Tracking 3CX Supply Chain Breach Cases using AhnLab EDR

Last March, 3CX supply chain breach cases were a global issue. AhnLab Security Emergency response Center (ASEC) has confirmed through the AhnLab Smart Defense (ASD) infrastructure that malware related to the 3CX supply chain was installed in Korea on March 9th and March 15th. The 3CX supply chain malware confirmed in this instance had loaded malicious DLLs disguised with the names of regular DLLs, ffmpeg.dll and d3dcompiler_47.dll, into the normal 3CXDesktopApp.exe process, allowing for malicious behavior to be carried out…

Tracking the CHM Malware Using EDR

AhnLab Security Emergency response Center (ASEC) has shared an APT attack case that has recently used CHM (Compiled HTML Help File): "Malware Distributed Disguised as a Password File". CHM is a Help screen in HTML format. Threat actors can insert malicious script code into the HTML included in a CHM. The inserted script is executed through hh.exe, which is a default OS application. MITRE ATT&CK refers to this technique where a threat actor uses a…

DarkSide Ransomware With Self-Propagating Feature in AD Environments

In order to evade analysis and sandbox detection, DarkSide ransomware only operates when the loader and data file are both present. The loader, named “msupdate64.exe”, reads the “config.ini” data file in the same path, which contains the encoded ransomware, and runs the ransomware in the memory area of a normal process. The ransomware is structured to only operate when a specific argument matches. It will then register itself in the task scheduler and run itself periodically. The following…