RTF Malware Disguised as a Cover Letter for a Particular Airline

In early October, the ASEC analysis team discovered RTF file-based malware disguised as a cover letter for a particular airline. RTF is not a document format that appears as often as other document-type malware (Word, Excel, etc.), and RTF malware disguised as a particular document had not been discovered in a long time. Filename used in distribution: ****Airline Cover Letter_.rtf A vulnerability in the MS Office Equation Editor program EQNEDT32.EXE (CVE-2017-11882) was used for the RTF file, and…

APT Attacks Using Malicious Word File of a Particular Thesis

The ASEC analysis team discovered malicious Word files disguised as a particular thesis being distributed in September. The discovered file is being distributed with the filename “Critical Analysis on ROK Defense Reform Utilizing Evolving Management Theories.doc” and contains a malicious macro. The internal macro code is similar in form to the following files shared in the past, so it appears that the same attacker is behind all of them. Compensation Claim Form.doc (June 29th, ASEC…

Malicious PowerPoint Macro using Outlook.exe Being Distributed

The ASEC analysis team recently discovered a change in the malicious PowerPoint files that are continually being distributed. As before, they execute a malicious script using mshta.exe, but outlook.exe is now also used during the process. The malicious PowerPoint files are being distributed as attachments to phishing e-mails, as shown below, and contain information related to purchase inquiries. Also, the malicious PowerPoint file is disguised with a PDF extension, like in the previous…

Forensic Analysis of Breaches that Used Cobalt Strike and MS Exchange Server Vulnerability

The ASEC analysis team is consistently monitoring the activities of Cobalt Strike, one of the trending cybersecurity issues discussed in previous blog posts regarding its distribution to Korean companies. (The link to a previous blog post can be found at the bottom of this post.) While monitoring Cobalt Strike, the team detected its activities from specific IPs on July 15th and August 2nd, then proposed and conducted a forensic analysis for the client behind these IPs. Upon tracking the…

Malware Being Distributed via Webhards (October 8)

The ASEC analysis team is consistently monitoring the sources of distribution of Korean malware, and recently the team introduced UDP Rat and the webhard posts used to distribute it. Since that post was published, the uploader, who is speculated to be the attacker, has been distributing similar malware disguised as adult games via other webhards, and the files are still available for download. – UDP RAT Malware Being Distributed via Webhards The figure above shows that unlike the cases before…