3CX DesktopApp Supply Chain Attack Also Detected in Korea Posted By ASEC , April 11, 2023 On March 29, 2023, CrowdStrike announced that a threat group based in North Korea launched a supply chain attack through 3CX DesktopApp. [1] With this app, the threat actor installed an Infostealer in the target system. AhnLab Security Emergency response Center (ASEC) previously announced a 3CX DesktopApp supply chain attack in the following blog post alongside mitigation measures. [2] This post will provide an analysis of the malware used in the attacks and logs of their infection in Korea collected via AhnLab Smart Defense…
Bitter Group Distributes CHM Malware to Chinese Organizations Posted By gygy0101 , April 6, 2023 The Bitter (T-APT-17) group is a threat group that usually targets South Asian government organizations, using Microsoft Office programs to distribute malware such as Word or Excel. AhnLab Security Emergency response Center (ASEC) has identified multiple circumstances of the group distributing CHM malware to certain Chinese organizations. CHM files have been used by various threat groups in APT attacks since earlier this year and covered multiple times in ASEC blog posts. The files used in the recent attack were being…
Kimsuky Group Uses ADS to Conceal Malware Posted By Vanish , March 29, 2023 AhnLab Security Emergency response Center (ASEC) has discovered that the Kimsuky group is using Alternate Data Stream (ADS) to hide their malware. This malware is an Infostealer that collects data by starting the VBScript included inside an HTML file. It can be characterized by its tendency to add the actual code between numerous dummy codes. Figure 1. Part of the initially executed script The following commands are executed in the terminal to collect and transmit data. hostname systeminfo net user…
Kimsuky Group Distributes Malware Disguised as Profile Template (GitHub) Posted By Vanish , March 29, 2023 AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of a malicious Word file disguised as a profile template from emails impersonating a certain professor. ‘[Attachment] Profile Template.doc’ is the filename of the password-protected Word file that was discovered, with the password itself being included in the body of the email. Figure 1. Original email Figure 2. Part of the Word file contents Figure 3. File properties A malicious VBA macro is contained within the Word file, which, upon…
Emotet Being Distributed via OneNote Posted By kwonxx , March 28, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of Emotet being distributed via OneNote. A spear phishing email as below attached with a OneNote file prompts the reader to open the attachment which contains a malicious script file (JS file). Upon running the OneNote file, it directs the user to click the button to connect to the cloud to open the document. This ‘Next’ button is inserted with a malicious script named output1.js. As shown below, the…
