Distribution of Malicious Word File Related to North Korea’s April 25th Military Parade

On April 29th, the ASEC analysis team discovered the distribution of a malicious Word file related to North Korea’s military parade. The distributor uploaded the file on a Korean web server which is assumed to have been breached. Besides the malicious Word file, the server also had 2 normal HWP files, likely used for distributing malicious HWP files with the OLE object or EPS vulnerability method.

– [Analysis] North Korea’s Position on Use of Nuclear Weapons and Implications of Changes in Military Elites Based on April 25th Military Parade.docm (malicious: inside data.zip)
– “Channel A news anchor Ha Jong-dae joins Yoon Suk-yeol’s election camp”.hwp (normal)
– attach.hwp (normal)

Figure 1. Server webpage uploaded with malicious Word file (data.zip)
Figure 2. attach.hwp (created on: March 2nd, 2022 Wednesday 3:36:27 P.M.)
Figure 3. “Channel A news anchor Ha Jong-dae joins Yoon Suk-yeol’s election camp”.hwp (created on: February 25th, 2022 Friday 12:38:15 A.M.)

While the team could not secure the file as “data.zip” uploaded on the attacker’s server was encrypted, it is likely that the attacker used wscript.exe like in previous attacks to perform malicious behaviors such as leaking the PC information.

The attacker is continuously attacking personnel in the field of national defense, politics, and diplomacy. Since malicious Word files are mainly distributed in the form of e-mail attachments, users should refrain from opening attachments of e-mails received from unknown sources and enabling macros.

AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.

[File Detection]
Trojan/HTML.Loader(2022.04.30.00)

[IOC]
6cc09bc6e605b59d7eb48eb266f798f8 (HTML)
hxxp://www.namastte[.]kr/sources/Util/AJAX.php?fpath=/home/namastte/html/sources/Util/temp/data&rename=[Analysis].zip (HTML)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

5 1 vote
Article Rating
guest
1 Comment
Inline Feedbacks
View all comments