Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)

On January 8th, the ASEC analysis team identified the distribution of a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro. This technique is called the template injection method, and a similar attack case was covered in a previous blog post.

When the Word document is opened, it downloads and executes an additional malicious Word macro document from the threat actor’s C&C server. The additionally executed macro is written so that a normal document file is opened simultaneously, in order to avoid users noticing that a macro code has been executed in the background.

Figure 1. Code for executing the malicious script after opening the normal document
Figure 2. Manuscript solicitation letter (normal file)

The normal document file distributed with the malware by the threat actor has text written in Korean but includes Chinese fonts. From this, we can deduce that the threat actor is using a Chinese version of Word.

Figure 3. The normal document including Chinese fonts
Figure 4. Alleged creator (cloudconvert_6)

After the normal document is displayed, an info-leaking script is downloaded and executed. This script performs the actions listed below and forwards the collected information to the C&C server.

  • Infected PC system information
  • List of recently opened Word files
  • Directory information of the download folder in the system
  • Modification of IE-related registries
  • Registration to the task scheduler to maintain a connection to the C&C server
  • Information on virus vaccines installed on the system

One thing to note is that on the threat actor’s C&C server IP (112.175.85.243), a phishing domain similar to the one covered in the “Web Page Disguised as a Kakao Login Page” blog post (published on January 10th) was additionally found. This allows us to assume that the threat actor behind the previous blog post’s case and this case is the same.

Recently, there has been a surge of APT attacks using the template injection method. Because this method is often distributed via email attachments, users must refrain from opening attachments in emails from unknown senders to prevent infection.

Currently, AhnLab’s V3 detects relevant malware under the following aliases.


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
