Gwisin Ransomware Targeting Korean Entities
Industry: N/A | Level: Tactical | Source: ASEC
Research from ASEC has identified Gwisin ransomware being used against Korean organizations. The malware is delivered as an MSI installer package and requires a specific value as a command-line argument in order to execute. As analyzed by ASEC, "The value is used as key information to run the DLL file included in the MSI. As such, the file alone does not perform ransomware activities on security products of various sandbox environments, making it difficult to detect Gwisin. The ransomware's internal DLL operates by being injected into a normal Windows process. The process is different for each infected company." General characteristics observed for Gwisin include distribution as an MSI installer file, the use of a specific argument value to run the ransomware's DLL, injection into a Windows system process, ransom notes tailored to each victim organization, and the ability to encrypt files in safe mode.
Anvilogic Use Cases:
- Msiexec Abuse
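The behaviour described above, an MSI package launched through msiexec.exe with an attacker-chosen property value acting as the run key, can be hunted for in process-creation telemetry. The following is an added detection example, not code from ASEC or Anvilogic: the list of "known" MSI public properties, the user-writable path fragments, the field names and the sample events are all constructed assumptions, and the property name/value in the suspicious event is a placeholder because the page does not state the real one.

```python
import re

# Public MSI properties routinely passed on benign command lines (assumed, non-exhaustive).
KNOWN_PROPERTIES = {
    "ALLUSERS", "TARGETDIR", "INSTALLDIR", "INSTALLLOCATION", "REBOOT", "REINSTALL",
    "REINSTALLMODE", "ADDLOCAL", "REMOVE", "TRANSFORMS", "MSIRESTARTMANAGERCONTROL",
    "ARPSYSTEMCOMPONENT", "ROOTDRIVE", "APPDIR",
}
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\public\\", "\\appdata\\")  # assumed
TOKEN_RE = re.compile(r'"[^"]*"|\S+')           # quoted path or bare token
PROP_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.+)$")  # PROPERTY=value

def parse_msiexec(cmdline):
    """Split an msiexec command line into (msi_path, {property: value}, quiet_flag)."""
    msi_path, props, quiet = None, {}, False
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)][1:]  # drop the image name
    i = 0
    while i < len(tokens):
        tok, low = tokens[i], tokens[i].lower()
        if low in ("/i", "-i", "/package", "/a") and i + 1 < len(tokens):
            msi_path = tokens[i + 1]
            i += 2
            continue
        if low.startswith(("/q", "-q")):          # /q, /qn, /qb, /quiet ...
            quiet = True
        m = PROP_RE.match(tok)
        if m and not tok.startswith(("/", "-")):
            props[m.group(1).upper()] = m.group(2)
        elif low.endswith(".msi") and msi_path is None:
            msi_path = tok
        i += 1
    return msi_path, props, quiet

def score_event(event):
    """Return the reasons an msiexec process-creation event looks suspicious (empty if benign)."""
    if not event["image"].lower().endswith("msiexec.exe"):
        return []
    msi_path, props, quiet = parse_msiexec(event["cmdline"])
    custom = {k: v for k, v in props.items() if k not in KNOWN_PROPERTIES}
    reasons = []
    if custom:
        reasons.append("custom MSI property passed as run-time argument: " + ", ".join(custom))
    if msi_path and any(d in msi_path.lower() for d in USER_WRITABLE):
        reasons.append("package launched from user-writable path: " + msi_path)
    if quiet and custom:
        reasons.append("quiet install combined with custom property")
    return reasons

def detect(events):
    """Run score_event over a batch of process-creation events and collect alerts."""
    return [{"ts": e["ts"], "cmdline": e["cmdline"], "reasons": r}
            for e in events if (r := score_event(e))]

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"ts": "2022-08-01T09:00:01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\Public\update.msi" /qn PLACEHOLDER_PROP=PLACEHOLDER_VALUE'},
    {"ts": "2022-08-01T09:05:12", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Program Files\Vendor\app.msi" ALLUSERS=1 /qb'},
    {"ts": "2022-08-01T09:07:40", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]
```

The ALLUSERS allow-list is the part to tune per environment: legitimate software deployment tools pass their own public properties, so baseline them before alerting on every unknown key.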