Malware Information

Malicious Word Files Disguised as Product Introduction

The ASEC analysis team has discovered a Word document in the same category as the one introduced in the post <Word File Disguised as a Design Modification Request for Information Theft>, uploaded in December last year. The title of the document confirmed in this case is ‘Product Introduction.doc’. Given that the document includes descriptions of certain products, the attacker likely targeted companies related to distribution and shopping. The document contains an image that is the same as the…

Gh0stCringe RAT Being Distributed to Vulnerable Database Servers

The ASEC analysis team is constantly monitoring malware distributed to vulnerable database servers (MS-SQL, MySQL servers). This blog post will explain the RAT malware named Gh0stCringe[1]. Gh0stCringe, also known as CirenegRAT, is one of the malware variants based on the code of Gh0st RAT. It was first discovered in December 2018, and it is known to have been distributed via an SMB vulnerability (using the SMB vulnerability tool of ZombieBoy).[2] Since then, no direct relationship has been found, but it was mentioned…

ASEC Weekly Malware Statistics (February 28th, 2022 – March 6th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 28th, 2022 (Monday) to March 6th, 2022 (Sunday). For the main category, info-stealer ranked top with 67.0%, followed by RAT (Remote Administration Tool) malware with 19.0%, downloader with 6.8%, banking malware with 4.1%, ransomware with 2.7%, and backdoor with 0.5%.

Top 1 – Formbook

Formbook is an infostealer that ranked first place with 28.1%….

Infostealer Being Distributed via YouTube

The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, uploaded the following video with the download link for the malware, and then guided the user to turn off the anti-malware program. The team has introduced another case of distribution disguised as a game hack or crack via YouTube in a previous ASEC blog post. [ASEC Blog] RedLine Infostealer Being Distributed via YouTube When…

Malicious HWP File Disguised as Press Release of 20th Presidential Election Early Voting for Sailors Being Distributed

The ASEC analysis team has discovered the distribution of a malicious HWP file disguised as “Press Release of 20th Presidential Election Early Voting for Sailors” as the presidential election draws near. The attacker distributed the malicious HWP file on February 28th, and though the team could not obtain the file itself, according to AhnLab’s ASD (AhnLab Smart Defense) infrastructure log it appears that this file runs a batch file through the internal OLE object to execute PowerShell. Filename used in distribution:…