In March 2024, AhnLab SEcurity Intelligence Center (ASEC) identified a dropper disguised as an installer for a Korean public institution. The dropper creates a compressed src.rar file.
Reports detail specific techniques used when this file is present in an infection chain: SRC.rar
It uses a bundled unrar.exe to decompress the archive using the password 1q2w3e4r . In March 2024, AhnLab SEcurity Intelligence Center (ASEC)
Interestingly, Security Boulevard noted that in some CorKLOG deployments, a coding error in the executable prevented the malicious DLL from loading because the filenames did not match. In March 2024
The src.rar archive typically contains a legitimate executable (e.g., lcommute.exe ) and a malicious DLL (e.g., mscorsvc.dll ). The goal is to use the legitimate program to "sideload" the malware into memory.