APT

Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD

Since 2009, Lazarus Group, known to be a group of hackers in North Korea, has been attacking not only Korea but various countries of America, Asia, and Europe. According to AhnLab’s ASD (AhnLab Smart Defense) infrastructure, in early 2022, the Lazarus Group performed APT (Advanced Persistent Threat) attacks on Korea’s defense, finance, media, and pharmaceutical industries. AhnLab closely tracked these APT attacks and discovered that these attacks incapacitate security products in the attack process. An analysis of the attack process…

Gwisin Ransomware Targeting Korean Companies

The cases of Gwisin ransomware attacking Korean companies are recently on the rise. It is being distributed to target specific companies. It is similar to Magniber in that it operates in the MSI installer form. Yet unlike Magniber which targets random individuals, Gwisin does not perform malicious behaviors on its own, requiring a special value for the execution argument. The value is used as key information to run the DLL file included in the MSI. As such, the file alone…

AppleSeed Being Distributed to Maintenance Company of Military Bases

The ASEC analysis team has recently discovered a case of AppleSeed being distributed to a certain maintenance company of military bases. AppleSeed is a backdoor malware mainly used by the Kimsuky group and is actively being distributed to multiple attack targets as of late. In this case, the malware was distributed with a file under the name of a military base. 20220713_**** base_installation planned dateV004_*** edited_6.xls AppleSeed was distributed as an Excel file (XLS) and protected with a password to…

AppleSeed Disguised as Purchase Order and Request Form Being Distributed

The ASEC analysis team has recently discovered the distribution of AppleSeed disguised as purchase orders and request forms. AppleSeed is a backdoor malware mainly used by the Kimsuky group. It stays in the system and performs malicious behaviors by receiving commands from attackers. The malware is currently being distributed under the following filenames. Purchase order-**-2022****-001-National Tax Service additionally implementing security sensors in 5 regional tax offices_***.jse Request form(general manager ***).jse The JSE (JScript Encoded File) file consists of JavaScript, and…

APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky)

At the beginning of March this year, a wildfire broke out in the Samcheok and Wuljin area, and numerous people from all over Korea donated to help the victims and restore the damages. Amidst such a situation, the ASEC analysis team discovered the attacker’s attempt at launching APT attacks disguised as donation receipts for the Uljin wildfire. The file was created on March 28th, and its author’s name is the same as the author (Acer) that was introduced in the…