Distribution of Word File (External + RTF) Modified to Avoid Detection Posted By jcleebobgatenet , November 10, 2022 Malicious MS Office Word documents have long been used for the distribution of additional RTF malware by exploiting the fact that Word files allow external connection. However, AhnLab has identified the files that seem to have been made to avoid anti-malware detection are being distributed in Korea. Similar to past cases, an email disguised as a work email with a Word document attachment is used, but a unique factor exists in the webSettings.xml.rels file which can be identified within the…
Method that Tricks Users to Perceive Attachment of PDF File as Safe File Posted By jcleebobgatenet , May 25, 2022 The ASEC analysis team has discovered the distribution of info-stealer malware using Attachment feature of PDF files. This attack method was discovered previously, but as the malware of this type has resurfaced and is being actively distributed, the team would like to share the information. Note that the attacker used a simple trick of using the attachment’s name to deceive users. Acrobat Reader has a feature of adding attachments to PDF files. Files with extensions such as .bin/.exe/.bat/.chm are blacklisted…
Lokibot Malware Disguised as National Tax Service Email Being Distributed Posted By jcleebobgatenet , December 8, 2021 The ASEC analysis team has recently discovered that malicious emails disguised as Hometax are consistently being distributed. The sender address used in the email is hometaxadmin@hometax.go[.]kr or hometaxadmin@hometax[.]kr, identical to the case found last year, and the email contains electronic tax invoice related materials. This type of email has consistently been distributed. In last year’s case, the email had PPT file as an attachment that has malicious macro included, but recently, it is being distributed in the form of a…
Lokibot Malware Disguised as Phishing E-mail Requesting for Estimate Posted By jcleebobgatenet , May 4, 2021 ASEC analysis team has discovered the distribution of Lokibot malware disguised as an estimate request e-mail. Lokibot malware has been distributed continually over several years, and a closer look at the weekly malware statistics uploaded to the ASEC blog reveals the fact that Lokibot consistently remained high on the weekly statistics list. The recently-discovered Lokibot malware is being distributed as an attachment file within the phishing mail, and its notable characteristic is the CAB/LZH archive file format. The e-mail is…
Caution – Emails with the Title ‘Request for Purchase Order’ being Distributed to Companies Posted By jcleebobgatenet , January 28, 2021 Multiple malicious emails with the title ‘Request for Purchase Order’ are being distributed to multiple companies. These spam mail attacks, which were first distributed in the second half of last year to random companies with the purpose of stealing user account, are still being distributed. To steal a user’s company email account, the attacker either prompted the users to access a phishing web page, or distributed executable of Lokibot, the info-stealer malware. So far, two titles are found in the…
