Malware Information

Qakbot Being Distributed via Virtual Disk Files (*.vhd)

There’s been a recent increase in the distribution of malware using disk image files. Out of these, the Qakbot malware has been distributed in ISO and IMG file formats, and the ASEC analysis team discovered that it has recently changed its distribution to the use of VHD files. Such use of disk image files (IMG, ISO, VHD) is seen to be Qakbot’s method of bypassing Mark of the Web (MOTW). Disk image files can bypass the MOTW feature because when the files inside…

Vidar Stealer Exploiting Various Platforms

Vidar Malware is one of the active Infostealers, and its distribution has been significantly increasing. Its characteristics include the use of famous platforms such as Telegram and Mastodon as an intermediary C2. The link below is a post about a case where malicious behaviors were performed using Mastodon. Even afterward, Vidar saw continuous version updates while actively being distributed. In the recent samples in circulation, various other platforms such as Steam and TikTok were used aside from Telegram and Mastodon….

Nitol DDoS Malware Installing Amadey Bot

The ASEC analysis team recently discovered that a threat actor has been using Nitol DDoS Bot to install Amadey. Amadey is a downloader that has been in circulation since 2018, and besides extorting user credentials, it can also be used for the purpose of installing additional malware. Amadey is being actively distributed again this year, and even until very recently, it has been propagating itself on websites disguised as cracks and keygens for normal software and installing other malware on…

Caution! Magniber Ransomware Restarts Its Propagation on December 9th With COVID-19 Related Filenames

On December 9th, 2022, the ASEC analysis team discovered that Magniber Ransomware is being distributed again. During the peak of the COVID-19 outbreak, Magniber was found being distributed with COVID-19 related filenames alongside the previous security update related filenames. C:\Users\$USERS\Downloads\COVID.Warning.Readme.2f4a204180a70de60e674426ee79673f.msiC:\Users\$USERS\Downloads\COVID.Warning.Readme.502ef18830aa097b6dd414d3c3edd5fb.msiC:\Users\$USERS\Downloads\COVID.Warning.Readme.a179a9245f8e13f41d799e775b71fdff.msi Table 1. COVID-19 related filenames in circulation In the past, Magniber exploited Internet Explorer’s vulnerability to infect user PCs via Drive by Download which only required users to visit a web page. However, after Microsoft stopped supporting Internet Explorer, Magniber’s…

STOP Ransomware Being Distributed in Korea

The ASEC analysis team discovered that the STOP ransomware is being distributed in Korea. This ransomware is being distributed at a very high volume that it is ranked among the Top 3 in the ASEC Weekly Malware Statistics (November 28th, 2022 – December 4th, 2022). The files that are currently being distributed are in the form of MalPe just like SmokeLoader and Vidar, and the filenames include a random 4-byte string as shown below. When the ransomware is executed, it first…