Lazarus Threat Group Attacking Windows Servers to Use as Malware Distribution Points Posted By Sanseo , July 24, 2023 AhnLab Security Emergency response Center (ASEC) has discovered that Lazarus, a threat group deemed to be nationally funded, is attacking Windows Internet Information Service (IIS) web servers and using them as distribution points for their malware. The group is known to use the watering hole technique for initial access. [1] The group first hacks Korean websites and modifies the content provided from the site. When a system using a vulnerable version of INISAFE CrossWeb EX V6 visits this website via a…
Analysis of the Rekoobe Backdoor Being Used In Attacks Against Linux Systems in Korea Posted By Sanseo , July 11, 2023 Rekoobe is a backdoor known to be used by APT31, a threat group based in China. AhnLab Security Emergency Response Center (ASEC) has been receiving reports of the Rekoobe malware from tenants in Korea for several years, and will hereby share its brief analysis. Additionally, the Rekoobe variants will be categorized along with a summary of the ones used to target Korean companies. 1. Overview Rekoobe is a backdoor that targets Linux environments. It was first discovered in 2015, [1]…
Malicious Batch File (*.bat) Disguised as a Document Viewer Being Distributed (Kimsuky) Posted By ye_eun , July 11, 2023 AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of malware in the form of a batch file (*.bat). This malware is designed to download various scripts based on the anti-malware process, including AhnLab products, installed in the user’s environment. Based on the function names used by the malware and the downloaded URL parameters, it is suspected to have been distributed by the Kimsuky group. Although the exact distribution path of the malware has not been confirmed, it appears…
Kimsuky Threat Group Using Chrome Remote Desktop Posted By Sanseo , July 7, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered the Kimsuky threat group using Chrome Remote Desktop. The Kimsuky threat group uses not only their privately developed AppleSeed malware, but also remote control malware such as Meterpreter to gain control over infected systems. [1] Logs of the group using customized VNC or using remote control tools such as RDP Wrapper also continue to be detected. [2] This post will summarize recently identified cases of using Chrome Remote Desktop. The Kimsuky…
Crysis Threat Actor Installing Venus Ransomware Through RDP Posted By Sanseo , July 3, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered that the Crysis ransomware’s threat actor is also using the Venus ransomware in the attacks. Crysis and Venus are both major ransomware types known to target externally exposed remote desktop services. [1] Actual logs from the AhnLab Smart Defense (ASD) infrastructure also show attacks being launched through RDP. Aside from Crysis and Venus, the threat actor also installed a variety of other tools such as Port Scanner and Mimikatz. If the infected…
