, including notifications for changes to contact details, creation of a new one-time password, login...
|
|
|
★★★
|
|
2022-12-22 01:22:41 |
Qakbot Being Distributed via Virtual Disk Files (*.vhd) (lien direct) |
There’s been a recent increase in the distribution of malware using disk image files. Out of these, the Qakbot malware has been distributed in ISO and IMG file formats, and the ASEC analysis team discovered that it has recently changed its distribution to the use of VHD files. Such use of disk image files (IMG, ISO, VHD) is seen to be Qakbot’s method of bypassing Mark of the Web (MOTW). Disk image files can bypass the MOTW feature because when the files inside...
|
Malware
|
|
★★★★
|
|
2022-12-22 01:16:00 |
Vidar Stealer Exploiting Various Platforms (lien direct) |
Vidar Malware is one of the active Infostealers, and its distribution has been significantly increasing. Its characteristics include the use of famous platforms such as Telegram and Mastodon as an intermediary C2. The link below is a post about a case where malicious behaviors were performed using Mastodon. Even afterward, Vidar saw continuous version updates while actively being distributed. In the recent samples in circulation, various other platforms such as Steam and TikTok were used aside from Telegram and Mastodon....
|
Malware
|
|
★★★
|
|
2022-12-22 01:03:21 |
Nitol DDoS Malware Installing Amadey Bot (lien direct) |
The ASEC analysis team recently discovered that a threat actor has been using Nitol DDoS Bot to install Amadey. Amadey is a downloader that has been in circulation since 2018, and besides extorting user credentials, it can also be used for the purpose of installing additional malware. Amadey is being actively distributed again this year, and even until very recently, it has been propagating itself on websites disguised as cracks and keygens for normal software and installing other malware on...
|
Malware
Threat
|
|
★★★
|
|
2022-12-15 06:10:39 |
(Déjà vu) ASEC Weekly Malware Statistics (December 5th, 2022 – December 11th, 2022) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from December 5th, 2022 (Monday) to December 11th, 2022 (Sunday). For the main category, downloader ranked top with 44.3%, followed by Infostealer with 28.2%, backdoor with 18.3%, ransomware with 8.5%, and CoinMiner with 0.7%. Top 1 – Amadey This week, Amadey Bot ranked first place with 15.9%. Amadey is a downloader that can receive commands...
|
Ransomware
Malware
|
|
★★
|
|
2022-12-15 06:04:55 |
Caution! Magniber Ransomware Restarts Its Propagation on December 9th With COVID-19 Related Filenames (lien direct) |
On December 9th, 2022, the ASEC analysis team discovered that Magniber Ransomware is being distributed again. During the peak of the COVID-19 outbreak, Magniber was found being distributed with COVID-19 related filenames alongside the previous security update related filenames. C:\Users\$USERS\Downloads\COVID.Warning.Readme.2f4a204180a70de60e674426ee79673f.msiC:\Users\$USERS\Downloads\COVID.Warning.Readme.502ef18830aa097b6dd414d3c3edd5fb.msiC:\Users\$USERS\Downloads\COVID.Warning.Readme.a179a9245f8e13f41d799e775b71fdff.msi Table 1. COVID-19 related filenames in circulation In the past, Magniber exploited Internet Explorer’s vulnerability to infect user PCs via Drive by Download which only required users to visit a web page. However, after Microsoft stopped supporting Internet Explorer, Magniber’s...
|
Ransomware
Vulnerability
|
|
★★★
|
|
2022-12-15 06:02:24 |
STOP Ransomware Being Distributed in Korea (lien direct) |
The ASEC analysis team discovered that the STOP ransomware is being distributed in Korea. This ransomware is being distributed at a very high volume that it is ranked among the Top 3 in the ASEC Weekly Malware Statistics (November 28th, 2022 – December 4th, 2022). The files that are currently being distributed are in the form of MalPe just like SmokeLoader and Vidar, and the filenames include a random 4-byte string as shown below. When the ransomware is executed, it first...
|
Ransomware
Malware
|
|
★
|
|
2022-12-12 23:20:32 |
(Déjà vu) ASEC Weekly Phishing Email Threat Trends (November 27th, 2022 – December 3rd, 2022) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 27th, 2022 to December 3rd, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2022-12-12 23:00:14 |
How Similar Is the Microsoft Account-stealing Phishing Page to the Actual Page? (lien direct) |
Many corporations and users both in and outside Korea use Microsoft accounts to use major services offered by Microsoft, including Outlook, Office, OneDrive, and Windows. Users use integrated login to easily access all Microsoft services linked to their account. What does this mean for the threat actor? There is no better target for attacks because there is a large volume of information that can be gained using just one account. Particularly in the case of users that handle sensitive information...
