Shadow Force Group’s Viticdoor and CoinMiner Posted By ahnlabti , April 18, 2023 The Shadow Force group is a threat group that has been active since 2013, targeting corporations and organizations in South Korea. Trend Micro revealed the first analysis report in September 2015, where it stated that a Korean media-related company had been attacked. In March 2020, AhnLab published an analysis report on Operation Shadow Force. It was introduced as a single campaign as there was the possibility of it being the activities of an existing threat group. However, no relevant threat…
Attack Cases of CoinMiners Mining Ethereum Classic Coins Posted By Sanseo , January 31, 2023 The ASEC analysis team is monitoring CoinMiners that are targeting Korean and overseas users. We have covered cases of various types of CoinMiner attacks over multiple blog posts in the past. This post aims to introduce the recently discovered malware that mine Ethereum Classic coins. 0. Overview CoinMiners are installed without user awareness and use the system’s resources to mine cryptocurrency, leading to low system performance. Threat actors that distribute CoinMiners tend to mine coins that guarantee anonymity, such as…
Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack Posted By Sanseo , January 13, 2023 The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor. The threat actor that distributed this malware is the same person that distributed BitRAT and XMRig CoinMiner disguised as a Windows license verification tool on file-sharing sites.[1] The malware distributed by the threat actor has a similar form as those of the past, except for the fact that Orcus RAT was used instead of BitRAT. Furthermore, the new malware…
CoinMiner Being Installed on Vulnerable Apache Tomcat Web Server Posted By Sanseo , October 27, 2022 The ASEC analysis team has recently identified attacks targeting vulnerable Apache Tomcat web server. The Tomcat server that has not been updated to the latest version is one of the major attack vectors that exploit vulnerabilities. In the past, the ASEC blog has also covered attacks targeting Apache Tomcat servers with the vulnerable JBoss version installed. The attackers used JexBoss, a vulnerability exploitation tool, to install a WebShell before gaining control over the target system with the Meterpreter malware. Ordinarily,…
Monero CoinMiner Being Distributed via Webhards Posted By Sanseo , August 8, 2022 Webhards are the main platforms that the attackers targeting Korean users exploit to distribute malware. The ASEC analysis team has been monitoring malware types distributed through webhards and uploaded multiple blog posts about them in the past. Generally, attackers distribute malware with illegal programs such as adult games and crack versions of games. Those who use webhards as a distribution path typically install RAT type malware such as njRAT, UdpRAT, and DDoS IRC Bot. The team has recently discovered the…