Kimsuky Group’s Malware Disguised as Lecture Request Form (MSC, HWP)

Recently, malware disguised as a lecture request form and targeting specific users was identified.

The distributed files include Hangul Word Processor (HWP) documents and files in MSC format, which download additional malicious files. The decoy documents used to pose as legitimate files have been found to sometimes contain personal information, suggesting that the malware targets specific users. Although the final malicious behaviors have not been confirmed, a script containing the threat actor’s commands is stored on the user’s PC and executed continuously, which could lead to various malicious behaviors such as information leakage and the downloading of additional malicious code.

The format of the malicious URLs used by this malware is similar to those analyzed in AhnLab’s 2023 ASEC blog post, “Malicious Batch File (*bat) Disguised as a Document Viewer Being Distributed (Kimsuky)” [1], suggesting that the same attack group is behind it.

This document explains the behavior of the distributed files and their subsequent actions.


Figure 1. Malware operation process

A characteristic of the operation process is the use of a legitimate executable file together with a malicious script file disguised as that executable’s manifest file. Additionally, the malware uses Google Drive as a channel for receiving additional malicious commands: encoded commands are inserted into the titles of uploaded files, and the malware reads them from there to carry out its malicious behaviors.
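As an added defender-side illustration (this is not code from the ASEC report or from the malware), the following check audits files named like application manifests. A genuine Windows application manifest is an XML document whose root element is `assembly`; a script stored under a `.manifest` name will not parse as XML. The sample files, the exact `.manifest` naming, and the list of script markers are constructed assumptions for this example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Illustrative script markers (an assumption for this example, not from the report).
SCRIPT_MARKERS = (b"@echo off", b"powershell", b"cmd.exe", b"cmd /c", b"wscript",
                  b"cscript", b"mshta", b"createobject(", b"<script")

# Constructed sample: a legitimate-looking manifest (well-formed XML, root <assembly>).
LEGIT_MANIFEST = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">\n'
    b'  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">\n'
    b'    <security><requestedPrivileges>\n'
    b'      <requestedExecutionLevel level="asInvoker" uiAccess="false"/>\n'
    b'    </requestedPrivileges></security>\n'
    b'  </trustInfo>\n'
    b'</assembly>\n'
)

# Constructed sample: a harmless batch script stored under a manifest name.
BOGUS_MANIFEST = (
    b"@echo off\r\n"
    b"rem constructed sample: a script that is not a manifest at all\r\n"
    b"start /b cmd /c \"echo placeholder\"\r\n"
)

# Constructed sample: XML, but not an application manifest.
WRONG_ROOT_MANIFEST = b"<config><item/></config>\n"


def classify_manifest(data: bytes) -> str:
    """Return 'ok', 'script-like', 'not-xml' or 'unexpected-root' for manifest bytes."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        lowered = data.lower()
        # Not XML: decide whether it looks like an interpreter script.
        if any(marker in lowered for marker in SCRIPT_MARKERS):
            return "script-like"
        return "not-xml"
    # Strip the XML namespace ({urn:...}assembly -> assembly) before comparing.
    local_name = root.tag.rsplit("}", 1)[-1]
    return "ok" if local_name == "assembly" else "unexpected-root"


def scan_directory(path: str) -> dict:
    """Walk `path` and return {file: verdict} for every *.manifest that is not 'ok'."""
    findings = {}
    for dirpath, _, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".manifest"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                verdict = classify_manifest(fh.read())
            if verdict != "ok":
                findings[full] = verdict
    return findings


def demo() -> list:
    """Write the constructed samples to a temp dir, scan it, and return sorted findings."""
    workdir = tempfile.mkdtemp(prefix="manifest-audit-")
    samples = {
        "legit.exe.manifest": LEGIT_MANIFEST,
        "myapp.exe.manifest": BOGUS_MANIFEST,
        "config.manifest": WRONG_ROOT_MANIFEST,
    }
    for name, data in samples.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(data)
    findings = scan_directory(workdir)
    for name in samples:
        os.remove(os.path.join(workdir, name))
    os.rmdir(workdir)
    return sorted((os.path.basename(p), v) for p, v in findings.items())


if __name__ == "__main__":
    for filename, verdict in demo():
        print(f"{filename}: {verdict}")
```

Run against a real host, point `scan_directory` at the directories where the legitimate executable and its manifest are expected to live; anything reported as `script-like` or `not-xml` is worth pulling for analysis, since a manifest that an XML parser rejects has no legitimate reason to exist.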

The malware is suspected to be primarily distributed through spear phishing, with Hangul Word Processor (HWP) documents and MSC files being identified. The confirmed distributed file names are as follows.

File Name
강연의뢰서.msc (Lecture Request Form.msc)
원고작성 세칙.hwp (Manuscript Writing Guidelines.hwp)
강연의뢰서.hwp (Lecture Request Form.hwp)
강연 개요서(pw13579).hwp (Lecture Overview (pw13579).hwp)

Table 1. Distributed file names

The decoy document identified in this same type of attack is as follows.


Figure 6. A confirmed decoy document

Table of Contents

Overview
Malware Analysis
1. Distributed Files
1.1 MSC File
1.2 Hangul Word Processor (HWP) File
2. Downloaded Files
AhnLab Response Overview
Conclusion
Indicators of Compromise (IoCs)
File Hashes (MD5s)
Related Domains, URLs, and IP Addresses
References

MD5

08111135bae27c8aafd08457e95b7380
100e0fdae087054dbc1d8fc364b07e2e
7c451e8d5605536363d897fa9e389ecd
7ed620ca3fdbf2e3900cac5fc99f037f
92ac0465a474e9bb83154c01bb914b52

URL

http[:]//communiquer[.]be/modules/mod_users_latest/src/Helper/0902_pprb/d[.]php?na=myapp
http[:]//communiquer[.]be/modules/mod_users_latest/src/Helper/0902_pprb/d[.]php?na=myappfest
http[:]//communiquer[.]be/modules/mod_users_latest/src/Helper/0902_pprb/d[.]php?na=view
http[:]//communiquer[.]be/modules/mod_users_latest/src/Helper/0907_pprb/d[.]php?na=comline
http[:]//communiquer[.]be/modules/mod_users_latest/src/Helper/0907_pprb/d[.]php?na=myapp
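The indicators above are defanged (`http[:]//`, `[.]`) and the URLs differ only in the `na=` parameter and the `0902_pprb`/`0907_pprb` directory. The following added example (not part of the ASEC report) refangs the listed IoCs and matches them against proxy log lines and a list of file hashes. It goes slightly beyond the literal list: a request is flagged when the host and the `d.php` path match, regardless of the `na=` value, so that an unlisted parameter value still triggers a hit. The log lines, the hash export and the log format are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# IoCs exactly as listed (defanged) in the report.
DEFANGED_URLS = [
    "http[:]//communiquer[.]be/modules/mod_users_latest/src/Helper/0902_pprb/d[.]php?na=myapp",
    "http[:]//communiquer[.]be/modules/mod_users_latest/src/Helper/0902_pprb/d[.]php?na=myappfest",
    "http[:]//communiquer[.]be/modules/mod_users_latest/src/Helper/0902_pprb/d[.]php?na=view",
    "http[:]//communiquer[.]be/modules/mod_users_latest/src/Helper/0907_pprb/d[.]php?na=comline",
    "http[:]//communiquer[.]be/modules/mod_users_latest/src/Helper/0907_pprb/d[.]php?na=myapp",
]
MD5S = {
    "08111135bae27c8aafd08457e95b7380",
    "100e0fdae087054dbc1d8fc364b07e2e",
    "7c451e8d5605536363d897fa9e389ecd",
    "7ed620ca3fdbf2e3900cac5fc99f037f",
    "92ac0465a474e9bb83154c01bb914b52",
}

# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = [
    "2024-09-07T10:12:03Z 10.0.0.5 GET http://communiquer.be/modules/mod_users_latest/src/Helper/0907_pprb/d.php?na=comline 200",
    "2024-09-07T10:12:09Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2024-09-07T10:13:41Z 10.0.0.7 GET http://communiquer.be/modules/mod_users_latest/src/Helper/0902_pprb/d.php?na=other 200",
    "2024-09-07T10:14:02Z 10.0.0.7 GET http://communiquer.be/index.php 200",
]

# Constructed hash export, e.g. from an EDR file inventory (mixed case on purpose).
SAMPLE_HASHES = [
    "7C451E8D5605536363D897FA9E389ECD",
    "d41d8cd98f00b204e9800998ecf8427e",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def url_key(url: str) -> tuple:
    """(host, path) of a URL; the query string (the na= parameter) is deliberately ignored."""
    parts = urlsplit(url)
    return parts.netloc.lower(), parts.path


KNOWN_KEYS = {url_key(refang(u)) for u in DEFANGED_URLS}
URL_RE = re.compile(r"https?://\S+")


def scan_proxy_log(lines) -> list:
    """Return [(line_number, url)] for every URL whose host and path match a listed IoC."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            if url_key(url) in KNOWN_KEYS:
                hits.append((number, url))
    return hits


def scan_hashes(hashes) -> list:
    """Return the listed MD5s (lower-cased) that appear in the given hash export."""
    return sorted(h.lower() for h in hashes if h.lower() in MD5S)


if __name__ == "__main__":
    for number, url in scan_proxy_log(SAMPLE_LOG):
        print(f"line {number}: {url}")
    for digest in scan_hashes(SAMPLE_HASHES):
        print(f"known hash: {digest}")
```

Matching on host and path rather than the full URL is a deliberate trade-off: it catches requests with parameter values the report did not list, at the cost of also flagging any other request to that exact `d.php` path, which on this host is the intended outcome.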