Malware Information

Auto-Publishing and Auto-Reporting Programs for Blog Posts

Spam programs are illegal programs according to the ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND INFORMATION PROTECTION. The ASEC analysis team previously published a blog post about a spam program sold as a marketing program. Today, we will introduce a program similar to the spam program covered in the past. The file collected under the filename of ‘Naver Blog Report Program.exe’ was developed with C#, just like the spam program covered in the previous blog post. Its…

Word Documents Disguised as Normal MS Office URLs Being Distributed

Recently, there has been a case of malware disguised as a Word document being distributed through certain paths (e.g. KakaoTalk group chats). During additional monitoring, the ASEC analysis team discovered that the URL used in the fake Word document is being very cleverly disguised to closely resemble the normal URL, and we advise users to exercise caution. The currently identified filenames of the malicious Word documents are as follows. The real names of Koreans found…

Malicious Word Document Being Distributed in Disguise of a News Survey

The ASEC analysis team discovered that the Word document type identified in the blog, ‘Malicious Word Files Targeting Specific Individuals Related to North Korea,’ has recently been using FTP to leak user credentials. The filename of the identified Word document is ‘CNA[Q].doc’, disguised as a CNA Singaporean TV program interview. The file is password-protected and is deemed to be distributed as an attachment in emails alongside the password. The identified Word file contains information related to North Korea like the…

Wiki Ransomware Being Distributed in Korea

Through the AhnLab ASD infrastructure’s history of blocking suspicious ransomware behavior, the ASEC analysis team has identified the distribution of Wiki ransomware, which has been determined to be a variant of Crysis ransomware, disguised as a normal program. Before performing the actual encryption, Wiki ransomware copies itself into the %AppData% or %windir%\system32 paths and undergoes a process of increasing the infection success rate of the ransomware by adding itself to the registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) to be registered as one of the…

Koxic Ransomware Being Distributed in Korea

It has been discovered that Koxic ransomware is being distributed in Korea. It was first identified earlier this year, and recently, the team found that a file with a modified appearance and internal ransom note had been detected and blocked via the ASD infrastructure. When infected, the “.KOXIC_[random string]” extension is added to the names of the encrypted files, and a TXT file ransom note is generated in each directory. The filename of the ransom note is as follows. The…