Malware Information

New Dynamic Bypass Technique Working in Certain Environments Only

While monitoring malware being actively distributed, the ASEC analysis team discovered a new dynamic analysis bypass technique. To avoid detection, much of the malware being distributed first checks its execution environment, and if the environment matches a certain condition, it crashes rather than activating. The technique introduced in this post uses a specific assembly instruction and checks whether a large block of memory can be allocated. 1. AVX support availability (VXORPS instruction) If a malware sample that uses the ‘VXORPS’ instruction…

Attack Technique that Utilizes the Differences Between the Extraction Methods of Each Compressor (Prompting Use of WinRAR)

On March 23, the ASEC analysis team found that abnormal malicious archive files were being distributed via email. The attachment has a ZIP extension, but the email prompts the user to extract it with a specific decompressor using the message “Use Winrar.” Distributing archived malware via email is a known method. As shown by the highlighted text (Use Winrar) in Figure 1, this email prompts the user to decompress the file with ‘WinRAR.’ Two samples distributed this way have been…

Increase in the Frequency of Attacks Toward Defense Companies by Lazarus Group

Since last month, attacks against defense companies by the Lazarus group have been increasing. They use Office Open XML Word document files (Microsoft Office Word) for their attacks. (Sample source: Twitter post)
Senior_Design_Engineer.docx – UK BAE Systems (Received in May)
Boeing_DSS_SE.docx – US Boeing (Received in May)
US-ROK Relations and Diplomatic Security.docx – KR ROK (Received in April)
The document files connect to an external address and download additional document files (*.dotm, Word Macro-Enabled Template). The downloaded additional…

Distribution of Excel File with Malicious Macro Hidden ‘Deeper’ – very hidden

By AhnLab ASEC Analysis Team, March 11, 2020. An Excel file that uses a new method to hide a malicious macro has been discovered. This file uses an Excel 4.0 (XLM) macro sheet and departs from the previous method of simply hiding the malicious macro sheet. Now the hidden state cannot be removed through the normal user interface. Because it does not use the VBA macro code method and…

Distribution of Bisonal Malware Disguised as Emergency Contacts of Shincheonji Church of Jesus (March 5, 2020)

The ASEC analysis team has found malware being distributed in Korea that is disguised as Shincheonji-related material. On the surface, the filenames of the distributed files appear to be .xlsx (Excel) or .ppt (PowerPoint) document files, but this is due to the use of the RLO (Right-to-Left Override) method, which causes the filename to be displayed in a different format, *.scR. The actual extension of the malware is *.scr. Distributed Unicode RLO-modified malicious files: Shincheonji Church of Jesus Emergency…