The ASEC analysis team discovered that the type of Word document identified in the blog post ‘Malicious Word Files Targeting Specific Individuals Related to North Korea’ has recently been using FTP to leak user credentials. The identified Word document is named ‘CNA[Q].doc’ and is disguised as an interview for the Singaporean TV broadcaster CNA. The file is password-protected and is believed to be distributed as an email attachment together with the password.
Like the previous cases, the identified Word file contains information related to North Korea and includes a malicious VBA macro.
No image prompting macro execution appears when the document is opened, but the macro included in the file contains the following code. It displays a message box telling the user that macros must be enabled as soon as the user begins typing. The user therefore clicks the ‘Enable Content’ button in order to fill in the answers in the document, which executes the VBA macro embedded in the file.
The VBA macro includes the Document_Open() function, so the malicious macro runs automatically. The executed macro code is obfuscated in a similar way to the previous versions, and it ultimately creates and executes a VBScript file, tmp.pip, in the %appdata% folder.
When tmp.pip is executed, it creates Defender.log, DefenderUpdate.lba, and Ahnlab.lnk. It then changes the extension of DefenderUpdate.lba to .bat and executes that file. The role of each file is as follows.
| File | Role |
| --- | --- |
| DefenderUpdate.lba (DefenderUpdate.bat) | Executes Ahnlab.lnk (the path of Ahnlab.lnk is contained within the file) |
| Ahnlab.lnk | Executes Defender.log with PowerShell |
| Defender.log | Executes a script from ‘hxxp://okihs.mypressonline[.]com/bb/bb.txt’ |
When Defender.log is executed, it accesses hxxp://okihs.mypressonline[.]com/bb/bb.txt, which hosts a script similar to the ng.txt identified in a previous blog post.
The major features of the script are as follows.
- Collects and transmits user PC information (the collected information is saved as %APPDATA%Ahnlab.hwp before being transmitted to hxxp://okihs.mypressonline[.]com/bb/post.php)
- Downloads additional files from hxxp://okihs.mypressonline[.]com/bb/bb.down
The leaked information is the same as before.
| Execution Command | Collected Information |
| --- | --- |
| GetFolderPath(“Recent”) | Recent folder path |
| dir $env:ProgramFiles | ProgramFiles folder information |
| dir “C:\Program Files (x86) | C:\Program Files (x86) folder information |
The bb.down file, an additional script downloaded via bb.txt, contains additional code that uses FTP to leak user information, unlike the previously discussed ng.down. Aside from this new code, the creation of an LNK file (Ahnlab.lnk), the changing of MS Office security settings, and the keylogging feature operate in the same way as in past versions. The added code is as follows.
When bb.down runs, it executes the ‘main’ function shown above. Among the files in “%LOCALAPPDATA%\Google\Chrome\User Data” and the sub-folders of “%LOCALAPPDATA%\Microsoft\Edge\User Data”, it reads the files whose name includes ‘Local State’ and saves their encrypted_key value in %APPDATA%\masterkey.txt. It then uploads masterkey.txt via FTP to jojoa.mypressonline[.]com/kmas.txt, most likely so that the browser-related files collected next can be decrypted.
After uploading the encrypted_key, it searches for the files below and copies them into the %APPDATA% folder in order to collect the information saved in the user’s browser.
| Collection Path | Local Save Path |
| --- | --- |
| Files containing ‘Login Data’ within %LOCALAPPDATA%\Google\Chrome\User Data | %APPDATA%\LoginData_Chrome[n] |
| Files containing ‘Login Data For Account’ within %LOCALAPPDATA%\Google\Chrome\User Data | %APPDATA%\LoginForAccount_Chrome[n] |
| Files containing ‘Cookies’ within %LOCALAPPDATA%\Google\Chrome\User Data | %APPDATA%\Cookies_Chrome[n] |
| Files containing ‘Login Data’ within %LOCALAPPDATA%\Microsoft\Edge\User Data | %APPDATA%\LoginData_msedge[n] |
| Files containing ‘Login Data For Account’ within %LOCALAPPDATA%\Microsoft\Edge\User Data | %APPDATA%\LoginForAccount_msedge[n] |
| Files containing ‘Cookies’ within %LOCALAPPDATA%\Microsoft\Edge\User Data | %APPDATA%\Cookies_msedge[n] |
The copied files are uploaded to the threat actor’s server under filenames such as KLoginData and KCookie. The upload address for each file is as follows.
- LoginData : jojoa.mypressonline[.]com/KLoginData_[Chrome/msedge][n]
- Login Data For Account : jojoa.mypressonline[.]com/KLoginForAccount_[Chrome/msedge][n]
- Cookies : jojoa.mypressonline[.]com/KCookie_[Chrome/msedge][n]
To make it harder for the user to identify the PowerShell commands used in the attack, the threat actor has added code that deletes %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, the file in which the PowerShell command history is saved. As the script used in the attack keeps evolving in this way, users must be particularly vigilant.
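As an added example (not code from the ASEC post), the following Python triage scan matches constructed Sysmon-style events against the full chain described above: the files dropped under %APPDATA%, PowerShell executing Defender.log, connections to the two mypressonline[.]com hosts or to FTP (port 21), the staged browser copies named LoginData_/LoginForAccount_/Cookies_ plus Chrome/msedge, and the deletion of ConsoleHost_history.txt. The event schema, the user profile path and the `<args>` placeholder in the PowerShell command line are assumptions.

```python
import re

# Indicators quoted in the post (defanged there; refanged here for matching).
IOC_HOSTS = {h.replace("[.]", ".") for h in
             ("okihs.mypressonline[.]com", "jojoa.mypressonline[.]com")}
# Files the chain drops or stages under %APPDATA% (compared case-insensitively).
DROPPED = {"tmp.pip", "defender.log", "defenderupdate.lba", "defenderupdate.bat",
           "ahnlab.lnk", "ahnlab.hwp", "masterkey.txt"}
# Browser copies named LoginData_Chrome[n], LoginForAccount_msedge[n], Cookies_...[n].
STAGED = re.compile(r"\\(LoginData|LoginForAccount|Cookies)_(Chrome|msedge)\d*$", re.I)
HISTORY = re.compile(r"\\PSReadLine\\ConsoleHost_history\.txt$", re.I)

def scan(events):
    """Return (rule_name, event_index) pairs for events that match the chain."""
    hits = []
    for i, ev in enumerate(events):
        kind, target = ev.get("kind"), ev.get("target", "")
        name = target.rsplit("\\", 1)[-1].lower()   # file name component only
        cmd = ev.get("cmdline", "").lower()
        if kind == "file_create" and "\\appdata\\roaming\\" in target.lower():
            if name in DROPPED:
                hits.append(("dropped_stage_file", i))
            elif STAGED.search(target):
                hits.append(("browser_data_staged", i))
        elif kind == "process_create" and "powershell" in cmd and "defender.log" in cmd:
            hits.append(("powershell_runs_defender_log", i))
        elif kind == "net_connect" and (ev.get("host", "").lower() in IOC_HOSTS
                                        or ev.get("port") == 21):
            hits.append(("c2_or_ftp_exfil", i))
        elif kind == "file_delete" and HISTORY.search(target):
            hits.append(("psreadline_history_wiped", i))
    return hits

# Constructed, simplified Sysmon-style events for a test run; not real telemetry.
APP = r"C:\Users\jdoe\AppData\Roaming"
SAMPLE = [
    {"kind": "file_create", "target": APP + r"\tmp.pip"},
    {"kind": "process_create", "cmdline": "powershell.exe <args> " + APP + r"\Defender.log"},
    {"kind": "net_connect", "host": "okihs.mypressonline.com", "port": 80},
    {"kind": "file_create", "target": APP + r"\masterkey.txt"},
    {"kind": "file_create", "target": APP + r"\LoginData_Chrome1"},
    {"kind": "net_connect", "host": "jojoa.mypressonline.com", "port": 21},
    {"kind": "file_delete", "target": APP + r"\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
    {"kind": "file_create", "target": APP + r"\Microsoft\Word\~WRL0001.tmp"},  # benign, no hit
]

if __name__ == "__main__":
    for rule, idx in scan(SAMPLE):
        print(f"{rule:30} event {idx}: {SAMPLE[idx]}")
```

Any single hit deserves a look, but several of these rules firing on one host within minutes reproduces the sequence the post describes and is a strong trigger for pulling the %APPDATA% folder for analysis.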