Malware Distributed via Discord along with Illegal Pornography

The ASEC analysis team recently discovered batches of RAT (Remote Administration Tool) malware that is being distributed via Discord messenger. Currently, a downloader malware that downloads these batches of malware is being distributed under the name ‘porn URL.exe’ and when this malware is run, it downloads various RAT malwares externally and installs them. Discord is an instant messenger program that supports text chat, voice chat, and video chat. This program is one of the most popular instant messengers that is…

Magniber Ransomware Changed Vulnerability (CVE-2019-1367 -> CVE-2020-0968) and Attempted to Bypass Behavior Detection

At the beginning of this year, ASEC analysis team published the change of vulnerability which is used by the developer of Magniber to distribute the ransomware. Since September 23, 2019, CVE-2019-1367 vulnerability, which the developer of Magniber used for distribution, stopped operating in the systems with emergency security patch (Version 1903) applied. In response, the developer changed the latest vulnerability to CVE-2020-0968, expanding the infection target range. On top of this occurrence, CVE-2020-0968 security patch (distributed on April 15, 2020)…

PHP WebShell Malware using Image Files

WebShell is a file that is uploaded to a web server which runs file navigation or system shell commands. The attacker can use the web browser to navigate through the files of the server system and issue shell commands. Certain file extensions for uploaded files can be restricted to prevent malicious WebShell files from being uploaded to the server; however, the attacker can bypass such actions with the following method: Upload a file that bypasses the Server-Side Script’s file extension…

Remcos RAT Malware being Distributed as Spam Mail

Remcos is a RAT (Remote Administration Tool) malware that has been distributed through spam mail for the past few years. Remcos is being sold by its developer using the website below, describing it as a RAT tool for remote management, it has been updated regularly until recent days. According to the features described on the Remcos website, it can be used for remote assistance or deleting and tracking sensitive data in case of theft, and the said features are actually…

Info Theft Malware Distribution Phishing Campaign

The ASEC analysis team discovered a phishing site that distributes info-stealer malware by disguising it as a crack program of a normal utility. As shared in the post posted on June 29th (https://asec.ahnlab.com/ko/1339/), the phishing site appears in the top results when the utility program name is searched along with “Crack” on Google. It is assumed that many users were infected when they accessed the said site to download the crack of the utility program. As shown in Figure 2,…