Excel 4.0 Macro with Various Images being Distributed

The ASEC analysis team found that malicious Excel files using Excel 4.0 macros (formula macros) have been continually distributed. The malware has been distributed indiscriminately through e-mails since May, and as it is still being discovered today, users should exercise caution. The malicious Excel files include images that prompt users to enable macros. Figures below show the files that are currently being distributed. The malware sets particular cells with Auto_Open in the Name Manager. When macros are enabled,…

Continuously Changing Malicious Word Macro Being Distributed – Trend of TA551

The ASEC analysis team has been continuously updating the blog with information on malicious macro files and has been urging users to exercise caution. This post will introduce a type of Word macro file recently distributed by the attack group TA551, which changes about once a week on average. To distribute malware, the group usually sends documents that contain malicious macros by email. The operation method of the DOC file that downloads additional malware after dropping an HTA file…

ASEC Weekly Malware Statistics (July 5th, 2021 – July 11th, 2021)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from July 5th, 2021 (Monday) to July 11th, 2021 (Sunday). For the main category, info-stealer ranked top with 53.4%, followed by CoinMiner malware with 15.5%, RAT (Remote Administration Tool) malware with 14.4%, downloader with 12.9%, ransomware with 2.7%, and DDoS with 0.8%.

Top 1 – Glupteba

Glupteba is a malware developed with Golang, taking…

Kaseya VSA Supply Chain Ransomware Attacks (REvil Gang)

The ransomware attack that leveraged a vulnerability in VSA (a cloud-based management service that can manage various patches and perform client monitoring), made by Kaseya, an IT solutions developer for enterprises and managed service providers (MSPs), turned out to involve BlueCrab (Sodinokibi) ransomware, which is being actively distributed in Korea as well. The figure below shows a desktop infected with the ransomware, which displays the same screen as the BlueCrab being widely spread in Korea. Unlike BlueCrab well-known in…

Malicious Word Documents Pretending ‘Korea Association for Political and Diplomatic History’ and ‘Policy Advisory Member Profile’ Being Distributed

As shown below, the ASEC analysis team introduced on two occasions that malicious Word documents with titles ‘Compensation Claim Form’ and ‘Summer Academic Conference Profile Template’ were being distributed. While monitoring similar attack types, the team found evidence that the creator of the documents distributed new Word documents in June and on July 1st.

Titles of newly discovered malicious Word documents

The National Unification Advisory Council-Korea Association for Political and Diplomatic History Joint Academic Conference Program (Finalized).docx – Additional discovery in…