New Ransomware Installed using Fake Windows Update Screen Found in Korea (*.rezm Extension)

On March 2, 2020, the ASEC analysis team discovered new ransomware that is installed using a fake Windows Update screen. This ransomware uses the same packer for distribution as the ransomware known as BlueCrab, Nemty, or Paradise, and it appends the extension .rezm to encrypted files. Upon running the file, a fake Windows Update file is downloaded and run from the addresses below. Then, a screen that imitates the Windows Update screen pops up. When this happens, the ransomware is run…

The Evolution of Magniber Ransomware

Recent Changes in Magniber Ransomware: Magniber is one of the best-known fileless malware families and is distributed via the Magnitude Exploit Kit. It commonly exploits web browser vulnerabilities, such as Internet Explorer (IE) vulnerabilities. Magniber underwent sudden changes between September 2019 and February 2020. Between September and November 2019, Magniber exploited the vulnerability CVE-2019-1367. However, the vulnerability exploited for attacks has changed over the past few months. According to a recent proof of concept (PoC) revealed by…

New Dynamic Bypass Technique Working in Certain Environments Only

While monitoring malware being actively distributed, the ASEC analysis team discovered a new dynamic analysis bypass technique. To avoid detection, much of the malware being distributed first checks its execution environment and, if it matches the requirement, crashes so that it does not activate. The technique introduced in this post uses a particular assembly instruction and checks whether a large block of memory can be allocated. 1. AVX support availability (VXORPS instruction) If malware that uses the ‘VXORPS’ instruction…

Behavior Detection on Fileless BlueKeep Vulnerability

On May 14, 2019, Microsoft announced an emergency security update patching the BlueKeep (CVE-2019-0708) vulnerability. The company also took the unprecedented step of providing updates for discontinued operating systems (Windows XP, Windows Vista, Windows Server 2003) and warned that BlueKeep could be exploited as a ‘wormable’ vulnerability, just like EternalBlue in 2017. BlueKeep is a vulnerability that allows remote code execution through a use-after-free that occurs when a client sends a malicious packet to a specific channel (MS_T120) during the Remote Desktop Protocol (RDP)…

NEMTY Ransomware v2.2 Spotted in Korea

On December 2, 2019, the ASEC analysis team spotted that a new NEMTY ransomware version 2.2, updated from v2.0, is being distributed in Korea. Characteristics of the new version include its distribution method, disguised as a ‘resume’ or a ‘notice on illegal breach of the e-commerce act’, as well as excluded countries, infection targets, and excluded files and folders.

[Name of distributed files]
\강주경\이력서\포트폴리오.hwp.exe (translated: \Kang Ju-kyung\Resume\Portfolio.hwp.exe)
\강주경\이력서\이력서.hwp.exe (translated: \Kang Ju-kyung\Resume\Resume.hwp.exe)
\이시우\___\___.hwp.exe (translated: \Lee Si-woo\___\___.hwp.exe)
\장민우\___\___.hwp.exe (translated: \Jang Min-woo\___\___.hwp.exe)

The difference from the previous version is that the name…