Follina Vulnerability (CVE-2022-30190) Attack Using ‘Antimicrobial Film Request’ File

On June 7th, the ASEC analysis team swiftly uploaded a brief introduction of a zero-day vulnerability for Microsoft Office files (Follina). As the patch for the vulnerability is not distributed yet, users are advised to take caution. Caution! Microsoft Office Zero-day Vulnerability Follina (CVE-2022-30190) AhnLab has distributed a detection rule for attack attempts exploiting the vulnerability from the perspectives of file and behavior detections. The vulnerability can be detected by various AhnLab products (V3, MDS, and EDR). While the team…

ASEC Weekly Malware Statistics (May 30th, 2022 – June 5th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 30th, 2022 (Monday) to June 5th, 2022 (Sunday). For the main category, info-stealer ranked top with 89.9%, followed by RAT (Remote Administration Tool) malware with 8.5%, and ransomware, downloader, banking malware with 0.5% each. Top 1 – Formbook Formbook ranked first place with 33.7%. Like other info-stealer, it is mainly distributed through…

CHM Malware Types with Anti-Sandbox Technique and Targeting Companies

Among CHM strains that are recently being distributed in Korea, the ASEC analysis team has discovered those applied with the anti-sandbox technique and targeting companies. Both types were introduced in the ASEC blog in March and May. The type with the anti-sandbox technique checks the user PC environment before dropping malicious VBE file. The HTML code included in the CHM file is shown below. The code creates and runs normal program (EXE) and malicious DLL file. The malicious DLL created…

Caution! Microsoft Office Zero-day Vulnerability Follina (CVE-2022-30190)

A new vulnerability named Follina (CVE-2022-30190) has been revealed. According to Microsoft, it is a remote code execution vulnerability that occurs when the URL protocol is used to call MSDT in calling applications such as Microsoft Word. With the privileges of the calling application, attackers can run arbitrary codes, install additional programs, and view, change or delete data. 1. Vulnerability Malware Example The vulnerability occurs when a Word file downloads and runs an HTML file responsible for the vulnerability through the…

AppleSeed Disguised as Wi-Fi Router Firmware Installer Being Distributed

On May 26th, the ASEC analysis team discovered the distribution of AppleSeed disguised as a Wi-Fi router firmware installer. Previously discovered AppleSeed strains were mainly distributed by disguising themselves as normal document or image files. The dropper malware that creates AppleSeed either used script formats such as JS (Java Script) and VBS (Visual Basic Script), or had a pif extension to disguise itself as a document file that works as .exe file. For this case, it used the icon and…