Kimsuky Group Using Meterpreter to Attack Web Servers Posted By Sanseo , May 22, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of malware targeting web servers by Kimsuky group. Kimsuky is a threat group deemed supported by North Korea and has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a Korean energy corporation in 2014. Since 2017, their attacks have been targeting countries other than South Korea as well. [1] ASEC has been providing the analysis of various cases of Kimsuky…
Distribution of Remcos RAT Exploiting sqlps.exe Utility of MS-SQL Servers Posted By AhnLab_en , May 22, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered the case of Remcos RAT being installed on poorly managed MS-SQL servers. Unlike the past attack, the recent case showed the threat actor using sqlps to distribute the malware. Sqlps is SQL Server PowerShell and is included in the SQL Server installation procedure[1]. SQL Server Powershell allows users to use the Powershell cmdlet which is needed to manage SQL Server instances. The attacker exploited this trait in distributing the malware. Figures 1…
Kimsuky Group’s Phishing Attacks Targetting North Korea-Related Personnel Posted By AhnLab_en , May 22, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered that the Kimsuky group had created a webmail website that looks identical to certain national policy research institutes. Earlier this year, ASEC had covered similar issues in the posts ‘Web Page Disguised as a Kakao[1]/Naver[2] Login Page’. The previous attacker set the fake login page with autocompleted IDs of trade, media, and North Korea-related individuals and organizations. In addition to that, the recently discovered web page used a similar tactic of…
SparkRAT Being Distributed Within a Korean VPN Installer Posted By Sanseo , May 18, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a Remote Administration Tool (RAT) developed with GoLang. When installed on a user’s system, it can perform a variety of malicious behaviors, such as executing commands remotely, controlling files and processes, downloading additional payloads, and collecting information from the infected system like by taking screenshots. 1. Case of Distribution The VPN provider, whose installer contained SparkRAT appears to…
Infostealer Being Distributed to Japanese Users Posted By Sanseo , May 18, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered Infostealers disguised as an adult game being distributed to Japanese users. Although the distribution route has not been confirmed as of yet, it can be assumed that the Infostealers are being distributed via torrent or illegal file-sharing websites since it is being disguised as an adult game. The method of distributing malware by disguising it as an adult game is often employed here in Korea as well. Instead of using known…
