RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft) Posted By bghjmun , April 26, 2023 AhnLab Security Emergency response Center (ASEC) confirmed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month, has also recently distributed the RokRAT malware through LNK files. RokRAT is malware that is capable of collecting user credentials and downloading additional malware. The malware was once distributed through HWP and Word files. The LNK files that were discovered this time contain PowerShell commands that can perform malicious…
Tonto Team Using Anti-Malware Related Files for DLL Side-Loading Posted By gygy0101 , April 26, 2023 The Tonto Team is a threat group that targets mainly Asian countries, and has been distributing Bisonal malware. AhnLab Security Emergency response Center (ASEC) has been tracking the Tonto Team’s attacks on Korean education, construction, diplomatic, and political institutions. Recent cases have revealed that the group is using a file related to anti-malware products to ultimately execute their malicious attacks. Figure 1. Overall operation process The Tonto Team’s involvement in the distribution of the CHM malware in Korea has been…
8220 Gang Uses Log4Shell Vulnerability to Install CoinMiner Posted By Sanseo , April 21, 2023 Ahnlab Security Emergency response Center (ASEC) has recently confirmed that the 8220 Gang attack group is using the Log4Shell vulnerability to install CoinMiner in VMware Horizon servers. Among the systems targeted for the attack, there were Korean energy-related companies with unpatched and vulnerable systems, hence being preyed upon by multiple attackers. Log4Shell (CVE-2021-44228) is both a remote code execution vulnerability and the Java-based logging utility Log4j vulnerability that can remotely execute a Java object in servers that use Log4j by…
BlackBit Ransomware Being Distributed in Korea Posted By AhnLab_en , April 20, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to the ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed since September last year. The ransomware uses .NET Reactor to obfuscate its code, likely to deter analysis. It is possible to observe similar characteristics between the functioning ransomware and the LokiLocker ransomware. The BlackBit ransomware goes through the following preparations before performing its encryption process….
February 2023 Threat Trend Report on Kimsuky Group Posted By ahnlabti , April 18, 2023 Overview The Kimsuky group’s activities in February 2023 were very significant in comparison to their activities in January. Many new types were discovered, including a variant of FlowerPower which stole information stored in browsers via the GitHub API, a DLL version of xRAT, and a new type of RAT called TutRAT. The number of Fully Qualified Domain Names (FQDNs) tripled compared to the previous month, most of which were FlowerPower, Random Query, and AppleSeed types. There was also an actual…
