NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed

Posted By ,

In February and June, the ASEC Analysis team posted in the blog about LockBit 2.0 ransomware being distributed via email. In this blog, we will introduce the new version of the LockBit 3.0 ransomware that is still being distributed through similar method. While in June there were multiple cases of the ransomware being distributed disguised as a copyright-related email, recently it is being distributed as a phishing email disguised as an email on the subject of job applications. As shown in…

FARGO Ransomware (Mallox) Being Distributed to Unsecured MS-SQL Servers

Posted By ,

The ASEC analysis team is constantly monitoring malware distributed to unsecured MS-SQL servers. The analysis team has recently discovered the distribution of FARGO ransomware that is targeting unsecured MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets unsecured MS-SQL servers. In the past, it was also called the Mallox because it used the file extension .mallox. – [ASEC Blog] Cobalt Strike Being Distributed to Unsecured MS-SQL Servers– [ASEC Blog] Cobalt Strike Being Distributed to Unsecured MS-SQL Servers…

Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD

Posted By ,

Since 2009, Lazarus Group, known to be a group of hackers in North Korea, has been attacking not only Korea but various countries of America, Asia, and Europe. According to AhnLab’s ASD (AhnLab Smart Defense) infrastructure, in early 2022, the Lazarus Group performed APT (Advanced Persistent Threat) attacks on Korea’s defense, finance, media, and pharmaceutical industries. AhnLab closely tracked these APT attacks and discovered that these attacks incapacitate security products in the attack process. An analysis of the attack process…

Video of Blocking Latest Magniber Ransomware Using V3 (AMSI + Memory Scan)

Posted By ,

The ASEC analysis team introduced the Magniber variants in the blog posted on September 15th. From September 16th, the Magniber ransomware script, whilst still a javascript, has its file extension changed from *.jse to *.js. As Magniber changed to javascript starting September 8th, its operational method has also changed from the previous method. The currently distributed javascript file contains a .NET DLL (see Figure 2), and injects the Magniber shell code into currently running processes. The overall operation flow of…

ASEC Weekly Malware Statistics (September 5th, 2022 – September 11th, 2022)

Posted By ,

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 5th, 2022 (Monday) to September 11th, 2022 (Sunday). For the main category, info-stealer ranked top with 47.1%, followed by downloader with 32.7%, backdoor with 12.5%, and ransomware with 7.7%. Top 1 – GuLoader GuLoader, which ranked first place with 21.1%, is a downloader malware that downloads additional malware and runs it. It…