Trick or Treat! Corporate targeting Trickbot Posted By jaemanshin , September 11, 2019 Trickbot, orginally a banking Trojan, aims to collect and leak corporate confidential information. Recently, attackers have distributed fake Word files and obfuscated scripts to trick corporate users in downloading the Trickbot downloader. Thereby, extra attention is required to prevent downloading Tickbot. When the user opens the Word document attachment in the email, it will tell the user to click the “Enable Content” button with the message, “Document created in the previous version,” as shown in Figure 1. However, this is…
Operation of SMB Vulnerability, Fileless WannaMine Posted By jaemanshin , September 6, 2019 A distribution method of CoinMiner has become more diversified. In early 2019, AhnLab ASEC Analysis Team introduced CoinMiner that exploits SMB vulnerability(MS17-010 EternalBlue) for distribution. Recently, it was confirmed that a fileless CoinMiner malware named “WannaMine” exploits not only SMB vulnerabilities for distribution, but also Windows Management Instrumentation (WMI), ADMIN$ shared folders, remote service registration and operation through SMB. Figure 1 describes the overall process of WannaMine. Figure 1. Process of WannaMine (To be translated) When the “sysupdater0.bat” file is executed…
Discovery of the Ammyy RAT and CLOP Ransomware Posted By jaemanshin , September 2, 2019 A recent rise in attacks using malicious macros in attachments has been spotted in South Korea. In February 2019, a remote control hacking tool called Flawed Ammyy RAT began to be distribute through email attachments. This hacking tool has been active since 2016 and has been distributed worldwide via email. It was mainly mentioned in the media in 2018. Also, a variant of the Cryptomix ransomware, CLOP, was discovered at a similar time. CLOP is a new variant that had…
Analysis on the Malicious SDB File Found in Ammyy Hacking Tool Posted By jaemanshin , September 2, 2019 Early this year, there was a major distribution of Clop ransomware, mainly targeting Korean government agencies. Clop ransomware distributed using a hack tool called ‘Ammyy,’ is unlike common ransomware and attacks after a period of latency. Since the end of May 2019, Clop ransomware has emerged again with the sudden increase in the distribution of Ammyy hack tool. While analyzing Ammyy, ASEC found a malware utilizing the SDB (Shim Database) file, created during the installation and uninstallation of Ammyy. Let’s…
A Closer Look at the FlawedAmmyy’s New Attack Style Posted By jaemanshin , August 9, 2019 Clop ransomware made a full appearance early this year, mainly targeting Korean organizations and corporations. In addition to being targeted ransomware, Clop ransomware uses a hacking tool called FlawedAmmyy RAT (Remote Access Trojan). Despite the boom of Clop ransomware since the end of May, the spread of FlawedAmmyy RAT has only recently surged. In particular, it has been targeting local companies, as shown in the following example. Distributed in early morning disguised as a work-related emailIn August, FlawedAmmyy was distributed to local organizations and corporations via email spamming disguised as a work-related email. Simultaneously, similar spam emails were distributed globally to various users. Spam email targeting local companies disguised itself as ‘Scan file’ and attached a word file named ‘Scan_…
