Author: Ahnlab
AhnLab SEcurity intelligence Center (ASEC) confirmed that abnormally large shortcut files (*.LNK) that spread backdoor-type malware are being steadily distributed. The recently identified LNK file is being distributed to domestic users, especially people related to North Korea. The confirmed LNK file name is as follows.…
AhnLab SEcurity intelligence Center (ASEC) has recently identified the distribution of phishing files identical to Korean portal website login screens. Cases impersonating multiple Korean portal websites, logistics and shipping brands, and webmail login pages have been common for a long time.
* In the left/right comparison images used in this post, the left side shows the phishing page and the right side shows the normal page.…
AhnLab SEcurity intelligence Center (ASEC) recently discovered that the Metasploit Meterpreter backdoor has been installed via the Redis service. Redis is an abbreviation of Remote Dictionary Server, an open-source in-memory data structure store that is also used as a database. It is presumed that the threat actors abused misconfigured settings or executed commands by exploiting vulnerabilities.…
Pupy is a RAT malware strain that offers cross-platform support. Because it is an open-source program published on GitHub, it is continuously being used by various threat actors including APT groups. For example, it is known to have been used by APT35 (said to have ties to Iran) [1] and was also used in Operation Earth Berberoka [2] which targeted online gambling websites.…
AhnLab SEcurity intelligence Center (ASEC) has recently identified the distribution of a modified version of “mimeTools.dll”, a default Notepad++ plug-in. The malicious mimeTools.dll file in question was included in the package installation file of a certain version of the Notepad++ package and disguised as a legitimate package file.…
Online investment scams these days are no longer an issue limited to specific nations, now becoming a social issue prevalent around the globe. Scammers (criminals) deceive their victims through illegal and immoral means, extorting financial assets including cash and virtual assets from them. They are usually a part of a structured criminal syndicate, where they devise sophisticated scenarios to commit “transnational” fraud crimes.…
AhnLab SEcurity intelligence Center (ASEC) recently found that there are a growing number of cases where threat actors use YouTube to distribute malware. The attackers do not simply create YouTube channels and distribute malware—they are stealing well-known channels that already exist to achieve their goal. In one of the cases, the targeted channel had more than 800,000 subscribers.…
Recently, AhnLab SEcurity intelligence Center (ASEC) discovered the distribution of Rhadamanthys under the guise of an installer for groupware. The threat actor created a fake website to resemble the original website and exposed the site to the users using the ad feature in search engines. ASEC Blog has previously covered malware distributed through such ad features of search engines in the article titled “Hey, This Isn’t the Right Site!”…
AhnLab SEcurity intelligence Center (ASEC) recently confirmed that “mimeTools.dll,” a basic plugin for Notepad++, had been altered and distributed. The malicious mimeTools.dll file was included in the installation file of a specific version of the Notepad++ package and disguised as a normal package file. mimeTools is a module that performs encoding functions such as Base64, as shown in the image below, and is included by default without the user having to add it separately.…
AhnLab SEcurity intelligence Center (ASEC) has recently confirmed that the number of cases where attackers are using YouTube for the purpose of distributing malware is increasing. Rather than simply creating YouTube accounts and distributing malware, attackers are hijacking already existing famous YouTube accounts and distributing malware.…
“Hey, This Isn’t the Right Site!” Distribution of Malware Exploiting Google Ads Tracking – ASEC BLOG
Summary: AhnLab Security Intelligence Center (ASEC) has discovered a malware strain that exploits Google Ads tracking to distribute malicious files. The malware disguises itself as installers for popular groupware like Notion and Slack, and once installed, it downloads malicious payloads from the attacker’s server.
Key Point: The malware is distributed through Google Ads tracking, tricking users into thinking they are accessing a legitimate website.…
AhnLab SEcurity intelligence Center (ASEC) recently discovered the Kimsuky group distributing malware disguised as an installer from a Korean public institution. The malware in question is a dropper that creates the Endoor backdoor, which was also used in the attack covered in the previous post, “TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)”.…
AhnLab SEcurity intelligence Center (ASEC) recently confirmed in detail how malware is being distributed through Google’s advertising tracking function. In a confirmed case, malware disguised as an installer for widely used groupware, such as Notion and Slack, was distributed. The distributed malware downloads malicious files and payloads from the attacker’s server, and the confirmed file names are as follows.…
Web browsers are some of the programs most commonly and frequently used by PC users. Users generally use browsers to look up information, send and receive emails, and use web services such as shopping. This is the case for both individual users and employees conducting business in companies.…
AhnLab SEcurity intelligence Center (ASEC) recently discovered the Andariel group’s continuous attacks on Korean companies. It is notable that installations of MeshAgent were found in some cases. Threat actors often exploit MeshAgent along with other similar remote management tools because it offers diverse remote control features.…
AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of CryptoWire, a ransomware that was widespread in 2018.
CryptoWire is mainly distributed via phishing emails and is written in AutoIt script.
Main Features: The ransomware copies itself to the path “C:\Program Files\Common Files” and registers a scheduled task in the Task Scheduler to maintain persistence.…
A sextortion scam is defined as the crime of blackmailing victims with their sensitive information to inflict severe psychological distress and extort money from them. Victims not only suffer immediate financial losses but also immense shock and fear, in some cases to the point of having their daily lives severely impacted.…