Case of Infection With Lockis Ransomware in a Company, Caused by Not Using Anti-Malware’s Lock Policy

Around November, one of AhnLab’s clients suffered an infection of several of their servers with the Lockis ransomware. As the targeted company suffered a malware infection despite using the anti-malware program V3, AhnLab A-FIRST conducted a forensic analysis to find out the cause of the infection. As stated in “ASEC Blog: Hacking Tool Used Together With Lockis Ransomware,” the Lockis ransomware is a variant of the GlobeImposter ransomware that first appeared on September 16th. AhnLab has been…

Hacking Tool Used With Lockis Ransomware

AhnLab A-FIRST conducted a forensic analysis of a damaged system infected with the Lockis ransomware around November. Lockis ransomware is a variant of the GlobeImposter ransomware used by the Russian attack group TA505, and it first appeared on September 16th. The number of GlobeImposter ransomware variants has been increasing constantly since its first appearance in February 2017, and a total of 192 variants have been discovered so far. The attacker is known to use attack techniques such as sending malicious…

ASEC Weekly Malware Statistics (December 20th, 2021 – December 26th, 2021)

The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post lists weekly statistics collected from December 20th, 2021 (Monday) to December 26th, 2021 (Sunday). In the main category, info-stealers ranked top with 51.9%, followed by RAT (Remote Administration Tool) malware with 36.3%, downloaders with 8.1%, coinminers with 2.2%, and ransomware with 1.5%. Top 1 – RedLine: RedLine malware ranked first with 21.5%. The malware steals various information such…

North Korea-related Hangul Word Processor (HWP) File Being Distributed

The ASEC analysis team has recently discovered that a North Korea-related HWP file is being distributed. The file does not operate through a vulnerability. Instead, a hyperlink is inserted into the screen the user sees upon opening the file, prompting the user to click it; upon clicking, executables embedded inside the file are run. Executables embedded in this way are also found in normal HWP files, and it can be considered a normal feature that is possible via…

Dridex Distributed with “Merry Christmas!” Excel File

The ASEC analysis team has discovered Excel files containing a Dridex downloader being distributed during the Christmas season. The team has continuously been uploading posts to the ASEC blog about the distribution of Dridex through Excel file macros (see links below). Dridex is banking malware that collects a user’s banking credentials and performs malicious behaviors by receiving commands from the attacker. It is usually distributed through spam emails and performs malicious behaviors after downloading the main module through a…