CHM Malware Types with Anti-Sandbox Technique and Targeting Companies

Among CHM strains that are recently being distributed in Korea, the ASEC analysis team has discovered those applied with the anti-sandbox technique and targeting companies. Both types were introduced in the ASEC blog in March and May. The type with the anti-sandbox technique checks the user PC environment before dropping malicious VBE file. The HTML code included in the CHM file is shown below. The code creates and runs normal program (EXE) and malicious DLL file. The malicious DLL created…

Caution! Microsoft Office Zero-day Vulnerability Follina (CVE-2022-30190)

A new vulnerability named Follina (CVE-2022-30190) has been revealed. According to Microsoft, it is a remote code execution vulnerability that occurs when the URL protocol is used to call MSDT in calling applications such as Microsoft Word. With the privileges of the calling application, attackers can run arbitrary codes, install additional programs, and view, change or delete data. 1. Vulnerability Malware Example The vulnerability occurs when a Word file downloads and runs an HTML file responsible for the vulnerability through the…

AppleSeed Disguised as Wi-Fi Router Firmware Installer Being Distributed

On May 26th, the ASEC analysis team discovered the distribution of AppleSeed disguised as a Wi-Fi router firmware installer. Previously discovered AppleSeed strains were mainly distributed by disguising themselves as normal document or image files. The dropper malware that creates AppleSeed either used script formats such as JS (Java Script) and VBS (Visual Basic Script), or had a pif extension to disguise itself as a document file that works as .exe file. For this case, it used the icon and…

ASEC Weekly Malware Statistics (May 23rd, 2022 – May 29th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 23rd, 2022 (Monday) to May 29th, 2022 (Sunday). For the main category, info-stealer ranked top with 76.9%, followed by RAT (Remote Administration Tool) malware with 16.6%, downloader with 5.2%, and ransomware with 1.3%. Top 1 – AgentTesla AgentTesla is an infostealer that has taken first place once again with 32.3%. It is an…

NSIS Installer Malware Included with Various Malicious Files

The ASEC analysis team recently discovered attackers distributing multiple malicious files with NSIS installers. NSIS (Nullsoft Scriptable Install System) is normally used to create installers for certain programs. It can be also used for creating malware strains as it is script-based and thus makes nearly identical forms for NSIS installers. NSIS installer-type malware strains have been used a lot by attackers. The type introduced in this post includes multiple malicious files in a single installer: running one file will infect…