Malware Execution Method Using DNS TXT Record Posted By suuzzane , June 30, 2023 AhnLab Security Emergency response Center (ASEC) has confirmed instances where DNS TXT records were being utilized during the execution process of malware. This is considered meaningful from various perspectives, including analysis and detection as this method has not been widely utilized as a means of executing malware. DNS TXT record is a feature that allows domain administrators to input text into the DNS. Originally intended for the purpose of entering human-readable notes, the DNS TXT record is now being used…
Malware Disguised as HWP Document File (Kimsuky) Posted By ye_eun , June 23, 2023 AhnLab Security Emergency response Center (ASEC) has recently confirmed malware, which was previously distributed in CHM and OneNote file formats, being distributed as an executable. Considering that the words used in the malware and the executed script code are similar to that of previously analyzed codes, it is suspected that the same threat group (Kimsuky) is also the creator of this malware. The identified malware is distributed as a compressed file which contains a readme.txt along with an executable disguised…
RedEyes Group Wiretapping Individuals (APT37) Posted By muhan , June 21, 2023 1. Overview RedEyes (also known as APT37, ScarCruft, and Reaper) is a state-sponsored APT group that mainly carries out attacks against individuals such as North Korean defectors, human rights activists, and university professors. Their task is known to be monitoring the lives of specific individuals. In May 2023, AhnLab Security Emergency response Center (ASEC) discovered the RedEyes group distributing and using an Infostealer with wiretapping features that was previously unknown along with a backdoor developed using GoLang that exploits the…
Kimsuky Distributing CHM Malware Under Various Subjects Posted By gygy0101 , June 21, 2023 AhnLab Security Emergency response Center (ASEC) has continuously been tracking the Kimsuky group’s APT attacks. This post will cover the details confirmed during the past month of May. While the Kimsuky group often used document files for malware distribution, there have been many recent cases where CHM files were used in distribution. Also, unlike in the past when the document files contained North Korea-related topics, the group is now attempting to attack using a variety of subjects. (1) Cases of…
Analysis of Ransomware With BAT File Extension Attacking MS-SQL Servers (Mallox) Posted By eastston , June 21, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered the Mallox ransomware with the BAT file extension being distributed to poorly managed MS-SQL servers. Extensions of files distributed to poorly managed MS-SQL servers include not only EXE but also BAT, which is a fileless format. The files distributed with the BAT file extension that has been discovered so far are Remcos RAT and Mallox. The distributions include cases that use PowerShell and sqlps. The sqlps distribution was covered on the…
