Malware Information

Distribution of Magniber Ransomware Stops (Since November 29th)

Through a continuous monitoring process, the AhnLab ASEC analysis team is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which exploits typos in domain address input. Through such continuous responses, we have detected that as of November 29th, the distribution of the Magniber ransomware has halted. Recently, the creator of Magniber undertook various attempts to evade antivirus detection via injections, change in file extensions, and UAC bypassing technique. With the ASEC analysis team’s…

How Similar Is the Microsoft Account-stealing Phishing Page to the Actual Page?

Many corporations and users both in and outside Korea use Microsoft accounts to use major services offered by Microsoft, including Outlook, Office, OneDrive, and Windows. Users use integrated login to easily access all Microsoft services linked to their account. What does this mean for the threat actor? There is no better target for attacks because there is a large volume of information that can be gained using just one account. Particularly in the case of users that handle sensitive information…

Malware Distributed with Disguised Filenames (RIGHT-TO-LEFT OVERRIDE)

In August, the ASEC analysis team made a post on the malware being distributed with filenames that utilize RTLO (Right-To-Left Override). RTLO is a unicode that makes an override from right to left. This type of malware induces users to execute its files by mixing filenames with extensions, with its distribution still being continued to this day. RAT Tool Disguised as Solution File (*.sln) Being Distributed on Github As of November 30th, 2022, when the keywords based on the last…

Phishing Email Disguised as a Well-Known Korean Airline

The ASEC analysis team has recently discovered a phishing email that impersonates a well-known Korean airline to collect user credentials. The phishing email contains a notice on airline ticket payment, inducing the reader to connect to the disguised phishing page with specific ticket prices and details that implies that the sender has background information of the reader. The subject and the body of the email are shown below. When the attached HTML file is opened, a connection is made to…