On January 24, ASEC discovered the distribution of malware disguised as ‘2021 Ministry of National Defense Work Report Revised.’ As shown below, the distributed file carries a *.pif extension, but it is an executable just like a file with the EXE extension. When run, it shows the user a document identical to a PDF available on the Ministry of National Defense website. At the same time, it is designed to secretly run the malware (a DLL) alongside the legitimate PDF so that the user does not notice anything has happened.
- Name of Distributed File
- 2021 Ministry of National Defense Work Report Revised.pif
- Created File
- %Original file path%\2021 Ministry of National Defense Work Report Revised.pdf (valid document)
- C:\ProgramData\Intel\Driver\driver.cfg (malicious DLL file)
The created malicious DLL file is run via regsvr32.exe and, after being registered as a scheduled task named ‘Disk0,’ is executed every 30 minutes.
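As an added defender-side illustration (not code from the ASEC report), the following Python sketch scores scheduled-task records against the traits described above: regsvr32.exe loading a module with a non-DLL extension from under ProgramData, a 30-minute repetition, and the task name ‘Disk0.’ The record layout (name, action, repeat_minutes) and the sample records are constructed for this example.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Indicators taken from the report: task name and the usual module extensions.
TASK_NAME = "Disk0"
NORMAL_MODULE_EXTS = {".dll", ".ocx", ".ax"}

def inspect_regsvr32_cmdline(cmdline: str) -> list[str]:
    """Return reasons a regsvr32 command line resembles the described loader."""
    reasons: list[str] = []
    tokens = re.findall(r'"[^"]+"|\S+', cmdline)
    if not tokens or PureWindowsPath(tokens[0].strip('"')).name.lower() != "regsvr32.exe":
        return reasons  # not a regsvr32 invocation at all
    for tok in tokens[1:]:
        arg = tok.strip('"')
        if arg.startswith("/"):  # switches such as /s, /u, /n, /i:
            continue
        path = PureWindowsPath(arg)
        if path.suffix.lower() not in NORMAL_MODULE_EXTS:
            reasons.append(f"registers module with extension {path.suffix or '(none)'}")
        if any(part.lower() == "programdata" for part in path.parts):
            reasons.append("module lives under ProgramData")
    return reasons

def inspect_task(task: dict) -> list[str]:
    """Score one constructed scheduled-task record (name, action, repeat_minutes)."""
    reasons = inspect_regsvr32_cmdline(task.get("action", ""))
    if reasons and task.get("repeat_minutes") == 30:
        reasons.append("regsvr32 re-run every 30 minutes")
    if task.get("name") == TASK_NAME:
        reasons.append(f"task named {TASK_NAME!r}")
    return reasons

def find_suspicious_tasks(tasks: list[dict]) -> dict[str, list[str]]:
    """Map task name -> reasons for every task that raised at least one."""
    return {t["name"]: r for t in tasks if (r := inspect_task(t))}

# Constructed sample records (hypothetical export of the task scheduler).
SAMPLE_TASKS = [
    {"name": "Disk0", "repeat_minutes": 30,
     "action": r'regsvr32.exe /s "C:\ProgramData\Intel\Driver\driver.cfg"'},
    {"name": "DriverUpdate", "repeat_minutes": 60,
     "action": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
]

if __name__ == "__main__":
    for name, why in find_suspicious_tasks(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(why))
```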
ASEC speculates that this malware will ultimately connect to its C2 server, receive commands from the attacker, and perform additional malicious behaviors.
AhnLab’s anti-malware solution V3 detects and blocks this malware under the following aliases.