CoinMiner Infecting MBR is Distributed in Korea (DarkCloud Bootkit)

In February 2019, AhnLab ASEC discovered the spread of CoinMiner malware that disables both domestic and foreign security products and manipulates the MBR (Master Boot Record) of the infected system. This type of malware is known overseas as “DarkCloud Bootkit”. Unlike existing CoinMiner malware, it infects the MBR and prevents users from inspecting the infected MBR code by patching the “ZwCreateSection” API. AhnLab ASEC has been using behavior detection to defend systems against attempts to infect the MBR. According to the company’s data, the number of detections for MBR infection has grown exponentially since March 20, 2019. Not every attempt to infect the MBR is necessarily made by the “DarkCloud Bootkit” malware. However, the fact that it was…

[Warning] ‘Amadey’ Malware Targeting Korean Cryptocurrency Companies

Recently, AhnLab ASEC has confirmed a number of ‘Amadey’ malware attacks targeting Korean cryptocurrency companies. The attack uses various email attachments such as DOC, RTF, VBS, and EXE files. The following are the names of the document files and executable files discovered in the attack (English translations are given in parentheses for Korean file names):

Crypto Market Predictor for Desktop V2.13.exe
Price list on blockchain 24.03.2019.exe
Price list coins 26.03.19.bat
주식회사 크립토???_세무조정계산서(추가).doc (Cryto Co.???_TaxAdjustmentStatement(Added).doc)
?토큰전망분석.doc (Token_Forecast.doc)
추가안내서.hwp.exe (Addtional_Notice.hwp.exe)
??? 상세분석.doc (Detailed_Analysis.doc)
????송금내역.doc (????Payment_Details.doc)
??? 회원님 거래내역.doc (Transaction_Details.doc)
??coin 관련 문의내용.doc (??coin_Inquiry.doc)
??? 음악학원 2월.doc (Music_Institute_Feb.doc)
???? 입고내역.doc (Warehousing_Details.doc)
참고사항.doc. (공백) .vbs (Reference_Details.doc (blank) .vbs)
????_휴먼기업은행 확인건.doc (????_HumanCorp.Bank_CheckList.doc)

The malware is mostly spread via email attachments. The macro code inserted in the document file drives the…

Does Operation ShadowHammer Only Target ASUS Certificate?

On March 25, 2019, Kaspersky Lab reported that ASUS’s software update server had been compromised, resulting in the spread of malware signed with valid certificates. Kaspersky Lab named the attack “Operation ShadowHammer”. The security vendor delivered the relevant information to ASUS on January 31, 2019, and the initial attack is believed to have taken place between June and November 2018. The compromised ASUS Live Update is a utility program preinstalled on most ASUS computers that automatically updates components such as the BIOS, UEFI, drivers, and applications. According to Kaspersky’s statistics, over 57,000 Kaspersky product users are known to have downloaded and installed the backdoored version of ASUS Live Update, and the total number of affected users worldwide is expected to exceed 1 million. According…

Shadow of WannaCry, 2019 SMB Exploitation

WannaCry (or WannaCryptor), which infected more than 300,000 systems in May 2017 and gripped the whole world in fear, spread rapidly by exploiting a Windows SMB security vulnerability (MS17-010). Precaution is still required, since recently discovered malware exploiting the same vulnerability is a CoinMiner, a type of malware that mines cryptocurrency. This report details AhnLab’s analysis of the attack cases that exploited the SMB vulnerability (MS17-010) from 2018 to the first quarter of 2019.

1. NRSMiner Malware Attack (2018)

In March 2018, a company was found to be infected with NRSMiner malware. Like WannaCryptor, this malware exploits the SMB vulnerability (MS17-010): it scans the company’s internal network and, on any vulnerable system, installs malware that mines the cryptocurrency Monero. NRSMiner…

Malware Installed with Coin Wallet Program Alibaba

ASEC recently discovered an information-stealing malware installed along with the Alibaba coin (ABBC Coin) wallet program. When the ABBCCoin program is run, the coin wallet program is installed in the AppData\Roaming folder, and a malware named sys.exe with downloader functionality is dropped and executed.

Figure 1. ABBCCoin wallet program

The downloader malware first applies an anti-sandbox technique: it reads abbc.log in the AppData\Roaming folder and checks that the file contains “123456789”, so that no malicious behavior is performed when the sample is run on its own in an analysis environment. In other words, the malware terminates immediately when the sys.exe file is executed by itself; its malicious behavior is carried out only when it is executed via the dropper.

Figure 2. Anti Sandbox technique…