APT Attack Attempts Disguised as North Korea Related Paper Requirements (Kimsuky) Posted By jcleebobgatenet , February 22, 2022 The ASEC analysis team has recently discovered the distribution of malicious Word (DOC) files to graduate school professors that are disguised as North Korea-related paper requirements. The name of the Word file is shown below. The term ‘KIMA’ mentioned in the filename is the name of the monthly magazine specializing in the field of security, national defense, and military, published by Korea Institute for Military Affairs. March Monthly KIMA Paper_Requirements.doc The attacker performed spear-phishing attacks targeting professors of certain universities….
Checking and Remediating Stealthy Malware, PurpleFox Posted By jcleebobgatenet , February 22, 2022 PurpleFox was first discovered in 2018. The attacker hid the malware with a self-developed driver back then, but since 2019, they have been using the customized open-source program ‘Hidden.’ It was also found that the attacker tested the malware multiple times to add various features starting from the middle of 2020. PurpleFox is ultimately a CoinMiner, but it can perform the role of a downloader that installs additional malware as well as spread it to other connected PCs. As for…
Cobalt Strike Being Distributed to Unsecured MS-SQL Servers Posted By Sanseo , February 21, 2022 The ASEC analysis team has recently discovered the distribution of Cobalt Strike targeting unsecured MS-SQL servers. MS-SQL server is a typical database server of the Windows environment, and it has consistently been a target of attack from the past. Attacks that target MS-SQL servers include attacks to the environment where its vulnerability has not been patched, brute forcing, and dictionary attack against poorly managed servers. The attacker or the malware usually scans port 1433 to check for MS-SQL servers open…
Modified CryptBot Infostealer Being Distributed Posted By jcleebobgatenet , February 21, 2022 CryptBot is an infostealer that is usually distributed under the disguise of web pages that share cracks and tools. The distribution pages are exposed at the top of the search result page of search engines such as Google, so the risk of infection is high, and the number of relevant detection cases is also relatively high. The ASEC analysis team had thus advised users on these relevant threats in the previous blog posts. CryptBot Infostealer Constantly Changing and Being Distributed…
PseudoManuscrypt Being Distributed in the Same Method as Cryptbot Posted By jcleebobgatenet , February 18, 2022 The ASEC analysis team has discovered that PseudoManuscrypt malware was being distributed in Korea since May 2021. Introduced in the previous ASEC blog, PseudoManuscrypt is disguised as an installer that is similar to a form of Cryptbot, and is being distributed. Not only is its file form similar to Cryptbot, but it is also distributed via malicious sites exposed on the top search page when users search commercial software-related illegal programs such as Crack and Keygen. The team has confirmed…