|
Threat
|
|
★★
|
|
2022-12-08 02:10:30 |
(Déjà vu) ASEC Weekly Malware Statistics (November 28th, 2022 – December 4th, 2022) (lien direct) |
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 28th, 2022 (Monday) to December 4th, 2022 (Sunday). For the main category, Infostealer ranked top with 34.8%, followed by downloader with 28.2%, backdoor with 21.1%, ransomware with 14.6%, and CoinMiner with 0.3%. Top 1 – SmokeLoader SmokeLoader is an infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place with...
|
Ransomware
Malware
|
|
★★
|
|
2022-12-08 01:39:28 |
Phishing Email Impersonating Quasi-governmental Organization Being Distributed (lien direct) |
The ASEC analysis team has recently detected the distribution of a phishing email impersonating a non-profit quasi-governmental organization. Since the email is using a webpage disguised as a login page of GobizKOREA serviced by Korea SMEs and Startups Agency (KOSME), users who are working in the trading industry should take extra caution. The figure below shows the email’s subject and body. It tells the reader that a new inquiry from a buyer was registered. Since all five hyperlinks in the...
|
|
|
★★
|
|
2022-12-08 01:29:09 |
ASEC Weekly Phishing Email Threat Trend (November 20th, 2022 – November 26th, 2022) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 20th, 2022 to November 26th, 2022 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users' login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act...
|
Threat
|
|
★★
|
|
2022-12-07 01:41:18 |
Malware Distributed with Disguised Filenames (RIGHT-TO-LEFT OVERRIDE) (lien direct) |
In August, the ASEC analysis team made a post on the malware being distributed with filenames that utilize RTLO (Right-To-Left Override). RTLO is a unicode that makes an override from right to left. This type of malware induces users to execute its files by mixing filenames with extensions, with its distribution still being continued to this day. RAT Tool Disguised as Solution File (*.sln) Being Distributed on Github As of November 30th, 2022, when the keywords based on the last...
|
Malware
Tool
|
|
★★★
|
|
2022-12-07 01:25:21 |
Phishing Email Disguised as a Well-Known Korean Airline (lien direct) |
The ASEC analysis team has recently discovered a phishing email that impersonates a well-known Korean airline to collect user credentials. The phishing email contains a notice on airline ticket payment, inducing the reader to connect to the disguised phishing page with specific ticket prices and details that implies that the sender has background information of the reader. The subject and the body of the email are shown below. When the attached HTML file is opened, a connection is made to...
|
|
|
★★★
|
|
2022-12-07 01:18:35 |
\'Resume.xll\' File Being Distributed in Korea (LockBit 2.0) (lien direct) |
In mid-2022, the ASEC analysis team shared that malware with the XLL file format (file extension: .xll) was being distributed via email. The XLL file has a DLL form of a PE (Portable Executable) file but is executed with Microsoft Excel. Since then, this type of malware had not been distributed actively, but for the first time in a long while, we found that it was being distributed with the filename, ‘Resume.xll‘. Post from May 20th, 2022: XLL Malware Distributed...
|
Malware
|
|
★★★
|
|
2022-12-02 00:54:11 |
(Déjà vu) ASEC Weekly Malware Statistics (November 21st, 2022 – November 27th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 21st, 2022 (Monday) to November 27th (Sunday). For the main category, downloader ranked top with 40.3%, followed by Infostealer with 35.8%, backdoor with 16.3%, ransomware with 7.2%, and CoinMiner with 0.4%. Top 1 – AgentTesla AgentTesla is an Infostealer that ranked first place with 17.3%. It leaks user credentials saved in web...
|
Ransomware
Malware
|
|
★★
|
|
2022-12-02 00:40:30 |
ASEC Weekly Phishing Email Threat Trend (November 13th, 2022 – November 19th, 2022 ) (lien direct) |
The ASEC analysis team monitors phishing email threats with the ASEC automatic analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 13th, 2022 to November 19th, 2022 and provide statistical information on each type. Additionally, we will introduce new types that were not detected before as well as emails to be cautious of with keywords to minimize harm to users. The phishing emails covered in this post will...
