AhnLab EDR Tracks and Responds against Link File (*.lnk) Distributing RokRAT Posted By Bellyoon , May 8, 2023 AhnLab Security Emergency response Center (ASEC) has shared information regarding the RedEyes threat group (also known as APT37, ScarCruft), who distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month. The LNK file contains a PowerShell command and performs malicious behavior without the knowledge of the individual who uses the normal pdf file by creating and executing script files along with normal files in the temp path. If a malicious LNK file is injected into a…
Tracking 3CX Supply Chain Breach Cases using AhnLab EDR Posted By muhan , May 8, 2023 Last March, 3CX supply chain breach cases were a global issue. AhnLab Security Emergency response Center (ASEC) has confirmed through the AhnLab Smart Defense (ASD) infrastructure that malware related to the 3CX supply chain were installed in Korea on March 9th and March 15th. The 3CX supply chain malware confirmed in this instance had loaded malicious DLLs disguised with the names of regular DLLs, ffmpeg.dll and d3dcompiler_47.dll, on the normal 3CXDesktopApp.exe process, allowing for malicious behavior to be carried out….
EDR Product Analysis of an Infostealer Posted By eastston , March 30, 2023 AhnLab Security Emergency response Center (ASEC) released an analysis report on an Infostealer that is being distributed through YouTube. Infostealer Being Distributed via YouTube As mentioned in the report, an Infostealer is being distributed through various platforms, and the leaked information is causing both direct and indirect harm to users. Understanding what information has been stolen and where it is being sent is crucial in order to minimize the damage caused by an Infostealer infection. AhnLab EDR keeps logs of…
Tracking Distribution Site of Magniber Ransomware Using EDR Posted By cka0 , February 17, 2023 AhnLab ASEC has been blocking the Magniber ransomware through various means since its distribution has continued even after, “Redistribution of Magniber Ransomware in Korea (January 28th),” was posted back in January. A particular finding at the time was that the ransomware used the <a> tag to bypass domain blocks. In order to detect this, we have researched response measures by tracking the distribution site URL through a different method. The team is working hard to prevent damages through means such…
Qakbot Being Distributed via OneNote Posted By muhan , February 15, 2023 Back in January, AhnLab ASEC published an analysis report on a malware strain that was being distributed through Microsoft (MS) OneNote. As mentioned in the report, there has recently been an increasing number of cases where commodity malware like Qakbot stopped using MS Office Macro, their past distribution method, and instead started to use OneNote to execute their malware. If you look at the Qakbot distribution via OneNote case that happened on February 1st, the threat actor distributed the OneNote…
