Summary:

AhnLab Security Intelligence Center (ASEC) has reported the distribution of XLoader malware utilizing DLL side-loading techniques. This method involves placing a malicious DLL alongside a legitimate application, allowing the malware to execute when the application runs. The attack leverages a legitimate file from the Eclipse Foundation, jarsigner, and includes malicious files that perform decryption and injection of the XLoader payload.…

Summary:

LummaC2 is a sophisticated Infostealer malware that disguises itself as legitimate software to evade detection. It captures sensitive information from users and sends it to the attacker’s command and control server, posing a significant threat to both individual and corporate systems.

Keypoints:

LummaC2 is distributed disguised as illegal software and inserted into legitimate programs.…

Summary:

The Russian hacktivist group NoName057 has been conducting DDoS attacks since March 2022, targeting entities with anti-Russian sentiments. In November 2024, they collaborated with other pro-Russian groups to attack South Korean government websites in response to political remarks regarding Ukraine. Utilizing automated DDoS bots like DDoSia, they incentivize participation through cryptocurrency rewards, aiming to disrupt services and exert psychological pressure during military conflicts.…

Summary:

Ransomware attacks are increasingly prevalent in 2024, with threat actors leveraging various methods to infiltrate systems and extort victims. The anonymity provided by cryptocurrency payments complicates law enforcement efforts. The Ransomware-as-a-Service model has further facilitated these attacks, allowing even those with limited technical skills to engage in ransomware activities.…

Summary:

This report highlights the increase in new ransomware samples and targeted systems in October 2024, particularly noting the rise of MEDUSALOCKER ransomware. It also provides insights into the companies affected by various ransomware groups, based on data collected from Dedicated Leak Sites (DLS).

Keypoints:

Increase in new ransomware samples in October compared to September.…

Short Summary:

This article discusses the implementation of RAT (Remote Access Trojan) malware using a Discord Bot, specifically the PySilon case. It highlights how the malware operates, maintains persistence, and collects sensitive user information while exploiting the Discord platform for communication and control.

Key Points:

Discord is a platform for real-time communication and community building.…

Short Summary:

AhnLab SEcurity intelligence Center (ASEC) has identified malware being distributed under the guise of gambling games. This malware, named WrnRAT, is designed to control infected systems and steal information. It is distributed through deceptive websites and disguised as various installers, including those for gambling games and computer optimization programs.…


Short Summary:

A joint analysis by AhnLab SEcurity intelligence Center (ASEC) and the National Cyber Security Center (NCSC) has uncovered a zero-day vulnerability in Microsoft Internet Explorer (IE), exploited by the North Korean threat actor TA-RedAnt. The vulnerability allows for a zero-click attack via a toast ad program that uses the vulnerable IE browser engine, leading to potential malware downloads on victims’ systems.…


Short Summary:

AhnLab Security Intelligence Center (ASEC) has identified attacks targeting improperly managed Linux servers, specifically focusing on HiveOS. Attackers exploit weak SSH credentials to gain initial access, allowing them to install backdoors and mine cryptocurrency, particularly Ravencoin.

Key Points:

ASEC monitors attacks on Linux servers using honeypots, particularly targeting SSH services.…
Short Summary:

AhnLab’s ASEC has identified supply chain attacks targeting Korean game companies by the group Larva-24008. The attackers compromised a game security module to distribute malware, primarily targeting game companies. The malware was signed with a valid certificate, allowing it to be distributed through official channels, leading to the installation of remote control malware on affected systems.…
Short Summary:

Notion, a widely used collaboration tool, has been targeted by threat actors who disguise malware as legitimate software. Recent cases have shown malware like LummaC2 and SectopRAT being distributed through fake installers, leading to potential data theft and system control.

Key Points:

Notion is a popular collaboration tool that can be exploited by attackers.…

Short Summary:

This article discusses Binary Managed Object Files (BMOFs) and their use in distributing the XMRig CoinMiner malware. BMOFs, while not inherently malicious, can be exploited for persistence in malware attacks through Permanent Event Subscriptions in Windows Management Instrumentation (WMI).

Key Points:

BMOFs are compiled versions of Managed Object Files (MOFs) used in Windows Management Instrumentation (WMI).…


Short Summary:

AhnLab Security Intelligence Center has reported the distribution of SnakeKeylogger malware via phishing emails. This Infostealer malware, developed in .NET, exfiltrates sensitive data through various channels, including email and FTP.

Key Points:

SnakeKeylogger is an Infostealer type of malware. It is distributed via phishing emails with executable attachments.…


Short Summary:

The article discusses a phishing scam that impersonates PayPal to distribute malware. The malware, named Xworm, is delivered through a URL file that accesses a network shared folder to download an executable file. The article highlights the detection of the malware’s activities using AhnLab’s EDR system, which tracks the infiltration path and malicious behaviors of the malware.…
Overview:

An update has been released to address vulnerabilities found in Cyberdyne products. Users of the affected versions are advised to update to the latest version.

Affected Products:

All versions of ECM/cloudium.

