Lazarus Group Targeting Windows IIS Web Servers Posted By muhan , May 23, 2023 AhnLab Security Emergency response Center (ASEC) has recently confirmed the Lazarus group, a group known to receive support on a national scale, carrying out attacks against Windows IIS web servers. Ordinarily, when threat actors perform a scan and find a web server with a vulnerable version, they use the vulnerability suitable for the version to install a web shell or execute malicious commands. The AhnLab Smart Defense (ASD) log displayed below in Figure 1 shows that Windows server systems are…
DarkCloud Infostealer Being Distributed via Spam Emails Posted By Sanseo , May 23, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered the DarkCloud malware being distributed via spam email. DarkCloud is an Infostealer that steals account credentials saved on infected systems, and the threat actor installed ClipBanker alongside DarkCloud. 1. Distribution Method The threat actor sent the following email to induce users to download and execute the attachment. The contents of this email prompt users to check the attached copy of the payment statement sent to the company account. When the attachment…
Kimsuky Group Using Meterpreter to Attack Web Servers Posted By Sanseo , May 22, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of malware targeting web servers by Kimsuky group. Kimsuky is a threat group deemed supported by North Korea and has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a Korean energy corporation in 2014. Since 2017, their attacks have been targeting countries other than South Korea as well. [1] ASEC has been providing the analysis of various cases of Kimsuky…
Distribution of Remcos RAT Exploiting sqlps.exe Utility of MS-SQL Servers Posted By AhnLab_en , May 22, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered the case of Remcos RAT being installed on poorly managed MS-SQL servers. Unlike the past attack, the recent case showed the threat actor using sqlps to distribute the malware. Sqlps is SQL Server PowerShell and is included in the SQL Server installation procedure[1]. SQL Server Powershell allows users to use the Powershell cmdlet which is needed to manage SQL Server instances. The attacker exploited this trait in distributing the malware. Figures 1…
Kimsuky Group’s Phishing Attacks Targetting North Korea-Related Personnel Posted By AhnLab_en , May 22, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered that the Kimsuky group had created a webmail website that looks identical to certain national policy research institutes. Earlier this year, ASEC had covered similar issues in the posts ‘Web Page Disguised as a Kakao[1]/Naver[2] Login Page’. The previous attacker set the fake login page with autocompleted IDs of trade, media, and North Korea-related individuals and organizations. In addition to that, the recently discovered web page used a similar tactic of…
