CLOP Ransomware Is Distributed in Various Format Posted By jaemanshin , June 27, 2019 AhnLab ASEC has pointed out on our blog that same certificate is utilized for distribution process of Ammyy, Ammyy backdoor and CLOP ransomware. In this article, we would like to give a comprehensive view from distribution to the infection. Figure 1 below outlines the general structure of ransomware flow, which already seems complicated Figure 1 – Flow chart CLOP ransomware has been distributed since early February 2019 by attaching malicious document. On May 30, we detected that the ransomware masqueraded…
Increase of Malware Signed with Valid Digital Certificate Posted By jaemanshin , June 4, 2019 Code signing is a process of signing a file with digital signature based on the personal information of the applicant to enhance trust and secure integrity. The file creator receives digital certificate via Certificate Authority(CA) and signs the file using the certificate. Since the code signed file is certified by the authorities, it is easy to avoid download validation process in web browser and detection of Anti-Virus(AV) product when executed. Thus, operators sometimes distribute a malicious file with adding the information…
Preemptive Defense Measures against Fileless Magniber Ransomware (V3 Behavior Detection) Posted By jaemanshin , May 31, 2019 After the distribution of Magniber recovery tools developed by AhnLab Analysis Team in 2018, Magniber has been transformed into a fileless format, disabling any kind of recovery. For successful file encryption, this fileless Magniber has evolved to bypass behavior detection and perform indiscriminate injection to unspecified processes that have privileges on infected system. Through these techniques, the subject of ransomware becomes the normal running process of the infected system. Even if the process is terminated, the ransomware is recursively executed by…
BlueCrab: The Successor of GandCrab with Different Execution Method Depending on Use of V3Lite Posted By jaemanshin , May 17, 2019 A newly emerged BlueCrab ransomware is distributed in various ways, similar to GandCrab. Its distribution methods include phishing email with a malicious document attached and phishing utility download page. AhnLab ASEC has been monitoring the distribution code of Javascript disguising as a utility program. When Javascript file(.js) downloaded from the phishing utility download page is executed, BlueCrab ransomware is run at the same time. The current execution flow of Javascript is shown in Figure 1. BlueCrab ransomware is injected into Powershell.exe and…
Distribution and Operation of Malware ‘Crypter’ Exploiting Spam Mail Posted By jaemanshin , May 2, 2019 A malicious spam mail attack that distributes malware by attaching document or archive file has been one of the most popular method among the operators. AhnLab ASEC Analysis Team analyzed spam mails received from numbers of customers and confirmed that majority of files downloaded by malicious documents attached to the email were information stealer malware of ‘Crypter’ family: HawkEye, Nanocore, FormBook, Lokibot, Remcos. Malware Crypter complicates the signature detection of Anti-Virus(AV) by utilizing encryption algorithm and saving malware inside the…
