Malware Disguised as Normal Installation File of a Korean Development Company – EDR Detection
AhnLab Security Emergency response Center (ASEC) has previously covered the malware that is generated by the installation file of a Korean program development company. Sliver C2 Being Distributed Through Korean Program Development Company When malware is distributed alongside an installation file, users will struggle to notice that malware is being
Tracking and Responding to AgentTesla Using EDR
AhnLab Security Emergency response Center (ASEC) has been uploading a summary of weekly malware statistics every week. https://asec.ahnlab.com/en/53647/ This post will cover how EDR is used to detect, track, and respond to AgentTesla, an Infostealer continuously being distributed among the malware mentioned in the post above. AgentTesla is an Infostealer
Tracking Process Hollowing Malware Using EDR
AhnLab Security Emergency response Center (ASEC) once released a report on the types and distribution trends of .NET packers as shown in the post below. As indicated in the report, most .NET packers do not create actual malicious executables hidden via packing features in the local path, injecting malware in
Tracking 3CX Supply Chain Breach Cases using AhnLab EDR
Last March, 3CX supply chain breach cases were a global issue. AhnLab Security Emergency response Center (ASEC) has confirmed through the AhnLab Smart Defense (ASD) infrastructure that malware related to the 3CX supply chain was installed in Korea on March 9th and March 15th. The 3CX supply chain malware confirmed
AhnLab EDR Tracks and Responds against Link File (*.lnk) Distributing RokRAT
AhnLab Security Emergency response Center (ASEC) has shared information regarding the RedEyes threat group (also known as APT37, ScarCruft), who distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month. RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft) The LNK file contains a PowerShell
EDR Product Analysis of an Infostealer
AhnLab Security Emergency response Center (ASEC) released an analysis report on an Infostealer that is being distributed through YouTube. Infostealer Being Distributed via YouTube As mentioned in the report, an Infostealer is being distributed through various platforms, and the leaked information is causing both direct and indirect harm to users.
Tracking the CHM Malware Using EDR
AhnLab Security Emergency response Center (ASEC) has shared an APT attack case that has recently used CHM (Compiled HTML Help File). Malware Distributed Disguised as a Password File CHM is a Help screen that is in an HTML format. Threat actors are able to input malicious script codes in HTMLs
MDS’ Evasion Feature of Anti-sandboxes That Uses Pop-up Windows
AhnLab Security Emergency response Center (ASEC) is monitoring various anti-sandbox tactics to evade sandboxes. This post will cover the rather persistent anti-sandbox technique that exploits the button form of the malicious IcedID Word files and the evasion feature of AhnLab’s MDS which is meant for detecting malicious behavior. An anti-sandbox
Tracking Distribution Site of Magniber Ransomware Using EDR
AhnLab ASEC has been blocking the Magniber ransomware through various means, since its distribution has continued even after “Redistribution of Magniber Ransomware in Korea (January 28th)” was posted back in January. Redistribution of Magniber Ransomware in Korea (January 28th) A particular finding at the time was that the ransomware used
Video of Blocking Latest Magniber Ransomware Using V3 (AMSI + Memory Scan)
The ASEC analysis team introduced the Magniber variants in the blog posted on September 15th. From September 16th, the Magniber ransomware script, while still JavaScript, has had its file extension changed from *.jse to *.js. As Magniber changed to JavaScript starting September 8th, its operational method has also changed from