Distribution of Bisonal Malware Disguised as Emergency Contacts of Shincheonji Church of Jesus (March 5, 2020) Posted By AhnLab_en, March 5, 2020. The ASEC analysis team has found malware being distributed in Korea that is disguised as Shincheonji-related material. On the surface, the filenames of the distributed files appear to end in .xlsx (Excel) or .ppt (PowerPoint), but this is achieved with the RLO (Right-to-Left Override) Unicode character, which reverses how the trailing part of the filename is displayed so that it appears as *.scR. The actual extension of the malware is *.scr. Distributed Unicode RLO-modified malicious files: Shincheonji Church of Jesus Emergency…
Distribution of Info Leaking Malware Disguised as Quotation (Using Google Drive) Posted By AhnLab_en, March 4, 2020. On March 4, the ASEC analysis team confirmed the distribution of info-stealing malware (a keyboard input leaker) disguised as a quotation. The address from which the secondary malware is downloaded is hosted on Google Drive (https://drive.google.com), a service many people use, so that the download traffic looks like normal, non-threatening behavior. This malware was found to be the same type as the malware below, which was disguised as an AutoCAD (DWG) file. As shown in Figures 1 and 2 below,…
New Ransomware Installed using Fake Windows Update Screen Found in Korea (*.rezm Extension) Posted By AhnLab_en, March 2, 2020. On March 2, 2020, the ASEC analysis team discovered a new ransomware that is installed behind a Windows update screen. This ransomware uses the same packer for distribution as the ransomware families known as Bluecrab, Nemty, and Paradise, and the extension .rezm is appended to each encrypted file. When the file is run, a fake Windows update file is downloaded from the addresses below and executed. A screen imitating the Windows update screen then pops up, and while it is displayed the ransomware is run…
The Evolution of Magniber Ransomware Posted By jaemanshin, March 2, 2020. Recent Changes in Magniber Ransomware. Magniber is one of the most well-known fileless malware families and is distributed via the Magnitude Exploit Kit. It commonly exploits web browser vulnerabilities, such as Internet Explorer (IE) vulnerabilities. Magniber underwent sudden changes between September 2019 and February 2020. From September to November 2019, Magniber exploited the CVE-2019-1367 vulnerability. However, the vulnerability exploited in its attacks has changed over the past few months. According to a recent proof of concept (PoC) revealed by…
New Dynamic Bypass Technique Working in Certain Environments Only Posted By AhnLab_en, February 27, 2020. While monitoring malware that is being actively distributed, the ASEC analysis team discovered a new dynamic analysis bypass technique. To avoid detection, much of the malware in circulation first checks the environment it is executing in, and if the environment matches a given condition, it deliberately crashes rather than activating. The technique introduced in this post uses a particular assembly instruction and checks whether a large block of memory can be allocated. 1. AVX support availability (VXORPS instruction) If a malware sample that uses the ‘VXORPS’ instruction…