In June this year, the ASEC analysis team introduced a malicious Word document believed to be used in a targeted attack. Recently, the team confirmed that malware of the same type is being distributed with new content. It was distributed through e-mails whose sender impersonated an administrator of a summer academic conference in Korea (see the figure below). The mail had an attachment named ‘[** Summer Academic Conference]_Profile Template.doc’, which prompts the user to fill out the form.
The figure below shows the Word file attached to the mail, which contains a macro. Both the author and the last modifier of the document are the same as those of the previously discovered document ‘Compensation Claim Form’, so it is likely that both documents were distributed by the same attacker (https://asec.ahnlab.com/en/24443/).
Like ‘Compensation Claim Form’, simply opening the file does not trigger the malicious behavior. The malicious macro runs when the user enters text in the document. When the macro runs, it downloads data from the following URL and saves it as the %APPDATA%\desktop.ini file.
- Download URL: hxxp://daewon3765.cafe24.com/about/down/download.php?filename=[user name]
Afterward, it executes the desktop.ini file through Excel, calling the ExcelApp.ExecuteExcel4Macro(cmd) function with the command shown below. Because the team could not access the URL that serves the additional data at the time of analysis, it could not determine what the malware does afterward.
- call(“kernel32”, “WinExec”, “JFJ”, “wscript //e:vbscript //b “”C:\\Users\\[user name]\\AppData\\Roaming\\desktop.ini”””, 5)
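The execution chain above leaves a recognizable trace in process-creation telemetry: a script host forced onto the VBScript engine (//e:vbscript), in silent batch mode (//b), for a file whose extension is not a script type (desktop.ini) inside the user's roaming AppData profile. The following detection routine is an added example, not part of the original post or of AhnLab's products; the sample command lines are constructed, and the doubled quotes of the VBA string in the Excel4 call appear as ordinary double quotes once the command is logged.

```python
import ntpath
SCRIPT_HOSTS = {"wscript.exe", "wscript", "cscript.exe", "cscript"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def split_windows_cmdline(cmdline):
    """Split on whitespace while honouring double-quoted arguments."""
    tokens, cur, in_quotes = [], "", False
    for ch in cmdline + " ":  # trailing space flushes the last token
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    return tokens


def flag_script_host_abuse(cmdline):
    """Return the reasons a script-host launch matches the chain above (empty = clean)."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in SCRIPT_HOSTS:
        return []
    engine, batch, script = None, False, None
    for tok in tokens[1:]:
        low = tok.lower()
        if low.startswith("//e:"):
            engine = low[4:]  # forced script engine, e.g. vbscript
        elif low == "//b":
            batch = True  # batch mode: no prompts, no error dialogs
        elif low.startswith("/"):
            continue  # other host switches such as //nologo or //t:nn
        elif script is None:
            script = tok  # first non-switch argument is the script path
    if script is None:
        return []
    reasons, ext = [], ntpath.splitext(script)[1].lower()
    if engine and ext not in SCRIPT_EXTS:
        reasons.append(f"//e:{engine} forces a script engine on non-script extension '{ext}'")
    if batch:
        reasons.append("//b batch mode hides script errors and prompts from the user")
    if "\\appdata\\roaming\\" in script.lower():
        reasons.append("script path is inside the user's roaming AppData profile")
    return reasons


# Constructed sample command lines, as a process-creation log would record them.
SAMPLES = [
    'wscript //e:vbscript //b "C:\\Users\\alice\\AppData\\Roaming\\desktop.ini"',
    'wscript.exe "C:\\Program Files\\Vendor\\logon.vbs"',
]
```

Run over real process-creation events (for example the CommandLine field of a Sysmon event ID 1), the first sample yields three reasons and the legitimate logon script none.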
Additionally, by looking up the sender ID of the mail that distributed the malware, the team discovered a blog hosting the malicious script.
- Blog URL: hxxps://kaisjovtnal.blogspot.com
The malicious script is Base64-encoded and performs the same function as the script found on the attacker's web page (hxxps://smyun0272[.]blogspot[.]com/2021/06/dootakim[.]html) in the ‘Compensation Claim Form’ case.
When the script runs, it sets the value of HKCU\Software\Microsoft\Office\[Version].0\Word\Security\VBAWarnings to 1 so that macros run automatically without a warning. It also collects certain information from the user's PC and sends it to the C2 server. The script checked on the 29th used daewon3765.cafe24[.]com, but the current C2 has been changed as shown below.
- C2 before change: hxxp://daewon3765.cafe24.com/about/post/info.php
- C2 after change: hxxp://taesan109.myartsonline.com/about/post/info.php
The information collected from the user's PC is as follows:
- List of running service processes
- List of recent files
- Operating system information
- Office version information
- .NET version information
- List of desktop files
- List of apps pinned to the taskbar
AhnLab’s anti-malware product, V3, detects and blocks the files above using the aliases below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.