APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky)

At the beginning of March this year, a wildfire broke out in the Samcheok and Uljin area, and many people from all over Korea donated to support the victims and the recovery effort. Amid this situation, the ASEC analysis team discovered an attacker attempting APT attacks disguised as donation receipts for the Uljin wildfire.

Figure 1. Donation receipt (OOO).doc

The file was created on March 28th, and its author name is the same as the author (Acer) introduced in the previous ASEC blog post.

Figure 2. File properties of Donation receipt (OOO).doc

Although the attack method and the file’s features are the same as those described in the previous blog post, this attack creates a batch file with a different name when the macro runs. The batch file was distributed as moster.bat, and its features are identical to those of “error.bat” from the previous post.

  • C:\Users\Public\Documents\moster.bat -> Registers start.vbs in the registry RUN key, runs no4.bat, and downloads additional files
  • hxxp://nomonth-man.com/dfg04/%COMPUTERNAME%.txt (Download URL for the additional files; %COMPUTERNAME% is expanded to the victim’s hostname)
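The behaviour listed above (a Run-key value pointing at a script under the Public folder, a batch file launched from that same folder, and a download URL that embeds the victim’s %COMPUTERNAME%) can be hunted for in endpoint telemetry. The script below is an added example written for this post, not ASEC’s or AhnLab’s code: the Sysmon-style event dictionaries, their field names and the sample events are constructed assumptions, and only the C2 domain is taken from the IOC list. The hostname-in-URL rule generalizes the single URL on the page to any request whose last path segment is the requesting machine’s own name, whatever the domain.

```python
"""Hunting rules for the persistence and download behaviour described above.
Added example, not ASEC's tooling. The event schema (Sysmon-style dicts with
EventType / TargetObject / Details / CommandLine / Url / Hostname) and the
sample events are constructed; only the C2 domain comes from the IOC list."""
import re
from urllib.parse import urlparse

KNOWN_C2_DOMAINS = {"nomonth-man.com"}            # from the report's IOC section
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"      # HKCU/HKLM ...\Run\<value name>
# A script (vbs/bat/cmd/js/wsf) under C:\Users\Public, a world-writable
# location that needs no elevation, as used by moster.bat / start.vbs above.
PUBLIC_SCRIPT_RE = re.compile(r"c:\\users\\public\\[^\s\"']*\.(?:vbs|bat|cmd|js|wsf)\b")


def check_run_key_script(ev):
    """Run-key value that launches a script stored under C:\\Users\\Public."""
    if ev.get("EventType") != "RegistryValueSet":
        return None
    if RUN_KEY_FRAGMENT not in ev.get("TargetObject", "").lower():
        return None
    if PUBLIC_SCRIPT_RE.search(ev.get("Details", "").lower()):
        return "run_key_public_script"
    return None


def check_public_batch(ev):
    """Process creation whose command line runs a .bat/.cmd from C:\\Users\\Public."""
    if ev.get("EventType") != "ProcessCreate":
        return None
    m = PUBLIC_SCRIPT_RE.search(ev.get("CommandLine", "").lower())
    if m and m.group(0).endswith((".bat", ".cmd")):
        return "public_batch_execution"
    return None


def check_beacon(ev):
    """HTTP request to a known C2 domain, or to any URL whose last path
    segment is the requesting machine's own name (an expanded %COMPUTERNAME%)."""
    if ev.get("EventType") != "HttpRequest":
        return None
    url = urlparse(ev.get("Url", ""))
    if (url.hostname or "").lower() in KNOWN_C2_DOMAINS:
        return "known_c2_domain"
    last_segment = url.path.rsplit("/", 1)[-1].lower()
    stem = last_segment.rsplit(".", 1)[0]
    if stem and stem == ev.get("Hostname", "").lower():
        return "hostname_in_url_path"
    return None


RULES = (check_run_key_script, check_public_batch, check_beacon)


def hunt(events):
    """Return (event_index, rule_name) for every event that a rule matches."""
    findings = []
    for i, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                findings.append((i, name))
    return findings


# Constructed sample telemetry: three malicious events, one generalized
# beacon (hostname in path, unknown IP from the documentation range), and
# two benign events that must not be flagged.
SAMPLE_EVENTS = [
    {"EventType": "RegistryValueSet", "Hostname": "DESKTOP-AB12CD",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\start",
     "Details": r"wscript.exe C:\Users\Public\Documents\start.vbs"},
    {"EventType": "ProcessCreate", "Hostname": "DESKTOP-AB12CD",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\Documents\no4.bat"'},
    {"EventType": "HttpRequest", "Hostname": "DESKTOP-AB12CD",
     "Url": "http://nomonth-man.com/dfg04/DESKTOP-AB12CD.txt"},
    {"EventType": "HttpRequest", "Hostname": "DESKTOP-AB12CD",
     "Url": "http://203.0.113.5/stage/desktop-ab12cd.txt"},
    {"EventType": "RegistryValueSet", "Hostname": "DESKTOP-AB12CD",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventType": "HttpRequest", "Hostname": "DESKTOP-AB12CD",
     "Url": "https://update.example.com/catalog/manifest.txt"},
]

if __name__ == "__main__":
    for index, rule_name in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {rule_name}")
```

The rules key on the technique rather than on file names, so a renamed dropper (the post itself notes error.bat became moster.bat) still trips them; the known-domain match is kept only as a cheap first check, since infrastructure changes far faster than the persistence pattern.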

It appears that the attacker is now attempting to expand their targeting beyond North Korea specialists and virtual asset professionals. Users must be cautious when opening attachments from emails or websites of unknown origin. When opening Word files, extra caution is needed if a message or image prompts the user to click “Enable macro”, as clicking it may run a malicious macro.

AhnLab’s anti-malware software, V3, detects and blocks files related to this attack under the aliases below.

[IOC]
[MD5]

– no1.bat : a0fddb12d7b3c445fdb7ab602a5bf5fb
– download.vbs : 85165e07b9f198a5e4047756eb779b46
– temp.doc : f248401769bbcd0ebeff992ef3cfe678
– moster.bat : 07232fe7144b0286eb5c9882834eea96
– no4.bat : 0b41f93365ec443406df942914317ec7
– start.vbs : 050e663bf6c97a953e25eb7e9754d656
– upload.vbs : a40eaa73ccffe4bc2233bdfd84fe2d62

[Detection Name (Engine ver.)]
– no1.bat : Trojan/BAT.Runner (2022.03.30.00)
– download.vbs : Downloader/VBS.Generic (2022.03.30.00)
– temp.doc : Trojan/DOC.Agent (2022.03.30.01)
– moster.bat : Trojan/VBS.Akdoor (2022.03.30.00)
– no4.bat : Trojan/VBS.Akdoor (2022.03.30.00)
– start.vbs : Trojan/VBS.Runner (2022.03.30.00)
– upload.vbs : Trojan/VBS.Akdoor (2022.03.30.00)

[C&C]
– hxxp://nomonth-man.com/uio04/upload.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories: Malware Information
