Malware Disguised as Normal Installation File of a Korean Development Company – EDR Detection

AhnLab Security Emergency response Center (ASEC) has previously covered malware that is dropped by the installation file of a Korean program development company.

Sliver C2 Being Distributed Through Korean Program Development Company

When malware is distributed alongside a legitimate installation file, users have little reason to notice that the malware is running at the same time as the installer. In addition, because the malware operates filelessly, injected into a normal program rather than written to disk as its own executable, signature-based anti-malware products have difficulty detecting it.

Endpoint Detection & Response (EDR), however, records and reports suspicious behaviors occurring on endpoints, so it can keep up with the evolving evasion techniques of such malware. By detecting suspicious behaviors such as the ones listed below, security administrators can be alerted to these techniques.

The threat actor downloaded additional malware and used the normal process powershell.exe to carry out malicious behaviors, injecting into the normal program Notepad (notepad.exe).
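The behavior chain described above (a script host downloading content, then injecting into notepad.exe, which then carries the malicious activity) is exactly what a behavior-based detection sees even when no malicious file ever touches disk. The following is an added example, not ASEC's or AhnLab EDR's code: a small correlation routine run over constructed Sysmon-style telemetry (Event ID 1 process creation, 3 network connection, 8 CreateRemoteThread). The hosts, PIDs, IP addresses, the installer name `Setup.exe`, and the assumption that the installer launched PowerShell directly are all made up for illustration; the field names are simplified from Sysmon's schema.

```python
"""Behavior-based detection of fileless injection via powershell.exe.

Added example, not ASEC's or AhnLab EDR's own detection logic.
Events are constructed to mirror the chain in the post: a process
downloads over the network via powershell.exe, which then injects
into notepad.exe, after which notepad.exe talks to the network.
"""
import ntpath

# Constructed paths/PIDs/IPs (assumptions for illustration only).
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
SETUP = r"C:\Users\user\Downloads\Setup.exe"          # hypothetical installer
EXPLORER = r"C:\Windows\explorer.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed Sysmon-style telemetry. EventID 1 = process create,
# 3 = network connect, 8 = CreateRemoteThread. The installer spawning
# PowerShell is an assumption, not something the post states.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1200, "Image": SETUP, "ParentProcessId": 900,
     "ParentImage": EXPLORER, "CommandLine": SETUP},
    {"EventID": 1, "ProcessId": 1300, "Image": POWERSHELL, "ParentProcessId": 1200,
     "ParentImage": SETUP,
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventID": 3, "ProcessId": 1300, "Image": POWERSHELL,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 1400, "Image": NOTEPAD, "ParentProcessId": 1300,
     "ParentImage": POWERSHELL, "CommandLine": "notepad.exe"},
    {"EventID": 8, "ProcessId": 1300, "Image": POWERSHELL, "TargetProcessId": 1400,
     "TargetImage": NOTEPAD, "StartAddress": "0x00000206C1D40000"},
    {"EventID": 3, "ProcessId": 1400, "Image": NOTEPAD,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign noise: a user-launched Notepad and a browser connection.
    {"EventID": 1, "ProcessId": 1500, "Image": NOTEPAD, "ParentProcessId": 900,
     "ParentImage": EXPLORER, "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 3, "ProcessId": 1600, "Image": CHROME,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
HIDDEN_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def process_chain(pid, creations):
    """Walk ParentProcessId links back to the root; names are root-first.

    If a parent's own creation event is missing from telemetry, the
    ParentImage recorded on the child is used as the root instead.
    """
    chain, seen = [], set()
    while pid in creations and pid not in seen:
        seen.add(pid)
        ev = creations[pid]
        chain.append(image_name(ev["Image"]))
        pid = ev["ParentProcessId"]
        if pid not in creations:
            chain.append(image_name(ev["ParentImage"]))
    return list(reversed(chain))


def detect(events):
    """Return alerts for the script-host -> injection -> beacon pattern."""
    creations = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    injected = {}  # target pid -> pid that created a remote thread in it
    alerts = []
    for e in events:
        name = image_name(e["Image"])
        if e["EventID"] == 1 and name in SCRIPT_HOSTS:
            cmd = e["CommandLine"].lower()
            if any(flag in cmd for flag in HIDDEN_FLAGS):
                alerts.append({"rule": "hidden_or_encoded_script_host", "pid": e["ProcessId"],
                               "chain": process_chain(e["ProcessId"], creations)})
        elif e["EventID"] == 3 and name in SCRIPT_HOSTS:
            # A script host fetching content: the "download additional malware" step.
            alerts.append({"rule": "script_host_network", "pid": e["ProcessId"],
                           "chain": process_chain(e["ProcessId"], creations)})
        elif e["EventID"] == 8 and name != image_name(e["TargetImage"]):
            # Remote thread created in another image: classic injection signal.
            injected[e["TargetProcessId"]] = e["ProcessId"]
            alerts.append({"rule": "remote_thread_injection", "pid": e["ProcessId"],
                           "target": image_name(e["TargetImage"]),
                           "chain": process_chain(e["TargetProcessId"], creations)})
        elif e["EventID"] == 3 and e["ProcessId"] in injected:
            # Network traffic from a process that was injected into earlier.
            alerts.append({"rule": "injected_process_network", "pid": e["ProcessId"],
                           "chain": process_chain(e["ProcessId"], creations)})
    return alerts


def describe(alert):
    """One-line flow rendering, e.g. 'rule: explorer.exe > setup.exe > ...'."""
    return f"{alert['rule']}: {' > '.join(alert['chain'])}"


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(describe(alert))
```

The user-launched Notepad (PID 1500) and the browser connection produce no alerts, while the injected Notepad is tied back to `explorer.exe > setup.exe > powershell.exe > notepad.exe`, which is the kind of process flow an EDR console would present. In production, CreateRemoteThread and script-host network events are noisy on their own, so the value lies in correlating them, as done here, rather than alerting on any single event.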

As described above, the malware creator performs a normal installation so that the malware is hard for users to notice, and either develops variants to bypass signature-based detection or carries out the infection through a normal process in a fileless format. EDR, however, detects such suspicious behaviors and presents the threat to administrators as a clear flow chart.

MD5

10298c1ddae73915eb904312d2c6007d
1906bf1a2c96e49bd8eba29cf430435f
23f72ee555afcd235c0c8639f282f3c6
27a24461bd082ec60596abbad23e59f2
499f0d42d5e7e121d9a751b3aac2e3f8
