Hxxps://encorpostcom/post/post.php?type=1 However, as the attacker may upload various malware strains to the URL, users must always take caution.ĪhnLab’s anti-malware product, V3, detects the malware using the alias below. Currently, clicking the download URL results in an innocuous executable being downloaded, making it not possible to check what exactly the ultimately downloaded malware does. Seeing that the names of compressed files and interface of help files are written in Korean, it appears that the attackers are targeting Korean users. Recently, malicious Windows help files (*.chm) distributed in the form of compressed files are continuously being found. Hxxps://want-helpercom/database/db.php?type=1 Hxxps://sktelecomhelp/download/select.php type=1 Hxxps://sktelecomhelp/download/select.php?type=1 Hxxps://nhn-gamescom/game03953/gamelist.php?type=1 Afterward, when script files are run, additional malicious files are downloaded, saved into the %tmp% folder as advupdate.exe, and executed.īelow are the discovered download URLs.
chm files are run, script files are dropped into the %USERPROFILE%\Links\ folder and add run key. Additionally discovered malicious file 2-3 (CHM file)
0 kommentar(er)
