Malware Information

Malicious Help File Disguised as COVID-19 Infectee Notice Being Distributed in Korea

The ASEC analysis team introduced readers to malware that takes the form of a Windows help file (*.chm) about two weeks ago. The malicious CHM file that was recently discovered is disguised as a notice for people infected with COVID-19 and is being distributed to Korean users. The attacker is probably distributing the file in such a form because Korea has recently seen a surge in COVID-19 case numbers. The name of the file that is being distributed is shown…

Malicious Word Documents Using MS Media Player (Impersonating AhnLab)

Last week, the ASEC analysis team uploaded a post named “Malicious Word File Targeting Corporate Users Being Distributed” that contained information about a malicious Word file. Currently, documents of the same type are being distributed with text that impersonates AhnLab. The Word files confirmed this time download another Word file containing a malicious VBA macro via an external URL and run it. Another difference is that the additionally downloaded Word file uses the Windows Media Player() function instead of AutoOpen() to…

APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky)

At the beginning of March this year, a wildfire broke out in the Samcheok and Uljin area, and numerous people from all over Korea donated to help the victims and repair the damage. Amid this situation, the ASEC analysis team discovered the attacker’s attempt to launch APT attacks disguised as donation receipts for the Uljin wildfire. The file was created on March 28th, and its author’s name is the same as the author (Acer) that was introduced in the…

APT Attack Disguised as Resume Template for North Korean Defectors (VBS Script)

The ASEC analysis team has recently discovered that a malicious info-leaking VBS is being distributed via phishing email disguised as North Korea-related material. The email is about casting calls for a North Korea-related broadcast, and a compressed file is attached to it. It asks the readers to fill out the resume, prompting them to run the file. The compressed file contains a malicious VBS script file. The activities of ‘2022 Resume Template.vbs’ are as follows: Collects and sends information; Creates…

ASEC Weekly Malware Statistics (March 21st, 2022 – March 27th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from March 21st, 2022 (Monday) to March 27th, 2022 (Sunday). For the main category, info-stealer ranked top with 75.4%, followed by RAT (Remote Administration Tool) with 16.7%, downloader with 4.8%, banking malware with 2.4%, and ransomware with 0.8%.

Top 1 – AgentTesla

AgentTesla ranked first place with 25.4%. It is an info-stealer that leaks user credentials…