Analysis on the Malicious SDB File Found in Ammyy Hacking Tool

Early this year, there was a major distribution of Clop ransomware, mainly targeting Korean government agencies. Clop ransomware distributed using a hack tool called ‘Ammyy,’ is unlike common ransomware and attacks after a period of latency. Since the end of May 2019, Clop ransomware has emerged again with the sudden increase in the distribution of Ammyy hack tool. While analyzing Ammyy, ASEC found a malware utilizing the SDB (Shim Database) file, created during the installation and uninstallation of Ammyy. Let’s…

A Closer Look at the FlawedAmmyy’s New Attack Style

Clop ransomware made a full appearance early this year, mainly targeting Korean organizations and corporations. In addition to being targeted ransomware, Clop ransomware uses a hacking tool called FlawedAmmyy RAT (Remote Access Trojan). Despite the boom of Clop ransomware since the end of May, the spread of FlawedAmmyy RAT has only recently surged. In particular, it has been targeting local companies, as shown in the following example. Distributed in early morning disguised as a work-related emailIn August, FlawedAmmyy was distributed to local organizations and corporations via email spamming disguised as a work-related email. Simultaneously, similar spam emails were distributed globally to various users.   Spam email targeting local companies disguised itself as ‘Scan file’ and attached a word file named ‘Scan_…

CLOP Ransomware Is Distributed in Various Format

AhnLab ASEC has pointed out on our blog that same certificate is utilized for distribution process of Ammyy, Ammyy backdoor and CLOP ransomware. In this article, we would like to give a comprehensive view from distribution to the infection. Figure 1 below outlines the general structure of ransomware flow, which already seems complicated  Figure 1 – Flow chart CLOP ransomware has been distributed since early February 2019 by attaching malicious document. On May 30, we detected that the ransomware masqueraded…

Increase of Malware Signed with Valid Digital Certificate

Code signing is a process of signing a file with digital signature based on the personal information of the applicant to enhance trust and secure integrity. The file creator receives digital certificate via Certificate Authority(CA) and signs the file using the certificate.  Since the code signed file is certified by the authorities, it is easy to avoid download validation process in web browser and detection of Anti-Virus(AV) product when executed. Thus, operators sometimes distribute a malicious file with adding the information…

Preemptive Defense Measures against Fileless Magniber Ransomware (V3 Behavior Detection)

After the distribution of Magniber recovery tools developed by AhnLab Analysis Team in 2018, Magniber has been transformed into a fileless format, disabling any kind of recovery. For successful file encryption, this fileless Magniber has evolved to bypass behavior detection and perform indiscriminate injection to unspecified processes that have privileges on infected system. Through these techniques, the subject of ransomware becomes the normal running process of the infected system. Even if the process is terminated, the ransomware is recursively executed by…