Koxic Ransomware Being Distributed in Korea Posted By jcleebobgatenet , November 25, 2022 It has been discovered that Koxic ransomware is being distributed in Korea. It was first identified earlier this year, and recently, the team found that a file with a modified appearance and internal ransom note had been detected and blocked via the ASD infrastructure. When infected, the “.KOXIC_[random string]” extension is added to the names of the encrypted files, and a TXT file ransom note is generated in each directory. The filename of the ransom note is as follows. The…
DAGON LOCKER Ransomware Being Distributed Posted By jcleebobgatenet , November 16, 2022 It was discovered that the DAGON LOCKER ransomware (hereinafter referred to as “DAGON”) is being distributed in Korea. It was first found through AhnLab ASD infrastructure’s suspicious ransomware behavior block history. In October, it was also reported to AhnLab as a suspicious file by a Korean organization. DAGON is commonly distributed through phishing mails or as an attachment to emails, but because it is a ransomware-as-a-service, the distribution route and target can vary according to the threat actor. As the…
Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web) Posted By jcleebobgatenet , November 11, 2022 The ASEC analysis team uploaded a post on October 25th to inform the users of the changes that have been made to the Magniber ransomware. Magniber, which is still actively being distributed, has undergone many changes to evade the detection of anti-malware software. Out of these changes, this blog will cover the script format found from September 8th to September 29th, 2022, which bypassed Mark of the Web (MOTW), a feature offered by Microsoft that identifies the source of files….
Penetration and Distribution Method of Gwisin Attacker Posted By jcleebobgatenet , November 10, 2022 The attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means such as SFTP, WMI, integrated management solution, and IIS web service to distribute the ransomware into the internal infrastructure. In this confirmed case, they used the IIS web service to distribute Gwisin ransomware. How Gwisin Attacker Penetrates a Server Unlike other…
LockBit 3.0 Being Distributed via Amadey Bot Posted By Sanseo , November 8, 2022 The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it is being sold in illegal forums and still being used by various attackers. It was used in the past to install ransomware by attackers of GandCrab or to install FlawedAmmyy by the TA505 group which…
