Ransomware

Gwisin Ransomware Targeting Korean Companies

The cases of Gwisin ransomware attacking Korean companies are recently on the rise. It is being distributed to target specific companies. It is similar to Magniber in that it operates in the MSI installer form. Yet unlike Magniber which targets random individuals, Gwisin does not perform malicious behaviors on its own, requiring a special value for the execution argument. The value is used as key information to run the DLL file included in the MSI. As such, the file alone…

LockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed

The ASEC analysis team has once again discovered the distribution of LockBit ransomware using phishing e-mail, and disguising itself as copyright claims e-mail which was introduced in the previous blog. The filename of the attachment in e-mail had password included, which is similar to that of phishing e-mail distributed last February (see the link below). LockBit Ransomware Being Distributed Using Resume and Copyright-related Emails As shown in Figure 2, the phishing e-mail has a compressed file as an attachment that…

XLL Malware Distributed Through Email

Malware strains have been created and distributed in various forms and types. As such, the ASEC analysis team is actively monitoring and analyzing such changes to allow AhnLab products to detect them. This post will introduce XLL malware that was discovered being distributed last year. XLL files are Microsoft Excel add-in files that operate with the extension .xll and can be opened by Excel. One thing to note is that the files are opened with MS Excel. This means users…

SystemBC Being Used by Various Attackers

SystemBC is a proxy malware that has been used by various attackers for the last few years. While it is recently distributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks in the past. When an attacker attempts to access a certain address with malicious intent, the system can be used as a passage if the infected system utilizes SystemBC, which acts as a Proxy Bot. Because it can also act as a downloader to…

LockBit Ransomware Being Distributed Using Resume and Copyright-related Emails

The ASEC analysis team has recently discovered ransomware that is being distributed emails after disguising itself as resumes or copyright-related claims. The malicious emails with such content have been steadily distributed from the past. Unlike previous emails that distributed Makop ransomware, current cases have LockBit instead. Makop Ransomware Distributed As Copyright Violation Related Materials Makop Ransomware Disguised as Resume Being Distributed in Korea The emails that are confirmed for the distribution of malware have compressed files with passwords. As shown…