Malicious Word Document Being Distributed in Disguise of a News Survey

The ASEC analysis team discovered that the Word document type identified in the blog, Malicious Word Files Targeting Specific Individuals Related to North Korea,’ has recently been using FTP to leak user credentials. The filename of the identified Word document is ‘CNA[Q].doc’, disguised as a CNA Singaporean TV program interview. The file is password-protected and is deemed to be distributed as an attachment in emails alongside the password.

Password-protected Word file

The identified Word file contains information related to North Korea like the previous cases and includes malicious VBA macro.

Word file content
File properties

An image that induces macro execution has not been found upon opening the document file, but the following code exists in the macro included in the file. This creates a message box telling the user that the macro must be enabled when the user begins typing. Thus, the user clicks the ‘Enable Content’ button to fill in the answers in the document, executing the VBA macro embedded in the file.

Part of the macro code included in the Word file
The message box generated upon typing

The VBA macro includes the Document_Open() function, enabling the malicious macro to be executed automatically. The executed macro code is obfuscated with a similar method as the previous versions, and it ultimately creates and executes a VBScript tmp.pip file in the %appdata% folder.

Automatically executed malicious VBA macro code

When the tmp.pip file is executed, it creates Defender.log, DefenderUpdate.lba, and Ahnlab.lnk. Afterward, it changes the file extension of DefenderUpdate.lba to bat and executes this file. The features of each file are as follows.

FilenameFeature
DefenderUpdate.lba (DefenderUpdate.bat)Executes Ahnlab.lnk (has a Ahnlab.lnk path within the file)
Ahnlab.lnkExecutes Defender.log with PowerShell
Defender.logExecutes a script at ‘hxxp://okihs.mypressonline[.]com/bb/bb.txt’
Created files and their features

Hxxp://okihs.mypressonline[.]com/bb/bb.txt is accessed when Defender.log is executed, and in this address, there is a script similar to ng.txt identified in a previous blog post.

Additional script identified in hxxp://okihs.mypressonline[.]com/bb/bb.txt

The major features of the script are as follows.

  • Collects and transmits user PC info (Collected info is saved as %APPDATA%Ahnlab.hwp before being transmitted to hxxp://okihs.mypressonline[.]com/bb/post.php)
  • Downloads additional files from hxxp://okihs.mypressonline[.]com/bb/bb.down

The leaked information is the same as before.

Execution CommandCollected Information
GetFolderPath(“Recent”)Recent folder path
dir $env:ProgramFilesProgramFiles folder information
dir “C:\Program Files (x86)C:\Program Files (x86) folder information
systeminfoSystem information
Collected information

The bb.down file, an additional script downloaded via bb.txt, has an additional code that uses FTP to leak user information, unlike the previously discussed ng.down. Aside from this new code, the creation of a LNK file (Ahnlab.lnk), changing the MS Office security settings, and keylogging features operate in the same way as past versions. The added code is as follows.

Additionally identified code

The bb.down script executes the ‘main’ function above upon being executed, and among the files in “%LOCALAPPDATA%\Google\Chrome\User Data” and sub-folders of “%LOCALAPPDATA%\Microsoft\Edge\User Data”, it reads files that include ‘Local State’ and saves the encrypted_key in %APPDATA%\masterkey.txt. Afterward, it uses FTP to upload the masterkey.txt file to jojoa.mypressonline[.]com/kmas.txt, and this is likely for the purpose of decrypting the content of the browser-related file to be collected next.

After uploading encrypted_key, it finds the files below and copies them into the %APPDATA% folder to collect information saved in the user browser.

Collection PathLocal Save Path
Files containing ‘Login Data’ within %LOCALAPPDATA%\Google\Chrome\User Data%APPDATA%\LoginData_Chrome[n]
Files containing ‘Login Data For Account’ within %LOCALAPPDATA%\Google\Chrome\User Data%APPDATA%\LoginForAccount_Chrome[n]
Files containing ‘Cookies’ within %LOCALAPPDATA%\Google\Chrome\User Data%APPDATA%\Cookies_Chrome[n]
Files containing ‘Login Data’ within %LOCALAPPDATA%\Microsoft\Edge\User Data%APPDATA%\LoginData_msedge[n]
Files containing ‘Login Data For Account’ within %LOCALAPPDATA%\Microsoft\Edge\User Data%APPDATA%\LoginForAccount_msedge[n]
Files containing ‘Cookies’ within %LOCALAPPDATA%\Microsoft\Edge\User Data%APPDATA%\Cookies_msedge[n]
Collected files and save paths

The copied files are uploaded to the threat actor’s server under filenames such as KLoginData and KCookie. The upload addresses for each file are as follows.

  • LoginData : jojoa.mypressonline[.]com/KLoginData_[Chrome/msedge][n]
  • Login Data For Account : jojoa.mypressonline[.]com/KLoginForAccount_[Chrome/msedge][n]
  • Cookies : jojoa.mypressonline[.]com/KCookie_[Chrome/msedge][n]

In order to make it difficult for the user to identify the PowerShell command used in the attack, the threat actor has added a code to delete %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, where the PowerShell command execution log is saved. The script used in the attack is continuously evolving as such, thus users must be particularly vigilant.

[File Detection]
Downloader/DOC.Generic (2022.11.09.00)
Dropper/VBS.Generic (2022.11.16.03)
Downloader/PowerShell.Generic (2022.11.16.03)

[IOC]
59be2b9a3e33057b3d80574764ab0952
89d972f89b336ee07733c72f6f89edc5
8785b8e882eef125dc527736bb1c5704
okihs.mypressonline[.]com
jojoa.mypressonline[.]com

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:, ,

5 1 vote
Article Rating
guest

0 Comments
Inline Feedbacks
View all comments