Method that Tricks Users to Perceive Attachment of PDF File as Safe File

The ASEC analysis team has discovered the distribution of info-stealer malware using Attachment feature of PDF files. This attack method was discovered previously, but as the malware of this type has resurfaced and is being actively distributed, the team would like to share the information. Note that the attacker used a simple trick of using the attachment’s name to deceive users. Acrobat Reader has a feature of adding attachments to PDF files. Files with extensions such as .bin/.exe/.bat/.chm are blacklisted…

Kimsuky’s Attack Attempts Disguised as Press Releases of Various Topics

The ASEC analysis team has discovered that a malware strain disguised as press releases is being distributed. When this malware is run, it loads a normal document file and attempts to access malicious URLs. If the access is successful, the script existing on the webpage is run. It appears the script is of a similar type to the VBS code found in the ASEC blog post <APT Attack Attempts Disguised as North Korea Related Paper Requirements (Kimsuky)>. The list of…

ASEC Weekly Malware Statistics (May 9th, 2022 – May 15th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 9th, 2022 (Monday) to May 15th, 2022 (Sunday). For the main category, info-stealer ranked top with 79.4%, followed by RAT (Remote Administration Tool) malware with 16.7%, banking malware with 1.6%, ransomware with 1.6%, and downloader with 0.8%. Top 1 –  AgentTesla AgentTesla is an infostealer that has taken first place once again with…

Why Remediation Alone Is Not Enough When Infected by Malware

In January 2022, a prominent Korean company in the manufacturing industry had many of its internal systems infected by the Darkside ransomware. As the ransomware was found to be distributed using the AD group policy, AhnLab attempted to conduct a DC server forensic analysis. However, as the virtual environment operating system of the DC server operating in the virtual environment was damaged, the server could not be secured. Among the systems that were restored by the previous backup after the infection,…

Emotet Being Distributed Using Various Files

The ASEC analysis team has recently discovered the distribution of Emotet through link files (.lnk). The malware has been steadily distributed in the past, but starting from April, it was found that the Emotet downloader uses Excel files as well as link files (.lnk). One feature that the secured EML files share is that they all disguise themselves as replies to the user’s email to distribute the malware strain. The Excel file attached in the email of Figure 1 uses…