Malware Information

njRAT Being Distributed via Webhards

Webhards are platforms used to distribute malware, mainly by attackers who target Korean users. The ASEC analysis team has been monitoring malware types distributed through webhards and has uploaded multiple blog posts about them in the past. Various types of malware have been used recently, such as UdpRat or DDoS IRC Bot developed with GoLang, but njRAT was used in multiple attacks in the past. njRAT Malware Distributed via Major Korean Webhard File Sharing…

Distribution of Remcos RAT Disguised as Tax Invoice

The ASEC analysis team has discovered Remcos RAT being distributed under the disguise of a tax invoice. The content and the type of phishing email are similar to the type that has been consistently discussed in previous blogs. The email contains a short message written in awkward grammar. As users who are doing tax-related work may run the executable without a second thought about what’s written within the email, caution is advised. Upon decompressing the attachment ‘Tax.gz’, an…

ASEC Weekly Malware Statistics (February 21st, 2022 – February 27th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 21st, 2022 (Monday) to February 27th, 2022 (Sunday). For the main category, info-stealer ranked top with 77.9%, followed by RAT (Remote Administration Tool) malware with 15%, downloader with 2.9%, ransomware with 2.1%, banking malware with 1.7%, and backdoor with 0.4%. Top 1 – Formbook Formbook is an infostealer malware that ranked first place with…

Magniber Disguised as Normal Windows Installer (MSI) Being Redistributed (February 22nd)

On the morning of February 22nd, the ASEC analysis team discovered the redistribution of Magniber disguised as a normal Windows Installer (MSI) instead of the previous Windows app (APPX). The distributed Magniber files have MSI as their extension and are disguised as Windows update files: Critical.Update.Win10.0-kb4215776.msi, Critical.Update.Win10.0-kb6253668.msi, Critical.Update.Win10.0-kb5946410.msi. MSI package files are install frameworks that are also used for normal Windows updates. The malware was distributed by including the Magniber ransomware DLL within the MSI package file. By default, MSI…

Change in Distribution Method of Malware Disguised as Estimate (VBS Script)

Last year, the ASEC analysis team discovered the distribution of Formbook that used a certain company’s name in its filename. Recently, the team has discovered that it is being distributed via a VBS file. The email used for distribution still contains details about a request for an estimate, and by using a certain company’s name in the attachment, it prompts the user to execute it. The compressed file attached to the email does not contain an executable but a VBS…