RTF Malware Disguised as a Cover Letter for a Particular Airline

In early October, the ASEC analysis team discovered RTF-based malware disguised as a cover letter for a particular airline. RTF is a far less common carrier than the other document formats usually seen in document-type malware (Word, Excel, etc.), and RTF malware disguised as a specific document had not been seen for some time.

  • Filename used in distribution: ****Airline Cover Letter_.rtf

The RTF file exploits CVE-2017-11882, a stack buffer overflow in the MS Office Equation Editor (EQNEDT32.EXE) that triggers when the embedded equation object is loaded, without any macro. The last sentence in the body of the cover letter is left unfinished, as if the letter were still being written.

According to its metadata, the file was first created on October 1st and last modified on October 4th. Once the vulnerability is triggered, the exploit connects to the following URLs and downloads additional files.

  • hxxps://gozdeelektronik[.]net/wp-content/themes/0111/movie.png
  • hxxps://gozdeelektronik[.]net/wp-content/themes/0111/movie.jpg

Figure 1. Connected network URL

The URLs are currently offline, so the downloaded payload could not be obtained. When they were live, the additional data (malware) would have been downloaded from the URLs above and executed. The .png and .jpg extensions only disguise the download; they say nothing about the actual content.
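A triage script for the kind of file described above, added here as an example and not part of the ASEC analysis or AhnLab's tooling: it locates the \objdata groups of an RTF document, decodes their hex payload, checks for the Equation Editor indicators (the Equation.3 class name of the OLE1 wrapper, the Microsoft Equation 3.0 CLSID, the "Equation Native" stream name, and \objupdate, which forces the object to load as the document opens) and pulls any URLs out of both the RTF text and the decoded objects, which is how the download addresses listed above would be recovered from a sample. The test document it builds is constructed and inert, carries a placeholder URL (example.invalid) and a simplified OLE1 header, and is not an exploit; the file path and the indicator names are the only assumptions.

```python
"""Triage an RTF file for an embedded Equation Editor object (CVE-2017-11882 style)
and pull download URLs out of the embedded OLE data. Example code added to this
article, not AhnLab's tooling; the sample RTF it builds is inert and constructed."""
import re
import struct
import sys
import uuid

# CLSID of Microsoft Equation 3.0 (the object served by EQNEDT32.EXE). Inside the
# OLE2 compound file that \objdata carries it appears in little-endian byte order.
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")           # compound-file header signature
EQUATION_STREAM = "Equation Native".encode("utf-16-le")  # directory entry names are UTF-16LE
URL_RE = re.compile(rb"(?:https?|hxxps?)://[^\x00\s\"'<>{}\\]+", re.IGNORECASE)


def objdata_blobs(rtf):
    """Return (decoded_bytes, obfuscated) for every \\objdata group in the RTF.

    The hex payload runs to the closing brace of its group; nested braces are
    tracked so an inner group cannot cut it short. Anything that is not a hex
    digit (whitespace is normal, junk control words are not) is dropped and the
    blob is flagged, since garbage inside \\objdata is a common obfuscation.
    """
    blobs = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, i = 0, m.end()
        while i < len(rtf):
            ch = rtf[i:i + 1]
            if ch == b"{":
                depth += 1
            elif ch == b"}":
                if depth == 0:
                    break
                depth -= 1
            i += 1
        raw = re.sub(rb"\s+", b"", rtf[m.end():i])
        hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", raw)
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]
        blobs.append((bytes.fromhex(hexchars.decode("ascii")), len(hexchars) != len(raw)))
    return blobs


def scan_rtf(rtf):
    """Return a dict of indicators for one RTF document given as bytes."""
    objects = []
    urls = set(URL_RE.findall(rtf))
    for blob, obfuscated in objdata_blobs(rtf):
        urls.update(URL_RE.findall(blob))
        objects.append({
            "size": len(blob),
            "obfuscated_hex": obfuscated,
            "ole2_header": OLE2_MAGIC in blob,
            "equation_class_name": b"Equation.3" in blob,   # OLE1 wrapper class name
            "equation_clsid": EQUATION_CLSID in blob,
            "equation_native_stream": EQUATION_STREAM in blob,
        })
    return {
        # Word accepts truncated headers such as "{\rt", so do not insist on "{\rtf1".
        "is_rtf": rtf.lstrip().startswith(b"{\\rt"),
        "objclass": [c.decode("ascii", "replace") for c in re.findall(rb"\\objclass\s*([\w.]+)", rtf)],
        "objupdate": b"\\objupdate" in rtf,   # object is loaded as soon as the document opens
        "objects": objects,
        "equation_editor": any(o["equation_clsid"] or o["equation_class_name"]
                               or o["equation_native_stream"] for o in objects),
        "urls": sorted(u.decode("latin-1") for u in urls),
    }


def build_sample_rtf():
    """Constructed, inert test document: an OLE1 header naming Equation.3 followed by
    a stub carrying only the compound-file magic, the stream name and the CLSID a real
    Equation object would contain, plus a placeholder URL. It is not an exploit."""
    class_name = b"Equation.3\x00"
    ole1 = struct.pack("<III", 0x00000501, 2, len(class_name)) + class_name
    stub = OLE2_MAGIC + b"\x00" * 16 + EQUATION_STREAM + EQUATION_CLSID
    blob = ole1 + stub + b"http://example.invalid/themes/0111/movie.png\x00"
    return (b"{\\rtf1\\ansi\\deff0{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + blob.hex().encode("ascii") + b"}}\\par Dear hiring manager,\\par}")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_rtf()
    for key, value in scan_rtf(data).items():
        print(f"{key}: {value}")
```

Run it as `python rtf_triage.py suspicious.rtf`; with no argument it scans the constructed sample. A hit on equation_editor means the document embeds an Equation Editor object, which has no business in a cover letter, but it does not prove the overflow by itself: confirming that needs the Equation Native stream parsed or the file detonated in a sandbox with an unpatched EQNEDT32.EXE. Heavily obfuscated samples (control words or extra braces inside \objdata) may defeat the simple hex extraction, which is why the obfuscated_hex flag is reported on its own.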

The malicious URL used here is the same as the C2 URL used by HWP files containing malicious EPS in 2019. It is therefore assumed that the same attacker created this file, and an external Twitter post (see Reference) attributes the RTF to the Lazarus group.

Users should refrain from opening files from unknown sources and keep V3 and the other programs they use, MS Office in particular, updated to the latest version. AhnLab’s anti-malware solution, V3, detects and blocks this malware using the alias below.

[File Detection]
Exploit/MSOffice.Agent

[IOC]
dd8bb1686f16924ac797620092776022
hxxps://gozdeelektronik[.]net/wp-content/themes/0111/movie.png
hxxps://gozdeelektronik[.]net/wp-content/themes/0111/movie.jpg

[Reference]
https://twitter.com/souiten/status/1446725907637358597
