Distribution of Avaddon Ransomware using RigEK in Korea (extension: *.avdn)

In early June, a new ransomware dubbed Avaddon was introduced in two articles (see links below). Since June 8, the number of malware samples distributed using RigEK (Rig Exploit Kit) has increased exponentially in Korea, and Avaddon ransomware is among them. (June 7) sensorstechforum.com/avaddon-virus-remove/ (June 8) www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/ The following figure shows the number of V3 behavior-detection logs for RigEK. 1153 is the number of the behavior-detection rule, and the figure shows that the number of cases started skyrocketing from June 8. Users…

Snake Ransomware Designed to Operate Only in Specific Business Environments

Snake ransomware, which targets specific companies, is currently being distributed. Although no cases have been found in Korea yet, Korean companies must be on guard, as it is targeting companies in countries such as Germany, Italy and Japan. Snake is ransomware developed in the Go language. The number of malware samples developed in Go has been rising continually, and recently distributed samples use obfuscation methods to disrupt analysis. Like the others, the function names of Snake ransomware have…

Watch Out… Malware Disguised as Software Activation Tools Is on the Loose!

AhnLab has recently identified malware being distributed in the wild disguised as a software activation tool. The malicious campaign targets users trying to obtain pirated software. The attacker distributed malicious executable files disguised as software activation tools such as KMSAuto and KMSPico. Such tools are commonly downloaded from illegal software download sites and P2P file-sharing sites. When the user executes the malicious executable file, a fake password prompt appears. When the user enters the password…

Distribution of Hangul Word Processor File (HWP) during Academic Conference Season in Korea

In May, the ASEC analysis team shared details of Hangul Word Processor (HWP) file malware being distributed across various fields (see blog post below). In the past, it was distributed with titles related to 'real-estate'; today, however, the malware uses titles related to theses and other academic items based on the scheduled academic conferences in Korea. So far, AhnLab has discovered 2 filenames being used by malicious HWP files, and among the topics discussed in the blog…

Analysis of Connection Between Malicious Hangul Word Processor Files (.hwp) by Theme

In the previous post, ASEC shared information on how the titles of the distributed malicious HWP files changed over the course of 3 months. This post is a follow-up that sheds some light on new information about the relationship between title categories. Connection between Theme 1, Theme 2, and Theme 3: Similarities were found between HWP files of Theme 1 (COVID19), Theme 2 (Real-estate), and the themes that were mentioned in the previous post….