2022-08-09

Gwisin Ransomware Targeting Korean Entities

Level: 
Tactical
  |  Source: 
ASEC
Share:

Gwisin Ransomware Targeting Korean Entities

Industry: N/A | Level: Tactical | Source: ASEC

Research from ASEC have identified Gwisin ransomware being used against Korean organizations. The malware uses MSI Installer and requires a specific value as an argument to execute. As analyzed by ASEC "The value is used as key information to run the DLL file included in the MSI. As such, the file alone does not perform ransomware activities on security products of various sandbox environments, making it difficult to detect Gwisin. The ransomware’s internal DLL operates by being injected into a normal Windows process. The process is different for each infected company." General characteristics observed for Gwisin involve distribution as an MSI installer file, the use of a specific value to run the ransomware's DLL, injecting itself into a Windows system process, tailoring specific ransomware notes per organization, and the ability to encrypt files in safe mode.

Anvilogic Use Cases:

  • Msiexec Abuse

Get trending threats published weekly by the Anvilogic team.

Sign Up Now