On March 29th, the ASEC analysis team introduced malicious Word documents containing North Korea-related materials. When such a file is opened, it connects to the 'External URL' written in its XML and downloads additional files.
Recently the team found that malicious Word documents using this method, disguised as a military security monthly magazine (April 2021), are currently being distributed. The names of the files are as follows:
The document file is protected, and upon unlocking the protection, the following is revealed.
The malicious external address that the document connects to is as follows:
- Target="hxxp://beilksa.scienceontheweb.net/cookie/select/log/tmp?q=6" TargetMode="External"/>
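One way to check a document for the external relationship shown above, as an added example (not ASEC's code): it lists every TargetMode="External" entry in the package's .rels parts. The sample package, the example.invalid URL and the attachedTemplate relationship type are constructed assumptions; the page does not name the relationship type used.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def find_external_relationships(docx_bytes):
    """Return (part, relationship type, target) for each TargetMode="External"
    relationship in an OOXML package. Hyperlinks are skipped because they are
    only followed on a click; other external targets can load on open."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(part))
            except ET.ParseError:
                hits.append((part, "unparseable", ""))  # surface for manual review
                continue
            for rel in root.iter(REL_TAG):
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel.get("TargetMode", "").lower() == "external" and rel_type != "hyperlink":
                    hits.append((part, rel_type, rel.get("Target", "")))
    return hits

def build_sample(rel_type, target, external):
    """Constructed test package holding one relationship part (not a real sample)."""
    mode = ' TargetMode="External"' if external else ""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}{rel_type}" Target="{target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder URL; the relationship type is an assumption, the page does not name it.
    sample = build_sample("attachedTemplate", "http://example.invalid/t.dotm", True)
    for part, rel_type, target in find_external_relationships(sample):
        print(f"{part}: {rel_type} -> {target}")
```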
As shown in the figure below, the documents are normally distributed in PDF format.
Recently, numerous malicious Word documents containing North Korea-related materials have been distributed. It is highly likely that they were sent to people working in North Korea-related fields. Since social engineering attacks via email have increased substantially, users must remain vigilant to prevent damage from such attacks.
V3 products detect and block the files using the following aliases:
- Downloader/DOC.External (2021.04.03.00)