Cobalt Strike Being Distributed to Unsecured MS-SQL Servers (2) Posted By jcleebobgatenet, February 24, 2022 The ASEC analysis team uploaded a post on February 21st about the distribution of Cobalt Strike via unsecured MS-SQL servers. In the current case, the distributed Cobalt Strike had a different process tree from the previous distribution method. As before, the server process sqlservr.exe runs cmd.exe through a vulnerability, but this time mshta.exe and rundll32.exe are used to run Cobalt Strike in a fileless form. The attacker executed the mshta.exe process through…
LockBit Ransomware Being Distributed Using Resume and Copyright-related Emails Posted By jcleebobgatenet, February 24, 2022 The ASEC analysis team has recently discovered ransomware being distributed via emails disguised as resumes or copyright-related claims. Malicious emails of this kind have been steadily distributed in the past. Unlike the previous emails, which distributed Makop ransomware, the current cases deliver LockBit instead. Related posts: Makop Ransomware Distributed As Copyright Violation Related Materials; Makop Ransomware Disguised as Resume Being Distributed in Korea. The emails confirmed to be distributing malware carry password-protected compressed files. As shown…
Increased Phishing Attacks Disguised as Microsoft Posted By jcleebobgatenet, February 23, 2022 The ASEC analysis team has recently discovered phishing emails disguised as Microsoft login pages. As shown in the figure below, one of the collected samples is disguised as a company voice message, prompting users to click the attached playback file. Clicking the file redirects users to a phishing webpage disguised as a Microsoft login page. Another sample is an attachment disguised as a file sent from a scanner, prompting users to click the attachment. Again, clicking the…
APT Attack Attempts Disguised as North Korea Related Paper Requirements (Kimsuky) Posted By jcleebobgatenet, February 22, 2022 The ASEC analysis team has recently discovered the distribution of malicious Word (DOC) files, disguised as North Korea-related paper requirements, to graduate school professors. The name of the Word file is shown below. The term ‘KIMA’ in the filename is the name of a monthly magazine specializing in security, national defense, and military affairs, published by the Korea Institute for Military Affairs. March Monthly KIMA Paper_Requirements.doc The attacker performed spear-phishing attacks targeting professors of certain universities…
Checking and Remediating Stealthy Malware, PurpleFox Posted By jcleebobgatenet, February 22, 2022 PurpleFox was first discovered in 2018. The attacker hid the malware with a self-developed driver back then, but since 2019 they have been using a customized version of the open-source program ‘Hidden.’ It was also found that the attacker tested the malware multiple times to add various features starting from the middle of 2020. PurpleFox is ultimately a CoinMiner, but it can also act as a downloader that installs additional malware and spreads it to other connected PCs. As for…