FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers

The ASEC analysis team is constantly monitoring malware distributed to vulnerable MS-SQL servers. The analysis team has recently discovered the distribution of FARGO ransomware that is targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets vulnerable MS-SQL servers. In the past, it was also called the Mallox because it used the file extension .mallox. – [ASEC Blog] Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers– [ASEC Blog] Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers…

Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD

Since 2009, Lazarus Group, known to be a group of hackers in North Korea, has been attacking not only Korea but various countries of America, Asia, and Europe. According to AhnLab’s ASD (AhnLab Smart Defense) infrastructure, in early 2022, the Lazarus Group performed APT (Advanced Persistent Threat) attacks on Korea’s defense, finance, media, and pharmaceutical industries. AhnLab closely tracked these APT attacks and discovered that these attacks incapacitate security products in the attack process. An analysis of the attack process…

Video of Blocking Latest Magniber Ransomware Using V3 (AMSI + Memory Scan)

The ASEC analysis team introduced the Magniber variants in the blog posted on September 15th. From September 16th, the Magniber ransomware script, whilst still a javascript, has its file extension changed from *.jse to *.js. As Magniber changed to javascript starting September 8th, its operational method has also changed from the previous method. The currently distributed javascript file contains a .NET DLL (see Figure 2), and injects the Magniber shell code into currently running processes. The overall operation flow of…

ASEC Weekly Malware Statistics (September 5th, 2022 – September 11th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 5th, 2022 (Monday) to September 11th, 2022 (Sunday). For the main category, info-stealer ranked top with 47.1%, followed by downloader with 32.7%, backdoor with 12.5%, and ransomware with 7.7%. Top 1 – GuLoader GuLoader, which ranked first place with 21.1%, is a downloader malware that downloads additional malware and runs it. It…

Change in Magniber Ransomware (*.cpl → *.jse) – September 8th

After Magniber changed its method of distribution from an MSI format to a CPL format on July 20th, it has been monitored to show decreased distribution activity as of mid-August. While continuously monitoring for changes, the ASEC analysis team found that the distribution format of Magniber has changed from *.CPL (DLL type) to *.JSE (script) format starting from September 8th, 2022. As Magniber is one of the most damaging ransomware to Korean users and is employing various methods to bypass…