Malicious Word Documents Pretending ‘Korea Association for Political and Diplomatic History’ and ‘Policy Advisory Member Profile’ Being Distributed

As shown below, the ASEC analysis team introduced on two occasions that malicious word documents with titles ‘Compensation Claim Form’ and ‘Summer Academic Conference Profile Template’ were being distributed. While monitoring similar attack types, the team found evidence that the creator of the documents distributed new word documents in June and on July 1st. Titles of newly discovered malicious word document The National Unification Advisory Council-Korea Association for Political and Diplomatic History Joint Academic Conference Program (Finalized).docx – Additional discovery in…

Malicious Word Document Disguised as Profile Template File for Summer Academic Conference Being Distributed

In June this year, the ASEC analysis team introduced a malicious word document assumed as a targeted attack. Recently, the team confirmed that malware of the same type is being distributed with new content. It was distributed through mails with the sender impersonating an admin of a summer academic conference in Korea (see Figure below). The mail had an attachment named ‘[** Summer Academic Conference]_Profile Template.doc’ which prompts the user to fill out the form. The figure below is the…

Nitol Malware Being Distributed in Forum Archive

The ASEC analysis team confirmed that malware is being distributed in a forum archive in Korea. The attacker uploaded 4 posts disguised as sharing utility programs that are used to distribute malware. These posts distribute Nitol malware disguised as certain utility programs. The related attacks have been happening since last June. Each post has a description of a utility program with a torrent file attached. Upon opening the torrent file using the torrent client, files can be downloaded. When downloading…

ASEC Weekly Malware Statistics (June 28th, 2021 – July 4th, 2021)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from June 28th, 2021 (Monday) to July 4th, 2021 (Sunday). For the main category, info-stealer ranked top with 67%, followed by RAT (Remote Administration Tool) malware with 13.5%, CoinMiner with 7.0%, downloader with 5.9%, Ddos with 3.4%, and ransomware with 3.1%. Top 1 – AgentTesla AgentTesla was ranked first place with 15.8%. It is an…

Detection of JavaScript Vulnerability (CVE-2021-26411) via V3 Behavior Detection (Magniber)

Attackers are using the CVE-2021-26411 JavaScript vulnerability to actively distribute fileless Magniber ransomware via IE browser. Its internal code flow is changing rapidly, and there are still numerous damage reports that involve Magniber ransomware in Korea. As it is being distributed via an IE vulnerability (CVE-2021-26411), it is absolutely crucial for IE users to apply the security patch. Currently, V3 products can detect and block the latest Magniber ransomware using the ‘Behavior Detection’ feature. Figure 1 shows the infection process of…