Lazarus Group Uses the DLL Side-Loading Technique (mi.dll)

While tracking the Lazarus attack group, the ASEC analysis team discovered that the attackers were using the DLL Side-Loading attack technique (T1574.002) by abusing legitimate applications in the initial compromise stage to achieve the next stage of their attack process. https://attack.mitre.org/techniques/T1574/002/ The DLL Side-Loading attack technique saves a legitimate application and a malicious DLL in the same folder path to enable the malicious DLL to also be executed when the application is run. In other words, it is a malware…

GlobeImposter Ransomware Being Distributed in Korea

The ASEC analysis team has recently identified through internal monitoring that the GlobeImposter ransomware, which targets vulnerable MS-SQL servers, is being distributed. This GlobeImposter ransomware has also been mentioned in AhnLab TIP’s quarterly statistics, specifically in the ‘2022 1st and 2nd Quarter Statistical Report on Malware Targeting MS-SQL,’ and in the 2nd quarter, GlobeImposter took up 52.6% of ransomware targeting MS-SQL. It has been identified that the GlobeImposter ransomware is still appearing in the soon-to-be-released 3rd quarter statistics. This ransomware…

ASEC Weekly Malware Statistics (September 26th, 2022 – October 2nd, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 26th, 2022 (Monday) to October 2nd, 2022 (Sunday). For the main category, downloader ranked top with 38.2%, followed by info-stealer with 35.1%, ransomware with 14.7%, backdoor with 11.6%, and CoinMiner with 0.4%. Top 1 –  BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 16.7%. BeamWinHTTP is distributed via malware disguised…

Qakbot Being Distributed as ISO Files Instead of Excel Macro

There is a recent increase in the distribution method of malware through ISO files. Among the malware, it has been identified that Qakbot, an online banking malware, has had its distribution method changed from Excel 4.0 Macro to ISO files. The ASEC blog introduced cases of ISO file usage for not only Qakbot, but also AsyncRAT, IcedID, and BumbleBee malware. As such, we can see that cases of using ISO files for malware distribution are increasing. The phishing mail that…

Change in Magniber Ransomware (*.js → *.wsf) – September 28th

The ASEC analysis team has explained through the blog post on September 8th that the Magniber ransomware has changed from having a CPL extension to a JSE extension. The attacker made another change after September 8th, changing the file extension from JSE to JS on September 16th. And on September 28th, the attacker changed the distribution method once again, changing the file extension from JS to WSF. It seems the attacker is continuously distributing variations to bypass various detection methods…