#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

AhnLab | Breaking Cybersecurity News | The Hacker News

Category — AhnLab
South Korean ERP Vendor's Server Hacked to Spread Xctdoor Malware

South Korean ERP Vendor's Server Hacked to Spread Xctdoor Malware

Jul 03, 2024 Malware / Threat Intelligence
An unnamed South Korean enterprise resource planning (ERP) vendor's product update server has been found to be compromised to deliver a Go-based backdoor dubbed Xctdoor. The AhnLab Security Intelligence Center (ASEC), which identified the attack in May 2024, did not attribute it to a known threat actor or group, but noted that the tactics overlap with that of Andariel , a sub-cluster within the infamous Lazarus Group. The similarities stem from the North Korean adversary's prior use of the ERP solution to distribute malware like HotCroissant – which is identical to Rifdoor – in 2017 by inserting a malicious routine into a software update program. In the recent incident analyzed by ASEC, the same executable is said to have been tampered with to execute a DLL file from a specific path using the regsvr32.exe process as opposed to launching a downloader. The DLL file, Xctdoor, is capable of stealing system information, including keystrokes, screenshots, and clipboard conte...
Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

Jun 03, 2024 Malware / Cyber Attack
The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in its attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea. "Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks," the AhnLab Security Intelligence Center (ASEC) said in a report published last week. "The threat actor probably used these malware strains to control and steal data from the infected systems." The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware, the South Korean cybersecurity firm added, noting the system in question ran the 2013 version of Apache Tomcat, making it susceptible to several vulnerabilities. Andariel, also known by the names Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that operates on behalf of North Korea's strategic...
Unlocking Google Workspace Security: Are You Doing Enough to Protect Your Data?

Crowdstrike Named A Leader In Endpoint Protection Platforms

Nov 22, 2024Endpoint Security / Threat Detection
CrowdStrike is named a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms for the fifth consecutive time, positioned highest on Ability to Execute and furthest to the right on Completeness of Vision.
Remcos RAT Spreading Through Adult Games in New Attack Wave

Remcos RAT Spreading Through Adult Games in New Attack Wave

Jan 16, 2024 Botnet / Malware
The remote access trojan (RAT) known as Remcos RAT has been found being propagated via webhards by disguising it as adult-themed games in South Korea. WebHard, short for  web hard drive , is a popular online file storage system used to upload, download, and share files in the country. While webhards have been used in the past to deliver  njRAT ,  UDP RAT, and DDoS botnet malware , the AhnLab Security Emergency Response Center's (ASEC) latest analysis shows that the technique has been adopted to distribute Remcos RAT. In these attacks, users are tricked into opening booby-trapped files by passing them off as adult games, which, when launched, execute malicious Visual Basic scripts in order to run an intermediate binary named "ffmpeg.exe." This results in the retrieval of Remcos RAT from an actor-controlled server. A sophisticated RAT, Remcos (aka Remote Control and Surveillance) facilitates unauthorized remote control and surveillance of compromised hosts, enablin...
cyber security

Innovate Securely: Top Strategies to Harmonize AppSec and R&D Teams

websiteBackslashApplication Security
Tackle common challenges to make security and innovation work seamlessly.
Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks

Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks

Dec 29, 2023 Malware / Cyber Threat
Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines. South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as  Kimsuky . "A notable point about attacks that use AppleSeed is that similar methods of attack have been used for many years with no significant changes to the malware that are used together," the AhnLab Security Emergency Response Center (ASEC)  said  in an analysis published Thursday. Kimsuky , active for over a decade, is known for its targeting of a wide range of entities in South Korea, before expanding its focus to include other geographies in 2017. It was  sanctioned  by the U.S. government late last month for amassing intelligence to support North Korea's strategic objectives. The threat actor's espionage c...
N. Korea's Kimsuky Targeting South Korean Research Institutes with Backdoor Attacks

N. Korea's Kimsuky Targeting South Korean Research Institutes with Backdoor Attacks

Dec 08, 2023 Cyber Espionage / Cryptocurrency
The North Korean threat actor known as  Kimsuky  has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems. "The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC)  said  in an analysis posted last week. The attack chains commence with an import declaration lure that's actually a malicious JSE file containing an obfuscated PowerShell script, a Base64-encoded payload, and a decoy PDF document. The next stage entails opening the PDF file as a diversionary tactic, while the PowerShell script is executed in the background to launch the backdoor. The malware, for its part, is configured to collect network information and other relevant data (i.e., host name, user name, and operating system version) and transmit the encoded details to a remote server. It's also capable o...
N. Korean Hackers 'Mixing' macOS Malware Tactics to Evade Detection

