Gwisin Ransomware Targeting Korean Companies

The cases of Gwisin ransomware attacking Korean companies are recently on the rise. It is being distributed to target specific companies. It is similar to Magniber in that it operates in the MSI installer form. Yet unlike Magniber which targets random individuals, Gwisin does not perform malicious behaviors on its own, requiring a special value for the execution argument. The value is used as key information to run the DLL file included in the MSI. As such, the file alone…

Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)

The ASEC analysis team has discovered the continuous distribution of malicious Word files with North Korea-related materials. The types of discovered Word files included the one discussed in the “Overall Organizational Analysis Report of 2021 Kimsuky Attack Word Files” (AhnLab TIP) and ‘Word Files Related to Diplomacy and National Defense Being Distributed‘. Also, there was also a type using mshta. The malicious Word files are distributed in various names as shown below. CV of Kim **(Korean American Organization of **,220711).doc…

Malicious CHM Being Distributed to Korean Universities

The ASEC analysis team discovered that a malicious CHM file targeting certain Korean universities is distributed on a massive scale. The file that is being distributed is the same type as the one discussed in a post uploaded in May. Figure 1 shows the code of the HTM file inside the malicious CHM. It appears that the file is distributed with the name “2022_Improving fundamental science research capability_commencement announcement_hosting_plan Ver1.1.chm”. When users run the malicious CHM file, the HTM file’s…

ASEC Weekly Malware Statistics (July 18th, 2022 – July 24th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from July 18th, 2022 (Monday) to July 24th, 2022 (Sunday). For the main category, info-stealer ranked top with 44.7%, followed by backdoor with 40.3%, downloader with 14.5%, and ransomware with 0.6%. Top 1 – Agent Tesla AgentTesla is an infostealer that ranked first place with 27.0%. It is an info-stealer that leaks user credentials…

Phishing Email Disguised as Korean Web Portal Page (Daum)

On July 21st, the ASEC analysis team discovered the distribution of phishing email disguised as Daum, one of Korea’s portal websites. The email was made to resemble an estimate request by including RFQ on the title. It uses its attachment to lead the user to a phishing webpage. The attachment is an HTML file, and opening the file automatically redirects the user to the following URL. hxxps://euoi8708twufevry4yuwfywe8y487r.herokuapp[.]com/sreverse.php After redirection, the phishing webpage (see Figure 3 on the left) disguised as…