Distribution of Magniber Ransomware Stops (Since August 25th) Posted By Bellyoon , October 11, 2023 Through a continuous monitoring process, AhnLab Security Emergency response Center (ASEC) is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which abuses typos in domain addresses. After the blocking rules of the injection technique used by Magniber were distributed, ASEC published a post about the relevant information on August 10th. Subsequently, the number of cases diminished as the creator of Magniber conducted various detection bypass tests, and as of August 25th, the…
Infostealer with Abnormal Certificate Being Distributed Posted By KDH , October 10, 2023 Recently, there has been a high distribution rate of malware using abnormal certificates. Malware often disguise themselves with normal certificates. However, in this case, the malware entered the certificate information randomly, with the Subject Name and Issuer Name fields having unusually long strings. As a result, the certificate information is not visible in Windows operating systems, and a specific tool or infrastructure is required to inspect the structure of these certificates. Of course, these certificates fail in signature verification since…
Malicious LNK File Being Distributed, Impersonating the National Tax Service Posted By gygy0101 , September 21, 2023 AhnLab Security Emergency response Center (ASEC) has discovered circumstances of a malicious LNK file impersonating the National Tax Service being distributed. Distribution using LNK files is a method that has been used in the past, and recently, there have been multiple cases of distribution to Korean users. The recently identified LNK file is presumed to be distributed via a URL included in emails. The URL identified through AhnLab Smart Defense (ASD) is as follows, and from it, a compressed file…
HiddenGh0st Malware Attacking MS-SQL Servers Posted By Sanseo , September 21, 2023 Gh0st RAT is a remote control malware developed by the C. Rufus Security Team from China. Due to its source code being publicly available, malware developers use it as a reference as they continue developing numerous variants that are still actively used in attacks. Although the source code is public, Gh0st RAT is mainly used by threat actors based in China. Cases of Gh0stCringe RAT, a variant of Gh0st RAT, being distributed targeting database servers (MS-SQL, MySQL servers) were disclosed…
BlueShell Used in APT Attacks Against Korean and Thai Targets Posted By Sanseo , September 11, 2023 BlueShell is a backdoor developed in Go. It is available on GitHub and supports Windows, Linux, and Mac operating systems. Currently, it seems the original GitHub repository has been deleted, but the BlueShell source code can be downloaded from other repositories. Notably, the ReadMe file containing the guidelines is in Chinese, and this suggests that the creator may be a Chinese speaker. There aren’t many cases where BlueShell is known to have been used in the attacks unlike SparkRAT, Silver…
