APT

APT Attacks Using PDF Files, Possibly by North Korea Related Group

Targeted attacks using PDF files have been confirmed, and it seems the group related to North Korea is behind these attacks. While the attack group is thought to be either Kimsuky or Thallium, it might be another group that mimicked those two. The related information was already reported in the press, but this post will additionally reveal previously undisclosed IOC and analysis information such as environments for vulnerabilities. The attacker used PDF files as bait. Malicious JavaScript included in the…

Word Document Titled ‘BIO Form’ Being Distributed

Since last month, the ASEC analysis team has been continuously uploading posts about APT attacks using word documents. Recently, it found that the malware of the same type is being constantly distributed in the name of ‘BIO form.’ By looking at the distribution history of previous word documents, we can assume that this file is also targeting professors or research center directors related to North Korea while disguising itself as a biography form. The recently discovered file that is being…

Attacker Distributing Malicious Word Document Written as Compensation Claim Form

A malicious word document file written as ‘compensation claim form’ is being distributed again. This is speculated to be a targeted APT attack. The exact malware that used the identical document format was also discovered back in March, and the ASEC team published a post that analyzes the malware in the ASEC blog. The currently discovered word document was made recently and it contains the same content as the previous attack, but it operates differently. In this post, the team…

APT Attacks on Domestic Companies Using Library Files

Recently, there have been continuous attacks targeting domestic companies. Most of the malicious files collected from the companies’ breached systems have been dynamic library (DLL) files, but the files used in the attacks this time are different from general DLL files. The collected files had their normal libraries modified maliciously through a variety of methods. It has not been found how the malicious files were created in the system and what the initial attack path was. Also, due to the…