RecordBreaker Infostealer Disguised as a Well-known Korean Software
The RecordBreaker Stealer is one of the main malware distributed disguised as the download of illegal programs such as cracks and keygens. It first appeared last year and has since been actively distributed to normal users. It is also referred to as Raccoon Stealer V2 and is being distributed through
SparkRAT Being Distributed Within a Korean VPN Installer
AhnLab Security Emergency response Center (ASEC) has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a Remote Administration Tool (RAT) developed with GoLang. When installed on a user’s system, it can perform a variety of malicious behaviors, such as executing commands remotely, controlling
Analysis of CLR SqlShell Used to Attack MS-SQL Servers
This blog post will analyze the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors
AhnLab EDR Tracks and Responds against Link File (*.lnk) Distributing RokRAT
AhnLab Security Emergency response Center (ASEC) has shared information regarding the RedEyes threat group (also known as APT37, ScarCruft), who distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month. RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft) The LNK file contains a PowerShell
Qakbot Distributed via OneNote and CHM
AhnLab Security Emergency response Center (ASEC) has covered various distribution methods of Qakbot, and the method of distributing through OneNote was covered back in February. The distribution of Qakbot through OneNote has been confirmed again recently, and it was discovered that the Windows Help file (CHM) was used in this
RecordBreaker Stealer Distributed via Hacked YouTube Accounts
RecordBreaker is a new Infostealer that appeared in 2022 and is known as the new version of Raccoon Stealer. Similar to other Infostealers, such as CryptBot, RedLine, and Vidar, it is a major malware type that usually disguises itself as a software crack or installer. AhnLab Security Emergency response Center
CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers
AhnLab Security Emergency response Center (ASEC) has recently discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers. The attacks have been happening with a distinct pattern since 2022: they involve the usage of malware developed with Shell Script Compiler (SHC) when installing the XMRig, as well as the
RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)
AhnLab Security Emergency response Center (ASEC) confirmed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month, has also recently distributed the RokRAT malware through LNK files. RokRAT is malware that is capable of collecting
Tonto Team Using Anti-Malware Related Files for DLL Side-Loading
The Tonto Team is a threat group that targets mainly Asian countries, and has been distributing Bisonal malware. AhnLab Security Emergency response Center (ASEC) has been tracking the Tonto Team’s attacks on Korean education, construction, diplomatic, and political institutions. Recent cases have revealed that the group is using a file
BlackBit Ransomware Being Distributed in Korea
AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to the ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed since September last year. The ransomware uses .NET Reactor to obfuscate its code, likely to
