Similar AhnLab Response Cases Regarding Korea-US Joint Cyber Security Advice Posted By AhnLab_en , June 8, 2023 On June 2nd, the Korean NIS (National Intelligence Service), NPA (National Police Agency), and MOFA (Ministry of Foreign Affairs) released a joint security advisory regarding the spear phishing attacks of North Korea’s Kimsuky group with the US FBI (Federal Bureau of Investigation), DoS (Department of State), and NSA (National Security Agency). The government agencies stated that the act was done to raise awareness of members of global think tanks, academic institutions, and media companies on CNE (Computer Network Exploitation) using…
Malware Being Distributed Disguised as a Job Application Letter Posted By AhnLab_en , June 8, 2023 AhnLab Security Emergency response Center (ASEC) has identified that malware disguised as a job application letter is continuously being distributed. This malware is equipped with a feature that checks for the presence of various antivirus processes including a process with AhnLab’s product name (V3Lite.exe) and is being distributed through malicious URLs designed to resemble a Korean job-seeking website. Below are the discovered download URLs. The malicious file downloaded from the above URLs has a screen saver file extension (.scr) and an…
Tracking and Responding to AgentTesla Using EDR Posted By cka0 , June 7, 2023 AhnLab Security Emergency response Center (ASEC) has been uploading a summary of weekly malware statistics every week. https://asec.ahnlab.com/en/53647/ This post will cover how EDR is used to detect, track, and respond to AgentTesla, an Infostealer continuously being distributed among the malware mentioned in the post above. AgentTesla is an Infostealer that steals user credentials saved in web browsers, emails, and FTP clients. AhnLab’s EDR products detect certain types of PE files accessing user account credential files and categorize this behavior…
Analysis of Attack Cases: From Korean VPN Installations to MeshAgent Infections Posted By Sanseo , May 26, 2023 AhnLab Security Emergency response Center (ASEC) has previously covered the case where SparkRAT was distributed contained within a Korean VPN’s installer in the post, “SparkRAT Being Distributed Within a Korean VPN Installer”[1]. This VPN was commonly installed by Chinese users who required better access to the Internet, and the problem was addressed after the blog post was uploaded. However, there have been recent cases indicating the resurgence of malware distributing SparkRAT through the installer of the same VPN company. The…
March 2023 Threat Trend Report on Kimsuky Group Posted By ahnlabti , May 24, 2023 The Kimsuky group’s activities in March 2023 showed a decline in comparison to their activities in February. Unlike the past where most major issues were found in the FlowerPower type, this month was focused on the RandomQuery type, which showed the highest amount of activity. The FlowerPower type began to use “Korean domains”, and it has been confirmed that the RandomQuery type has been using various initial distribution methods and using new ways to distribute xRAT. Finally, it has been…
