On April 29th, the ASEC analysis team discovered the distribution of a malicious Word file related to North Korea’s military parade. The distributor uploaded the file on a Korean web server which is assumed to have been breached. Besides the malicious Word file, the server also had 2 normal HWP files, likely used for distributing malicious HWP files with the OLE object or EPS vulnerability method.
– [Analysis] North Korea’s Position on Use of Nuclear Weapons and Implications of Changes in Military Elites Based on April 25th Military Parade.docm (malicious: inside data.zip)
– “Channel A news anchor Ha Jong-dae joins Yoon Suk-yeol’s election camp”.hwp (normal)
– attach.hwp (normal)
While the team could not secure the file as “data.zip” uploaded on the attacker’s server was encrypted, it is likely that the attacker used wscript.exe like in previous attacks to perform malicious behaviors such as leaking the PC information.
The attacker is continuously attacking personnel in the field of national defense, politics, and diplomacy. Since malicious Word files are mainly distributed in the form of e-mail attachments, users should refrain from opening attachments of e-mails received from unknown sources and enabling macros.
AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.