AhnLab SEcurity intelligence Center (ASEC) has previously covered a case where Quasar RAT was distributed through private home trading systems (HTS) in the blog post “Quasar RAT Being Distributed by Private HTS Program“. The same threat actor has been continuously distributing malware, and attack cases have been confirmed even recently.…
Author: Ahnlab
1. Overview
AhnLab SEcurity intelligence Center (ASEC) covered cases of AsyncRAT being distributed via various file extensions (.chm, .wsf, and .lnk). [1] [2]
In the aforementioned blog posts, it can be seen that the threat actor used normal document files disguised as questionnaires to conceal the malware.…
Table of Contents
Overview
Distribution Method and Changes
Distribution Method
Changes to HappyDoor
Detailed Analysis
Summary
Characteristics
Registry Data
Packet Data
Packet Structure and Server Operation Method
Features
Information Theft
Backdoor
Conclusion
Read More
This report is a summarized version of “Analysis Report of Kimsuky Group’s HappyDoor Malware” introduced in AhnLab Threat Intelligence Platform (TIP), containing key information for analyzing breaches. …
HTTP File Server (HFS) is a program that provides a simple type of web service. Because it can provide web services with just an executable file without having to build a web server, it is often used for sharing files, allowing users to connect to the address through web browsers and easily download files.…
AhnLab SEcurity intelligence Center (ASEC) recently discovered a case where an unidentified threat actor exploited a Korean ERP solution to carry out an attack. After infiltrating the system, the threat actor is believed to have attacked the update server of a specific Korean ERP solution to take control of systems within the company.…
AhnLab SEcurity intelligence Center (ASEC) has recently discovered malware being distributed through CMD files and identified it as a downloader called DBatLoader (ModiLoader) that had been distributed before via phishing emails in RAR file format containing an EXE file.
The file contained “FF, FE” which means “UTF-16LE”, so when the internal code was opened with a text editor, the content of the code was not displayed correctly.…
AhnLab SEcurity intelligence Center (ASEC) has discovered the distribution of a new type of malware that is disguised as cracks and commercial tools. Unlike past malware which performed malicious behaviors immediately upon being executed, this malware displays an installer UI and malicious behaviors are executed upon clicking buttons during the installation process.…
Since web servers are externally exposed to provide web services to all available users, they have been major targets for threat actors since the past. AhnLab SEcurity Intelligence Center (ASEC) is monitoring attacks against vulnerable web servers that have unpatched vulnerabilities or are being poorly managed, and is sharing the attack cases that have been confirmed through its ASEC Blog.…
AhnLab SEcurity intelligence Center (ASEC) has recently discovered an attack case where a threat actor attacked the ERP server of a Korean corporation and installed a VPN server. In the initial compromise process, the threat actor attacked the MS-SQL service and later installed a web shell to maintain persistence and control the infected system.…
Generally, organizations such as institutes and companies use various security products to prevent security threats. For endpoint systems alone, there are not only anti-malware solutions but also firewalls, APT defense solutions, and products such as EDR. Even in general user environments without separate organizations responsible for security, most of them have basic security products installed.…
AhnLab SEcurity intelligence Center (ASEC) has identified the details of the Kimsuky threat group recently exploiting a vulnerability (CVE-2017-11882) in the equation editor included in MS Office (EQNEDT32.EXE) to distribute a keylogger. The threat actor distributed the keylogger by exploiting the vulnerability to run a page with an embedded malicious script with the mshta process.…
1. Overview
AhnLab Security intelligence Center (ASEC) confirmed that botnets trending since 2019 have been continuously used to install NiceRAT malware. A botnet is a group of devices infected by malware and controlled by a threat actor. Because threat actors mainly launched DDoS attacks using botnets in the past, Nitol and other malware strains used in DDoS attacks were perceived as the key strains that form botnets.…
Bondnet first became known to the public in an analysis report published by GuardiCore in 20171 and Bondnet’s backdoor was covered in an analysis report on XMRig miner targeting SQL servers released by DFIR Report in 20222. There has not been any information on the Bondnet threat actor’s activities thereon, but it was confirmed that they had continued their attacks until recent times.…
Secure SHell (SSH) is a standard protocol for secure terminal connections and is generally used for controlling remote Linux systems. Unlike Windows OS that individual users use for desktops, Linux systems mainly fulfill the role of servers providing web, database, FTP, DNS, and other services. Of course, Windows also supports these services as a server.…
AhnLab SEcurity intelligence Center (ASEC) has been sharing cases of attacks in which threat actors utilize cloud services such as Google Drive, OneDrive, and Dropbox to collect user information or distribute malware. [1][2][3] The threat actors mainly upload malicious scripts, RAT malware strains, and decoy documents onto the cloud servers to perform attacks.…
AhnLab SEcurity intelligence Center (ASEC) is responding to recently discovered cases that are using the SmallTiger malware to attack South Korean businesses. The method of initial access has not yet been identified, but the threat actor distributed SmallTiger into the companies’ systems during the lateral movement phase.…
AhnLab SEcurity intelligence Center (ASEC) recently discovered that Remcos RAT is being distributed via UUEncoding (UUE) files compressed using Power Archiver.
The image below shows a phishing email distributing the Remcos RAT downloader. Recipients must be vigilant as phishing emails are disguised as emails about importing/exporting shipments or quotations.…
AhnLab SEcurity intelligence Center (ASEC) has been publishing the Online Scams series to inform the readers about the ever-evolving scams. Prevention and blocking are the two most important measures to mitigate the damage inflicted by scams. Various security providers are supporting features to detect and block the damage from scams, financial frauds, and phishing.…
MS-SQL servers are one of the main attack vectors used when targeting Windows systems because they use simple passwords and are open publicly to the external Internet. Threat actors find poorly managed MS-SQL servers and scan them before carrying out brute force or dictionary attacks to log in with administrator privileges.…
AhnLab SEcurity intelligence Center (ASEC) recently discovered that phishing files are being distributed via emails. The phishing files (HTML) attached to the emails prompt users to directly paste (CTRL+V) and run the commands.
Figure 1. Phishing emailsThe threat actor sent emails about fee processing, operation instruction reviews, etc.…