Malware Information

Malicious Excel File Disguised as an Invoice, Possibly Targeting Companies

The ASEC analysis team has recently discovered a malicious Excel file disguised as an invoice. This file is being distributed as an e-mail attachment with the filename of Invoice-[number]_date.xlsb. The following is the malicious e-mail that is being distributed in Korea. Upon running the Excel file, editing is restricted, prompting users to click the image within the file (see figure below). As the macro is designated to this image, the user must click the image for the macro to be…

Malicious HWP File with COVID-19 Relief Fund Related ‘Collection of Personal Information Consent Form’

The ASEC analysis team has discovered a malicious HWP file that hasn’t been distributed for some time. The HWP file that was last posted in April was inserted with a malicious link object inside, and it is the first time this year that a file inserted with malicious EPS was found. The file is also uploaded in VirusTotal, and judging by the fact that the filename is ‘test.hwp’ and ‘123.hwp,’ it is possible that the file was created for testing….

Coinminer Malware Distributed via Discord

While monitoring malware that is being distributed in Korea, the ASEC analysis team confirmed that coinminer malware was being distributed via Discord messenger. The attacker introduces a program that generates Robux, a currency used in a game called Roblox, for free in the following Discord chat room named “Free Robux Generator” and prompts the user to download it. Upon clicking the “Robux Generator – Download,” the compressed file shown below is downloaded. Upon decompressing the file, an executable named “robux…

RTF Malware Disguised as a Cover Letter for a Particular Airline

In early October, the ASEC analysis team has discovered an RTF file-based malware disguised as a cover letter for a particular airline. This is not a type of document file format that appears often as other document-type malware (Word, Excel, etc.), and RTF malware disguised as a particular document hasn’t been discovered in a long time. Filename used in distribution: ****Airline Cover Letter_.rtf An MS Office equation editor program EQNEDT32.EXE related vulnerability (CVE-2017-11882) was used for the RTF file, and…