Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky) Posted By jcleebobgatenet, August 2, 2022 The ASEC analysis team has discovered the continuous distribution of malicious Word files containing North Korea-related materials. The types of Word files discovered include the one discussed in the “Overall Organizational Analysis Report of 2021 Kimsuky Attack Word Files” (AhnLab TIP) and in ‘Word Files Related to Diplomacy and National Defense Being Distributed’. There was also a type that uses mshta. The malicious Word files are distributed under various names, as shown below. CV of Kim **(Korean American Organization of **,220711).doc…
Malicious CHM Being Distributed to Korean Universities Posted By jcleebobgatenet, August 2, 2022 The ASEC analysis team discovered that a malicious CHM file targeting certain Korean universities is being distributed on a massive scale. The file being distributed is of the same type as the one discussed in a post uploaded in May. Figure 1 shows the code of the HTM file inside the malicious CHM. The file appears to be distributed under the name “2022_Improving fundamental science research capability_commencement announcement_hosting_plan Ver1.1.chm”. When a user runs the malicious CHM file, the HTM file’s…
ASEC Weekly Malware Statistics (July 18th, 2022 – July 24th, 2022) Posted By jcleebobgatenet, July 28, 2022 The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post lists weekly statistics collected from July 18th, 2022 (Monday) to July 24th, 2022 (Sunday). In the main category, info-stealer ranked top with 44.7%, followed by backdoor with 40.3%, downloader with 14.5%, and ransomware with 0.6%. Top 1 – Agent Tesla: AgentTesla is an info-stealer that ranked first with 27.0%. It is an info-stealer that leaks user credentials…
Phishing Email Disguised as Korean Web Portal Page (Daum) Posted By jcleebobgatenet, July 28, 2022 On July 21st, the ASEC analysis team discovered the distribution of a phishing email disguised as Daum, one of Korea’s portal websites. The email was made to resemble an estimate request by including RFQ in the subject. It uses its attachment to lead the user to a phishing webpage. The attachment is an HTML file, and opening it automatically redirects the user to the following URL. hxxps://euoi8708twufevry4yuwfywe8y487r.herokuapp[.]com/sreverse.php After redirection, the phishing webpage (see Figure 3 on the left) disguised as…
Attackers Profiting from Proxyware Posted By Sanseo, July 28, 2022 Proxyware is a program that shares part of the Internet bandwidth currently available on a system with others. Users who install the program are usually paid a certain amount of cash in exchange for providing the bandwidth. Companies that provide such a service include Peer2Profit and IPRoyal. They profit by providing the bandwidth to other companies and claim on their webpages that they have various business partners using the service for distributing software, investigating markets,…