N. Korean Hackers 'Mixing' macOS Malware Tactics to Evade Detection

Nov 28, 2023 Malware / Cyber Espionage
The North Korean threat actors behind macOS malware strains such as RustBucket and KANDYKORN have been observed "mixing and matching" different elements of the two disparate attack chains, leveraging RustBucket droppers to deliver KANDYKORN. The  findings  come from cybersecurity firm SentinelOne, which also tied a third macOS-specific malware called ObjCShellz to the RustBucket campaign. RustBucket  refers to an  activity cluster  linked to the Lazarus Group in which a backdoored version of a PDF reader app, dubbed SwiftLoader, is used as a conduit to load a next-stage malware written in Rust upon viewing a specially crafted lure document. The  KANDYKORN campaign , on the other hand, refers to a malicious cyber operation in which blockchain engineers of an unnamed crypto exchange platform were targeted via Discord to initiate a sophisticated multi-stage attack sequence that led to the deployment of the eponymous full-featured memory resident remote ac...
Reptile Rootkit: Advanced Linux Malware Targeting South Korean Systems

Reptile Rootkit: Advanced Linux Malware Targeting South Korean Systems

Aug 05, 2023 Linux / Malware
Threat actors are using an open-source rootkit called  Reptile  to target Linux systems in South Korea. "Unlike other rootkit malware that typically only provide concealment capabilities, Reptile goes a step further by offering a reverse shell, allowing threat actors to easily take control of systems," the AhnLab Security Emergency Response Center (ASEC)  said  in a report published this week. "Port knocking is a method where the malware opens a specific port on an infected system and goes on standby. When the threat actor sends a magic packet to the system, the received packet is used as a basis to establish a connection with the C&C server." A rootkit is a malicious software program that's designed to provide privileged, root-level access to a machine while concealing its presence. At least four different campaigns have leveraged Reptile since 2022. The first use of the rootkit was  recorded  by Trend Micro in May 2022 in connection with an intr...
Tonto Team Uses Anti-Malware File to Launch Attacks on South Korean Institutions

Tonto Team Uses Anti-Malware File to Launch Attacks on South Korean Institutions

Apr 28, 2023 Malware / Cyber Threat
South Korean education, construction, diplomatic, and political institutions are at the receiving end of new attacks perpetrated by a China-aligned threat actor known as the  Tonto Team . "Recent cases have revealed that the group is using a file related to anti-malware products to ultimately execute their malicious attacks," the AhnLab Security Emergency Response Center (ASEC)  said  in a report published this week. Tonto Team, active since at least 2009, has a track record of targeting various sectors across Asia and Eastern Europe. Earlier this year, the group was  attributed  to an unsuccessful phishing attack on cybersecurity company Group-IB. The attack sequence discovered by ASEC starts with a Microsoft Compiled HTML Help (.CHM) file that executes a binary file to side-load a malicious DLL file (slc.dll) and launch  ReVBShell , an open source VBScript backdoor also put to use by another Chinese threat actor called  Tick . ReVBShell is subs...
The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media

The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media

Jan 05, 2023 Data Security / Malware
The notorious information-stealer known as  Vidar  is continuing to leverage popular social media services such as TikTok, Telegram, Steam, and Mastodon as an intermediate command-and-control (C2) server. "When a user creates an account on an online platform, a unique account page that can be accessed by anyone is generated," AhnLab Security Emergency Response Center (ASEC) disclosed in a technical analysis  published  late last month. "Threat actors write identifying characters and the C2 address in parts of this page." In other words, the technique relies on actor-controlled throwaway accounts created on social media to retrieve the C2 address. An advantage to this approach is that should the C2 server be taken down or blocked, the adversary can trivially get around the restrictions by setting up a new server and editing the account pages to allow the previously distributed malware to communicate with the server. Vidar, first identified in 2018, is a  co...
Expert Insights / Articles Videos
Cybersecurity Resources