Continuously Changing Malicious Word Macro Being Distributed – Trend of TA551 (2) Posted By jcleebobgatenet , September 29, 2021 The ASEC analysis team is back to continuously introduce DOC macro documents used by the TA551 group in attacks. The operation flow of macro documents hasn’t changed since its introduction in July. However, we have confirmed that in the most recent case, BazarLoader was distributed at the last step after the macro was run. First, to quote BazarLoader analysis report published in May by AhnLab: Excerpt from ATIP – BazarLoader Analysis Report ‘Abstract’ BazarLoader is a malware that downloads and…
Kaseya VSA Supply Chain Ransomware Attacks (REvil Gang) Posted By jcleebobgatenet , July 16, 2021 The ransomware attack by leveraging a vulnerability in VSA (a cloud-based management service that can manage various patches and perform client monitoring) made by Kaseya, an IT solutions developer for enterprises and managed service providers (MSPs), turned out to be BlueCrab (Sodinikibi) ransomware that is being actively distributed in korea as well. The figure below shows a desktop infected with the ransomware, which flashes the same screen like that of BlueCrab being widely spread in Korea. Unlike BlueCrab well-known in…
Detection of JavaScript Vulnerability (CVE-2021-26411) via V3 Behavior Detection (Magniber) Posted By jcleebobgatenet , July 7, 2021 Attackers are using the CVE-2021-26411 JavaScript vulnerability to actively distribute fileless Magniber ransomware via IE browser. Its internal code flow is changing rapidly, and there are still numerous damage reports that involve Magniber ransomware in Korea. As it is being distributed via an IE vulnerability (CVE-2021-26411), it is absolutely crucial for IE users to apply the security patch. Currently, V3 products can detect and block the latest Magniber ransomware using the ‘Behavior Detection’ feature. Figure 1 shows the infection process of…
Makop Ransomware Distributed As Copyright Violation Related Materials Posted By jcleebobgatenet , May 13, 2021 The ASEC analysis team has recently shared information about the distribution of Makop ransomware disguised as job applications. This week, the team confirmed that the ransomware is being distributed via e-mails that contain materials related to copyright violation. Unlike the last time, the compressed file is attached with the .dat extension instead of .zip and to avoid the e-mail attachment scan, the date the mail was distributed was used as a password. Inside the attached file, there is a file…
[Caution] Makop Ransomware Disguised as Job Application E-mail Being Distributed! Posted By jcleebobgatenet , April 30, 2021 ASEC analysis team has recently discovered ransomware disguised as job application being distributed via e-mail. It appears that the attacker is targeting recruitment managers of various companies amidst the recruitment season of the first half of the year. Hence, recruiters must pay particular attention when managing their e-mail accounts. The distributed e-mails had titles with names which can be perceived as the applicant’s name, and compressed attachments. The names of the distributed files are as follows: ● ResumeandPortfolio_210412 (If you…
