Kimsuky’s Attack Attempts Disguised as Press Releases of Various Topics

The ASEC analysis team has discovered that a malware strain disguised as press releases is being distributed. When this malware is run, it loads a normal document file and attempts to access malicious URLs. If the access is successful, the script hosted on the webpage is run. The script appears to be of a similar type to the VBS code found in the ASEC blog post <APT Attack Attempts Disguised as North Korea Related Paper Requirements (Kimsuky)>. The list of…

ASEC Weekly Malware Statistics (May 9th, 2022 – May 15th, 2022)

The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post lists weekly statistics collected from May 9th, 2022 (Monday) to May 15th, 2022 (Sunday). For the main category, info-stealer ranked top with 79.4%, followed by RAT (Remote Administration Tool) malware with 16.7%, banking malware with 1.6%, ransomware with 1.6%, and downloader with 0.8%. Top 1 – AgentTesla: AgentTesla is an infostealer that has taken first place once again with…

Why Remediation Alone Is Not Enough When Infected by Malware

In January 2022, a prominent Korean company in the manufacturing industry had many of its internal systems infected by the Darkside ransomware. As the ransomware was found to have been distributed using the AD group policy, AhnLab attempted to conduct a forensic analysis of the DC server. However, because the operating system of the DC server, which ran in a virtual environment, had been damaged, the server could not be secured. Among the systems that were restored from the previous backup after the infection,…

Emotet Being Distributed Using Various Files

The ASEC analysis team has recently discovered Emotet being distributed through link files (.lnk). The malware has been steadily distributed in the past, but starting from April, the Emotet downloader was found to use Excel files as well as link files (.lnk). One feature that the secured EML files share is that they all disguise themselves as replies to the user's email in order to distribute the malware. The Excel file attached to the email in Figure 1 uses…

Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped)

In December last year, the vulnerability (CVE-2021-44228) in the Java-based logging utility Log4j became a worldwide issue. It is a remote code execution vulnerability: the address of a remote Java object is included in a log message sent to a server that uses Log4j, and the server then loads and runs that Java object. The ASEC analysis team is monitoring the Lazarus group's attacks on targets in Korea. In April, the team discovered an attack group suspected of being Lazarus distributing NukeSped by…