LockBit 3.0 Being Distributed via Amadey Bot Posted By Sanseo , November 8, 2022 The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it is being sold in illegal forums and still being used by various attackers. It was used in the past to install ransomware by attackers of GandCrab or to install FlawedAmmyy by the TA505 group which…
Surtr Ransomware Being Distributed in Korea Posted By jcleebobgatenet , November 3, 2022 Through internal monitoring, the ASEC analysis team has recently discovered that Surtr ransomware is being distributed. This ransomware encrypts files, then adds a “[DycripterSupp@mailfence.com].[<random string>].Surtr” file extension to the original file extension name. When Surtr ransomware infects a system, it changes the desktop image of the infected PC and creates a ransom note (See Figures 1 and 2) to inform the user of the ransomware infection. Surtr also creates ransom note files (SURTR_README.hta and SURTR_README.txt) in folders containing the infected…
Elbie Ransomware Being Distributed in Korea Posted By jcleebobgatenet , November 2, 2022 The ASEC analysis team has identified through internal monitoring that the Elbie ransomware is being distributed under the disguise of ieinstal.exe, an Internet Explorer Add-on installation program. The initial executable decodes the internal data into an executable that performs the actual ransomware behavior (See Figure 2). Afterward, the decoded executable is injected into the process which has run recursion, and it checks whether the user PC uses the VM environment. The injected and executed ransomware drops a copy into the…
Rapidly Evolving Magniber Ransomware Posted By jcleebobgatenet , October 25, 2022 The Magniber ransomware has recently been evolving rapidly. From changing its file extension, injection and to UAC bypassing techniques, the Magniber ransomware has been rapidly changing to bypass the detection of anti-malware software. This article summarizes the evolution of the Magniber ransomware in the last few months based on the analysis that had been previously performed. Table 1 shows the major characteristics of the distributed Magniber ransomware files by date. It had been distributed as five different file extensions (msi,…
GlobeImposter Ransomware Being Distributed in Korea Posted By jcleebobgatenet , October 12, 2022 The ASEC analysis team has recently identified through internal monitoring that the GlobeImposter ransomware, which targets vulnerable MS-SQL servers, is being distributed. This GlobeImposter ransomware has also been mentioned in AhnLab TIP’s quarterly statistics, specifically in the ‘2022 1st and 2nd Quarter Statistical Report on Malware Targeting MS-SQL,’ and in the 2nd quarter, GlobeImposter took up 52.6% of ransomware targeting MS-SQL. It has been identified that the GlobeImposter ransomware is still appearing in the soon-to-be-released 3rd quarter statistics. This ransomware…
