Malware Information

Distribution of Malware via Resume/Copyright-Related Emails (Ransomware, Infostealer)

ASEC analysis team has confirmed the malware under the disguise of a resume is still being distributed. This time, it disguised as resume and copyright-related files. The file that is being recently distributed also takes the form of NSIS (Nullsoft Scriptable Install System) and is being distributed under various filenames as translated below. Outline on the original image (the image I created) and the image you are currently using.exe You have violated copyright laws and here is the summary of…

Distribution of Malware Disguised as ‘2021 Ministry of National Defense Work Report Revised’

On January 24, ASEC discovered the distribution of malware disguised as ‘2021 Ministry of National Defense Work Report Revised.’ As shown below, the extension of the distributed malware is *.pif, but it is an executable file just like the EXE extension. Once run, a file that is identical to that of a PDF document file accessible on the website of Ministry of National Defense is shown to the user. However, it is designed to run malware (DLL format) along with…

BlueCrab Ransomware Installing Hacking Tool CobaltStrike in Corporate Environments

The ASEC analysis team confirmed that during the BlueCrab ransomware (=Sodinokibi, REvil) infection process, which is distributed in JS form, the CobaltStrike hacking tool was distributed under certain conditions. CobaltStrike hacking tool is a limited tool used for mock hacking test purposes under legitimate purposes; however, it has been actively used in malware since the recent source code leak. Since recently confirmed BlueCrab ransomware distribution JS file checks the corporate Active Directory (AD) environment and installs the CobaltStrike hacking tool…

BlueCrab Ransomware’s Continuous Attempts to Bypass Detection

BlueCrab Ransomware (=Sodinokibi Ransomware) is a ransomware that is being vigorously distributed to Korean users. It distributes through a fake forum web page created using various search keywords. The infection process begins at the moment when a user runs the JS file downloaded from the distribution page. The distribution page appears in the front pages of a search engine, allowing it to be easily accessible. Because of this, cases of infection are being continuously reported by users. ASEC analysis team…

Caution – Emails with the Title ‘Request for Purchase Order’ being Distributed to Companies

Multiple malicious emails with the title ‘Request for Purchase Order’ are being distributed to multiple companies. These spam mail attacks, which were first distributed in the second half of last year to random companies with the purpose of stealing user account, are still being distributed. To steal a user’s company email account, the attacker either prompted the users to access a phishing web page, or distributed executable of Lokibot, the info-stealer malware. So far, two titles are found in the…