ASEC

Phishing Email Disguised as Korean Web Portal Page (Daum)

On July 21st, the ASEC analysis team discovered the distribution of a phishing email disguised as Daum, one of Korea’s portal websites. The email was made to resemble an estimate request by including "RFQ" in the title, and it uses its attachment to lead the user to a phishing webpage. The attachment is an HTML file; opening it automatically redirects the user to the following URL: hxxps://euoi8708twufevry4yuwfywe8y487r.herokuapp[.]com/sreverse.php After the redirection, the phishing webpage (see Figure 3 on the left) disguised as…

AppleSeed Being Distributed to Maintenance Company of Military Bases

The ASEC analysis team has recently discovered a case of AppleSeed being distributed to a maintenance company for military bases. AppleSeed is a backdoor malware mainly used by the Kimsuky group and has lately been actively distributed to multiple targets. In this case, the malware was distributed in a file named after a military base: 20220713_**** base_installation planned dateV004_*** edited_6.xls AppleSeed was distributed as an Excel file (XLS) and protected with a password to…

NSIS Installer Malware Included with Various Malicious Files

The ASEC analysis team recently discovered attackers distributing multiple malicious files with NSIS installers. NSIS (Nullsoft Scriptable Install System) is normally used to create installers for legitimate programs. It can also be used to build malware, because it is script-based and every NSIS installer takes a nearly identical form, which makes malicious installers hard to tell apart from benign ones. Attackers have made heavy use of NSIS installer-type malware. The type introduced in this post bundles multiple malicious files in a single installer: running one file will infect…

North Korea-related Malicious Document Files Using CVE-2021-40444 Vulnerability

The ASEC analysis team has recently discovered the distribution of malicious files that exploit CVE-2021-40444, a new vulnerability disclosed by Microsoft in September. It is noteworthy that all of the confirmed document files are North Korea-related materials. North Korea-related malicious files have been continuously evolving, and the fact that the attackers are already using a newly disclosed vulnerability shows how quickly they adopt new techniques in their distribution. CVE-2021-40444 is a vulnerability that allows remote code execution through MSHTML. MSHTML…