Malware Information

Elbie Ransomware Being Distributed in Korea

The ASEC analysis team has identified through internal monitoring that the Elbie ransomware is being distributed under the disguise of ieinstal.exe, an Internet Explorer Add-on installation program. The initial executable decodes the internal data into an executable that performs the actual ransomware behavior (See Figure 2). Afterward, the decoded executable is injected into the process which has run recursion, and it checks whether the user PC uses the VM environment. The injected and executed ransomware drops a copy into the…

AgentTesla Being Distributed via VBS

The ASEC analysis team has recently identified that AgentTesla is being distributed through malicious VBS. The script file has multiple codes that have been obfuscated multiple times. AgentTesla has been found to be distributed last May through a Windows Help file (*.chm), and it seems that its distribution method is continuously changing. The VBS script is distributed as an attachment to emails. Recently, emails impersonating those from Korean corporations have also been identified. The compressed file contains the VBS, and…

A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique

In the ASEC blog post uploaded on April 2022 (New Malware of Lazarus Threat Actor Group Exploiting INITECH Process, https://asec.ahnlab.com/en/33801/), the team discussed the fact that the Lazarus attack group had been exploiting the INITECH process to infect systems with malware.  This article aims to cover the details of the Lazarus group using the watering hole technique to hack into systems before exploiting the vulnerability of the MagicLine4NX product from Dream Security in order to additionally hack into systems in…

Qakbot Malware Being Distributed in Korea

The ASEC analysis team has identified the Qakbot malware that was introduced in the past is being distributed to Korean users. The overall operation process, including the fact that it uses ISO files, is similar to the previous version, but a process to bypass behavior detection was added. The email distributed to Korean users is as shown below. It has hijacked a normal existing email and replied to it with a malicious file in the attachment, and this distribution process…

CoinMiner Being Installed on Vulnerable Apache Tomcat Web Server

The ASEC analysis team has recently identified attacks targeting vulnerable Apache Tomcat web server. The Tomcat server that has not been updated to the latest version is one of the major attack vectors that exploit vulnerabilities. In the past, the ASEC blog has also covered attacks targeting Apache Tomcat servers with the vulnerable JBoss version installed. The attackers used JexBoss, a vulnerability exploitation tool, to install a WebShell before gaining control over the target system with the Meterpreter malware. Ordinarily,…