Malware Information

APT Attack Being Distributed as Windows Help File (*.chm)

The ASEC analysis team has recently discovered the distribution of malware disguised as a Windows Help File (*.chm), specifically targeting Korean users. The CHM file is a compiled HTML Help file that is executed via the Microsoft® HTML help executable program. The recently discovered CHM file downloads additional malicious files when run. A window that contains ordinary content is shown during this process, tricking the user into thinking that the file may not be malicious. The malware is compressed and…

BitRAT Disguised as Windows Product Key Verification Tool Being Distributed

The ASEC analysis team has recently discovered BitRAT which is being distributed via webhards. Because the attacker disguised the malware as Windows 10 license verification tool from the development stage, users who download illegal crack tools from webhard and install it to verify Windows license are at risk of having BitRAT installed into their PC. The following shows a post that was uploaded to webhard, one that harbors the malware. The title is [New][Quick Install]Windows License Verification[One-click]. A compressed file…

ASEC Weekly Malware Statistics (March 7th, 2022 – March 13th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from March 7th, 2022 (Monday) to March 13th, 2022 (Sunday). For the main category, info-stealer ranked top with 71.2%, followed by RAT (Remote Administration Tool) with 12.4%, downloader with 6.8%, banking malware with 5.9%, ransomware with 2.7%, and backdoor with 0.3%. Top 1 – AgentTesla AgentTesla is an infostealer that ranked first place with 29.4%….

Malicious Word Files Disguised as Product Introduction

The ASEC analysis team has discovered a word document that is in the same category as the document introduced in the post <Word File Disguised as a Design Modification Request for Information Theft>, uploaded in December last year. The title of the document confirmed in this case is ‘Product Introduction.doc’. Given that the document includes descriptions for certain products, the attacker likely targeted companies related to distribution and shopping. The document contains an image that is the same as the…

Gh0stCringe RAT Being Distributed to Vulnerable Database Servers

The ASEC analysis team is constantly monitoring malware distributed to vulnerable database servers (MS-SQL, MySQL servers). This blog will explain the RAT malware named Gh0stCringe[1]. Gh0stCringe, also known as CirenegRAT, is one of the malware variants based on the code of Gh0st RAT. It was first discovered in December 2018, and it is known to have been distributed via SMB vulnerability (using the SMB vulnerability tool of ZombieBoy).[2] Since then, no direct relationship has been found, but it was mentioned…