Distribution of Malware Disguised as ‘2021 Ministry of National Defense Work Report Revised’

On January 24, ASEC discovered the distribution of malware disguised as ‘2021 Ministry of National Defense Work Report Revised.’ As shown below, the extension of the distributed malware is *.pif, but it is an executable file just like the EXE extension. Once run, a file that is identical to that of a PDF document file accessible on the website of Ministry of National Defense is shown to the user. However, it is designed to run malware (DLL format) along with a valid PDF file secretly so that the user would not notice what has happened.

  • Name of Distributed File
    • 2021 Ministry of National Defense Work Report Revised.pif
  • Created File
    • %Original file path%\2021 Ministry of National Defense Work Report Revised.pdf (valid document)
    • C:\ProgramData\Intel\Driver\driver.cfg (malicious DLL file)

The created malicious DLL file is run via regsvr32.exe, and is run every 30 minutes after being registered as a schedule named ‘Disk0.’

Malicious DLL compiled on January 23, 2021

ASEC speculates that ultimately, this malware will connect to C2, receive the command from the attacker, and perform additional malicious behaviors.

AhnLab’s anti-malware solution V3 detects and blocks this malware under following aliases.

[File Detection]

  • Downloader/Win64.Agent.C4318031
  • Trojan/Win64.Agent.C4318029

[Relevant IoC]

  • hxxp://exchange.amikbvx.cf/
  • hxxp://imap.pamik.cf/
  • 7e041b101e1e574fb81f3f0cdf1c72b8
  • 447163d776b62bf0b1c652c996cc0586

Categories:Malware Information

5 3 votes
Article Rating
Notify of

Inline Feedbacks
View all comments