Malware

Distribution of Malware Disguised as ‘2021 Ministry of National Defense Work Report Revised’

Feb 03 2021

On January 24, ASEC discovered the distribution of malware disguised as ‘2021 Ministry of National Defense Work Report Revised.’ As shown below, the extension of the distributed malware is *.pif, but it is an executable file just like the EXE extension. Once run, a file that is identical to that of a PDF document file accessible on the website of Ministry of National Defense is shown to the user. However, it is designed to run malware (DLL format) along with a valid PDF file secretly so that the user would not notice what has happened.

Name of Distributed File
- 2021 Ministry of National Defense Work Report Revised.pif
Created File
- %Original file path%\2021 Ministry of National Defense Work Report Revised.pdf (valid document)
- C:\ProgramData\Intel\Driver\driver.cfg (malicious DLL file)

The created malicious DLL file is run via regsvr32.exe, and is run every 30 minutes after being registered as a schedule named ‘Disk0.’

Malicious DLL compiled on January 23, 2021

ASEC speculates that ultimately, this malware will connect to C2, receive the command from the attacker, and perform additional malicious behaviors.

AhnLab’s anti-malware solution V3 detects and blocks this malware under following aliases.

[File Detection]

Downloader/Win64.Agent.C4318031
Trojan/Win64.Agent.C4318029

MD5

447163d776b62bf0b1c652c996cc0586

7e041b101e1e574fb81f3f0cdf1c72b8

URL

http[:]//exchange[.]amikbvx[.]cf/

http[:]//imap[.]pamik[.]cf/

Distribution of Malware Disguised as ‘2021 Ministry of National Defense Work Report Revised’

BlueCrab Ransomware Installing Hacking Tool CobaltStrike in Corporate Environments

Received Estimate/Purchase Order Email? Take Caution When Opening Them!