On January 24, ASEC discovered the distribution of malware disguised as ‘2021 Ministry of National Defense Work Report Revised.’ As shown below, the distributed file carries a *.pif extension, but it is an executable file just like one with the EXE extension. Once run, it shows the user a file identical to a PDF document available on the website of the Ministry of National Defense. However, alongside the valid PDF it secretly runs malware (in DLL form), so that the user does not notice what has happened.
- Name of Distributed File
  - 2021 Ministry of National Defense Work Report Revised.pif
- Created Files
  - %Original file path%\2021 Ministry of National Defense Work Report Revised.pdf (valid document)
  - C:\ProgramData\Intel\Driver\driver.cfg (malicious DLL file)
The created malicious DLL file is loaded via regsvr32.exe and registered as a scheduled task named ‘Disk0,’ which runs it every 30 minutes.

ASEC speculates that, ultimately, this malware will connect to its C2 server, receive commands from the attacker, and perform additional malicious behaviors.
AhnLab’s anti-malware solution V3 detects and blocks this malware under the following aliases.
[File Detection]
- Downloader/Win64.Agent.C4318031
- Trojan/Win64.Agent.C4318029
[Relevant IoC]
- hxxp://exchange.amikbvx.cf/
- hxxp://imap.pamik.cf/
- 7e041b101e1e574fb81f3f0cdf1c72b8
- 447163d776b62bf0b1c652c996cc0586
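As an added example (not AhnLab's tooling and not code from the post), the following Python turns the behaviour and indicators above into detection checks: a file with a .pif extension that starts with the PE ‘MZ’ stub, regsvr32.exe being asked to load a file that is not a DLL (here driver.cfg), a scheduled task named ‘Disk0’ whose action is that regsvr32 command and which repeats on a fixed interval, and a matcher for the listed hosts and MD5 hashes. The task name, DLL path, hosts and hashes are quoted from the post; the process-creation lines, task XML and file headers are constructed samples, and every function name is a hypothetical helper.

```python
"""Detection helpers for the dropper described in the post.
Indicators are quoted from the post; all sample inputs are constructed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Indicators quoted from the post
TASK_NAME = "Disk0"
DROPPED_DLL = r"C:\ProgramData\Intel\Driver\driver.cfg"
IOC_MD5 = {"7e041b101e1e574fb81f3f0cdf1c72b8", "447163d776b62bf0b1c652c996cc0586"}
IOC_HOSTS = {"exchange.amikbvx.cf", "imap.pamik.cf"}

# Extensions Windows runs as native PE executables although they do not read as .exe
PE_ALIAS_EXTENSIONS = (".pif", ".scr", ".com")
# Extensions regsvr32 is normally asked to register; anything else (e.g. .cfg) deserves a look
REGSVR32_NORMAL_EXTENSIONS = (".dll", ".ocx", ".ax")


def is_disguised_executable(filename: str, header: bytes) -> bool:
    """A .pif/.scr/.com file whose first bytes are the PE 'MZ' stub is an executable in disguise."""
    return filename.lower().endswith(PE_ALIAS_EXTENSIONS) and header[:2] == b"MZ"


def regsvr32_module(cmdline: str):
    """Return the module path regsvr32 was asked to load, or None for a non-regsvr32 command line."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens:
        return None
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    if image not in ("regsvr32", "regsvr32.exe"):
        return None
    modules = [t for t in tokens[1:] if not t.startswith(("/", "-"))]  # drop switches like /s
    return modules[-1] if modules else None


def is_suspicious_regsvr32(cmdline: str) -> bool:
    """regsvr32 loading something other than .dll/.ocx/.ax (the post's driver.cfg) is the loader pattern."""
    module = regsvr32_module(cmdline)
    return module is not None and not module.lower().endswith(REGSVR32_NORMAL_EXTENSIONS)


# Constructed process-creation records in the shape of Sysmon event 1 (not real telemetry)
SAMPLE_PROCESS_LOG = [
    'Image: C:\\Windows\\System32\\regsvr32.exe CommandLine: regsvr32.exe /s "C:\\ProgramData\\Intel\\Driver\\driver.cfg"',
    'Image: C:\\Windows\\System32\\regsvr32.exe CommandLine: regsvr32 /s C:\\Windows\\System32\\msxml3.dll',
    'Image: C:\\Windows\\System32\\notepad.exe CommandLine: notepad.exe report.txt',
]


def scan_process_log(lines):
    """Return the command lines in which regsvr32 loads a non-DLL module."""
    hits = []
    for line in lines:
        m = re.search(r"CommandLine:\s*(.*)$", line)
        if m and is_suspicious_regsvr32(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed Task Scheduler definition (the shape carried in Security event 4698), not the real task
SAMPLE_TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT30M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>regsvr32.exe</Command>
    <Arguments>/s C:\\ProgramData\\Intel\\Driver\\driver.cfg</Arguments></Exec></Actions>
</Task>"""


def task_findings(task_name: str, task_xml: str) -> list:
    """Inspect a scheduled-task definition for the traits the post describes; returns human-readable findings."""
    root = ET.fromstring(task_xml)
    # Strip the namespace so Command/Arguments/Interval can be looked up by local name
    fields = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip() for el in root.iter()}
    findings = []
    if task_name.strip("\\").lower() == TASK_NAME.lower():
        findings.append("task name matches IoC 'Disk0'")
    action = f'{fields.get("Command", "")} {fields.get("Arguments", "")}'
    if is_suspicious_regsvr32(action):
        findings.append("action runs regsvr32 on a non-DLL extension")
    if findings and fields.get("Interval"):
        findings.append(f"re-runs on a fixed interval ({fields['Interval']})")
    return findings


def matches_ioc(value: str) -> bool:
    """Match a URL or hostname (hxxp:// defanging accepted) or an MD5 against the post's indicators."""
    v = value.strip().lower()
    if re.fullmatch(r"[0-9a-f]{32}", v):
        return v in IOC_MD5
    host = urlsplit(v if "://" in v else "//" + v).hostname
    return host in IOC_HOSTS


if __name__ == "__main__":
    print(scan_process_log(SAMPLE_PROCESS_LOG))
    print(task_findings("\\Disk0", SAMPLE_TASK_XML))
```

The regsvr32 check keys on the extension of the module argument rather than on the exact driver.cfg path, so a renamed drop under a different directory still trips it; the task check reports the IoC name, the loader action and the repetition interval separately so an analyst can see which traits matched.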