Emotet Being Distributed Using Excel Files

The ASEC analysis team has discovered the constant distribution of Excel files that started last month. These files are made to download Emotet, and they prompt users to enable macros (see figure below). As the files have Auto_Open designated in the macro name box for a cell that exists in a hidden sheet, the formula in the cell is automatically run when the user clicks the Enable Content button. The cell designated with Auto_Open contains a command that runs mshta…

ASEC Weekly Malware Statistics (January 10th, 2022 – January 16th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 10th, 2022 (Monday) to January 16th, 2022 (Sunday). For the main category, info-stealer ranked top with 55.1%, followed by RAT (Remote Administration Tool) malware with 38.2%, downloader with 3.9%, ransomware with 1.4%, and backdoor with 1.4%. Top 1 – AgentTesla AgentTesla ranked first place with 28.0% once again. It is an info-stealer malware…

DDoS IRC Bot Malware (GoLang) Being Distributed via Webhards

While monitoring the distribution source of malware in Korea, the ASEC analysis team has discovered that DDoS IRC Bot strains disguised as adult games are being installed via webhards. Webhards are platforms commonly used for the distribution of malware in Korea, where njRAT and UDP Rat were distributed in the past. UDP RAT Malware Being Distributed via Webhards The cases that are recently being discovered are similar to the case discussed in the post above, and it appears that the…

ASEC Weekly Malware Statistics (January 3rd, 2022 – January, 9th 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 3rd, 2022 (Monday) to January 9th, 2022 (Sunday). For the main category, info-stealer ranked top with 54.2%, followed by RAT (Remote Administration Tool) malware with 30.1%, downloader with 12.0%, ransomware with 2.4%, and backdoor with 1.2%. Top 1 – AgentTesla AgentTesla ranked first place with 28.9% once again. It is an info-stealer malware…

Infostealer Disguised as Well-Known Korean Web Portal File

The ASEC analysis team has discovered an infostelaer type malware disguised as a file related to a Korean web portal. The team found the NAVER.zip file in the malicious URL used in recent phishing emails with the compressed file including an executable named ‘NaverProtector.exe’. The email with the malicious URL contains information about Kakao account as shown below. When users click the <Lift Protection> button, they are redirected to hxxp://mail2.daum.confirm-pw[.]link/kakao/?email=[email address] and will have their account credentials stolen by the…