The ASEC analysis team has recently discovered the distribution of malicious Word (DOC) files to graduate school professors that are disguised as North Korea-related paper requirements. The name of the Word file is shown below. The term ‘KIMA’ mentioned in the filename is the name of the monthly magazine specializing in the field of security, national defense, and military, published by Korea Institute for Military Affairs.
- March Monthly KIMA Paper_Requirements.doc
The attacker performed spear-phishing attacks targeting professors of certain universities. Figure 1 shows the macro feature and overall operation method of the malicious word file: downloading additional commands (Visual Basic Script) and executing them from memory.
The way the executed VBS code communicates with the attacker’s C&C server is similar to the method introduced in the previous ASEC blog post (APT Attacks Using Malicious Word File of a Particular Thesis).
The VBS code downloaded from the attacker server obtained during the time of the analysis collects and leaks the following information from the user PC.
- Basic system information (computer name, owner information, producer, computer model, and system type)
- OS information (OS, OS version, and memory capacity)
- Processor information
- Anti-malware software information
- Information of currently running processes
- Information of file list within certain folders (path of desktop, My Folder, Favorites, Recent, ProgramFiles, and Downloads)
- Names of recently opened word files
The script also creates a VBS file named “OfficeAppManifest_[minute]_[hour]_[day]_[month].ini” in the path of “%AppData%\Microsoft\Templates“. It then registers a service disguised as that of Microsoft to run the script. This is thought to maintain the persistence of running the script. The registered service waits for the commands from the attacker server in a method similar to that of the word macro feature initially run.
- “OfficeAppManifest_v[minute]_[hour]_[day]_[month].ini” // Minute, hour, day, and month refer to the time when the downloaded script was initially run
The document-type APT attack method is a type that has been found the most often from AhnLab’s ASD (AhnLab Smart Defense) infrastructure last year.
AhnLab’s anti-malware programs detect and block the malware using the alias below.
[IOC and Detection Name (Engine Version)]
– 89ea8dff2ed6380b756640bc5ba7e7d0 (Downloader/DOC.Kimsuky (2022.02.10.03))
(March Monthly KIMA Paper_Requirements.docc)
– 4cb18d33a729eeea494238dcc1bdb278 (Downloader/VBS.Agent (2022.02.11.00))
(VBS code downloaded from the attacker server)
– http[:]//thdde.scienceontheweb[.]net/accout/list.php?query=1 (C&C server URL accessed by DOC macro)
– http[:]//thdde.scienceontheweb[.]net/accout/list.php?query=6 (C&C server URL accessed by VBS code)