Checking and Remediating Stealthy Malware, PurpleFox

PurpleFox was first discovered in 2018. The attacker hid the malware with a self-developed driver back then, but since 2019, they have been using the customized open-source program ‘Hidden.’ It was also found that the attacker tested the malware multiple times to add various features starting from the middle of 2020. PurpleFox is ultimately a CoinMiner, but it can perform the role of a downloader that installs additional malware as well as spread it to other connected PCs. As for…

Cobalt Strike Being Distributed to Unsecured MS-SQL Servers

The ASEC analysis team has recently discovered the distribution of Cobalt Strike targeting unsecured MS-SQL servers. MS-SQL server is a typical database server of the Windows environment, and it has consistently been a target of attack from the past. Attacks that target MS-SQL servers include attacks to the environment where its vulnerability has not been patched, brute forcing, and dictionary attack against poorly managed servers. The attacker or the malware usually scans port 1433 to check for MS-SQL servers open…

Modified CryptBot Infostealer Being Distributed

CryptBot is an infostealer that is usually distributed under the disguise of web pages that share cracks and tools. The distribution pages are exposed at the top of the search result page of search engines such as Google, so the risk of infection is high, and the number of relevant detection cases is also relatively high. The ASEC analysis team had thus advised users on these relevant threats in the previous blog posts. CryptBot Infostealer Constantly Changing and Being Distributed…

PseudoManuscrypt Being Distributed in the Same Method as Cryptbot

The ASEC analysis team has discovered that PseudoManuscrypt malware was being distributed in Korea since May 2021. Introduced in the previous ASEC blog, PseudoManuscrypt is disguised as an installer that is similar to a form of Cryptbot, and is being distributed. Not only is its file form similar to Cryptbot, but it is also distributed via malicious sites exposed on the top search page when users search commercial software-related illegal programs such as Crack and Keygen. The team has confirmed…

Distribution of Magniber Ransomware Stops (Since February 5th)

The ASEC analysis team constantly monitors ‘malvertising’ which is a term for the distribution of malware via browser online advertisement links. The team has recently discovered that Magniber ransomware, a typical malware distributed via malvertising has stopped its distribution. The malvertising distribution method of Magniber in Internet Explorer is to attempt at infecting the target by only accessing via a vulnerability, and in Chromium-based browsers (E.g. Edge, Chrome), it disguises itself as a browser update installer (.appx) and prompts the…