Warning Against ModiLoader (DBatLoader) Spreading via MS Windows CAB Header Batch File (*.cmd)
In December 2024, AhnLab identified the distribution of ModiLoader malware using a unique CAB header batch file method to bypass email security. The malware is delivered via purchase orders and exploits the CAB compression format to execute malicious commands. Affected: AhnLab Security Intelligence Center (ASEC)

Keypoints:

ModiLoader (DBatLoader) malware identified in December 2024.…
Read More
DigitalPulse Proxyware Being Distributed Through Ad Pages
AhnLab Security Intelligence Center (ASEC) has identified a new proxyjacking attack that installs proxyware through advertisement pages of freeware software sites. The proxyware, signed with a Netlink Connect certificate, is similar to the DigitalPulse proxyware used in previous attacks. Users may unknowingly install a program called AutoClicker, which hijacks their network bandwidth for the benefit of threat actors.…
Read More
Statistical Report on Phishing Emails in Q4 2024
This article discusses the monitoring of phishing email threats by AhnLab Security Intelligence Center (ASEC) during the fourth quarter of 2024, highlighting the types and statistics of phishing emails with attachments. The primary focus is on the FakePage threat, which impersonates legitimate login pages. Affected: phishing emails

Keypoints:

ASEC monitors phishing email threats using RAPIT and honeypots.…
Read More
Increase in Distribution of AutoIt Compile Malware via Phishing Emails
This article discusses the rise in malware distribution through phishing emails, focusing on the increasing prevalence of AutoIt-compiled malware compared to .NET malware. Notably, XLoader has emerged as the most distributed malware, alongside other threats like SnakeKeylogger and AgentTesla. The article highlights the ease of compiling AutoIt scripts, contributing to its growing use among cybercriminals.…
Read More
Statistical Report on Malware Threat in Q4 2024
This report from AhnLab Security Intelligence Center (ASEC) analyzes malware collected in Q4 2024, categorizing it by type and providing detailed statistics on their distribution methods and features. Notably, CoinMiner and Banking malware are excluded due to low incidence. Affected: Infostealer, Downloader, Backdoor, Ransomware

Keypoints:

AhnLab’s RAPIT system is used to analyze and categorize malware.…
Read More
December 2024 Threat Trend Report on Ransomware
This report highlights the statistics regarding new ransomware samples and targeted systems from November 2024, emphasizing significant ransomware issues in Korea and internationally. It details the number of new samples collected and the businesses affected as reported by ransomware groups. Affected: AhnLab, ATIP, ASD

Keypoints:

The total number of new ransomware samples collected in the past six months is provided.…
Read More

The Andariel group continues its cyberattacks on South Korean software, particularly targeting asset management and document management solutions. They employ malware like SmallTiger and techniques such as brute force attacks and keylogging to compromise systems. Enhanced security measures are recommended for affected organizations. #CyberSecurity #AndarielGroup #MalwareAttacks

Keypoints:

The Andariel group has been attacking South Korean software for a long time.…
Read More

Summary:

AhnLab’s ASEC has identified a new DDoS malware strain named cShell targeting poorly managed Linux servers via SSH services. The malware exploits Linux tools to conduct DDoS attacks and maintains persistence through specific installation routines. #DDoS #LinuxSecurity #Malware

Keypoints:

cShell is a DDoS bot targeting poorly managed Linux servers, utilizing weak SSH credentials.…
Read More
Summary: This report highlights the trends in ransomware activity for November 2024, noting a slight decrease in new ransomware samples compared to October. It also provides insights into targeted businesses and the impact of various ransomware groups. The statistics are derived from AhnLab’s detection names and data collected from ransomware groups’ Dedicated Leak Sites.…
Read More
Summary: The article discusses ongoing attacks exploiting the CVE-2023-46604 vulnerability in Apache ActiveMQ, primarily targeting unpatched systems to install CoinMiners and Mauri ransomware. Threat actors utilize various tools and techniques to gain unauthorized access and control over compromised systems, emphasizing the need for timely security updates.…
Read More
Summary: The article discusses a significant rise in phishing emails impersonating the National Tax Service (NTS) during tax filing periods, particularly in 2024. These emails often manipulate sender addresses and include malicious attachments or links. Various file formats are used to execute different malicious behaviors, highlighting the need for users to be vigilant during tax season.…
Read More
Summary: The rise of malware in MSC file format is concerning, particularly due to its ability to exploit vulnerabilities and execute commands without raising suspicion among users. The Kimsuky group has been identified as a key actor in distributing this malware, often disguising it as legitimate documents.…
Read More

Summary:

AhnLab Security Intelligence Center (ASEC) has reported the distribution of XLoader malware utilizing DLL side-loading techniques. This method involves placing a malicious DLL alongside a legitimate application, allowing the malware to execute when the application runs. The attack leverages a legitimate file from the Eclipse Foundation, jarsigner, and includes malicious files that perform decryption and injection of the XLoader payload.…
Read More

Summary:

LummaC2 is a sophisticated Infostealer malware that disguises itself as legitimate software to evade detection. It captures sensitive information from users and sends it to the attacker’s command and control server, posing a significant threat to both individual and corporate systems.

Keypoints:

LummaC2 is distributed disguised as illegal software and inserted into legitimate programs.…
Read More

Summary:

The Russian hacktivist group NoName057 has been conducting DDoS attacks since March 2022, targeting entities with anti-Russian sentiments. In November 2024, they collaborated with other pro-Russian groups to attack South Korean government websites in response to political remarks regarding Ukraine. Utilizing automated DDoS bots like DDoSia, they incentivize participation through cryptocurrency rewards, aiming to disrupt services and exert psychological pressure during military conflicts.…
Read More

Summary:

Ransomware attacks are increasingly prevalent in 2024, with threat actors leveraging various methods to infiltrate systems and extort victims. The anonymity provided by cryptocurrency payments complicates law enforcement efforts. The Ransomware-as-a-Service model has further facilitated these attacks, allowing even those with limited technical skills to engage in ransomware activities.…
Read More