[Warning] ‘Amadey’ Malware Targeting Korean Cryptocurrency Companies

Recently, AhnLab ASEC has confirmed a number of ‘Amadey’ malware attacks targeting Korean cryptocurrency companies. The attacks use email attachments of several types, including DOC, RTF, VBS and EXE. The following are the names of the document and executable files observed in the attacks (English translations of the Korean file names are given in parentheses):

Crypto Market Predictor for Desktop V2.13.exe
Price list on blockchain 24.03.2019.exe
Price list coins 26.03.19.bat
주식회사 크립토???_세무조정계산서(추가).doc (Crypto Co.???_TaxAdjustmentStatement(Added).doc)
?토큰전망분석.doc (Token_Forecast.doc)
추가안내서.hwp.exe (Additional_Notice.hwp.exe)
??? 상세분석.doc (Detailed_Analysis.doc)
????송금내역.doc (????Payment_Details.doc)
??? 회원님 거래내역.doc (Member_Transaction_Details.doc)
??coin 관련 문의내용.doc (??coin_Inquiry.doc)
??? 음악학원 2월.doc (Music_Institute_Feb.doc)
???? 입고내역.doc (Warehousing_Details.doc)
참고사항.doc. (공백) .vbs (Reference_Details.doc followed by a run of blank spaces, then .vbs)
????_휴먼기업은행 확인건.doc (????_HumanCorp.Bank_CheckList.doc)

The malware is mostly spread via email attachment. The macro code inserted in the document file drives the…
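The file names above rely on two naming tricks: an executable extension hidden behind a document extension (추가안내서.hwp.exe) and a run of blank spaces that pushes the real .vbs extension out of view in a mail client (참고사항.doc. (공백) .vbs). The following is an added example, not code from the ASEC post, of a mail-gateway triage check that flags both tricks and routes macro-capable documents for inspection. The extension sets and the verdict names are this example's own assumptions; the sample list is constructed from the names in the post, with the "(공백)" placeholder replaced by the spaces it stands for.

```python
import re
import unicodedata
from typing import Dict, List

# Extensions that execute code as soon as the attachment is opened (assumed set).
EXECUTABLE_EXTS = {"exe", "bat", "cmd", "vbs", "js", "jse", "wsf", "scr", "com", "ps1", "hta"}
# Document types that look harmless in a mail client but can carry a macro or
# exploit: the DOC/RTF/HWP lures named in the post plus Excel and PDF (assumed set).
DOCUMENT_EXTS = {"doc", "docm", "docx", "rtf", "xls", "xlsm", "hwp", "pdf"}
MACRO_CAPABLE_EXTS = {"doc", "docm", "rtf", "xls", "xlsm"}


def classify_attachment(name: str) -> Dict[str, object]:
    """Return a verdict for one attachment file name.

    verdict: "block"   - the extension Windows will act on is executable
             "inspect" - a macro-capable document, to be scanned or detonated
             "allow"   - nothing suspicious in the name itself
    """
    # NFKC folds fullwidth dots and spaces so they cannot dodge the checks below.
    name = unicodedata.normalize("NFKC", name)
    tokens = name.split(".")
    # The token after the last dot decides the handler; trailing blanks are ignored.
    ext = tokens[-1].strip().lower() if len(tokens) > 1 else ""
    reasons: List[str] = []
    verdict = "allow"
    if ext in EXECUTABLE_EXTS:
        verdict = "block"
        reasons.append("executable extension ." + ext)
        # A document extension earlier in the name is a decoy ("x.hwp.exe").
        decoys = [t.strip().lower() for t in tokens[:-1] if t.strip().lower() in DOCUMENT_EXTS]
        if decoys:
            reasons.append("decoy document extension ." + decoys[-1] + " before real extension")
        # Blank-only tokens or runs of spaces hide the real extension in a
        # narrow attachment list ("x.doc.      .vbs").
        if any(t.strip() == "" for t in tokens[1:-1]) or re.search(r"\s{2,}", name):
            reasons.append("whitespace padding hides real extension")
    elif ext in MACRO_CAPABLE_EXTS:
        verdict = "inspect"
        reasons.append("macro-capable document ." + ext)
    return {"name": name, "extension": ext, "verdict": verdict, "reasons": reasons}


def triage(names: List[str]) -> Dict[str, List[str]]:
    """Group attachment names by verdict."""
    groups: Dict[str, List[str]] = {"block": [], "inspect": [], "allow": []}
    for n in names:
        groups[classify_attachment(n)["verdict"]].append(n)
    return groups


# Constructed sample: the file names listed in the post. The "???" characters
# are reproduced as the post shows them; "(공백)" is rendered as actual spaces.
SAMPLE_NAMES = [
    "Crypto Market Predictor for Desktop V2.13.exe",
    "Price list on blockchain 24.03.2019.exe",
    "Price list coins 26.03.19.bat",
    "주식회사 크립토???_세무조정계산서(추가).doc",
    "?토큰전망분석.doc",
    "추가안내서.hwp.exe",
    "??? 상세분석.doc",
    "????송금내역.doc",
    "??? 회원님 거래내역.doc",
    "??coin 관련 문의내용.doc",
    "??? 음악학원 2월.doc",
    "???? 입고내역.doc",
    "참고사항.doc.      .vbs",
    "????_휴먼기업은행 확인건.doc",
]

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_NAMES).items():
        print(verdict, len(names), names)
```

Run against the sample list, the five executables (three plain, one with the .hwp decoy, one with space padding) are blocked and the nine .doc lures are routed for macro inspection; a name such as report.txt passes.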

Does Operation ShadowHammer Only Target ASUS Certificate?

On March 25, 2019, Kaspersky Lab reported that ASUS’s software update server had been compromised and used to distribute malware signed with valid ASUS certificates. Kaspersky Lab named the attack “Operation ShadowHammer”. The security vendor passed the relevant information to ASUS on January 31, 2019, and the initial attack is believed to have taken place between June and November 2018. The compromised component, ASUS Live Update, is a utility preinstalled on most ASUS computers that automatically updates components such as the BIOS, UEFI firmware, drivers and applications. According to Kaspersky’s statistics, over 57,000 users of Kaspersky products are known to have downloaded and installed the backdoored version of ASUS Live Update, and the total number of affected users worldwide is expected to exceed 1 million. According…

Shadow of WannaCry, 2019 SMB Exploitation

WannaCry (also known as WannaCryptor), which infected more than 300,000 systems in May 2017 and gripped the whole world in fear, spread rapidly by exploiting a Windows SMB vulnerability (MS17-010). Precaution is still required: the malware discovered recently is a CoinMiner, a type of malware that mines cryptocurrency, and it exploits the same vulnerability. This report details AhnLab's analysis of the attacks that exploited the SMB vulnerability (MS17-010) from 2018 to the first quarter of 2019.

1. NRSMiner Malware Attack (2018)

In March 2018, a company was found to be infected with the NRSMiner malware. Like WannaCryptor, it exploits the SMB vulnerability (MS17-010): it scans the company's internal network and, on each system found to be vulnerable, installs malware that mines the cryptocurrency Monero. NRSMiner…
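A miner that spreads the way NRSMiner does above leaves one clear trace on the network: a single internal host opening TCP/445 connections to many distinct internal hosts in a short time, which ordinary SMB clients (a workstation talking to one or two file servers) do not do. The following is an added example, not code from the AhnLab report, of that detection run over constructed flow-log lines; the log format, field names, window and threshold are this example's own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Hypothetical flow-log line format, constructed for this example:
# 2018-03-12T09:14:02 src=10.0.5.23 dst=10.0.6.3 dport=445 proto=tcp
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; unparseable lines return None and are skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
    }


def detect_smb_sweeps(lines: List[str], window_seconds: int = 60, min_hosts: int = 10) -> List[dict]:
    """Alert once per source that contacts >= min_hosts distinct hosts on
    TCP/445 within any sliding window of window_seconds."""
    events = [e for e in map(parse_line, lines) if e and e["dport"] == 445 and e["proto"] == "tcp"]
    events.sort(key=lambda e: e["ts"])
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted = set()
    alerts = []
    for e in events:
        q = recent[e["src"]]
        q.append((e["ts"], e["dst"]))
        # Drop connections that fell out of the window.
        while e["ts"] - q[0][0] > timedelta(seconds=window_seconds):
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= min_hosts and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({
                "src": e["src"],
                "first_seen": q[0][0].isoformat(),
                "last_seen": e["ts"].isoformat(),
                "distinct_targets": len(targets),
            })
    return alerts


def _line(ts: datetime, src: str, dst: str, dport: int = 445) -> str:
    return f"{ts.isoformat()} src={src} dst={dst} dport={dport} proto=tcp"


def build_sample_log() -> List[str]:
    """Constructed sample: one host sweeping a /24 on 445, one host talking to a
    single file server repeatedly, one host touching three peers, one bad line."""
    t0 = datetime(2018, 3, 12, 9, 14, 0)
    lines = []
    for i in range(30):  # sweeper: 30 distinct hosts in 30 seconds
        lines.append(_line(t0 + timedelta(seconds=i), "10.0.5.23", f"10.0.6.{i + 1}"))
    for i in range(12):  # normal file-server traffic, always the same destination
        lines.append(_line(t0 - timedelta(minutes=4) + timedelta(seconds=30 * i), "10.0.5.40", "10.0.5.2"))
    for i in range(3):  # a few peers, below threshold
        lines.append(_line(t0 + timedelta(seconds=5 * i), "10.0.5.41", f"10.0.5.{10 + i}"))
    lines.append("garbage line that does not parse")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for alert in detect_smb_sweeps(SAMPLE_LOG):
        print(alert)
```

The alert fires at the moment the tenth distinct target is seen, so the analyst gets the source address while the sweep is still running; repeated connections to the same file server never count as more than one target, which keeps normal workstation traffic below the threshold.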

Malware Installed with Coin Wallet Program Alibaba

ASEC recently discovered information-stealing malware installed together with the Alibaba coin (ABBC Coin) wallet program. When the ABBCCoin program is run, the wallet program is installed in the AppData\Roaming folder, and a malware file named sys.exe, which has a downloader function, is dropped and executed.

Figure 1. ABBCCoin wallet program

The downloader first applies an anti-sandbox technique: it reads abbc.log in the AppData\Roaming folder, which contains the string “123456789”, and checks its content so that no malicious behavior is carried out when sys.exe is run on its own in an analysis environment. In other words, the malware terminates immediately if the sys.exe file is executed by itself; the malicious behavior runs only when it is launched through the dropper.

Figure 2. Anti Sandbox technique…
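The gate described above is cheap for the malware and cheap to defeat once it is understood: an analyst who wants to detonate sys.exe on its own only needs to recreate the marker the dropper leaves behind. The following is an added example, not code from the ASEC post, that emulates the check and the analyst-side workaround. The file name and value come from the post; treating a trailing newline as acceptable and the use of a temporary directory in place of the real AppData\Roaming path are this example's own assumptions.

```python
import tempfile
from pathlib import Path
from typing import Callable, Tuple

MARKER_FILE = "abbc.log"      # file name given in the post
MARKER_VALUE = b"123456789"   # content given in the post


def marker_present(appdata_roaming: Path) -> bool:
    """Emulate the downloader's gate: True only if abbc.log exists and holds the value."""
    marker = Path(appdata_roaming) / MARKER_FILE
    try:
        content = marker.read_bytes()
    except OSError:
        # Missing file, permission error, etc.: behave as if not dropped.
        return False
    # Assumption: a trailing newline is tolerated; the post gives only the value.
    return content.rstrip(b"\r\n") == MARKER_VALUE


def stage_like_dropper(appdata_roaming: Path) -> Path:
    """What an analyst does before running sys.exe by itself: recreate the
    marker that the dropper would have written."""
    marker = Path(appdata_roaming) / MARKER_FILE
    marker.parent.mkdir(parents=True, exist_ok=True)
    marker.write_bytes(MARKER_VALUE)
    return marker


def run_gated(appdata_roaming: Path, payload: Callable[[], str]) -> str:
    """Run payload only when the gate passes, otherwise exit like sys.exe does."""
    if not marker_present(appdata_roaming):
        return "terminated"
    return payload()


def demo() -> Tuple[str, str, str]:
    """Show the three cases: no marker, wrong marker, marker staged by the analyst."""
    with tempfile.TemporaryDirectory() as tmp:
        roaming = Path(tmp) / "AppData" / "Roaming"   # stands in for %APPDATA%
        roaming.mkdir(parents=True)
        payload = lambda: "downloader ran"
        before = run_gated(roaming, payload)
        (roaming / MARKER_FILE).write_bytes(b"000000000")  # wrong content also fails
        wrong = run_gated(roaming, payload)
        stage_like_dropper(roaming)
        after = run_gated(roaming, payload)
    return before, wrong, after


if __name__ == "__main__":
    print(demo())
```

In a real sandbox run the same idea applies to the dropper's other side effects: anything the second stage reads from disk or the registry before acting must be reproduced, or the sample will look benign.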

Hacking Tool Ammyy Targeting Corporate Users and Installed on Their PCs (CLOP Ransomware)

Recently, phishing emails impersonating a particular national organization have been circulating widely. The Excel file attached to the email (e.g. certificate.xls, inquiry.xls) contains a malicious macro. During its malware monitoring, AhnLab ASEC detected a code change: the malware began targeting corporate users. Since the Ammyy backdoor program and the CLOP ransomware are distributed using the same certificate, AhnLab ASEC assumes that the Ammyy backdoor is used against corporate users to steal information from the AD server.

Figure 1. Infection flow of the malicious document

The malicious Excel file is spread via phishing email, as shown in Figure 1. Notably, the recently changed malware targets the corporate user environment by identifying the workgroup…