APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky)

At the beginning of March this year, a wildfire broke out in the Samcheok and Wuljin area, and numerous people from all over Korea donated to help the victims and restore the damages. Amidst such a situation, the ASEC analysis team discovered the attacker’s attempt at launching APT attacks disguised as donation receipts for the Uljin wildfire. The file was created on March 28th, and its author’s name is the same as the author (Acer) that was introduced in the…

VBS Script Disguised as PDF File Being Distributed (Kimsuky)

On March 23rd, the ASEC analysis team has discovered APT attacks launched by an attack group presumed to be Kimsuky, and they targeted certain Korean companies. Upon running the script file with the VBS extension, the malware runs the innocuous PDF file that exists internally to trick the user into thinking that they opened an innocuous document file and uses a malicious DLL file to leak information. Taking PDF file into consideration, it seems the attacker is targeting precise-refinement industries….

APT Attack Using Word Files About Cryptocurrency (Kimsuky)

On March 21st, the ASEC analysis team has discovered the Kimsuky group’s APT attacks that use Word files containing information about cryptocurrency. A total of three Word files were discovered that were used as baits for the attacks. The macro’s author and its execution flow are identical to that which was introduced in the ASEC blog post uploaded on March 17th (Title:  Malicious Word Files Disguised as Product Introduction). It appears that all three files are properly created Word files…

Word Document Attack Targeting Companies Specialized in Carbon Emissions

On March 18th, the ASEC analysis team discovered a document-borne APT attack targeting companies specialized in carbon emissions. According to logs collected from AhnLab’s ASD (AhnLab Smart Defense), the user of the infected PC appears to have downloaded a malicious word document titled “**** Carbon Credit Institution.doc” through a web browser. While the malicious document could not be secured, it is likely that its internal macro code runs wscript.ex. The confirmed execution argument for wscript.exe is as follows: wscript.exe %AppData%\Microsoft\Templates\version.ini…

APT Attack Attempts Disguised as North Korea Related Paper Requirements (Kimsuky)

The ASEC analysis team has recently discovered the distribution of malicious Word (DOC) files to graduate school professors that are disguised as North Korea-related paper requirements. The name of the Word file is shown below. The term ‘KIMA’ mentioned in the filename is the name of the monthly magazine specializing in the field of security, national defense, and military, published by Korea Institute for Military Affairs. March Monthly KIMA Paper_Requirements.doc The attacker performed spear-phishing attacks targeting professors of certain universities….