Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed
On January 26th, 2022, the ASEC analysis team discovered that the Kimsuky group was using the xRAT (Quasar RAT-based open-source RAT) malware. xRAT GitHub address: https://github.com/tidusjar/xRAT. According to the logs collected by AhnLab’s ASD (AhnLab Smart Defense) infrastructure, the attacker installed a variant of Gold Dragon on the first
North Korea-related Hangul Word Processor (HWP) File Being Distributed
The ASEC analysis team has recently discovered that a North Korea-related HWP file was being distributed. The file does not exploit a vulnerability; instead, a hyperlink is inserted on the screen the user sees upon running the file, prompting the user to click, and upon clicking, executables
APT Attack Cases of Kimsuky Group (PebbleDash)
The ASEC analysis team has been keeping an eye on the trend of malware that attempts APT attacks, sharing findings on the blog. In this confirmed case, the PebbleDash backdoor was used in the attack, but logs of AppleSeed, Meterpreter, and other additional malware strains were also found. PebbleDash Backdoor The
North Korea-related Malicious Document Files Using CVE-2021-40444 Vulnerability
The ASEC analysis team has recently discovered the distribution of malicious files that exploit a new vulnerability, CVE-2021-40444, which was revealed by Microsoft in September. It is noteworthy that the confirmed document files are all North Korea-related materials. North Korea-related malicious files have continued to evolve in new ways. Seeing
Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)
This document is an analysis report on types of malware recently utilized by the Kimsuky group. The Kimsuky group is mainly known for launching social engineering attacks such as spear phishing. Judging by the names of the attached files, the group seems to be targeting those working in the fields
Malicious Word Files with External Links of Similar Domain Form
Most malicious Word files that have been discovered in attacks contained macros; however, the ASEC analysis team has discovered a case where an external link connecting to an active C2 was used in a superior attack process to execute the malicious Word macro. This method was introduced in a previous
Phishing PDF Files with CAPTCHA Screen Being Mass-distributed
Phishing PDF files that have CAPTCHA screens are rapidly being mass-distributed this year. A CAPTCHA screen appears upon running the PDF file, but it is not a valid CAPTCHA. It is simply an image with a link that redirects to a malicious URL. Related types that have been collected by
Discovery of Continuous Distribution of North Korea-related Malicious Word Files
The ASEC analysis team has discovered the continuous distribution of malicious Word files containing North Korea-related materials. The macro code inside the Word file is similar to the one that was introduced in the previous post, <Malicious Word File Disguised as ‘Purchase and Sales Agreement for Export-bound Gold Bars’>. The
Malicious HWP File with COVID-19 Relief Fund Related ‘Collection of Personal Information Consent Form’
The ASEC analysis team has discovered a malicious HWP file of a type that hasn’t been distributed for some time. The HWP file that was last posted in April had a malicious link object inserted inside, and it is the first time this year that a file inserted with malicious EPS was
APT Attacks Using Malicious Word File of a Particular Thesis
The ASEC analysis team discovered the distribution of malicious Word files disguised as a particular thesis in September. The discovered file is being distributed with the filename “Critical Analysis on ROK Defense Reform Utilizing Evolving Management Theories.doc” and it includes a malicious macro. The internal macro code is

