Types of cyberattack include not only Advanced Persistent Threat (APT) attacks targeting a few specific companies or organizations but also scan attacks targeting multiple random servers connected to the Internet. This means that the infrastructures of threat actors can become the targets of cyberattack alongside companies, organizations, and personal users.…
Author: Ahnlab
AhnLab SEcurity intelligence Center (ASEC) has recently discovered Andariel APT attack cases against Korean corporations and institutes. Targeted organizations included educational institutes and manufacturing and construction businesses in Korea. Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks. The threat actor probably used these malware strains to control and steal data from the infected systems.…
While monitoring the distribution sources of malware in Korea, AhnLab SEcurity intelligence Center (ASEC) recently found that the XWorm v5.6 malware disguised as adult games is being distributed via webhards. Webhards and torrents are platforms commonly used for the distribution of malware in Korea.
1. Overview
Attackers normally use easily obtainable malware strains such as njRAT and UDP RAT and disguise them as normal programs including games or adult content for distribution.…
AhnLab SEcurity intelligence Center (ASEC) recently found that XMRig CoinMiner is being distributed through a game emulator. Similar cases were introduced in previous ASEC Blog posts multiple times as shown below.
Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack Monero CoinMiner Being Distributed via Webhards XMRig CoinMiner Installed via Game Hacks1.…
AhnLab Security Intelligence Center is publishing the “Online Scam” series to inform about the evolving scam threats. To reduce scam damages, prevention and blocking are crucial.
Many security companies provide features to detect and block scams, financial fraud, and phishing attacks. However, security products alone cannot prevent all scam threats.…
Read More
No one is safe from scams. In fact, scams targeting corporations and organizations employ meticulously social-engineered attack scenarios. Unlike smishing targeting individuals or online shopping scams, such attacks design tailored phishing scenarios based on previously collected information about the target. As such, it is not easy for the victim organization to recognize the scam.…
AhnLab Security Intelligence Center (ASEC) confirmed recent APT attacks by the Andariel group targeting domestic companies and organizations.
The targeted organizations included domestic manufacturing companies, construction firms, and educational institutions.
The attackers used not only backdoors but also keyloggers, infostealers, and proxy tools for the attacks.…
Read More
AhnLab SEcurity intelligence Center (ASEC) has recently discovered ViperSoftX attackers using Tesseract to exfiltrate users’ image files. ViperSoftX is a malware strain responsible for residing on infected systems and executing the attackers’ commands or stealing cryptocurrency-related information.
The malware newly discovered this time utilizes the open-source OCR engine Tesseract.…
In the modern Internet society, one can easily obtain information on devices all over the world connected to the Internet using network and device search engines such as Shodan. Threat actors can use these search engines to engage in malicious behaviors such as collecting information on attack targets or performing port scanning attacks against any devices.…
There are two types of malicious documents that are distributed via email recently: those exploiting equation editor and those including external link URLs. This post will describe the infection flow of the DanaBot malware that is distributed through documents containing external links, the latter method, as well as the evidence and detection process with the AhnLab EDR product’s diagram. Figure…
AhnLab’s Mobile Analysis Team has confirmed cases of romance scams where perpetrators establish rapport by posing as overseas friends or romantic partners. They exploit this connection to solicit money under the guise of cryptocurrency investments.
A romance scam is a type of fraud that involves emotional manipulation to solicit money through various means. …
AhnLab SEcurity intelligence Center (ASEC) has recently identified RemcosRAT being distributed using the steganography technique. Attacks begin with a Word document using the template injection technique, after which an RTF that exploits a vulnerability in the equation editor (EQNEDT32.EXE) is downloaded and executed.
Figure 1. A Word document containing an external linkThe RTF file downloads a VBScript with the “.jpg”…
AhnLab SEcurity intelligence Center (ASEC) has discovered evidence of a malware strain being distributed to web servers in South Korea, leading users to an illegal gambling site. After initially infiltrating a poorly managed Windows Internet Information Services (IIS) web server in Korea, the threat actor installed the Meterpreter backdoor, a port forwarding tool, and an IIS module malware tool.…
AhnLab SEcurity intelligence Center (ASEC) has recently discovered circumstances of a CHM malware strain that steals user information being distributed to Korean users. The distributed CHM is a type that has been constantly distributed in various formats such as LNK, DOC, and OneNote from the past.…
AhnLab SEcurity intelligence Center (ASEC) has confirmed the continuous distribution of shortcut files (*.LNK) of abnormal sizes that disseminate backdoor-type malware. The recently confirmed shortcut files (*.LNK) are found to be targeting South Korean users, particularly those related to North Korea. The confirmed LNK file names are as follows:
National Information Academy 8th Integrated Course Certificate (Final).lnk…With the advancement of scamming technology, determining the authenticity of a site solely based on appearance has become exceedingly difficult. In the past, it was possible to identify fakes by carefully observing discrepancies such as logo size, layout, wording, domain, etc., which scammers often overlooked when creating spoofed websites or emails. …
No one is safe from scams, especially targeted scams that are designed using social engineering techniques.
Targeted scams, unlike individual-targeted phishing or investment frauds, are carefully crafted attack scenarios based on pre-collected information about the target.
These attacks, such as business email compromise (BEC) and spear phishing emails, are difficult for the victim organization to recognize as scams.…
Read More
While monitoring attacks targeting MS-SQL servers, AhnLab SEcurity intelligence Center (ASEC) recently identified cases of the TargetCompany ransomware group installing the Mallox ransomware. The TargetCompany ransomware group primarily targets improperly managed MS-SQL servers to install the Mallox ransomware. While these attacks have been ongoing for several years, here we will outline the correlation between the newly identified malware and previous attack cases involving the distribution of the Tor2Mine CoinMiner and BlueSky ransomware.…
AhnLab Security Intelligence Center (ASEC) confirmed the distribution of malicious code that induces illegal gambling advertising site connections targeting domestic web servers.
The attacker infiltrated the poorly managed domestic Windows IIS (Internet Information Services) web server and stole the server’s credentials using Meterpreter backdoor, port forwarding tools, IIS module malware tools, and ProcDump.…
Read More
AhnLab SEcurity intelligence Center (ASEC) has discovered an Infostealer strain made with Electron.
Electron is a framework that allows one to develop apps using JavaScript, HTML, and CSS. Discord and Microsoft VSCode are major examples of applications made with Electron. Apps made with Electron are packaged and usually distributed in Nullsoft Scriptable Install System (NSIS) installer format.…