NEMTY Ransomware v2.2 Spotted in Korea

On December 2, 2019, the ASEC Analysis Team spotted a new version of NEMTY ransomware, v2.2 updated from v2.0, being distributed in Korea. The new version keeps all the characteristics of the previous one: the distribution method (files disguised as a ‘resume’ or a ‘notice of illegal breach of the e-commerce act’), the excluded countries, the infection targets, and the excluded files and folders.

[Name of distributed files]
\강주경\이력서\포트폴리오.hwp.exe (translated: \Kang Ju-kyung\Resume\Portfolio.hwp.exe)
\강주경\이력서\이력서.hwp.exe (translated: \Kang Ju-kyung\Resume\Resume.hwp.exe)
\이시우\___\___.hwp.exe (translated: \Lee Si-woo\___\___.hwp.exe)
\장민우\___\___.hwp.exe (translated: \Jang Min-woo\___\___.hwp.exe)

The difference from the previous version is that the name…

Rapidly Changing Infection Method of BlueCrab Ransomware (feat. notepad.exe)

The AhnLab ASEC Analysis Team has been monitoring BlueCrab (=Sodinokibi) ransomware distributed as JavaScript via phishing download pages. The phishing download page masquerades as a page for downloading utilities and appears at the top of Google search results, as shown in Figure 1. This is a well-known technique that has frequently been used by other malware, including GandCrab ransomware. Although the JavaScript distribution method remains the same, a new change in the JavaScript code has been detected. Moreover, the pace of change is…

Be Careful with Excel File Disguised as ‘Wage Statement’ Distributed via Email

Users should be careful, as many spam emails carrying downloader malware targeting Korean companies have been distributed. The titles of the detected spam emails are “October Wage Statement” and “Estimate for XX”. These emails either attach Microsoft Excel document files named “QF001_1093_101819.xls” and “P001_102019_4472.xls” or direct users to a phishing webpage disguised as OneDrive that prompts them to download the malware. The sender is “Kim Sun-ah”, but the title and content are likely to change. When the malicious Excel file is opened, a screen prompts the user to enable macros. Once macros are allowed, the malicious macro executes, and a loading screen pops up while it runs. The macro…

New Stealer’s Suspicious Relationship with State-Sponsored Ryuk Ransomware?

AhnLab’s security analysts recently discovered a new stealer designed to steal personal information. Apart from the new stealer’s purpose and how it works, its similarities with the Ryuk ransomware also attracted attention. Ryuk ransomware, first found in 2018, is known to target specific countries. The new stealer searches infected systems for files that match specific conditions, such as extension, size, and name. It then checks whether certain keywords are present in those files and transmits them to the…

[Warning] Emotet Malware Distributed in the form of Document File

The AhnLab ASEC Analysis Team has confirmed that Word files containing a malicious VBA macro are being distributed to Korean users. The malicious VBA macro uses WMI to run PowerShell and download the Emotet malware. When the Word file is opened, users see the prompt shown below asking them to run the VBA macro. The prompting messages are being distributed in various forms, as seen in Figure 2. The distributed VBA macro is obfuscated with junk code and comments, as seen in Figure 3. Figure 4 shows the deobfuscated VBA macro. Our code analysis revealed that the currently distributed macro uses WMI (winmgmts:Win32_Process) to run PowerShell, whereas the VBA macro discovered in November 2018 used cmd. The PowerShell command executed via WMI is Base64-encoded, as seen…