Distribution of Remcos RAT Disguised as Tax Invoice Posted By jcleebobgatenet , March 7, 2022 The ASEC analysis team has discovered Remcos RAT being distributed disguised as a tax invoice. The content and type of the phishing email are similar to those discussed consistently in previous blog posts. The email body carries a short message written in awkward grammar. Since users who handle tax-related work may run the attached executable without a second thought about what the email says, caution is advised. Upon decompressing the attachment ‘Tax.gz’, an…
ASEC Weekly Malware Statistics (February 21st, 2022 – February 27th, 2022) Posted By jcleebobgatenet , March 3, 2022 The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post lists the weekly statistics collected from February 21st, 2022 (Monday) to February 27th, 2022 (Sunday). By main category, info-stealers ranked first with 77.9%, followed by RAT (Remote Administration Tool) malware with 15%, downloaders with 2.9%, ransomware with 2.1%, banking malware with 1.7%, and backdoors with 0.4%. Top 1 – Formbook Formbook is an infostealer that ranked first with…
Magniber Disguised as Normal Windows Installer (MSI) Being Redistributed (February 22nd) Posted By jcleebobgatenet , March 2, 2022 On the morning of February 22nd, the ASEC analysis team discovered Magniber being redistributed disguised as normal Windows Installer (MSI) packages instead of the Windows app (APPX) packages used previously. The distributed Magniber files carry the MSI extension and are disguised as Windows update files:
Critical.Update.Win10.0-kb4215776.msi
Critical.Update.Win10.0-kb6253668.msi
Critical.Update.Win10.0-kb5946410.msi
MSI package files are an installation framework that is also used for legitimate Windows updates. The malware was distributed by embedding the Magniber ransomware DLL inside the MSI package. By default, MSI…
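The post above only lists the file names Magniber used. As an added example that is not part of the ASEC post or AhnLab's tooling, the PowerShell script below triages .msi files in a folder the way an analyst would when checking for this campaign: it flags names that follow the observed Critical.Update.Win10.0-kb<digits>.msi pattern, and separately flags any MSI that does not carry a valid Authenticode signature from Microsoft, since a genuine Microsoft update package would be signed. The $Path default and the "MimicsKB"/"Suspicious" column names are assumptions of this example; the KB numbers in the pattern are left variable because each sample in the post used a different one.

```powershell
# Added example (not from the ASEC post): triage .msi files for Magniber-style
# fake Windows update packages. Assumes PowerShell 5.1+ on Windows.
param(
    # Hypothetical default folder; point this at wherever downloads land.
    [string]$Path = "$env:USERPROFILE\Downloads"
)

# Naming pattern observed in the post: Critical.Update.Win10.0-kb<digits>.msi
$magniberNamePattern = '^Critical\.Update\.Win10\.0-kb\d+\.msi$'

Get-ChildItem -Path $Path -Filter '*.msi' -File -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
    # MSI packages support Authenticode, so a real Microsoft package should verify.
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    $mimicsKb = $_.Name -match $magniberNamePattern
    $msSigned = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

    [pscustomobject]@{
        File       = $_.FullName
        SizeKB     = [math]::Round($_.Length / 1KB, 1)
        SigStatus  = $sig.Status
        Signer     = $signer
        MimicsKB   = $mimicsKb                       # name matches the Magniber pattern
        Suspicious = $mimicsKb -or (-not $msSigned)  # either signal is enough to quarantine
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it as `.\Find-FakeUpdateMsi.ps1 -Path C:\Users\alice\Downloads` (the script name is arbitrary). The name check alone is brittle, because the attacker can rename the package at will; the signature check is the one that generalizes, so treat any unsigned or non-Microsoft "update" MSI as suspicious even when its name does not match.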
Change in Distribution Method of Malware Disguised as Estimate (VBS Script) Posted By jcleebobgatenet , February 28, 2022 Last year, the ASEC analysis team discovered Formbook being distributed using a certain company’s name in its filename. Recently, the team has found that it is now being distributed as a VBS file. The email used for distribution still contains details about a request for an estimate, and by using the company’s name in the attachment it prompts the user to execute it. The compressed file attached to the email does not contain an executable but a VBS…
CoinMiner Being Distributed to Unsecured MS-SQL Servers Posted By Sanseo , February 28, 2022 The ASEC analysis team constantly monitors malware distributed to unsecured MS-SQL servers. Previous posts covered the distribution of Cobalt Strike and Remcos RAT through this vector, but the majority of the attacks discovered are CoinMiners. – [ASEC Blog] Remcos RAT Being Distributed to Vulnerable MS-SQL Servers– [ASEC Blog] Cobalt Strike Being Distributed to Unsecured MS-SQL Servers– [ASEC Blog] Cobalt Strike Being Distributed to Unsecured MS-SQL Servers (2) This post explains a specific form of CoinMiner that has been consistently distributed since last…