BlackBit Ransomware Being Distributed in Korea Posted By AhnLab_en , April 20, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to the ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed since September last year. The ransomware uses .NET Reactor to obfuscate its code, likely to deter analysis. It is possible to observe similar characteristics between the functioning ransomware and the LokiLocker ransomware. The BlackBit ransomware goes through the following preparations before performing its encryption process….
February 2023 Threat Trend Report on Kimsuky Group Posted By ahnlabti , April 18, 2023 Overview The Kimsuky group’s activities in February 2023 were very significant in comparison to their activities in January. Many new types were discovered, including a variant of FlowerPower which stole information stored in browsers via the GitHub API, a DLL version of xRAT, and a new type of RAT called TutRAT. The number of Fully Qualified Domain Names (FQDNs) tripled compared to the previous month, most of which were FlowerPower, Random Query, and AppleSeed types. There was also an actual…
January 2023 Threat Trend Report on Kimsuky Group Posted By ahnlabti , April 18, 2023 Overview The Kimsuky group’s activities in January 2023 were not so different from the past, and there were no prominent issues. However, it had been identified that AppleSeed and a tunnel program called ngrok were being distributed on a normal Korean website. The types of Fully Qualified Domain Name (FQDN) were mainly FlowerPower, AppleSeed, and Random Query. Attack Statistics Like the 2022 Threat Trend Report on Kimsuky Group published on February 27, the FQDN of the FlowerPower type was…
Shadow Force Group’s Viticdoor and CoinMiner Posted By ahnlabti , April 18, 2023 The Shadow Force group is a threat group that has been active since 2013, targeting corporations and organizations in South Korea. Trend Micro revealed the first analysis report in September 2015, where it stated that a Korean media-related company had been attacked. In March 2020, AhnLab published an analysis report on Operation Shadow Force. It was introduced as a single campaign as there was the possibility of it being the activities of an existing threat group. However, no relevant threat…
Trigona Ransomware Attacking MS-SQL Servers Posted By Sanseo , April 17, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered the Trigona ransomware being installed on poorly managed MS-SQL servers. Trigona is a relatively recent ransomware that was first discovered in October 2022, and Unit 42 has recently published a report based on the similarity between Trigona and the CryLock ransomware. [1] 1. Poorly Managed MS-SQL Servers Poorly managed MS-SQL servers typically refer to those that are exposed to external connections and have simple account credentials, rendering them vulnerable to brute force…
