Analysis Report on the Latest Attack Cases by Kimsuky Group Exploiting PebbleDash and RDP Wrapper

Analysis Overview AhnLab SEcurity intelligence Center (ASEC) recently identified that the Kimsuky group is using the backdoor PebbleDash and RDP Wrapper in multiple attacks. The threat actor uses LNK during initial access to install PowerShell malware on the infected system. Once this process is complete, they install custom-made remote control

Weekly Detection Rule (YARA and Snort) Information – Week 4, October 2024

The following is the information on Yara and Snort rules (week 4, October 2024) collected and shared by the AhnLab TIP service. 0 YARA Rules 8 Snort Rules Detection name Source ET CURRENT_EVENTS Javascript Browser Fingerprinting POST Request https://rules.emergingthreatspro.com/open/ ET TROJAN Suspected PrivateLoader CnC Checkin – Server Response https://rules.emergingthreatspro.com/open/ ET

RAT Malware Operating via Discord Bot

Discord is a social platform where users can create servers to form communities and communicate in real-time, supporting voice, video, and text chat. While it initially gained popularity among gamers, it has now expanded into a space where groups with diverse interests gather to communicate. A Discord Bot is a

WrnRAT Distributed Under the Guise of Gambling Games

AhnLab SEcurity intelligence Center (ASEC) recently discovered that malware was being distributed under the guise of gambling games such as badugi, 2-player go-stop, and hold’em. The threat actor created a website disguised as a gambling game site, and if the game launcher is downloaded, it installs malware that can control

Larva-24009 Threat Actor’s Spear Phishing Attack Case Report

AhnLab SEcurity intelligence Center (ASEC) recently confirmed that the Larva-24009 threat actor is carrying out spear phishing attacks targeting Korean users. The threat actor has been active since around 2023 and has been primarily using spear phishing attacks targeting global users. Yet it has been recently confirmed that there are

Weekly Detection Rule (YARA and Snort) Information – Week 3, October 2024

The following is the information on Yara and Snort rules (week 3, October 2024) collected and shared by the AhnLab TIP service. 3 YARA Rules Detection name Description Source MAL_RANSOM_INC_Aug24 Detects INC ransomware and it’s variants like Lynx https://github.com/Neo23x0/signature-base3 MAL_EXPL_Perfctl_Oct24 Detects exploits used in relation with Perfctl malware campaigns https://github.com/Neo23x0/signature-base3

AhnLab and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178)

AhnLab SEcurity intelligence Center (ASEC) and the National Cyber Security Center (NCSC) have discovered a new zero-day vulnerability in the Microsoft Internet Explorer (IE) browser and have conducted a detailed analysis on attacks that exploit this vulnerability. This post shares the joint analysis report “Operation Code on Toast by TA-RedAnt”

Warning Against Phishing Emails Impersonating Major Korean Entertainment Agencies

AhnLab SEcurity Intelligence Center (ASEC) releases weekly and quarterly phishing email statistical reports on the ASEC blog, with fake login, delivery, and purchase order request types being the most common. However, it has been confirmed that phishing emails impersonating major Korean entertainment agencies have recently been distributed in Korea. The

Weekly Detection Rule (YARA and Snort) Information – Week 2, October 2024

The following is the information on Yara and Snort rules (week 2, October 2024) collected and shared by the AhnLab TIP service. 6 YARA Rules Detection name Description Source Py_Fuscate_Obfuscation Detects Python scripts which could have been obfuscated through Py-Fuscate https://github.com/The-DFIR-Report/Yara-Rules PK_Aruba_corona Phishing Kit impersonating Aruba S.p.A. https://github.com/t4d/PhishingKit-Yara-Rules PK_BRI_tarip Phishing

Threat Trend Report on Ransomware – September 2024 Ransomware Statistics and Major Issues

This report provides statistics on the number of new ransomware samples, targeted systems, and targeted businesses in September 2024, as well as notable ransomware issues in Korea and other countries. Disclaimer: The number of ransomware samples and targeted systems are based on the detection names designated by AhnLab, and the