Increase of Malware Signed with Valid Digital Certificate

Code signing is the process of signing a file with a digital signature based on the applicant's identity information, in order to enhance trust and ensure integrity. The file creator obtains a digital certificate from a Certificate Authority (CA) and signs the file with that certificate. Since a code-signed file is certified by a trusted authority, it can more easily pass the download validation of web browsers and evade detection by Anti-Virus (AV) products when executed. Thus, operators sometimes distribute a malicious file by adding the information…

Preemptive Defense Measures against Fileless Magniber Ransomware (V3 Behavior Detection)

After AhnLab Analysis Team released its Magniber recovery tools in 2018, Magniber was transformed into a fileless format, making any kind of recovery impossible. To encrypt files successfully, this fileless Magniber has evolved to bypass behavior detection and inject itself indiscriminately into unspecified processes that hold privileges on the infected system. Through these techniques, the ransomware runs as a normal process of the infected system. Even if that process is terminated, the ransomware is recursively executed by…

BlueCrab: The Successor of GandCrab with Different Execution Method Depending on Use of V3Lite

The newly emerged BlueCrab ransomware is distributed in various ways, similar to GandCrab. Its distribution methods include phishing emails with a malicious document attached and phishing utility download pages. AhnLab ASEC has been monitoring JavaScript distribution code disguised as a utility program. When the JavaScript file (.js) downloaded from the phishing utility download page is executed, the BlueCrab ransomware runs at the same time. The current execution flow of the JavaScript is shown in Figure 1. BlueCrab ransomware is injected into Powershell.exe and…

Distribution and Operation of Malware ‘Crypter’ Exploiting Spam Mail

Malicious spam mail that distributes malware through an attached document or archive file has been one of the most popular methods among operators. AhnLab ASEC Analysis Team analyzed spam mails received from a number of customers and confirmed that the majority of files downloaded by the malicious documents attached to these emails were information-stealing malware of the ‘Crypter’ family: HawkEye, Nanocore, FormBook, Lokibot, Remcos. Crypter malware complicates Anti-Virus (AV) signature detection by using an encryption algorithm and storing the malware inside the…

CoinMiner Infecting MBR is Distributed in Korea (DarkCloud Bootkit)

In February 2019, AhnLab ASEC discovered the spread of CoinMiner malware that disables both domestic and foreign security products and manipulates the MBR (Master Boot Record) of the infected system. This type of malware is known overseas as “DarkCloud Bootkit”. Unlike existing CoinMiner malware, it is equipped with MBR-infecting features and prevents ordinary users from inspecting the infected MBR code by patching the “ZwCreateSection” API. AhnLab ASEC has been performing behavior detection to defend systems against attempts to infect the MBR. According to the company’s data, the number of detections for MBR infection has grown exponentially since March 20, 2019. Not all attempts to infect the MBR are necessarily by “DarkCloud Bootkit” malware. However, the fact that it was…