Distribution of Hangul Word Processor File (HWP) during Academic Conference Season in Korea

In May, the ASEC analysis team shared details of Hangul Word Processor (HWP) file malware being distributed across various fields (see the blog post below). In the past it was distributed under titles related to 'real estate'; the malware circulating today instead uses titles related to theses and other academic items

Analysis of Connection Between Malicious Hangul Word Processor Files (.hwp) by Theme

In the previous post, ASEC shared how the titles of the distributed malicious HWP files changed over the course of three months. This post is a follow-up to that one and sheds some light on new information about the relationship between title categories. Connection between

Distribution of HWP Malware via Real-estate Investment Emails (Uses EPS)

The distribution of malicious HWP files, which has been increasing since April, is still ongoing. In this post, ASEC explains the Hangul Word Processor file (.hwp) disguised as a real-estate investment email (received last week) that is currently being distributed. Once a user opens the Hangul Word Processor

Distribution of Malware Using Word File Disguised as Coin Company Recruitment Table Document

On May 8, the AhnLab ASEC analysis team published a post on the distribution of malware that stole a certificate from a Korean gaming company. Since then, AhnLab ASEC has confirmed the distribution of a modified variant of the same malware. These files are using a variety of

Malware Stealing Certificate from Major Korean Game Company Spread via Document File

Last month, the ASEC analysis team published a blog post about malware disguised as a bonus payment invoice (see the link below). Another malware of the same type was found recently, and AhnLab is sharing more information about it in this post. The document has a history of distribution via email. The

Increase in the Frequency of Attacks Toward Defense Companies by Lazarus Group

Since last month, attacks against defense companies by the Lazarus group have been increasing. They use Office Open XML (.docx) Microsoft Word documents for their attacks. (Sample source: Twitter post) Senior_Design_Engineer.docx – UK BAE Systems (received in May) Boeing_DSS_SE.docx – US Boeing (received in May) US-ROK Relations

GandCrab v5.2 with Different Encryption Technique per Extension

As discussed in a number of our previous posts, GandCrab has been distributed in many different ways. GandCrab has kept transforming itself by updating its version, and the latest is v5.2. AhnLab ASEC discovered that its method of checking the extension of an encryption target and performing the encryption is different from

[Caution] makop Ransomware Disguised as a Resume (April 13)

On April 13, the ASEC analysis team discovered makop ransomware disguised as a resume. It is distributed as an archive attached to an email; the archive contains an executable (.exe) that carries a Hangul Word Processor (.hwp) file icon. The filename of the distributed file

Kimsuky Group launched Attack during South Korean Legislative Election Period

Yesterday (April 9, 2020), AhnLab revealed that malware in the form of an election-related document is being distributed. When the file is run on its own it is difficult to tell whether it is a genuine election-related document, but we found that this can be checked via the macro of another document

New NEMTY Ransomware v3.1 Being Distributed in Korea (April 1, 2020)

On April 1, AhnLab ASEC detected the distribution of NEMTY REVENUE 3.1, an updated version of the NEMTY ransomware. As with the previous version, the malware was distributed as an email attachment. The detected filenames are 'resume', 'portfolio', and 'breach of electronic commerce act', which are hardly changed from the previous