Distribution of Malicious Excel (XLS) Files Disguised as Court Decision Document: KONNI Group

AhnLab ASEC has collected Excel files that leak user information via a malicious macro. The Excel file prompts the user to enable macros, and once the macro runs, it reopens an Excel document containing a court decision stating that the user ‘must pay a fine for abetting a breach of the Act on Door-to-Door Sales, etc.’ so that the user is less likely to realize that the PC has been infected. Its operation method is similar to the malware that APT…

Cryptocurrency Mining Malware Goes After Users Looking for Pirated Software

Recently, AhnLab warned users about cryptocurrency mining malware that is being distributed in the wild. Cryptocurrency mining malware, also known as CoinMiner malware, is going after users who are actively searching for pirated software. As a medium to spread the malware, the attacker created a phishing site that is indexed by Google and other search engines. When the user enters a certain keyword, such as ‘HWP document program crack for Mac’ or ‘crack Autocad 2006 64 Bit Keygen,’ to look…

Distribution of Avaddon Ransomware using RigEK in Korea (extension: *.avdn)

In early June, a new ransomware dubbed Avaddon was introduced in two articles (see the links below). Since June 8, the volume of malware distributed via RigEK (Rig Exploit Kit) in Korea has increased sharply, and Avaddon ransomware is among the payloads being distributed. (June 7) sensorstechforum.com/avaddon-virus-remove/ (June 8) www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/ The following figure shows the number of V3 behavior-detection logs for RigEK. 1153 is the number of the behavior-detection rule, and the figure shows that the number of detections started to skyrocket on June 8. Users…

Snake Ransomware Designed to Operate Only in Specific Business Environments

Snake ransomware, which targets specific companies, is currently being distributed. Although no cases have been found in Korea so far, Korean companies should remain on guard, as it is targeting companies in countries such as Germany, Italy and Japan. Snake is ransomware written in the Go language. The number of malware families developed in Go has been rising steadily, and recently distributed samples use obfuscation to hinder analysis. Like the others, the function names of Snake ransomware have…

Watch Out… Malware Disguised as Software Activation Tools are on the Loose!

AhnLab has recently identified malware being distributed in the wild disguised as a software activation tool. The malicious campaign targets users trying to obtain pirated software. The attacker distributed malicious executable files disguised as software activation tools such as KMSAuto and KMSPico. These tools are commonly downloaded from illegal software download sites and P2P file-sharing sites. When the user executes the malicious executable file, a fake password prompt appears. When the user enters the password…