New Stealer’s Suspicious Relationship with State-Sponsored Ryuk Ransomware?

AhnLab’s security analysts recently discovered a new stealer targeting to steal personal information. Apart from the new stealer’s purpose and how it works, similarities with the Ryuk ransomware was also an attention grabber. Ryuk ransomware, first found in 2018, is known to target specific countries.  The new stealer searches for files on infected systems that match specific conditions, such as extension, size, and names. Then it verifies if certain keywords are present in the files and transmits them to the…

[Warning] Emotet Malware Distributed in the form of Document File

AhnLab ASEC analysis team has confirmed that Word files containing malicious VBA macro are distributed to Korean users. The malicious VBA macro uses WMI to run powershell and download Emotet malware. As the Word file is executed, users will see a figure below that prompts them to run VBA macro. Prompting messages are being distributed in various forms, as seen in Figure 2. A distributed VBA macro is obfuscated by using junk codes and annotations, as seen in Figure 3. Figure 4 is a deobfuscated VBA macro.    Our code analysis revealed that the currently distributed macro uses WMI(winmgmts:Win32_Process) to run powershell, whereas the VBA macro discovered in November of 2018 utilized cmd. The powershell command executed via WMI is encoded with Base64, as seen…

Trick or Treat! Corporate targeting Trickbot

Trickbot, orginally a banking Trojan, aims to collect and leak corporate confidential information. Recently, attackers have distributed fake Word files and obfuscated scripts to trick corporate users in downloading the Trickbot downloader. Thereby, extra attention is required to prevent downloading Tickbot. When the user opens the Word document attachment in the email, it will tell the user to click the “Enable Content” button with the message, “Document created in the previous version,” as shown in Figure 1. However, this is…

Operation of SMB Vulnerability, Fileless WannaMine

A distribution method of CoinMiner has become more diversified. In early 2019, AhnLab ASEC Analysis Team introduced CoinMiner that exploits SMB vulnerability(MS17-010 EternalBlue) for distribution. Recently, it was confirmed that a fileless CoinMiner malware named “WannaMine” exploits not only SMB vulnerabilities for distribution, but also Windows Management Instrumentation (WMI), ADMIN$ shared folders, remote service registration and operation through SMB. Figure 1 describes the overall process of WannaMine. Figure 1. Process of WannaMine (To be translated) When the “sysupdater0.bat” file is executed…

Discovery of the Ammyy RAT and CLOP Ransomware

A recent rise in attacks using malicious macros in attachments has been spotted in South Korea. In February 2019, a remote control hacking tool called Flawed Ammyy RAT began to be distribute through email attachments. This hacking tool has been active since 2016 and has been distributed worldwide via email. It was mainly mentioned in the media in 2018. Also, a variant of the Cryptomix ransomware, CLOP, was discovered at a similar time. CLOP is a new variant that had…