The ASEC analysis team has been keeping an eye on the trend of malware that attempts APT attacks using Word documents, and has been sharing its findings on the blog. The team has found additional malicious files that use the same code as the malware created from the document files mentioned in the previous post, such as ‘Constitution Day International Academic Forum.doc’ and ‘28th North Korea-South Korea Relations Experts Discussion***.doc’, which the Kimsuky group developed and distributed. More information is shared below. The file appears to be at the testing stage, and it is assumed that the Kimsuky group is developing and testing similar malware.
The file, developed under the filename kakaoTest.exe, reads various pieces of information from the test.ini file and performs the feature of logging in to Daum, as shown below.
The malware attempts to log in to the Daum account with the username and password that are assumed to be written in the ini file. Upon succeeding, it uploads the specific file indicated by the file value, which is also assumed to be written in the ini file, and sends it to the receiver.
The feature of logging in to a Daum e-mail account and sending a specific file was also used in the pagefile.sys file, which was previously covered in Malware Disguised as Normal Excel and Word Documents. Considering that both the code structure and the malicious behavior are similar, it is also assumed that kakaoTest.exe was developed by the same attacker.
The Pagefile.sys file collects information from the user’s PC and sends it to a specific e-mail address. The code that performs the e-mail sending feature is similar in form to the code of the recently found kakaoTest.exe file.
Additionally, both files contain the code below. Besides their e-mail sending feature, they connect to several Daum e-mail URLs and check additional information such as the contacts in the account.
Taking its filename and the name of the referenced ini file into consideration, it appears that the kakaoTest.exe file was developed for testing. However, the file’s features were used in the malicious file from the previous APT attack, which shows that the attacker is steadily developing files that perform such actions.
Attackers that develop and distribute malware utilizing Daum e-mail logins are continuing to develop malware in various ways; therefore, users need to be cautious.
AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.