ASEC Weekly Malware Statistics (July 5th, 2021 – July 11th, 2021)

The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post lists weekly statistics collected from July 5th, 2021 (Monday) to July 11th, 2021 (Sunday). In the main category, info-stealers ranked top with 53.4%, followed by CoinMiner malware with 15.5%, RAT (Remote Administration Tool) malware with 14.4%, downloaders with 12.9%, ransomware with 2.7%, and DDoS with 0.8%. Top 1 – Glupteba: Glupteba is malware developed in Golang, taking…

Kaseya VSA Supply Chain Ransomware Attacks (REvil Gang)

The ransomware attack that leveraged a vulnerability in VSA (a cloud-based management service that can manage various patches and perform client monitoring), made by Kaseya, an IT solutions developer for enterprises and managed service providers (MSPs), turned out to be BlueCrab (Sodinokibi) ransomware, which is also being actively distributed in Korea. The figure below shows a desktop infected with the ransomware, which displays the same screen as the BlueCrab variant widely spread in Korea. Unlike the BlueCrab well-known in…

Malicious Word Documents Posing as ‘Korea Association for Political and Diplomatic History’ and ‘Policy Advisory Member Profile’ Being Distributed

As shown below, the ASEC analysis team has reported on two occasions that malicious Word documents with the titles ‘Compensation Claim Form’ and ‘Summer Academic Conference Profile Template’ were being distributed. While monitoring similar attack types, the team found evidence that the creator of the documents distributed new Word documents in June and on July 1st. Titles of the newly discovered malicious Word documents: The National Unification Advisory Council-Korea Association for Political and Diplomatic History Joint Academic Conference Program (Finalized).docx – Additional discovery in…

Malicious Word Document Disguised as Profile Template File for Summer Academic Conference Being Distributed

In June this year, the ASEC analysis team reported on a malicious Word document assumed to be part of a targeted attack. Recently, the team confirmed that malware of the same type is being distributed with new content. It was distributed through emails whose sender impersonated an administrator of a summer academic conference in Korea (see the figure below). The email carried an attachment named ‘[** Summer Academic Conference]_Profile Template.doc’, which prompts the user to fill out the form. The figure below is the…

Nitol Malware Being Distributed in Forum Archive

The ASEC analysis team confirmed that malware is being distributed through a forum archive in Korea. The attacker uploaded 4 posts disguised as sharing utility programs, and these posts are used to distribute Nitol malware disguised as the advertised utilities. The related attacks have been happening since last June. Each post contains a description of a utility program with a torrent file attached. Opening the torrent file in a torrent client downloads the files. When downloading…