Malware Information

Kimsuky Group Distributes Malware Disguised as Profile Template (GitHub)

AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of a malicious Word file disguised as a profile template from emails impersonating a certain professor. ‘[Attachment] Profile Template.doc’ is the filename of the password-protected Word file that was discovered, with the password itself being included in the body of the email. Figure 1. Original email Figure 2. Part of the Word file contents Figure 3. File properties A malicious VBA macro is contained within the Word file, which, upon…

Emotet Being Distributed via OneNote

AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of Emotet being distributed via OneNote. A spear phishing email as below attached with a OneNote file prompts the reader to open the attachment which contains a malicious script file (JS file). Upon running the OneNote file, it directs the user to click the button to connect to the cloud to open the document. This ‘Next’ button is inserted with a malicious script named output1.js. As shown below, the…

New Infostealer LummaC2 Being Distributed Disguised As Illegal Cracks

A new Infostealer called “LummaC2” is being distributed disguised as illegal programs such as cracks and keygens. Other malware such as CryptBot, RedLine, Vidar, and RecordBreaker (Raccoon V2) are distributed in a similar manner and have been covered here on ASEC Blog. It appears that the LummaC2 Stealer has been available for purchase on the dark web since the beginning of this year, and since March, it has been distributed by a threat group disguised as a crack. Although this…

Tracking the CHM Malware Using EDR

AhnLab Security Emergency response Center (ASEC) has shared an APT attack case that has recently used CHM (Compiled HTML Help File). Malware Distributed Disguised as a Password File CHM is a Help screen that is in an HTML format. Threat actors are able to input malicious scrip codes in HTMLs with the inclusion of CHM. The inserted script is executed through hh.exe which is a default OS application. MITRE ATT&CK refers to this technique where a threat actor uses a…

Overview of AhnLab’s Response to “Korea-Germany Joint Cyber Security Advice”

On March 20, Korea’s National Intelligence Service (NIS) and Germany’s Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz, BfV) released a joint security advisory related to the Kimsuky hacker group. According to the joint security advisory, the Kimsuky hacker group exploited the extension feature of Chromium browsers and the app developer support feature for Android in an attack campaign to steal account credentials. Although their primary targets are Korean Peninsula and North Korea experts, it was stated…