Yesterday (April 9, 2020), AhnLab revealed that a malware in the form of an election-related document is being distributed. When running it alone, it is difficult to check whether it’s an actual election related document or not, but we found out that it can be checked via macro of another document file. Seeing that its content can be checked only in specific situations, it is assumed that the attacker targeted specific systems. This malware was confirmed to be an attack carried out by Kimsuky group, and more information will be shared below.
Figure 1 – Architecture of ‘WORD 1’
As shown in Figure 1, ‘WORD 1’ connects to the domain: ‘saemaeul.mireene.com’ which is stated in settings.xml.rels. Although additional data is not currently downloaded, ‘WORD 2,’ a document created when the downloading is successful, also attempts to connect to the same domain. This domain is mireene.com hosting server, which Kimsuky group has been using, and it was used for this attack as well.
Furthermore, on the surface, ‘WORD 1,’ ‘WORD 2,’ and other distributed documents similarly look to be written in English, but Korean language settings are included together in the internal properties. Interestingly, the name of the author for ‘WORD 1’ is clearly a Korean name.
The content related to the legislative election in ‘WORD 1’ cannot be checked by running it alone. As shown in Figure 3, an internal file (document.xml) contains the related content, but it cannot be checked by executing the file alone. The content is revealed only when the macro of ‘WORD 2’ is activated together.
Because ‘WORD 1’ is edit-restricted, a user cannot edit its content by running it alone, but it becomes editable only through ‘WORD 2’ whose macro contains a password. In summary, only a system connected to ‘WORD 2’ can check election-related content when running ‘WORD 1.’ Therefore, we can assume that the attacker is targeting specific systems.
When ‘WORD 1’ is restructured via macro of ‘WORD 2,’ data in the file itself is partially removed and newly saved. The evidence is the file size reduction (see figure below). Macro of ‘WORD 2’ sends the user info to a specific server and attempts to connect to a specific network address by registering a task scheduler and set the created VBS to run every 5 minutes. (See Figure 1 for the network address)
As shown above, Kimsuky group is continuously attacking using document files. In response to them, AhnLab plans to continue analyzing the malwares used in various attacks and share relevant information.
Users must take extra caution when using unidentified documents. AhnLab’s V3 products detect the malware under the following aliases:
- XML/Dloader (2020.04.10.00)
- Downloader/Doc.Generic (2020.04.10.00)