|
Threat
|
|
★★★
|
|
2022-11-30 01:37:55 |
Domains Used for Magniber Distribution in Korea (lien direct) |
On November 7th, the ASEC analysis team introduced through a blog post the Magniber ransomware which attempted MOTW (Mark of the Web) bypassing. Afterward, using the data left in Zone.Identifier, we conducted an investigation on the sources used for the distribution of Magniber. With the typosquatting method-which exploits typos-when the user accesses the wrongly entered domain, the msi file (Magniber) is downloaded after redirecting to an advertisement page. Examination of Zone.Identifier created at this stage reveals the URL from where...
|
Ransomware
|
|
★★
|
|
2022-11-30 01:03:39 |
Phishing Website Disguised as a Famous Korean Email Login Website Being Distributed (lien direct) |
The ASEC analysis team has identified the distribution of a malicious website in Korea that aims to steal account credentials from a famous Korean email service website. The phishing website the email is redirected to is disguised as a login page for a Korean email website, and over 50 cases in Korea were confirmed to have accessed the website. Thus users must take particular caution when logging into this email website. The phishing website is disguised as the login page...
|
|
|
★★★
|
|
2022-11-28 05:52:14 |
LockBit Ransomware Being Mass-distributed With Similar Filenames (lien direct) |
The ASEC analysis team had written about LockBit ransomware being distributed through emails over three blog posts. Through consistent monitoring, we hereby let you know that LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their filenames. Unlike the previous cases introduced in the blog where Word files or copyright claim emails were used, the recent versions are being distributed through phishing mails disguised as job applications. LockBit Ransomware Being Distributed Using Resume and Copyright-related...
|
Ransomware
|
|
★★
|
|
2022-11-28 05:37:32 |
How Is My Phone Number Leaked? (lien direct) |
The PERSONAL INFORMATION PROTECTION ACT is a law to protect the freedom and rights of individuals, and it aims to actualize the individual dignity and value of people. According to the act, personal information is defined as pieces of information that can easily identify an individual when coupled with other pieces of information, and phone numbers are seen as one of the main types of personal information. This post explains the PUP (Potentially Unwanted Program) that collects phone numbers. Figure...
|
|
|
★★
|
|
2022-11-25 00:51:25 |
(Déjà vu) ASEC Weekly Malware Statistics (November 14th, 2022 – November 20th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 14th, 2022 (Monday) to November 20th (Sunday). For the main category, downloader ranked top with 53.2%, followed by backdoor with 24.1%, Infostealer with 21.1%, ransomware with 1.0%, CoinMiner with 0.4%, and banking malware with 0.2%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 30.5%. The malware is...
|
Ransomware
Malware
|
|
★★
|
|
2022-11-25 00:42:22 |
Auto-Publishing and Auto-Reporting Programs for Blog Posts (lien direct) |
Spam programs are illegal programs according to the ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND INFORMATION PROTECTION. The ASEC analysis team previously published a blog post about a spam program sold as a marketing program. Today, we will introduce a program similar to the spam program covered in the past. The file collected under the filename of ‘Naver Blog Report Program.exe’ was developed with C#, just like the spam program covered in the previous blog post. Its...
|
Spam
|
|
|
|
2022-11-25 00:29:36 |
Word Documents Disguised as Normal MS Office URLs Being Distributed (lien direct) |
Recently, there has been a case of malware disguised as a Word document being distributed through certain paths (e.g. KakaoTalk group chats). The ASEC analysis team has discovered during our additional monitoring process that the URL used in the fake Word document is becoming very cleverly disguised to closely resemble the normal URL, and we wish to advise caution on the part of users. The currently identified filenames of the malicious Word documents are as follows.The real names of Koreans found...
|
Malware
|
|
|
|
2022-11-25 00:18:51 |
Malicious Word Document Being Distributed in Disguise of a News Survey (lien direct) |
The ASEC analysis team discovered that the Word document type identified in the blog, 'Malicious Word Files Targeting Specific Individuals Related to North Korea,' has recently been using FTP to leak user credentials. The filename of the identified Word document is 'CNA[Q].doc', disguised as a CNA Singaporean TV program interview. The file is password-protected and is deemed to be distributed as an attachment in emails alongside the password. The identified Word file contains information related to North Korea like the...
|
Threat
|
|
★★★
|
|
2022-11-25 00:06:13 |
Wiki Ransomware Being Distributed in Korea (lien direct) |
Through the AhnLab ASD infrastructure’s history of blocking suspicious ransomware behavior, the ASEC analysis team has identified the distribution of Wiki ransomware, which has been determined to be a variant of Crysis ransomware, disguised as a normal program. Before performing the actual encryption, Wiki ransomware copies itself into the %AppData% or %windir%\system32 paths and undergoes a process of increasing the infection success rate of the ransomware by adding itself to the registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) to be registered as one of the...
|
Ransomware
|
|
|
|
2022-11-24 23:58:36 |
Koxic Ransomware Being Distributed in Korea (lien direct) |
It has been discovered that Koxic ransomware is being distributed in Korea. It was first identified earlier this year, and recently, the team found that a file with a modified appearance and internal ransom note had been detected and blocked via the ASD infrastructure. When infected, the “.KOXIC_[random string]” extension is added to the names of the encrypted files, and a TXT file ransom note is generated in each directory. The filename of the ransom note is as follows. The...
|
Ransomware
|
|
|
|
2022-11-16 03:54:28 |
(Déjà vu) ASEC Weekly Malware Statistics (November 7th, 2022 – November 13th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 7th, 2022 (Monday) to November 13th (Sunday). For the main category, downloader ranked top with 37.8%, followed by Infostealer with 27.1%, banking malware with 22.9%, backdoor with 11.2%, ransomware with 0.5%, and CoinMiner with 0.5%. Top 1 – Emotet Emotet which has resurfaced after six months ranked first place with 22.9%. Emotet...
|
Ransomware
Malware
|
|
|
|
2022-11-16 03:54:04 |
DAGON LOCKER Ransomware Being Distributed (lien direct) |
It was discovered that the DAGON LOCKER ransomware (hereinafter referred to as “DAGON”) is being distributed in Korea. It was first found through AhnLab ASD infrastructure’s suspicious ransomware behavior block history. In October, it was also reported to AhnLab as a suspicious file by a Korean organization. DAGON is commonly distributed through phishing mails or as an attachment to emails, but because it is a ransomware-as-a-service, the distribution route and target can vary according to the threat actor. As the...
|
Ransomware
Threat
|
|
|
|
2022-11-14 01:42:56 |
A Dropper-Type Malware Bomb Being Distributed Again in the Disguise of Cracks (lien direct) |
The dropper malware which camouflaged itself as a crack is being actively distributed again after a period of dormancy. When this malware is executed, the affected system becomes infected with numerous malware programs simultaneously. This is effectively a malware “bomb.” Malware disguised as cracks for commercial software have been prevalent, which were either distributed in a “singular malware” format or “dropper malware” format. The ASEC analysis team is closely monitoring such malware distribution activities and has covered them multiple times...
|
Malware
|
|
|
|
2022-11-11 05:47:58 |
Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web) (lien direct) |
The ASEC analysis team uploaded a post on October 25th to inform the users of the changes that have been made to the Magniber ransomware. Magniber, which is still actively being distributed, has undergone many changes to evade the detection of anti-malware software. Out of these changes, this blog will cover the script format found from September 8th to September 29th, 2022, which bypassed Mark of the Web (MOTW), a feature offered by Microsoft that identifies the source of files....
|
Ransomware
|
|
|
|
2022-11-11 05:38:02 |
Emotet Being Distributed Again via Excel Files After 6 Months (lien direct) |
Over multiple blog posts, the ASEC analysis team has released information on the distribution of Emotet which had been modified in many different ways. It has recently been identified that the Emotet malware has become active again. Around six months have elapsed since the last active distribution. This post will examine the differences between the current Excel file and the one that had been distributed in the past. The common characteristics include the fact that it is distributed through an...
|
Malware
|
|
|
|
2022-11-11 05:26:49 |
(Déjà vu) HackHound IRC Bot Being Distributed via Webhards (lien direct) |
Webhards are the main platforms that the attackers targeting Korean users exploit to distribute malware. The ASEC analysis team has been monitoring malware types distributed through webhards and uploaded multiple blog posts about them in the past. Generally, attackers distribute malware through illegal programs such as adult games and crack versions of games. Those who use webhards as a distribution path typically install RAT type malware such as njRAT, UdpRAT, and DDoS IRC Bot. As shown in the cases covered...
|
Malware
|
|
|
|
2022-11-10 05:50:39 |
(Déjà vu) ASEC Weekly Malware Statistics (October 31st, 2022 – November 6th, 2022) (lien direct) |
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 31st, 2022 (Monday) to November 6th (Sunday). For the main category, downloader ranked top with 64.8%, followed by infostealer with 25.9%, backdoor with 6.6%, ransomware with 2.2%, and CoinMiner with 0.4%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 39.6%. The malware is distributed via malware disguised...
|
Ransomware
Malware
|
|
|
