APT Attack Attempts Disguised as North Korea Related Paper Requirements (Kimsuky)

The ASEC analysis team has recently discovered the distribution of malicious Word (DOC) files to graduate school professors that are disguised as North Korea-related paper requirements. The name of the Word file is shown below. The term ‘KIMA’ mentioned in the filename is the name of the monthly magazine specializing in the field of security, national defense, and military, published by Korea Institute for Military Affairs.

  • March Monthly KIMA Paper_Requirements.doc

The attacker performed spear-phishing attacks targeting professors of certain universities. Figure 1 shows the macro feature and overall operation method of the malicious word file: downloading additional commands (Visual Basic Script) and executing them from memory.

Figure 1. Word file’s attack flow

The way the executed VBS code communicates with the attacker’s C&C server is similar to the method introduced in the previous ASEC blog post (APT Attacks Using Malicious Word File of a Particular Thesis).

Figure 2. Part of the macro code for March Monthly KIMA Paper_Requirements.doc

The VBS code downloaded from the attacker server obtained during the time of the analysis collects and leaks the following information from the user PC.

Figure 3. Part of the VBS code downloaded from the attacker’s server
  • Basic system information (computer name, owner information, producer, computer model, and system type)
  • OS information (OS, OS version, and memory capacity)
  • Processor information
  • Anti-malware software information
  • Information of currently running processes
  • Information of file list within certain folders (path of desktop, My Folder, Favorites, Recent, ProgramFiles, and Downloads)
  • Names of recently opened word files

The script also creates a VBS file named OfficeAppManifest_[minute]_[hour]_[day]_[month].ini” in the path of “%AppData%\Microsoft\Templates“. It then registers a service disguised as that of Microsoft to run the script. This is thought to maintain the persistence of running the script. The registered service waits for the commands from the attacker server in a method similar to that of the word macro feature initially run.

Figure 4. OfficeAppManifest_[minute]_[hour]_[day]_[month].ini
  • “OfficeAppManifest_v[minute]_[hour]_[day]_[month].ini” // Minute, hour, day, and month refer to the time when the downloaded script was initially run

The document-type APT attack method is a type that has been found the most often from AhnLab’s ASD (AhnLab Smart Defense) infrastructure last year.

AhnLab’s anti-malware programs detect and block the malware using the alias below.

[IOC and Detection Name (Engine Version)]
[MD5]
– 89ea8dff2ed6380b756640bc5ba7e7d0 (Downloader/DOC.Kimsuky (2022.02.10.03))
(March Monthly KIMA Paper_Requirements.docc)
– 4cb18d33a729eeea494238dcc1bdb278 (Downloader/VBS.Agent (2022.02.11.00))
(VBS code downloaded from the attacker server)
– 54a11842db77475f2aaab5b2dc8a9319
(OfficeAppManifest_v[minute]_[hour]_[day]_[month].ini)

[Attacker C&C]
– http[:]//thdde.scienceontheweb[.]net/accout/list.php?query=1 (C&C server URL accessed by DOC macro)
– http[:]//thdde.scienceontheweb[.]net/accout/list.php?query=6 (C&C server URL accessed by VBS code)

Categories:Malware Information

Tagged as:,

0 0 votes
Article Rating
guest
3 Comments
Inline Feedbacks
View all comments
trackback

[…] method of using an execution argument is the same as the technique used by the same attacker group in the past. In the previous case, the malware created a task scheduler in the infected PC when version.ini […]

trackback

[…] The ASEC analysis team has discovered that a malware strain disguised as press releases is being distributed. When this malware is run, it loads a normal document file and attempts to access malicious URLs. If the access is successful, the script existing on the webpage is run. It appears the script is of a similar type to the VBS code found in the ASEC blog post <APT Attack Attempts Disguised as North Korea Related Paper Requirements (Kimsuky)>. […]

trackback

[…] The ASEC analysis team has discovered that a malware strain disguised as press releases is being distributed. When this malware is run, it loads a normal document file and attempts to access malicious URLs. If the access is successful, the script existing on the webpage is run. It appears the script is of a similar type to the VBS code found in the ASEC blog post <APT Attack Attempts Disguised as North Korea Related Paper Requirements (Kimsuky)>. […]