InfoStealer

Infostealer Being Distributed via YouTube

The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, and uploaded the following video with the download link for the malware, then guided the user to turn off the anti-malware program. The team has introduced another case of distribution disguised as a game hack or crack via YouTube in a previous ASEC blog post. [ASEC 블로그] 유튜브를 통해 유포 중인 RedLine 인포스틸러 When…

New Infostealer ‘ColdStealer’ Being Distributed

The ASEC analysis team has discovered the distribution of ColdStealer that appears to be a new type of infostealer. The malware disguises itself as a software download for cracks and tools, a distribution method that was mentioned multiple times in previous ASEC blog posts. There are two cases for this type of malware distribution: 1. Distributing a single type of malware such as CryptBot or RedLine2. Dropper-type malware decompressing and executing various internal malware strains ColdStealer was distributed with the…

Vidar Exploiting Social Media Platform (Mastodon)

The ASEC analysis team has recently discovered that Vidar is exploiting a social media platform named Mastodon to create C&C server addresses. Vidar is an info-stealer malware installed through spam emails and PUP, sometimes being disguised as a KMSAuto authenticator tool. It has been consistently distributed since the past, and there was a recent case of it being installed through other types of malware such as Stop ransomware. When Vidar is run, it first accesses the C&C server to receive…

Infostealer Disguised as Well-Known Korean Web Portal File

The ASEC analysis team has discovered an infostelaer type malware disguised as a file related to a Korean web portal. The team found the NAVER.zip file in the malicious URL used in recent phishing emails with the compressed file including an executable named ‘NaverProtector.exe’. The email with the malicious URL contains information about Kakao account as shown below. When users click the <Lift Protection> button, they are redirected to hxxp://mail2.daum.confirm-pw[.]link/kakao/?email=[email address] and will have their account credentials stolen by the…

Infostealer Malware Azorult Being Distributed Through Spam Mails

The ASEC analysis team recently discovered that Azorult malware is being distributed through spam mails. Azorult is a kind of Infostealer that accesses a C&C server to receive DLL files and commands used to leak information, and steals information such as user data files and account information to leak it to the server. Besides account information of web browsers and email clients, screenshots, cryptocurrency information, and files designated by the attacker with certain paths and extensions can be collected as…