AhnLab Security Emergency response Center (ASEC) has identified that malware disguised as a job application letter is continuously being distributed. This malware is equipped with a feature that checks for the presence of various antivirus processes including a process with AhnLab’s product name (V3Lite.exe) and is being distributed through malicious URLs designed to resemble a Korean job-seeking website. Below are the discovered download URLs.
The malicious file downloaded from the above URLs has a screen saver file extension (.scr) and an HWP document icon. Upon execution, the compressed file data stored in the internal RCDATA is saved as %Public%\[6 ransom characters].zip as shown in Figure 3.
Afterward, it creates additional files by decompressing the above file in the %Public%\Documents\Defender\[six random characters] directory. For wechatweb.exe, the created file name consists of six random characters. The files created are shown below.
|lim_b_n.hwp||Normal HWP file|
|cmcs21.dll||Decodes and executes yga.txt|
|wechatweb.exe ([six random characters].exe)||Loads cmcs21.dll|
|yga.txt||Encoded malicious data|
It then creates the %Public%\Music\[six random characters] folder before creating an InternetShortcut file to enable the execution of the normal HWP file created before and wechatweb.exe ([six random characters].exe). This shortcut file is deleted after it is executed.
The HWP document executed via the shortcut file in Figure 6 is a normal document that has the format of a job application letter as shown below.
wechatweb.exe ([six random characters].exe) executed via the shortcut file in Figure 7 loads cmcs21.dll which was created simultaneously and executes the exports function named CMGetCommandString. The loaded cmcs21.dll file registers the following registry entry to enable the malicious file to run continuously.
- Data: C:\Users\Public\Documents\Defender\[six random characters]\[six random characters].exe(wechatweb.exe)
Afterward, it reads and decodes yga.txt and injects the data into the recursively executed wechatweb.exe ([six random characters].exe) process, ultimately executing malicious behaviors such as information theft. The injected process creates a file named [six random characters].Kinf in the same folder where it encodes and saves keylogging data later on.
It also collects information on various antivirus programs including a process name deemed to be AhnLab’s antivirus software (V3Lite.exe). When certain processes are identified, it sends the information on the right-hand side of Table 2 below, instead of the process name.
|Process Name||Transmitted Information|
Below is a list of other information collected.
|0$*[ Drive volume serial number ]$*0515$*$*[ Local PC’s IP information ]$*$*[ PC name ] $* [Username] $* [ OS version information ] $* [ Memory usage ] MB $* [ Processor information ] $* [ Screen resolution] $*$*$* [ Process time information ] $*[ Random value ] $* [ Text in the foreground window ] $* [ Types of antivirus processes in use ] $*2560230837$*zxcv12321$*1111111$*|
This malware can not only collect information but perform a variety of malicious behaviors according to the threat actor’s commands including Internet options configuration, capturing screenshots, managing services, and checking Internet cookie data.
- C2 : ggt-send-6187.orange-app[.]vip:6187
Files disguised as Job Application Letter.scr have been continuously distributed as shown below. The recent download URLs for the malware are designed to resemble a Korean job-seeking and recruitment website, and it is difficult for users to recognize that they are fake. Thus, particular caution is advised on the part of users.
|Date of Identification||File Name|
|Feb. 18, 2021||Bae**_Job Application Letter.scr|
|May 10, 2021||Lee**_Job Application Letter.scr|
|Jan. 17, 2022||Song**_Job Application Letter.scr|
|Apr. 04, 2022||Lee**_Job Application Letter.scr|
|Jan. 31, 2023||Lee**_Job Application Letter.hwp.scr|
|May 15, 2023||Lim**_Job Application Letter.hwp.scr|
URL & C2
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.