On May 10, the ASEC analysis team confirmed that an attacker has been distributing malware disguised as a food delivery app, timed to the recent surge in food delivery orders caused by COVID-19.
- I'd like to order app.zip (name of the compressed file)
- I'd like to order app\marketing.docx (Word document inside the archive that loads a malicious external template)
- I'd like to order app\changes.docx (Word document inside the archive that loads a malicious external template)
(The filename used in the discovered malicious zip file has nothing to do with the legitimate application. The attacker appears to have simply borrowed the delivery app's name.)
The external template technique used by this attacker was covered in an earlier ASEC post.
- https://asec.ahnlab.com/en/23009/ (Malicious Word Document Impersonating U.S. Investment Bank (External Connection + VBA Macro))
This attack method loads and runs the actual malicious macro from an external source through the attached template property of the Microsoft Office Open XML (OOXML) document format. It is called Template Injection.
- https://attack.mitre.org/techniques/T1221/ (Check MITRE: Defense Evasion – About Template Injection technique)
Because the malicious macro does not exist in the initial document but in a file downloaded later from an external source, MITRE ATT&CK classifies the technique under Defense Evasion. The initial document contains no macro at all, only a relationship that points at the remote template, so it is difficult for security products to decide whether the file is malicious from the initial document alone.
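What the initial document does contain is the relationship entry that tells Word where to fetch the template from. The following scanner is an added example (not code from the original post or from AhnLab): it opens a .docx as the ZIP package it is, walks every *.rels part, and reports any attachedTemplate relationship marked TargetMode="External" whose target is a remote location. It also builds a constructed, macro-free .docx in memory so it can be run offline; the template URL example.invalid and the Normal.dotm path are hypothetical values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OPC relationships namespace and the relationship type Word uses for the
# attached template referenced by w:attachedTemplate in word/settings.xml.
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def is_remote_target(target):
    """True if a relationship Target points off the local machine: an
    http/https/ftp URL, or a UNC path given as \\\\host\\share or file://host/share."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True
    u = urlparse(t)
    scheme = u.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return True
    return scheme == "file" and bool(u.netloc)


def find_external_templates(docx_bytes):
    """Scan every *.rels part of an OOXML package and return (part, target) for
    each attachedTemplate relationship with TargetMode="External" whose target
    is remote. A benign document normally has no attachedTemplate at all, or
    one that points at a local file such as Normal.dotm."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a damaged rels part is not evidence either way
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE_REL:
                    continue
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                if is_remote_target(target):
                    hits.append((name, target))
    return hits


def build_sample_docx(template_target=None):
    """Build a minimal .docx in memory. This is constructed test data, not the
    sample from the report. With template_target set, the package carries an
    attachedTemplate relationship to it, which is what a Template Injection
    document looks like on disk: no macro, just a pointer to the .dotm."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
        "</Types>"
    )
    root_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="{ns}"><Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
        'Target="word/document.xml"/></Relationships>'
    ).format(ns=PKG_REL_NS)
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>constructed sample</w:t></w:r></w:p></w:body></w:document>"
    )
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        + ('<w:attachedTemplate r:id="rId1"/>' if template_target else "")
        + "</w:settings>"
    )
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="{ns}"><Relationship Id="rId1" Type="{rel}" '
        'Target="{target}" TargetMode="External"/></Relationships>'
    ).format(ns=PKG_REL_NS, rel=ATTACHED_TEMPLATE_REL, target=template_target)

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/settings.xml", settings)
        if template_target:
            zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/template.dotm")  # hypothetical URL
    for part, target in find_external_templates(sample):
        print("external template in %s -> %s" % (part, target))
```

The check is deliberately narrow: a local attachedTemplate (Normal.dotm, a corporate template on the user's own disk) is normal and is not reported, while any remote http/https/UNC target is, since that is the one thing a Template Injection document cannot do without. Run it over mail attachments before they reach a user, or over a quarantine folder, to flag documents that would otherwise look clean to a macro scanner.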
The malicious macro in the DOTM file that is ultimately loaded through the document's external template reference does the following:
- Connects to hxxp://kr2959.atwebpages.com/view.php?id=2, downloads cvwiq.zip and decompresses it -> creates the PE file C:\Users\Public\wieb.dat
- Creates and runs C:\Users\Public\nwib.bat -> runs the commands rundll32.exe "C:\Users\Public\wieb.dat" Run and del /f /q %0 (the batch file deletes itself after launching the DLL)
wieb.dat, launched by nwib.bat, is loaded as a DLL through rundll32.exe with its Run export as the entry point. It then downloads and runs the additional malicious payload.
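The execution chain above leaves a recognizable trace in process-creation telemetry: Word spawns cmd.exe for a batch file in C:\Users\Public, and that cmd.exe spawns rundll32.exe with a module whose extension is not .dll. The following detection logic is an added example (not code from the original post or from AhnLab) that parses rundll32 command lines and scores events against those traits. The event field names (image, parent_image, command_line) and the sample events are constructed for the example; map the fields from whatever your Sysmon or EDR pipeline emits.

```python
import ntpath
import re

PUBLIC_DIR = "c:\\users\\public\\"

# rundll32.exe <module>[,]<entry> [args]; the module path may be quoted and the
# separator between module and entry point may be a comma or whitespace.
RUNDLL32_RE = re.compile(
    r'(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?:"([^"]+)"|([^\s,]+))\s*,?\s*(\S+)?',
    re.IGNORECASE,
)


def parse_rundll32(command_line):
    """Return (module_path, entry_point) from a rundll32 command line, or None."""
    m = RUNDLL32_RE.match(command_line.strip())
    if not m:
        return None
    module = m.group(1) or m.group(2)
    return module, (m.group(3) or "")


def analyze_event(event):
    """Return a list of finding strings for one process-creation event."""
    findings = []
    image = event["image"].lower()
    parent = event.get("parent_image", "").lower()
    cmd = event["command_line"]

    if image.endswith("rundll32.exe"):
        parsed = parse_rundll32(cmd)
        if parsed:
            module, entry = parsed
            ext = ntpath.splitext(module)[1].lower()
            if ext != ".dll":
                findings.append(
                    "rundll32 loading module with non-DLL extension '%s': %s" % (ext, module)
                )
            if module.lower().startswith(PUBLIC_DIR):
                findings.append("rundll32 module under C:\\Users\\Public: %s" % module)
            if findings and parent.endswith("cmd.exe"):
                findings.append("suspicious rundll32 spawned by cmd.exe (batch-file launcher)")

    if image.endswith("cmd.exe"):
        low = cmd.lower()
        if ".bat" in low and PUBLIC_DIR in low:
            findings.append("batch file executed from C:\\Users\\Public")

    if parent.endswith("winword.exe") and (image.endswith("cmd.exe") or image.endswith("rundll32.exe")):
        findings.append("Office process spawned a command interpreter or rundll32")

    return findings


# Constructed sample events modelled on the chain described in the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'cmd /c ""C:\Users\Public\nwib.bat" "'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'rundll32.exe "C:\Users\Public\wieb.dat" Run'},
    # Benign control: a normal Control Panel launch.
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for finding in analyze_event(ev):
            print("%s: %s" % (ev["image"], finding))
```

Each trait on its own is weak (rundll32 legitimately loads .cpl files, and users do run batch files), so the intent is to raise severity when several of them coincide on one process tree, as they do in the two constructed malicious events and not in the benign one.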
The final executed payload performs the following features:
- Collection of system information (ipconfig /all, systeminfo, and tasklist)
- Collection of clipboard data
- Send collected information to C&C
Attacks using this Template Injection technique have been found distributing malicious files to a wide range of public institutions, large companies and other organizations through spam mail and websites. Caution is advised.
Users should refrain from opening mail from unknown sources and keep V3 updated to the latest version to prevent malware infection in advance.
- Malware/Win.Generic.C4465648 (2021.05.11.01)
- Trojan/Win.Akdoor.C4468947 (2021.05.13.00)
- Downloader/DOTM.External (2021.05.13.00)