Resolved Vulnerability:

RPO (Relative Path Overwrite) vulnerability that allows arbitrary command execution through specific parameters during file upload.…
The phishing technique used for distributing malware has been consistently employed over time. Phishing emails typically disguise files as invoices, quotes, tax bills, or summons to trick users into executing malware. Recently, ASEC (AhnLab Security Intelligence Center) identified a case where a file disguised as a PayPal invoice was used to lure users into executing it.…

The blog post “Linux Defense Evasion Techniques Detected by AhnLab EDR (1)” [1] covered methods where the threat actors and malware strains attacked Linux servers before incapacitating security services such as firewalls and security modules and then concealing the installed malware.

This post will cover additional defense evasion techniques against Linux systems not covered in the past post.…


AhnLab SEcurity intelligence Center (ASEC) has previously introduced the dangers of malware disguised as crack programs through a post titled “Distribution of Malware Under the Guise of MS Office Cracked Versions (XMRig, OrcusRAT, etc.)” [1].

Malware strains disguised as crack programs are primarily distributed through file-sharing platforms, blogs, and torrents, leading to the infection of multiple systems.…

AhnLab Security Intelligence Center (ASEC) has previously warned about the dangers of malicious code disguised as crack programs, such as XMRig and OrcusRAT. These malicious codes disguised as crack programs are often distributed through web hard drives, blogs, and torrents, leading to multiple system infections. The attackers continuously manage the infected systems by regularly updating the malware.…
AhnLab Security Intelligence Center (ASEC) has previously covered cases of attacks using the Quasar RAT through private Home Trading Systems (HTS) in a blog post. The same attacker continues to distribute malware, and recent attack cases have been confirmed. The malware, named HPlus, is distributed through an HTS called Quasar RAT, and the overall infection flow is similar to previous cases, but with the difference that an MSI installer is used instead of an NSIS installer.…
Table of Contents

Overview
Distribution Method and Changes
Distribution Method
Changes to HappyDoor
Detailed Analysis
Summary
Characteristics
Registry Data
Packet Data
Packet Structure and Server Operation Method
Features
Information Theft
Backdoor
Conclusion

This report is a summarized version of “Analysis Report of Kimsuky Group’s HappyDoor Malware” introduced in AhnLab Threat Intelligence Platform (TIP), containing key information for analyzing breaches. …

AhnLab Security Intelligence Center (ASEC) has previously introduced cases where AsyncRAT was distributed through various file extensions (.chm, .wsf, .lnk) to hide malicious code. Attackers have been observed using legitimate document files with “survey” content as bait files to conceal malicious code. Recently, cases have been identified where malicious code is disguised as e-books for distribution.…

AhnLab SEcurity intelligence Center (ASEC) has recently discovered malware being distributed through CMD files and identified it as a downloader called DBatLoader (ModiLoader) that had been distributed before via phishing emails in RAR file format containing an EXE file.

The file contained “FF, FE” which means “UTF-16LE”, so when the internal code was opened with a text editor, the content of the code was not displayed correctly.…


AhnLab SEcurity intelligence Center (ASEC) has discovered the distribution of a new type of malware that is disguised as cracks and commercial tools. Unlike past malware, which performed malicious behaviors immediately upon execution, this malware displays an installer UI and executes its malicious behaviors when buttons are clicked during the installation process.…

In a previous blog post, we discussed evasion techniques used by attackers and malware to hide from security services and modules after attacking a Linux server. This blog post covers additional Linux defense evasion techniques that were not discussed in the previous post. One example of a technique used to hide malware is for the malware to delete itself during execution to avoid detection by administrators.…
Overview of the report on the analysis of the HappyDoor malware by the Kimsuky group
Methods and changes in the distribution of the HappyDoor malware
Detailed analysis of the changes in HappyDoor
Features of the HappyDoor malware
Registry data and packet data used by HappyDoor
Structure and operation of packet data and server
Information theft and backdoor functionality of HappyDoor
Conclusion of the analysis report

https://asec.ahnlab.com/ko/67128/…


Since web servers are externally exposed to provide web services to all available users, they have long been major targets for threat actors. AhnLab SEcurity Intelligence Center (ASEC) is monitoring attacks against vulnerable web servers that have unpatched vulnerabilities or are poorly managed, and is sharing the attack cases that have been confirmed through its ASEC Blog.…

AhnLab Security Intelligence Center (ASEC) confirmed the distribution of malicious code through CMD files and identified it as the DBatLoader (ModiLoader) downloader malware, which was previously distributed in the form of RAR files containing EXE files in phishing emails. The CMD file contains the characters “FF, FE” which represent “UTF-16LE” and when opened in a text editor, the code contents are not displayed correctly.…

Generally, organizations such as institutes and companies use various security products to prevent security threats. For endpoint systems alone, there are not only anti-malware solutions but also firewalls, APT defense solutions, and products such as EDR. Even in general user environments without separate organizations responsible for security, most of them have basic security products installed.…


AhnLab SEcurity intelligence Center (ASEC) has identified the details of the Kimsuky threat group recently exploiting a vulnerability (CVE-2017-11882) in the equation editor included in MS Office (EQNEDT32.EXE) to distribute a keylogger. The threat actor distributed the keylogger by exploiting the vulnerability to run a page with an embedded malicious script with the mshta process.…


1. Overview

AhnLab Security intelligence Center (ASEC) confirmed that botnets trending since 2019 have been continuously used to install NiceRAT malware. A botnet is a group of devices infected by malware and controlled by a threat actor. Because threat actors mainly launched DDoS attacks using botnets in the past, Nitol and other malware strains used in DDoS attacks were perceived as the key strains that form botnets.…
