CoinMiner’s Attempt to Bypass AMSI by V3 Memory Scan

The ASEC analysis team confirmed the distribution of CoinMiner that can disable the AMSI detection feature. Added in Windows 10, AMSI is a feature supported by Microsoft that allows applications and services to be linked with anti-malware software to detect malware. Currently, V3 Lite 4.0 and V3 365 Clinic 4.0 are utilizing the AMSI feature to respond to various types of malware including BlueCrab ransomware. The CoinMiner that can disable AMSI is being distributed in the fileless form utilizing the…

ASEC Weekly Malware Statistics (May 10th, 2021 – May 16th, 2021)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 10th, 2021 (Monday) to May 16th, 2021 (Sunday). For the main category, info-stealer ranked top with 71.2%, followed by RAT (Remote Administration Tool) malware with 19.9%, CoinMiner with 3.7%, ransomware with 2.8%, and downloader with 2.0%. Backdoor and banking malware each accounted for 0.2%. Top 1 – AgentTesla AgentTesla was ranked first…

HawkEye Keylogger Being Distributed via Spam Mails

HawkEye keylogger is an info-stealing malware that is mainly distributed via spam mails. Although AgentTesla, Formbook, and Lokibot are currently the most distributed info-stealing malware, HawkEye used to match these types of malware in terms of mass distribution until recently. Despite the recent plummet in distribution, HawkEye malware has been maintaining a certain level of activity throughout this year. It is assumed that HawkEye mostly uses spam mail with attachment files as its distribution method, and the following figures are…

Vidar Info-Stealer Abusing Game Platform

The ASEC analysis team has recently found out that the Vidar info-stealer malware is abusing a game matching program named Faceit to create C&C server URL. Vidar is malware that has been steadily distributed from the past disguised as spam mail, PUP, and KMSAuto authentication tool. Before it performs info-stealing activities, it connects to C&C server to receive commands and download additional DLL files to collect user information. In the past, the malware simply connected to C&C server and received…

Hancitor Word Document Installing CobaltStrike Hacking Tool in AD Environment

Hancitor is a downloader malware distributed through spam mails, which has been steadily distributed since 2016. Recently, a type that installs CobaltStrike through additional payloads is being distributed, therefore, the users must take caution. The malware is distributed via attachment files or download links in spam mail and it usually targets Microsoft Office document files. The recently discovered type is a Word document file with a malicious VBA macro included. When the document is opened, the following image is displayed….