AhnLab Security Emergency response Center (ASEC) has previously covered the malware that is generated by the installation file of a Korean program development company.
When malware is distributed alongside an installation file, users will struggle to notice that malware is being executed concurrently. Additionally, due to its characteristic of operating in a fileless format by being injected into a normal program, signature-based anti-malware products find it difficult to detect such malware.
However, Endpoint Detection & Response (EDR), which records and reports all suspicious behaviors occurring on endpoints, can keep up with the evolving evasion techniques of such malware. By detecting suspicious behaviors, like the ones listed below, security admins can be alerted to these techniques.
Figure. Suspicious behaviors detected by EDR
Figure. Malicious behavior diagram of the installerThe threat actor downloaded additional malware and used the normal process Powershell.exe to carry out malicious behaviors by performing an injection on the normal program Notepad (notepad.exe).
Figure. Malicious command being executed using the normal process Powershell.exe
Figure. Installer’s connection to the Sliver C2 being detectedAs shown above, the malware creator carries out a normal installation to make it difficult for users to detect the malware, and they either develop a variant to bypass signature-based detection or carry out their infection through a normal process using a fileless format. However, EDR detects such suspicious behaviors and provides users with a clear flow chart of the threats.
IOC
MD5
– e84750393483bbb32a46ca5a6a9d253c: Malicious installer
– eefbc5ec539282ad47af52c81979edb3: Malicious installer (31254396_hzczvmfw_….vpn1.1.1.exe)
– 10298c1ddae73915eb904312d2c6007d: Malicious installer (31254396_LO38iuSd_….Setup1.2.1.exe)
– b4481eef767661e9c9524d94d808dcb6: Malicious installer (31254396_a7z34P10_….Install2.1.7.exe)
– 70257b502f6db70e0c75f03e750dca64: Malicious installer (167775112_v17MGr85_167775039_EvimzM59_….VPNSetup1.0.4.4.exe)
– 1906bf1a2c96e49bd8eba29cf430435f: Malicious installer (167774990_A5TinsS6_….VPNInstaller1.0.4_230710.exe)
– 499f0d42d5e7e121d9a751b3aac2e3f8 :Malicious installer (31254396_ORZNvfG9_….Fax1.0.0.exe)
– b66f351c35212c7a265272d27aa09656: Malicious VPN program
– ea20d797c0046441c8f8e76be665e882: Malicious VPN program
– 73f83322fce3ef38b816bef8fa28d37b: Encrypted Sliver C2 (sans.font2)
– 5eb6821057c28fd53b277bc7c6a17465: MeshAgent (preMicrosoft.exe)
– 95dac8965620e69e51a1dbdf7ebbf53a: MeshAgent (Microsoft.exe)
– 23f72ee555afcd235c0c8639f282f3c6: MeshAgent (registrys.exe)
– 27a24461bd082ec60596abbad23e59f2: Webcam capturing malware (m.exe)
AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.
The post Malware Disguised as Normal Installation File of a Korean Development Company – EDR Detection appeared first on ASEC BLOG.
Article Link: Malware Disguised as Normal Installation File of a Korean Development Company - EDR Detection - ASEC BLOG