CoinMiner Being Installed on Vulnerable Apache Tomcat Web Server

The ASEC analysis team has recently identified attacks targeting vulnerable Apache Tomcat web server. The Tomcat server that has not been updated to the latest version is one of the major attack vectors that exploit vulnerabilities. In the past, the ASEC blog has also covered attacks targeting Apache Tomcat servers with the vulnerable JBoss version installed. The attackers used JexBoss, a vulnerability exploitation tool, to install a WebShell before gaining control over the target system with the Meterpreter malware. Ordinarily,…

FormBook Malware Being Distributed as .NET

AhnLab’s ani-malware software, V3, detects and responds to malware with a variety of detection features including the App Isolate Scan feature. The App Isolate Scan detects and quarantines suspicious processes. This allows quarantining malware such as Infostealer and downloader in a virtual environment for detection. Therefore, V3 can protect users from security threats by quarantining unknown malware that have not been collected by Ahnlab infrastructure or malware with unidentified static and dynamic behavior patterns in advance. The FormBook malware mentioned…

ASEC Weekly Malware Statistics (October 10th, 2022 – October 16th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 10th, 2022 (Monday) to October 16th, 2022 (Sunday). For the main category, downloader ranked top with 44.4%, followed by info-stealer with 41.7%, backdoor with 12.5%, ransomware with 0.9%, and CoinMiner with 0.5%. Top1. SmokeLoader Smokeloader is infostealer / downloader malware that is distributed via exploit kits. This week, it ranked first place…

Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed

On October 17th, 2022, the Korean Internet & Security Agency (KISA) published a security notice titled “Advising Caution on Cyber Attacks Exploiting the Kakao Service Malfunction Issue’, and according to the notice, malware disguised as a KakaoTalk installation file (KakaoTalkUpdate.zip etc.) is being distributed via email. The ASEC analysis team was able to secure a file that seems to be of the type while monitoring relevant samples. This malware has the same filename and icon as the actual messenger program,…

Rapidly Evolving Magniber Ransomware

The Magniber ransomware has recently been evolving rapidly. From changing its file extension, injection and to UAC bypassing techniques, the Magniber ransomware has been rapidly changing to bypass the detection of anti-malware software. This article summarizes the evolution of the Magniber ransomware in the last few months based on the analysis that had been previously performed. Table 1 shows the major characteristics of the distributed Magniber ransomware files by date. It had been distributed as five different file extensions (msi,…