APT Attacks Using PDF Files, Possibly by North Korea Related Group

Targeted attacks using PDF files have been confirmed, and a group related to North Korea appears to be behind them. While the attack group is thought to be either Kimsuky or Thallium, it might be another group mimicking those two. The related information has already been reported in the press, but this post additionally reveals previously undisclosed IOCs and analysis details, such as the environments the exploited vulnerabilities apply to. The attacker used PDF files as bait. Malicious JavaScript included in the…

JavaScript-based BlueCrab Ransomware Has Stopped?

The distribution of BlueCrab (also known as Sodinokibi and REvil) ransomware via JavaScript has been halted since July 13th, 2021. There have been many cases of the distribution being stopped and then resumed after changes, but this is the first time it has been stopped for such a long period. BlueCrab ransomware is distributed through forum posts disguised as file download pages. When users download and run the JS file, the script downloaded from the C2 server is executed, infecting the system with ransomware….

ASEC Weekly Malware Statistics (August 9th, 2021 – August 15th, 2021)

The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known threats. This post lists weekly statistics collected from August 9th, 2021 (Monday) to August 15th, 2021 (Sunday). For the main category, Infostealer ranked top with 66.6%, followed by RAT (Remote Administration Tool) malware with 21.3%, Downloader and CoinMiner with 5.3%, Ransomware with 1.4%, and banking malware with 1.3%. Top 1 – Vidar: Vidar was ranked first with 13.6%. It is an…

NanoCore RAT Disguised as Notification of Foreign Currency Remittance Being Spread!

The ASEC analysis team recently discovered that the NanoCore remote access Trojan (RAT) is being distributed disguised as a notification of foreign currency remittance. Because the malware is usually spread through phishing emails, users need to take extra caution. The email impersonates a capital company and is distributed with the title “[** Capital] Notification for Foreign Currency Remittance” as shown below, tricking the user into opening the attached file and running it. It is assumed that the sender took an image that…

Infostealer Malware Azorult Being Distributed Through Spam Mails

The ASEC analysis team recently discovered that Azorult malware is being distributed through spam emails. Azorult is an Infostealer that connects to a C&C server to receive the DLL files and commands used for information theft, then collects data such as user files and account credentials and exfiltrates them to the server. Besides account information from web browsers and email clients, screenshots, cryptocurrency information, and files designated by the attacker with certain paths and extensions can be collected as…