Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web) Posted By jcleebobgatenet , November 11, 2022 The ASEC analysis team uploaded a post on October 25th to inform the users of the changes that have been made to the Magniber ransomware. Magniber, which is still actively being distributed, has undergone many changes to evade the detection of anti-malware software. Out of these changes, this blog will cover the script format found from September 8th to September 29th, 2022, which bypassed Mark of the Web (MOTW), a feature offered by Microsoft that identifies the source of files….
Penetration and Distribution Method of Gwisin Attacker Posted By jcleebobgatenet , November 10, 2022 The attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means such as SFTP, WMI, integrated management solution, and IIS web service to distribute the ransomware into the internal infrastructure. In this confirmed case, they used the IIS web service to distribute Gwisin ransomware. How Gwisin Attacker Penetrates a Server Unlike other…
LockBit 3.0 Being Distributed via Amadey Bot Posted By Sanseo , November 8, 2022 The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it is being sold in illegal forums and still being used by various attackers. It was used in the past to install ransomware by attackers of GandCrab or to install FlawedAmmyy by the TA505 group which…
Surtr Ransomware Being Distributed in Korea Posted By jcleebobgatenet , November 3, 2022 Through internal monitoring, the ASEC analysis team has recently discovered that Surtr ransomware is being distributed. This ransomware encrypts files, then adds a “[DycripterSupp@mailfence.com].[<random string>].Surtr” file extension to the original file extension name. When Surtr ransomware infects a system, it changes the desktop image of the infected PC and creates a ransom note (See Figures 1 and 2) to inform the user of the ransomware infection. Surtr also creates ransom note files (SURTR_README.hta and SURTR_README.txt) in folders containing the infected…
Elbie Ransomware Being Distributed in Korea Posted By jcleebobgatenet , November 2, 2022 The ASEC analysis team has identified through internal monitoring that the Elbie ransomware is being distributed under the disguise of ieinstal.exe, an Internet Explorer Add-on installation program. The initial executable decodes the internal data into an executable that performs the actual ransomware behavior (See Figure 2). Afterward, the decoded executable is injected into the process which has run recursion, and it checks whether the user PC uses the VM environment. The injected and executed ransomware drops a copy into the…
