ASEC Weekly Phishing Email Threat Trends (May 7th, 2023 – May 13th, 2023) Posted By ASEC , May 23, 2023 AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from May 7th, 2023 to May 13th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note,…
Kimsuky Group Using Meterpreter to Attack Web Servers Posted By Sanseo , May 22, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of malware targeting web servers by Kimsuky group. Kimsuky is a threat group deemed supported by North Korea and has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a Korean energy corporation in 2014. Since 2017, their attacks have been targeting countries other than South Korea as well. [1] ASEC has been providing the analysis of various cases of Kimsuky…
Distribution of Remcos RAT Exploiting sqlps.exe Utility of MS-SQL Servers Posted By AhnLab_en , May 22, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered the case of Remcos RAT being installed on poorly managed MS-SQL servers. Unlike the past attack, the recent case showed the threat actor using sqlps to distribute the malware. Sqlps is SQL Server PowerShell and is included in the SQL Server installation procedure[1]. SQL Server Powershell allows users to use the Powershell cmdlet which is needed to manage SQL Server instances. The attacker exploited this trait in distributing the malware. Figures 1…
Kimsuky Group’s Phishing Attacks Targetting North Korea-Related Personnel Posted By AhnLab_en , May 22, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered that the Kimsuky group had created a webmail website that looks identical to certain national policy research institutes. Earlier this year, ASEC had covered similar issues in the posts ‘Web Page Disguised as a Kakao[1]/Naver[2] Login Page’. The previous attacker set the fake login page with autocompleted IDs of trade, media, and North Korea-related individuals and organizations. In addition to that, the recently discovered web page used a similar tactic of…
SparkRAT Being Distributed Within a Korean VPN Installer Posted By Sanseo , May 18, 2023 AhnLab Security Emergency response Center (ASEC) has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a Remote Administration Tool (RAT) developed with GoLang. When installed on a user’s system, it can perform a variety of malicious behaviors, such as executing commands remotely, controlling files and processes, downloading additional payloads, and collecting information from the infected system like by taking screenshots. 1. Case of Distribution The VPN provider, whose installer contained SparkRAT appears to…
