Detection of Vulnerability (CVE-2021-26411) via V3 Memory Scan (Magniber)

Starting from March 2021, Magniber ransomware that operates in a fileless form has used the script that utilizes CVE-2021-26411 vulnerability instead of using CVE-2020-0968 vulnerability. There are still numerous damage reports that involve Magniber ransomware in Korea, and as the malware is being distributed via IE vulnerability (CVE-2021-26411), it is absolutely crucial for users of IE to apply the security patch. Detecting and blocking the latest Magniber is possible with V3’s ‘Process Memory Scan’ feature. Magniber ransomware infects via IE browser…

Snake Keylogger Being Distributed via Spam E-mails

Recently, there has been an exponential increase in the distribution of Snake Keylogger via spam e-mails. Snake Keylogger is an info-leaking malware that is developed with .NET, and as seen from the weekly statistics below, it consecutively made its way into the Top 5 malware as of recent. Considering the fact that it’s an info-stealing malware that is mostly distributed via spam e-mails, it is similar to that of AgentTesla malware. Like AgentTesla, Snake Keylogger also supports info-leaking feature through…

Distribution of Hangul Word Processor (HWP) File with Title of North Korea-related Question

Previously, ASEC analysis team discovered the surge in the distribution of malicious Word files containing North Korea-related materials and shared detailed information about this trend. And today, ASEC analysis team has discovered the distribution of malware disguised as HWP files that contain North Korea-related questions. Judging by the information within the HWP file, the malware developer must have modified the document with North Korea-related questions that were used on December 15, 2020, during the debate on North Korea. This malicious HWP…

Analysis of Dridex Malware Distribution Method Armed with Bypass Detection

Dridex, also known as Cridex and Bugat, is a typical info-stealing malware that steals financial information. It is distributed on a massive scale by cybercrime organizations and it mainly uses macros within Microsoft Office Word or Excel document files that are included in spam mails. The most noticeable characteristic of Dridex malware is that it operates by modularizing files depending on features such as downloader, loader, and botnet. As such, there have been cases of ransomwares such as DoppelPaymer or…

Distribution of Malicious Word Document Disguised as a Military Security Monthly Magazine (April 2021)

On March 29th, ASEC analysis team has introduced malicious word documents containing North Korea related materials. Upon opening the file, it connects to the ‘External URL’ written within XML and downloads additional files. Recently the team has found out that malicious word documents using the mentioned method and disguised as a military security monthly magazine (April 2021) are currently being distributed. The names of the files are as follows: MonthlyKIMA2021_AprilMilitarySecurity0330.docx MonthlyKIMA2021_AprilMilitarySecurity0331.docx The document file is protected, and upon unlocking the…