Malware Information

Backdoor (*.chm) Disguised as Document Editing Software and Messenger Application

The ASEC analysis team confirmed that a backdoor disguised as document editing software and a messenger application widely used in Korea is being distributed in Korea through malicious CHM files. In March, the team twice covered on the ASEC blog malicious CHM files distributed in various forms. The malicious files discussed in this post execute additional malicious files through a process that differs from the previous cases. The names of some CHM files that are currently distributed…

Distribution of Malicious Word File Related to North Korea’s April 25th Military Parade

On April 29th, the ASEC analysis team discovered the distribution of a malicious Word file related to North Korea’s military parade. The distributor uploaded the file on a Korean web server which is assumed to have been breached. Besides the malicious Word file, the server also had 2 normal HWP files, likely used for distributing malicious HWP files with the OLE object or EPS vulnerability method. – [Analysis] North Korea’s Position on Use of Nuclear Weapons and Implications of Changes…

Word Files Related to Diplomacy and National Defense Being Distributed

The ASEC analysis team has discovered the continuous distribution of malicious Word files with North Korea-related file names. The Word files contain malicious VBA macro code and are the same file type introduced in <Discovery of Continuous Distribution of North Korea-related Malicious Word Files>. The names of the recently discovered files are as follows: 220426-North Korea’s Diplomatic Policy and Our Responses(Professor Jeong).doc (April 26th) North Korea’s Diplomatic Policy and Our Responses.doc (April 26th) China’s Diplomatic Policy and…

ASEC Weekly Malware Statistics (April 18th, 2022 – April 24th, 2022)

The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post lists weekly statistics collected from April 18th, 2022 (Monday) to April 24th, 2022 (Sunday). For the main categories, info-stealers ranked top with 70.5%, followed by RATs (Remote Administration Tools) with 17.8%, downloaders with 7.4%, banking malware with 1.8%, and ransomware with 2.5%. Top 1 – AgentTesla AgentTesla is an info-stealer that ranked first with 27%. It is an info-stealer…

New Malware of Lazarus Threat Actor Group Exploiting INITECH Process

The AhnLab ASEC analysis team has discovered that 47 companies and institutions, including defense companies, were infected with malware distributed by the Lazarus group in the first quarter of 2022. Considering the severity of the situation, the team has been monitoring the infection cases. In the systems of the infected organizations, the malicious behaviors were found to stem from a process belonging to the security company INITECH (inisafecrosswebexsvc.exe). The team initially secured the following information on inisafecrosswebexsvc.exe from the…