Malware Information

ASEC Weekly Malware Statistics (February 14th 2022 – February 20th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 14th, 2022 (Monday) to February 20th, 2022 (Sunday). For the main category, info-stealer ranked top with 74.5%, followed by RAT (Remote Administration Tool) malware with 17.4%, banking malware with 3.9%, ransomware with 2.1%, and downloader with 2.1%. Top 1 – AgentTesla AgentTesla ranked first place with 34.8% once again. It is an info-stealer…

Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers (2)

The ASEC analysis team has uploaded a post on February 21st about distribution of Cobalt Strike via vulnerable MS-SQL servers. As for the current case, the distributed Cobalt Strike had a different process tree compared to the previous distribution method. The current distribution method has the server-related process sqlservr.exe run cmd.exe through a vulnerability similar to the previous method, but it uses mshta.exe and rundll32.exe to run Cobalt Strike in a fileless form. The attacker executed the mshta.exe process through…

LockBit Ransomware Being Distributed Using Resume and Copyright-related Emails

The ASEC analysis team has recently discovered ransomware that is being distributed emails after disguising itself as resumes or copyright-related claims. The malicious emails with such content have been steadily distributed from the past. Unlike previous emails that distributed Makop ransomware, current cases have LockBit instead. Makop Ransomware Distributed As Copyright Violation Related Materials Makop Ransomware Disguised as Resume Being Distributed in Korea The emails that are confirmed for the distribution of malware have compressed files with passwords. As shown…

Increased Phishing Attacks Disguised as Microsoft

The ASEC analysis team has recently discovered phishing emails disguised as Microsoft login pages. As shown in the figure below, one of the collected samples is disguised as the company’s voice message to prompt users to click the attached playback file. Clicking the file redirects users to a phishing webpage disguised as a Microsoft login page. Another sample is an attachment disguised as a file that is sent with a scanner, prompting users to click the attachment. Again, clicking the…

APT Attack Attempts Disguised as North Korea Related Paper Requirements (Kimsuky)

The ASEC analysis team has recently discovered the distribution of malicious Word (DOC) files to graduate school professors that are disguised as North Korea-related paper requirements. The name of the Word file is shown below. The term ‘KIMA’ mentioned in the filename is the name of the monthly magazine specializing in the field of security, national defense, and military, published by Korea Institute for Military Affairs. March Monthly KIMA Paper_Requirements.doc The attacker performed spear-phishing attacks targeting professors of certain universities….