Play Ransomware Attack Cases Detected by AhnLab EDR

Play ransomware, also known as Balloonfly or PlayCrypt, was first identified in June 2022 and has reportedly attacked over 300 organizations worldwide since then. A notable characteristic of the ransomware, which remains actively in use, is its addition of the “.PLAY” extension to files following encryption. Like other ransomware threat

Proxy Tools Detected by AhnLab EDR

After gaining control over infected systems, threat actors may also perform remote screen control using RDP. This is partly for convenience but can also serve the purpose of maintaining persistence. If the RDP service is not active during the attack process, threat actors may install RDP Wrappers, steal existing account

Infected Systems Controlled Through Remote Administration Tools – Detected by EDR (2)

Remote administration tools, also known as RATs, are software that provides the ability to manage and control terminals at remote locations. Recently, there has been an increase in cases where remote administration tools are installed instead of backdoor malware during the initial access or lateral movement phases to control the

BlueKeep Attack Detected by AhnLab EDR

BlueKeep (CVE-2019-0708) is a vulnerability revealed in May 2019, occurring during the Remote Desktop Protocol (RDP) connection process between a client and server. When a client sends a malicious packet through a specific channel (MS_T120), a Use-After-Free vulnerability occurs, allowing remote code execution.[1] This vulnerability has been discussed on the

BPFDoor Linux Malware Detected by AhnLab EDR

BPFDoor is a backdoor that uses the Berkeley Packet Filter (BPF); it was first revealed in a threat report by PwC in 2021 [1]. According to the report, the China-based threat actor Red Menshen has been using BPFDoor for several years in attacks targeting the Middle East and Asia regions, with its source

Linux Persistence Techniques Detected by AhnLab EDR (1)

Persistence techniques refer to methods employed by threat actors to maintain a connection to the target system after infiltration. As a single breach may not be enough to achieve all their goals, threat actors look for ways to re-access the system. Persistence can be maintained by configuring the malware to

SnakeKeylogger Malware Detected by AhnLab EDR

1. Overview

SnakeKeylogger, an infostealer created with .NET, can leak data using emails, FTP, SMTP, or Telegram. The malware has been consistently distributed and was covered in a previous ASEC Blog post. [1] This post will reveal the trace of the malicious behaviors of SnakeKeylogger analyzed in the previous post

Linux Defense Evasion Techniques Detected by AhnLab EDR (2)

The blog post “Linux Defense Evasion Techniques Detected by AhnLab EDR (1)” [1] covered methods in which threat actors and malware strains, after attacking Linux servers, incapacitated security services such as firewalls and security modules and then concealed the installed malware. This post will cover additional defense evasion techniques against

Linux Defense Evasion Techniques Detected by AhnLab EDR (1)

Generally, organizations such as institutes and companies use various security products to prevent security threats. For endpoint systems alone, there are not only anti-malware solutions but also firewalls, APT defense solutions, and products such as EDR. Even in general user environments without a separate organization responsible for security, most of them

Attacks Against Linux SSH Services Detected by AhnLab EDR

Secure SHell (SSH) is a standard protocol for secure terminal connections and is generally used for controlling remote Linux systems. Unlike the Windows OS, which individual users run on desktops, Linux systems mainly fulfill the role of servers providing web, database, FTP, DNS, and other services. Of course, Windows also supports