Phishing Email Disguised as a Well-Known Korean Web Portal

The ASEC analysis team has recently discovered a phishing email that impersonates a well-known Korean web portal to collect user credentials. The phishing email demands that users upgrade their mailbox storage, prompting them to click the link. Upon clicking the link, the user is redirected to a phishing page that prompts them to enter their password. The figure below shows the subject and the details of the email, and the link redirects the user to the phishing page….

Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed

On January 26th, 2022, the ASEC analysis team discovered that the Kimsuky group was using the xRAT (Quasar RAT-based open-source RAT) malware. xRAT GitHub address: https://github.com/tidusjar/xRAT. According to the logs collected by AhnLab's ASD (AhnLab Smart Defense) infrastructure, the attacker installed a variant of Gold Dragon on the first infected PC on January 24th. The basis for assuming that the obtained file is a variant of Gold Dragon is as follows: the injection method is the same as the method used…

ASEC Weekly Malware Statistics (January 17th, 2022 – January 23rd, 2022)

The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post lists weekly statistics collected from January 17th, 2022 (Monday) to January 23rd, 2022 (Sunday). For the main category, info-stealer ranked top with 64.4%, followed by RAT (Remote Administration Tool) malware with 19.8%, banking malware with 7.9%, downloader with 3.5%, ransomware with 3.0%, and coinminer with 1.5%. Top 1 – AgentTesla: AgentTesla ranked first place with 29.7% once again. It…

Phishing Script Files Being Distributed by Impersonating Various Groupware

The ASEC analysis team introduced 'phishing websites targeting Korean email service users' in May last year through the TI analysis report and an ASEC blog post. The team showed back then how the attackers leaked user credentials by targeting users of NAVER WORKS, MAILPLUG, hiworks, Chollian, and Daum. Files that disguise themselves as company groupware login webpages to leak user account credentials are one of the common phishing types that have been distributed, with slight changes occurring in email title, content, name of…

Vidar Exploiting Social Media Platform (Mastodon)

The ASEC analysis team has recently discovered that Vidar is exploiting a social media platform named Mastodon to create C&C server addresses. Vidar is an info-stealer malware installed through spam emails and PUPs, sometimes disguised as a KMSAuto activator tool. It has been distributed consistently for a long time, and there was a recent case of it being installed through other types of malware such as Stop ransomware. When Vidar is run, it first accesses the C&C server to receive…