Others

Change in Magniber Ransomware (*.msi → *.cpl) – July 20th

Since February 2022, Magniber has been using a Windows installer package file (.msi) instead of IE browser vulnerability for its distribution. The ransomware includes a valid certificate and was distributed as DLL form inside the MSI file. However, starting from July 20th (Wednesday), it is now being distributed as a CPL file extension instead of MSI. As the cases of using an MSI file for distribution are decreasing, the attacker of Magniber likely has changed the method of distribution. (July…

Why Remediation Alone Is Not Enough When Infected by Malware

In January 2022, a prominent Korean company in the manufacturing industry had many of its internal systems infected by the Darkside ransomware. As the ransomware was found to be distributed using the AD group policy, AhnLab attempted to conduct a DC server forensic analysis. However, as the virtual environment operating system of the DC server operating in the virtual environment was damaged, the server could not be secured. Among the systems that were restored by the previous backup after the infection,…

BitRAT Disguised as Officer Installer Being Distributed

The ASEC analysis team previously uploaded a post about BitRAT that was distributed under the disguise of Windows OS license verification tool. The BitRAT is now being distributed as Office Installer with different files, preying upon potential victims. The following image shows a post that contains the malware. It is titled, [New][Cheap]Office 2021 Installer + Permanent License Verification. The downloaded file is a compressed file named ‘Program.zip’, just like the one introduced in the previous blog post (see Figure 3…

Distribution of Magniber Ransomware Stops (Since February 5th)

The ASEC analysis team constantly monitors ‘malvertising’ which is a term for the distribution of malware via browser online advertisement links. The team has recently discovered that Magniber ransomware, a typical malware distributed via malvertising has stopped its distribution. The malvertising distribution method of Magniber in Internet Explorer is to attempt at infecting the target by only accessing via a vulnerability, and in Chromium-based browsers (E.g. Edge, Chrome), it disguises itself as a browser update installer (.appx) and prompts the…

Case of Infection With Lockis Ransomware in a Company, Caused by Not Using Anti-Malware’s Lock Policy

Around November, one of AhnLab’s clients suffered an infection from the Lockis ransomware to several of their servers. As the targeted company suffered a malware infection despite the fact it was using the anti-malware program V3, AhnLab A-FIRST conducted a forensic analysis to find out the cause of infection.  As stated in “ASEC Blog: Hacking Tool Used Together With Lockis Ransomware,” the Lockis ransomware is a variant of the GlobeImposter ransomware that first appeared on September 16th. AhnLab has been…