APT Attack Being Distributed as Windows Help File (*.chm)

APT Attack Being Distributed as Windows Help File (*.chm)

The ASEC analysis team has recently discovered the distribution of malware disguised as a Windows Help File (*.chm), specifically targeting Korean users. The CHM file is a compiled HTML Help file that is executed via the Microsoft® HTML help executable program. The recently discovered CHM file downloads additional malicious files

Malicious HWP File Disguised as Press Release of 20th Presidential Election Early Voting for Sailors Being Distributed

Malicious HWP File Disguised as Press Release of 20th Presidential Election Early Voting for Sailors Being Distributed

The ASEC analysis team has discovered distribution of malicious HWP file disguised as “Press Release of 20th Presidential Election Early Voting for Sailors” as the presidential election draws near. The attacker distributed the malicious HWP file on February 28th, and though the team could not get the file in the

APT Attack Attempts Disguised as North Korea Related Paper Requirements (Kimsuky)

APT Attack Attempts Disguised as North Korea Related Paper Requirements (Kimsuky)

The ASEC analysis team has recently discovered the distribution of malicious Word (DOC) files to graduate school professors that are disguised as North Korea-related paper requirements. The name of the Word file is shown below. The term ‘KIMA’ mentioned in the filename is the name of the monthly magazine specializing

Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed

Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed

On January 26th, 2022, the ASEC analysis team has discovered that the Kimsuky group was using the xRAT (Quasar RAT-based open-source RAT) malware. xRAT Github Address: https://github.com/tidusjar/xRAT According to the logs collected by AhnLab’s ASD (AhnLab Smart Defense) infrastructure, the attacker installed a variant of Gold Dragon on the first

North Korea-related Hangul Word Processor (HWP) File Being Distributed

North Korea-related Hangul Word Processor (HWP) File Being Distributed

The ASEC analysis team has recently discovered that North Korea-related HWP file was being distributed. The operation method is not through a vulnerability, but instead, a hyperlink is inserted on the screen the user is exposed to upon running the file, prompting the user to click, and upon clicking, executables

APT Attack Cases of Kimsuky Group (PebbleDash)

APT Attack Cases of Kimsuky Group (PebbleDash)

The ASEC analysis team has been keeping an eye on the trend of malware that attempts APT attacks, sharing findings on the blog. In this confirmed case, PebbleDash backdoor was used in the attack, but logs of AppleSeed, Meterpreter, and other additional malware strains were also found. PebbleDash Backdoor The

North Korea-related Malicious Document Files Using CVE-2021-40444 Vulnerability

North Korea-related Malicious Document Files Using CVE-2021-40444 Vulnerability

The ASEC analysis team has recently discovered the distribution of malicious files that include a new vulnerability CVE-2021-40444 which was revealed by Microsoft in September. It is noteworthy that the confirmed document files are all North Korea-related materials. North Korea-related malicious files have been evolving in new ways since the past. Seeing

Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)

Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)

This document is an analysis report on types of malware recently utilized by the Kimsuky group. The Kimsuky group is mainly known for launching social engineering attacks such as spear phishing. Judging by the names of the attached files, the group seems to be targeting those working in the fields

Malicious Word Files with External Links of Similar Domain Form

Malicious Word Files with External Links of Similar Domain Form

Most malicious Word files that have been discovered in attacks contained macro, however, the ASEC analysis team has discovered a case where an external link connecting to an active C2 was used in a superior attack process to execute the malicious Word macro. This method was introduced in a previous

Phishing PDF Files with CAPTCHA Screen Being Mass-distributed

Phishing PDF Files with CAPTCHA Screen Being Mass-distributed

Phishing PDF files that have CAPTCHA screens are rapidly being mass-distributed this year. A CAPTCHA screen appears upon running the PDF file, but it is not an invalid CAPTCHA. It is simply an image with a link that redirects to a malicious URL. Related types that have been collected by