Malicious Word File Disguised as ‘Purchase and Sales Agreement for Export-bound Gold Bars’ Posted By jcleebobgatenet, September 7, 2021 The ASEC analysis team discovered a malicious Word document disguised as a ‘Purchase and Sales Agreement for Export-bound Gold Bars’ and would like to inform readers about it through this post. Judging by the title and body text of the original document on which the distributed document is based, it appears that the original was created in the past and was recently distributed after being revised. Document Title: 1MT Business Terms-20140428.doc Document Information: Last Printed Date – April 20th, 2014 Last Modified…
Changed Form of CryptBot Infostealer Disguised as Software Crack Download Posted By jcleebobgatenet, September 1, 2021 CryptBot Infostealer samples disguised as commercial software downloads are constantly changing and are actively being distributed. In a previous ASEC blog post, the ASEC analysis team explained how the BAT script in the malware changed over time. This post discusses the change in its packaging form. CryptBot Infostealer has changed its form from a 7z SFX to an MS IExpress package and uses a trick to prevent decompression by regular methods. CryptBot Infostealer is distributed via malicious websites by disguising itself as websites…
Malicious PowerPoint Files Constantly Being Distributed Posted By jcleebobgatenet, August 31, 2021 In April 2021, the ASEC analysis team introduced malware delivered via PowerPoint files attached to emails on the ASEC blog. The team has found continued malicious activity that uses PPAM files in the form of PowerPoint and is therefore sharing it. When the macro included in the PowerPoint file is executed, it uses mshta.exe to load a blogspot web page in which a malicious script has been inserted. However, a distinct feature of this case is that it has become more complicated with…
APT Attacks Using PDF Files, Possibly by North Korea Related Group Posted By jcleebobgatenet, August 30, 2021 Targeted attacks using PDF files have been confirmed, and it seems that a group related to North Korea is behind them. While the attack group is thought to be either Kimsuky or Thallium, it might be another group mimicking those two. The related information was already reported in the press, but this post additionally reveals previously undisclosed IOCs and analysis information such as the environments affected by the vulnerabilities. The attacker used PDF files as bait. Malicious JavaScript included in the…
JavaScript-based BlueCrab Ransomware Has Stopped? Posted By jcleebobgatenet, August 25, 2021 The distribution of BlueCrab (Sodinokibi and REvil) ransomware via JavaScript has stopped since July 13th, 2021. There have been many cases of the distribution being stopped and then resumed after changes were made, but this is the first time it has stopped for such a long period. BlueCrab ransomware is distributed through forum posts disguised as file download pages. When users download and run the JS file, the script downloaded from the C2 is executed, infecting the system with ransomware….