Changed Form of CryptBot Infostealer Disguised as Software Crack Download

CryptBot Infostealer disguised as commercial software downloads are constantly making changes and are actively being distributed. In the previous post of ASEC blog, the ASEC analysis team has explained the change process of BAT script in malware. This post will discuss the change in its form. CryptBot Infostealer has changed its form from 7z SFX to MS IExpress and used a trick to prevent decompression using regular methods. CryptBot Infostealer is distributed via malicious websites by disguising itself as websites…

Malicious PowerPoint Files Constantly Being Distributed

On April 2021, the ASEC analysis team introduced the malware delivered via PowerPoint files attached to email in the ASEC blog. The team has found continuous malicious activities that use PPAM files in the form of PowerPoint and thus is sharing them. When a macro included in the PowerPoint is executed, it used mshta.exe to use blogspot website source inserted with a malicious script to attack. However, a distinct feature of this case is that it became more complicated with…

APT Attacks Using PDF Files, Possibly by North Korea Related Group

Targeted attacks using PDF files have been confirmed, and it seems the group related to North Korea is behind these attacks. While the attack group is thought to be either Kimsuky or Thallium, it might be another group that mimicked those two. The related information was already reported in the press, but this post will additionally reveal previously undisclosed IOC and analysis information such as environments for vulnerabilities. The attacker used PDF files as bait. Malicious JavaScript included in the…

JavaScript-based BlueCrab Ransomware Has Stopped?

The distribution of BlueCrab (Sodinokibi and REvil) ransomware exploiting JavaScript has stopped since July 13th, 2021. There have been many cases of the distribution being stopped and then resumed after going through changes, but this is the first time to have it stopped for such a long period. BlueCrab ransomware is distributed through forum posts disguised as file download pages. When users download and run the JS file, the script downloaded through C2 is executed, infecting the system with ransomware….

ASEC Weekly Malware Statistics (August 9th, 2021 – August 15th, 2021)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known threats. This post will list weekly statistics collected from August 9th, 2021 (Monday) to August 15th, 2021 (Sunday). For the main category, Infostealer ranked top with 66.6%, followed by RAT (Remote Administration Tool) malware with 21.3%, Downloader and CoinMiner with 5.3%, Ransomware with 1.4%, and banking malware with 1.3%. Top 1 – Vidar Vidar was ranked first place with 13.6%. It is an…