Infostealer Distributed via CHM Files Posted By eastston , July 28, 2023 AhnLab Security Emergency response Center (ASEC) previously covered CHM-type malware strains impersonating security companies and financial institutes. This post will cover recently identified CHM strains impersonating Korean financial institutes and insurance companies as they were found being distributed to steal information. The distribution occurred on the 17th (Monday), when statements are regularly sent to users whose payment schedule to financial institutes falls on the 25th of each month. It is certainly possible for those who have the same schedule to…
PurpleFox Being Distributed via MS-SQL Servers Posted By muhan , July 24, 2023 Using AhnLab Smart Defense (ASD) infrastructure, AhnLab Security Emergency response Center (ASEC) has recently discovered the PurpleFox malware being installed on poorly managed MS-SQL servers. PurpleFox is a Loader that downloads additional malware and is known to mainly install CoinMiners. Particular caution is advised because the malware also includes a rootkit feature to conceal itself. The initial infiltration method of the recently identified PurpleFox malware involves targeting poorly managed MS-SQL servers. The threat actor executed PowerShell through sqlservr.exe, which is…
Distribution of NetSupport Malware Using Email Posted By ohmintaek , July 7, 2023 NetSupport RAT is being used by various threat actors. These are distributed through spam emails and phishing pages disguised as documents such as Invoices, shipment documents, and PO (purchase orders). Distribution via phishing pages has been covered on this Blog in the past. [1] AhnLab Security Emergency response Center(ASEC) discovered NetSupport RAT being distributed via a spear phishing email that has recently been in circulation. This post will cover the action flow from its distribution via phishing emails and its…
Tracking Process Hollowing Malware Using EDR Posted By ohmintaek , June 1, 2023 AhnLab Security Emergency response Center (ASEC) once released a report on the types and distribution trends of .NET packers as shown in the post below. As indicated in the report, most .NET packers do not create actual malicious executables hidden via packing features in the local path, injecting malware in normal processes to run them instead. .NET packers are being exploited as initial distribution files or as mid-process loaders for various malware types such as Remcos, FormBook, ScrubCypt, AsyncRAT, etc. It…
Tracking Traces of Malware Disguised as Hancom Office Document File and Being Distributed (RedEyes) Posted By eastston , June 1, 2023 AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of malware disguised as Hancom Office document files. The malware that is being distributed is named “Who and What Threatens the World (Column).exe” and is designed to deceive users by using an icon that is similar to that of Hancom Office. Decompressing the compressed file reveals a relatively large file with a size of 36,466,238 bytes. AhnLab Endpoint Detection and Response (EDR) is capable of detecting such attack techniques through its…
