Rapidly Changing Infection Method of BlueCrab Ransomware (feat. notepad.exe)

AhnLab ASEC Analysis Team has been monitoring BlueCrab (= Sodinokibi) ransomware distributed in the form of JavaScript via a phishing download page. The phishing download page masquerades as a page for downloading utilities and appears at the top of Google search results, as shown in Figure 1. This is a well-known technique that has been

Be Careful with Excel File Disguised as ‘Wage Statement’ Distributed via Email

Users should be careful, as many spam emails carrying downloader malware and targeting Korean companies have been distributed. The titles of the detected spam emails are “October Wage Statement” and “Estimate for XX”. These spam emails attach Microsoft Excel document files named “QF001_1093_101819.xls” and “P001_102019_4472.xls” or direct to

New Stealer’s Suspicious Relationship with State-Sponsored Ryuk Ransomware?

AhnLab’s security analysts recently discovered a new stealer designed to steal personal information. Apart from the new stealer’s purpose and how it works, its similarities with the Ryuk ransomware also drew attention. Ryuk ransomware, first found in 2018, is known to target specific countries. The new stealer searches for

[Warning] Emotet Malware Distributed in the form of Document File

AhnLab ASEC analysis team has confirmed that Word files containing a malicious VBA macro are being distributed to Korean users. The malicious VBA macro uses WMI to run PowerShell and download the Emotet malware. When the Word file is opened, users see the figure below, which prompts them to run the VBA macro. Prompting messages are being

Trick or Treat! Corporate targeting Trickbot

Trickbot, originally a banking Trojan, aims to collect and leak confidential corporate information. Recently, attackers have distributed fake Word files and obfuscated scripts to trick corporate users into downloading the Trickbot downloader. Therefore, extra caution is required to avoid downloading Trickbot. When the user opens the Word document attachment in

Operation of SMB Vulnerability, Fileless WannaMine

The distribution methods of CoinMiner have become more diverse. In early 2019, AhnLab ASEC Analysis Team introduced a CoinMiner that exploits the SMB vulnerability (MS17-010, EternalBlue) for distribution. Recently, it was confirmed that a fileless CoinMiner malware named “WannaMine” exploits not only SMB vulnerabilities for distribution, but also Windows Management Instrumentation (WMI), ADMIN$ shared

Discovery of the Ammyy RAT and CLOP Ransomware

A recent rise in attacks using malicious macros in attachments has been spotted in South Korea. In February 2019, a remote control hacking tool called Flawed Ammyy RAT began to be distributed through email attachments. This hacking tool has been active since 2016 and has been distributed worldwide via email.

Analysis on the Malicious SDB File Found in Ammyy Hacking Tool

Early this year, there was a major distribution of Clop ransomware, mainly targeting Korean government agencies. Clop ransomware, distributed using a hacking tool called ‘Ammyy,’ differs from common ransomware in that it attacks only after a period of latency. Since the end of May 2019, Clop ransomware has emerged again with the sudden

A Closer Look at the FlawedAmmyy’s New Attack Style

Clop ransomware made a full appearance early this year, mainly targeting Korean organizations and corporations. In addition to being a targeted ransomware, Clop ransomware uses a hacking tool called FlawedAmmyy RAT (Remote Access Trojan). Despite the boom of Clop ransomware since the end of May, the spread of FlawedAmmyy RAT has

CLOP Ransomware Is Distributed in Various Format

AhnLab ASEC has pointed out on our blog that the same certificate is used in the distribution process of Ammyy, the Ammyy backdoor, and CLOP ransomware. In this article, we would like to give a comprehensive view from distribution to infection. Figure 1 below outlines the general structure of the ransomware flow, which