RecordBreaker Infostealer Disguised as a .NET Installer Posted By KDH , June 20, 2023 Malware that are being distributed disguised as cracks are evolving. In the past, malware was simply distributed as the executable itself. However, there was a gradual shift towards also including normal files within a compressed file. More recently, there was a sample where a normal installer was downloaded and executed. If the malware is executed in an ordinary user environment, the encrypted malware file is downloaded from the threat actor’s server and executed. The malware in this instance is the…
Tsunami DDoS Malware Distributed to Linux SSH Servers Posted By Sanseo , June 20, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered an attack campaign that consists of the Tsunami DDoS Bot being installed on inadequately managed Linux SSH servers. Not only did the threat actor install Tsunami, but they also installed various other malware such as ShellBot, XMRig CoinMiner, and Log Cleaner. When looking at the attack cases against poorly managed Linux SSH servers, most of them involve the installation of DDoS bots or CoinMiners. DDoS bot has been covered here in…
Warning: Malware Disguised as a Security Update Installer Being Distributed Posted By securityresponseteam , June 19, 2023 AhnLab, in collaboration with the National Cyber Security Center (NCSC) Joint Analysis and Consultation Council, has recently uncovered the attack of a hacking group that is supported by a certain government. The discovered malware disguised itself as a security update installer and was developed using the Inno Setup software. A brief description of the software is provided below in the table. Figure 1. Installer disguised as Security Upgrade Inno Setup A program developed by JrSoftware that serves as a tool…
Damages to Multiple Korean Websites Created by a Certain Website Development Company Posted By eastston , June 19, 2023 AhnLab Security Emergency response Center (ASEC) has discovered instances of websites created by a certain Korean website development company being targeted by attacks and being used to distribute malware. This specific website development company has created websites for a wide range of companies including manufacturing, trade, electrical, electronics, education, construction, medical, and travel industries. The breached websites were used to distribute malware, and they were also used to perform other features such as transmitting the information that was stolen through…
Lazarus Threat Group Exploiting Vulnerability of Korean Finance Security Solution Posted By sujeong , June 15, 2023 As covered before here on the ASEC Blog, the Lazarus threat group exploits the vulnerabilities of INISAFE CrossWeb EX and MagicLine4NX in their attacks. New Malware of Lazarus Threat Actor Group Exploiting INITECH Process (Apr 26, 2022) A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique (Oct 31, 2022) While monitoring the activities of the Lazarus threat group, AhnLab Security Emergency response Center (ASEC) recently discovered that the zero-day vulnerability of VestCert…
