AhnLab Security Emergency response Center (ASEC) has recently confirmed the distribution of malware disguised with coin exchange and investment-related topics. The malware is being distributed in the form of an executable and a Word file. Based on the User-Agent name used in the malware, it is suspected that it was created by the Kimsuky group. The confirmed filenames are as follows:
|07.28||0728-We**Wallet Automatic Withdrawal of Funds.docx.exe (assumed)|
|07.28||230728 We**Team – Wallet Hacking Similarities.docx.exe (assumed)|
|07.28||We** Team – Ban on Cloud Usage.doc|
The executables identified in Table 1 are disguised with Word document and PDF icons, making them appear like normal files.
The above malicious executables are in the form of self-extracting archives (SFX) containing normal files within. Therefore, when the file is executed, the following normal document files are generated.
Each document file contains content impersonating asset management and coin exchanges. The contents of each document are as follows.
The archive content of each executable includes the normal documents identified in Figure 2, along with a command to access a specific URL.
As a result, upon executing a file, a normal document is generated, and mshta.exe is utilized to execute the script code present in the malicious URL. At the time of analysis, access to the mentioned URL was not possible, so the exact behavior could not be confirmed. Below are the confirmed malicious URLs.
Aside from the aforementioned SFX-type executables, the threat actor appears to have also distributed a Word document containing a VBA macro. The identified document file also bears the same disguising filename as the malicious executables, as it pretends to be related to coin exchange.
When the document file is opened, the text color in the body is set to gray, as shown below, manipulating users into clicking the Enable Content button. Upon clicking this button, the VBA macro code embedded in the document is executed, changing the text color in the body to black, as seen in Figure 8, enabling users to view the content.
When the VBA macro embedded in the document is executed, the normal wscript.exe file in the %windir%\system32 directory is copied under the name word.exe in the %appdata% folder. Afterward, it downloads an additional Base64-encoded script from hxxps://partner24[.]kr/mokozy/hope/kk.php before decoding it and saving it in the %USERPROFILE% folder as set.sl. The created set.sl file is executed with the following command.
- cmd /c %appdata%\word.exe //e:vbscript //b %USERPROFILE%\set.sl
At the time of analysis, the code downloaded from hxxps://partner24[.]kr/mokozy/hope/kk.php did not perform any particular malicious behaviors, but various malicious commands can be executed through it according to the threat actor’s intent. The code saved in set.sl at the time of analysis is as follows.
Considering that the malware in question uses Chnome instead of Chrome as the User-Agent in the macro code shown in Figure 9, the Kimsuky group is suspected to have created it. (1) Furthermore, the fact that both the executables and document file share the same coin exchange name in their filenames and connect to the same C2 address suggests that the executables were also created by the same threat group.
Currently, the exact script that is ultimately executed cannot be identified due to the C2 being inaccessible. However, given the potential for various malicious behaviors such as exfiltrating user credentials and downloading additional malware, users should exercise extra caution.
[Behavior Detection by AhnLab Product Type]