Increase in the Frequency of Attacks Toward Defense Companies by Lazarus Group Posted By AhnLab_en , May 8, 2020 Since last month, attacks against defense companies by the Lazarus group have been increasing. The attackers use Office Open XML (.docx) documents for Microsoft Word as the lure. (Sample source: Twitter post)
Senior_Design_Engineer.docx – UK BAE Systems (Received in May)
Boeing_DSS_SE.docx – US Boeing (Received in May)
US-ROK Relations and Diplomatic Security.docx – KR ROK (Received in April)
When opened, the documents connect to an external address and download additional document files (*.dotm, Word Macro-Enabled Template). The downloaded additional…
GandCrab v5.2 with Different Encryption Technique per Extension Posted By jaemanshin , April 15, 2020 As discussed in a number of our previous posts, GandCrab has been distributed in different ways. GandCrab has kept changing through version updates, and the latest version is v5.2. AhnLab ASEC found that the way it checks the extensions of encryption targets and performs the encryption differs from the previous version. GandCrab v5.2 manages its extension list as three separate groups, shown below. Figure 1 – List of extensions in 3 groups As mentioned, a file whose extension matches the first list is excluded from encryption. The second list appears to be a decoy, since the result of the comparison is never used anywhere in the internal code. Thus,…
[Caution] makop Ransomware Disguised as a Resume (April 13) Posted By AhnLab_en , April 13, 2020 On April 13, the ASEC analysis team discovered makop ransomware being distributed disguised as a resume. It is distributed as an archive attached to an email; inside the archive is an executable (.exe) carrying a Hangul Word Processor (.hwp) file icon. The filename of the file observed on the same day contained an unnatural-sounding sentence with awkward word spacing, which suggests that the malware distributor is not a fluent Korean…
Kimsuky Group launched Attack during South Korean Legislative Election Period Posted By AhnLab_en , April 10, 2020 Yesterday (April 9, 2020), AhnLab revealed that malware in the form of an election-related document was being distributed. When the file is run on its own it is hard to tell whether it is a genuine election-related document, but we found that its content can be viewed via the macro of another document file. Since the content can be viewed only under specific conditions, the attacker is assumed to have targeted specific systems. This malware was confirmed to be an attack carried out…
New NEMTY Ransomware v3.1 Being Distributed in Korea (April 1, 2020) Posted By AhnLab_en , April 2, 2020 On April 1, AhnLab ASEC detected the distribution of NEMTY REVENUE 3.1, an updated version of the NEMTY ransomware. As with the previous version, the malware was distributed as an email attachment. The detected filenames, ‘resume’, ‘portfolio’ and ‘breach of electronic commerce act’, are hardly changed from the previous version.
Request for the retention of data processing and nontranscriptional resource (20200401)_retain resource to prevent unjust gain.exe
Notice on violation of electronic commerce act_retain resource to prevent unjust gain.exe
Resume_Kim…