Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft) Posted By ye_eun , September 6, 2023 AhnLab Security Emergency response Center (ASEC) has confirmed that malware [1], which was previously distributed in CHM format, is now being distributed in LNK format. This malware executes additional scripts located at a specific URL through the mshta process. It then receives commands from the threat actor’s server to carry out additional malicious behaviors. The threat actor has been distributing the confirmed LNK file on a regular website by uploading it alongside malware within a compressed file. The malicious LNK…
Analysis of Andariel’s New Attack Activities Posted By Sanseo , August 31, 2023 Contents1. Past attack cases…. 1.1. Cases of Innorix Agent abuse…….. 1.1.1. NukeSped variant – Volgmer…….. 1.1.2. Andardoor…….. 1.1.3. 1th Troy Reverse Shell…. 1.2. Cases of attacks against Korean corporations…….. 1.2.1. TigerRat…….. 1.2.2. Black RAT…….. 1.2.3. NukeSped variants2. Cases of recent attacks…. 2.1. Cases of Innorix Agent abuse…….. 2.1.1. Goat RAT…. 2.2. Cases of attacks against Korean corporations…….. 2.2.1. AndarLoader…….. 2.2.2. DurianBeacon3. Connections to recent attack cases4. Connections to past attack cases of the Andariel group5. Conclusion The Andariel threat group…
Analysis of MS-SQL Server Proxyjacking Cases Posted By Sanseo , August 25, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered cases of proxyjacking targeting poorly managed MS-SQL servers. Publicly accessible MS-SQL servers with simple passwords are one of the main attack vectors used when targeting Windows systems. Typically, threat actors target poorly managed MS-SQL servers and attempt to gain access through brute force or dictionary attacks. If successful, they install malware on the infected system. The threat actors have been installing LoveMiner on MS-SQL servers for quite some time, and their…
Analysis of APT Attack Cases Targeting Web Services of Korean Corporations Posted By Sanseo , August 22, 2023 Web servers are vulnerable to attacks because they are publicly accessible to a wide range of users for the purpose of delivering web services. This accessibility makes them a prime target for threat actors. AhnLab Security Emergency response Center (ASEC) is monitoring attacks targeting vulnerable web servers that have not been patched or are poorly managed. In this post, we have compiled APT attack cases where the web servers of Korean corporations were continuously targeted over the years. We have…
Hakuna Matata Ransomware Targeting Korean Companies Posted By Sanseo , August 16, 2023 Recently, AhnLab Security Emergency response Center (ASEC) has identified that the Hakuna Matata ransomware is being used to attack Korean companies. Hakuna Matata is a ransomware that has been developed relatively recently. The first report related to Hakuna Matata was identified on July 6th, 2023 on Twitter. [1] On July 14th, 2023, a post of a threat actor promoting Hakuna Matata on the dark web was shared on Twitter as well. [2] Also, out of the ransomware strains uploaded on VirusTotal,…
