UDP RAT Malware Being Distributed via Webhards

While monitoring the distribution sources of malware in Korea, the ASEC analysis team found that UDP RAT malware disguised as an adult game is being distributed via webhards. Webhards and torrents are platforms commonly used for the distribution of malware in Korea. Attackers normally use easily obtainable malware such as njRAT and UDP RAT and disguise it as normal programs such as games or adult content for distribution. Similar cases were introduced in previous ASEC blogs multiple times: – njRAT…

VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group

While monitoring Kimsuky-related malware, the ASEC analysis team has recently discovered that VNC malware was installed via the AppleSeed remote control malware. VNC (Virtual Network Computing) is a screen sharing system used to remotely control other computers. Similar to the commonly used RDP, it is used to remotely access and control other systems. The Kimsuky group installs the AppleSeed backdoor on the target system after the initial compromise, then additionally installs VNC malware via AppleSeed to ultimately control the target system in…

ASEC Weekly Malware Statistics (October 4th, 2021 – October 10th, 2021)

The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post lists weekly statistics collected from October 4th, 2021 (Monday) to October 10th, 2021 (Sunday). For the main category, info-stealer ranked top with 68.4%, followed by Downloader with 12.6%, RAT (Remote Administration Tool) malware with 8.6%, Backdoor Downloader with 6.3%, Ransomware with 3.7%, and Banking malware with 0.3%. Top 1 – AgentTesla: AgentTesla was ranked first with 23.6%. It is…

Change in Magniber Ransomware Vulnerability (CVE-2021-40444)

Magniber is fileless ransomware that exploits an Internet Explorer vulnerability, and it is one of the ransomware families causing damage to numerous Korean users. Unless it is detected and blocked in advance, at the stage where the vulnerability is exploited, infection is difficult to prevent, and its fileless nature makes it difficult for anti-malware programs to detect. Magniber ransomware had been distributed using the CVE-2021-26411 vulnerability from March 15th, 2021 until recently, but on September 16th it was discovered to have switched to the CVE-2021-40444 vulnerability. This…

Makop Ransomware Disguised as Resume Being Distributed in Korea

The ASEC analysis team has recently confirmed that Makop ransomware disguised as a resume is being distributed to Korean users. Makop ransomware is malware that has been continuously modified and distributed since last year. It has been introduced in previous ASEC blogs and still takes the form of an NSIS (Nullsoft Scriptable Install System) installer. It appears to be disguised as a resume in order to target recruitment managers during the companies' recruiting season. Given that this ransomware was distributed…