Malware Stealing Certificate from Major Korean Game Company Spread via Document File

Last month, ASEC analysis team uploaded a blog post about malware disguised as a bonus payment invoice (see link below). Another malware of the same type was found recently, and AhnLab has decided to share more information through this post.

The document has a history of distribution via email. The attacker disguised the sender’s address as one of media press. The malicious DLL that runs at the end stole the certificate of a major Korean game company to disguise itself as a normal file.

Figure 1 -Execution flow

When WORD1 document file is run, Microsoft guide is shown. However the screen of Microsoft guide faintly covers a table underneath. Upon opening the document, the file approaches the below URL specified in settings.xml.rels and attempts to download WORD2.

Figure 2 – WORD2 download URL (settings.xml.rels of WORD1)

WORD2, a malicious file additionally downloaded via WORD1, contains 2 internally encoded PE files.

One of the files is a normal file (MicrosoftEdgeUpdate.exe), and WORD2 used its feature of loading msedgeupdate.dll to create a malicious DLL with that name and command it to perform automatically.

Figure 3 – File creation code

These 2 files are Base64-encoded, and they are created after being decoded by the macro code above.

Normal EXE fileCreate C:\Users\Public\Documents\MicrosoftEdgeUpdate.exe (Load malicious DLL below)
Malicious DLL fileCreate C:\Users\Public\Documents\msedgeupdate.dll

The created DLL stole the certificate of a major Korean game company, and the signed date is same as the modified date of the document file.

Also, the DLL is designed to run only in an environment with 4 or more CPUs, and this allows it to bypass commonly used virtual environment dynamic analysis. If there are 4 or more CPUs, the DLL executes a code that is internally encoded to connect to a specific network. We assume that the DLL is designed to acquire data through this network, but currently there’s no acquiring data that further details cannot be confirmed

Figure 4 – Part of DLL code

As malware of this type is continually attacking the cryptocurrency market, media press, and game companies, users must refrain from opening document files with unknown sources and remain vigilant to avoid damage.

AhnLab’s V3 products detect the malicious document file and the DLL file under the following aliases:

  • Downloader/Xml.Generic (2020.05.07.08)
  • Dropper/Doc.Generic (2020.05.08.07)
  • Trojan/Win32.Agent (2020.05.04.05)

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments