Malware Disguised as HWP Document File (Kimsuky)

AhnLab Security Emergency response Center (ASEC) has recently confirmed that malware previously distributed in CHM and OneNote file formats is now being distributed as an executable. Because the wording used in the malware and the executed script code closely resemble those of previously analyzed samples, the same threat group (Kimsuky) is suspected to be behind this malware as well.

The identified malware is distributed as a compressed file which contains a readme.txt along with an executable disguised with an HWP document file extension.

The readme.txt file contains the following message, which prompts users to open the malicious EXE file (Personal Data Leakage Details.hwp.exe). The malicious EXE file was compiled with .NET and uses the HWP document icon to make it look like a document file. Multiple spaces were also inserted into the file name so that the real file extension is not fully visible.

The above EXE file contains a PowerShell command encoded in Base64. Thus, when the file is executed, this command is decoded and saved as update.vbs in the %APPDATA% folder. The generated update.vbs file is then executed through PowerShell.
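The two disguise techniques described above (a document extension hidden by padding spaces before the real .exe extension, and a Base64-encoded PowerShell command embedded in the .NET binary) can both be checked for during triage. The following is an added example written for this post, not code from ASEC or from the malware: it extracts long Base64 runs from a file, decodes them as UTF-16LE (the encoding PowerShell's -EncodedCommand expects) or UTF-8, flags decodings that reference update.vbs, %APPDATA% or wscript, and separately flags padded double-extension file names. The marker list, extension lists and the embedded sample bytes are constructed for the example.

```python
import base64
import re

# Markers taken from the behaviour the post describes (constructed list).
SUSPICIOUS_MARKERS = ("update.vbs", "appdata", "wscript", "well-story")
DOC_EXTENSIONS = (".hwp", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx")
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def decode_candidate(run: bytes) -> list:
    """Decode a Base64 run as UTF-16LE (PowerShell -EncodedCommand) and UTF-8."""
    try:
        raw = base64.b64decode(run, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return []
    texts = []
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):  # printable decodings only
            texts.append(text)
    return texts


def scan_for_encoded_powershell(data: bytes) -> list:
    """Return (decoded text, matched markers) for each suspicious Base64 run."""
    hits = []
    for match in B64_RUN.finditer(data):
        for text in decode_candidate(match.group(0)):
            found = [m for m in SUSPICIOUS_MARKERS if m in text.lower()]
            if found:
                hits.append((text, found))
    return hits


def is_disguised_document_name(name: str) -> bool:
    """Flag 'Report.hwp<padding spaces>.exe'-style names (document ext + real exec ext)."""
    lower = name.lower().rstrip()
    if not lower.endswith(EXEC_EXTENSIONS):
        return False
    stem = lower[: lower.rfind(".")].rstrip()  # drop the real extension and padding
    return stem.endswith(DOC_EXTENSIONS)


# Constructed stand-in for the dropper body, not a real sample: a UTF-16LE
# PowerShell string, Base64-encoded and wrapped in filler bytes.
CONSTRUCTED_COMMAND = "$p = Join-Path $env:APPDATA 'update.vbs'; Set-Content -Path $p -Value $script; wscript.exe $p"
CONSTRUCTED_SAMPLE = (b"MZ\x90\x00filler\x00"
                      + base64.b64encode(CONSTRUCTED_COMMAND.encode("utf-16-le")) + b"\x00filler")
```

Run `scan_for_encoded_powershell` over the bytes of a suspicious binary and `is_disguised_document_name` over attachment names; a hit on either is a reason to inspect the file further.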

The following message box is then generated, rendering it difficult for users to realize that malicious behaviors are being performed. The message contains North Korean dialect as shown in Figure 4 below.

The created update.vbs file contains obfuscated commands. Decoding this reveals a code that downloads and executes an additional script from hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=1.

Both the script present in the above URL and the subsequent scripts executed perform functions such as user credential leakage and keylogging, which are consistent with the findings in the <Analysis Report on Malware Distributed by the Kimsuky Group>. The identified URL and features of the created file are as follows.

URL / Filename: update.vbs
  – Changes a certain registry
  – Runs the script hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=1

URL / Filename: hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=1
  – Changes a certain registry
  – Creates OfficeAppManifest_v[Min]_[Hr]_[Day][Month].xml and registers it as a service
  – Runs the script hxxp://well-story.co[.]kr/adm/inc/js/lib.php?idx=1

URL / Filename: OfficeAppManifest_v[Min]_[Hr]_[Day][Month].xml
  – Runs the script hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=6

URL / Filename: hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=6
  – Runs the script hxxp://well-story.co[.]kr/adm/inc/js/lib.php?idx=5

URL / Filename: hxxp://well-story.co[.]kr/adm/inc/js/lib.php?idx=5
  – Keylogger
  – Transmits keylogging data to hxxp://well-story.co[.]kr/adm/inc/js/show.php

URL / Filename: hxxp://well-story.co[.]kr/adm/inc/js/lib.php?idx=1
  – Collects user PC information
  – Transmits the collected information to hxxp://well-story.co[.]kr/adm/inc/js/show.php

Table 1. Features of the scripts found on a certain URL and the generated files

The information collected at this stage also matches that described in the aforementioned report.

Given the continuous detection of this malware type being distributed, users are advised to exercise extra caution. Users should always verify the file extension when opening email attachments and refrain from executing files received from unknown sources.

[File Detection]

Dropper/Win.Agent.C5441936 (2023.06.16.02)
Trojan/VBS.Kimsuky (2023.03.21.03)
Trojan/PowerShell.Obfuscated (2023.03.14.00)
Trojan/PowerShell.KeyLogger (2023.05.09.00)


URL

http[:]//well-story[.]co[.]kr/adm/inc/js/lib[.]php?idx=1
http[:]//well-story[.]co[.]kr/adm/inc/js/lib[.]php?idx=5
http[:]//well-story[.]co[.]kr/adm/inc/js/list[.]php?query=1
http[:]//well-story[.]co[.]kr/adm/inc/js/list[.]php?query=6
http[:]//well-story[.]co[.]kr/adm/inc/js/show[.]php
