Malware Information

Infostealer Disguised as Well-Known Korean Web Portal File

The ASEC analysis team has discovered an infostealer-type malware disguised as a file related to a Korean web portal. The team found the NAVER.zip file at the malicious URL used in recent phishing emails; the compressed file includes an executable named ‘NaverProtector.exe’. The email with the malicious URL contains information about a Kakao account as shown below. When users click the <Lift Protection> button, they are redirected to hxxp://mail2.daum.confirm-pw[.]link/kakao/?email=[email address] and will have their account credentials stolen by the…

Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome

The ASEC analysis team has been continuously monitoring Magniber, a ransomware that is distributed via Internet Explorer (IE) vulnerabilities. For the last couple of years, the attacker behind Magniber has been exploiting IE vulnerabilities to deploy the ransomware, and as shown in the previous blog post below, it is still being distributed by exploiting IE vulnerabilities. What’s new, however, is that Magniber’s distribution has been confirmed on browsers other than IE: Microsoft Edge and Google Chrome. This blog post aims to explain…

Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)

This document is an analysis report on types of malware recently utilized by the Kimsuky group. The Kimsuky group is mainly known for launching social engineering attacks such as spear phishing. Judging by the names of the attached files, the group seems to be targeting those working in the fields related to North Korea and foreign affairs. According to the scan logs of AhnLab’s ASD infrastructure, the threat group has been mainly targeting personal users rather than companies, but has…

Distribution of Redline Stealer Disguised as Software Crack

In the previous blog post, the AhnLab ASEC analysis team mentioned malware that is searched for through keywords such as cracks and serials of commercial software, urging users to take caution. While investigating a recent breach case involving the internal network of a certain company, the team discovered that the company was infected with Redline Stealer disguised as a crack for commercial software and had its VPN website and account credentials leaked. The company where the damage occurred provided…

Case of Infection With Lockis Ransomware in a Company, Caused by Not Using Anti-Malware’s Lock Policy

Around November, one of AhnLab’s clients suffered an infection from the Lockis ransomware on several of their servers. As the targeted company suffered a malware infection despite the fact that it was using the anti-malware program V3, AhnLab A-FIRST conducted a forensic analysis to find out the cause of the infection. As stated in “ASEC Blog: Hacking Tool Used Together With Lockis Ransomware,” the Lockis ransomware is a variant of the GlobeImposter ransomware that first appeared on September 16th. AhnLab has been…