Coinminer Malware Distributed via Discord Posted By Sanseo , October 25, 2021 While monitoring malware that is being distributed in Korea, the ASEC analysis team confirmed that coinminer malware was being distributed via Discord messenger. The attacker introduces a program that generates Robux, a currency used in a game called Roblox, for free in the following Discord chat room named “Free Robux Generator” and prompts the user to download it. Upon clicking the “Robux Generator – Download,” the compressed file shown below is downloaded. Upon decompressing the file, an executable named “robux…
RTF Malware Disguised as a Cover Letter for a Particular Airline Posted By jcleebobgatenet , October 25, 2021 In early October, the ASEC analysis team has discovered an RTF file-based malware disguised as a cover letter for a particular airline. This is not a type of document file format that appears often as other document-type malware (Word, Excel, etc.), and RTF malware disguised as a particular document hasn’t been discovered in a long time. Filename used in distribution: ****Airline Cover Letter_.rtf An MS Office equation editor program EQNEDT32.EXE related vulnerability (CVE-2017-11882) was used for the RTF file, and…
APT Attacks Using Malicious Word File of a Particular Thesis Posted By jcleebobgatenet , October 25, 2021 The ASEC analysis team has discovered the distribution of malicious Word files disguised as a particular thesis in September. The discovered file is being distributed with the filename of “Critical Analysis on ROK Defense Reform Utilizing Evolving Management Theories.doc” and it has malicious macro included. The internal macro code is in a similar form to the following files shared in the past. It thus appears that the same attacker is behind all of them. Compensation Claim Form.doc (June 29th, ASEC…
Malicious PowerPoint Macro using Outlook.exe Being Distributed Posted By jcleebobgatenet , October 25, 2021 The ASEC analysis team has recently discovered a change in malicious PowerPoint files that are continually being distributed. As same as before, they use the method of executing a malicious script using mshta.exe, but added is the utilization of outlook.exe during the process. Malicious PowerPoint files are being distributed as attachments of phishing e-mails as shown below, and they contain information related to purchase inquiries. Also, the malicious PowerPoint file is disguised as a PDF extension like in the previous…
Forensic Analysis of Breaches that Used Cobalt Strike and MS Exchange Server Vulnerability Posted By jcleebobgatenet , October 25, 2021 The ASEC analysis team is consistently monitoring the activities of Cobalt Strike, one of the trending cybersecurity issues that were discussed in previous blog posts regarding its distribution to Korean companies. (The link to a previous blog post can be found at the bottom of this post.) While monitoring Cobalt Strike, the team detected its activities from specific IPs on July 15th and August 2nd, then suggested and conducted a forensic analysis for the client of these IPs. Upon tracking the…
