AhnLab Detection

CoinMiner Distribution Process within Infiltrated Systems (Detected by EDR)

AhnLab Security Emergency Response Center (ASEC) has identified the process through which threat actors install CoinMiners, which utilize a compromised system’s resources for cryptocurrency mining. This post will cover how the AhnLab EDR product detects the installation process of CoinMiners that use system resources for cryptocurrency mining. Figure 1. Execution of command from threat actor   Figure 1 shows that the threat actor used the same command consistently on the infiltrated system. It shows a PowerShell script was detected being…

Downloader Disguised With Contents on Violation of Intellectual Property Rights (Detected by MDS)

On August 28, AhnLab Security Emergency response Center (ASEC) discovered circumstances of a downloader in distribution disguised with contents regarding the violation of intellectual property rights, targeting unspecified masses in Korea. The distributed malware included a code that detects virtual environments to evade sandbox-based security solutions and was a .NET-type that downloads the MainBot malware. Judging from the file information collected by AhnLab Smart Defense (ASD) and VirusTotal, it seems that Korea and Taiwan were the target destinations for distribution….

Tracking Fileless Malware Distributed Through Spam Mails

AhnLab Security Emergency response Center (ASEC) has discovered a phishing campaign that propagates through spam mails and executes a PE file (EXE) without creating the file into the user PC. The malware attachment in the hta extension ultimately executes malware strains such as AgentTesla, Remcos, and LimeRAT. This blog post will explain the distribution process flow from the spam mail to the final binary, as well as the techniques employed.  Figure 1 shows the main text of the spam mail…

GuLoader Malware Disguised as Tax Invoices and Shipping Statements (Detected by MDS Products)

AhnLab Security Emergency response Center (ASEC) has identified circumstances of GuLoader being distributed as attachments in emails disguised with tax invoices and shipping statements. The recently identified GuLoader variant was included in a RAR (Roshal Archive Compressed) compressed file. When a user executes GuLoader, it ultimately downloads known malware strains such as Remcos, AgentTesla, and Vidar. AhnLab’s MDS products provide a Mail Transfer Agent (MTA) feature to block malware distributed via email. Figure 3 below shows the GuLoader malware detection…

Changes Detected in CHM Malware Distribution

AhnLab Security Emergency response Center (ASEC) has previously covered a CHM malware type impersonating Korean financial institutes and insurance companies. Recently, the execution method of this malware type has been changing every week. This post will cover how the changed execution processes of the CHM malware are recorded in AhnLab’s EDR products. Figure 1 shows the detection diagram in EDR products on the execution method of the CHM malware impersonating financial institutes and insurance companies. The diagram for the initial distribution…