Kimsuky

Word Files Related to Diplomacy and National Defense Being Distributed

The ASEC analysis team has discovered the continuous distribution of malicious Word files with North Korea-related file names. The Word files contain malicious VBA macro code and are the same file type introduced in <Discovery of Continuous Distribution of North Korea-related Malicious Word Files>. The names of the recently discovered files are as follows: 220426-North Korea’s Diplomatic Policy and Our Responses(Professor Jeong).doc (April 26th); North Korea’s Diplomatic Policy and Our Responses.doc (April 26th); China’s Diplomatic Policy and…

APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky)

At the beginning of March this year, a wildfire broke out in the Samcheok and Uljin area, and numerous people from all over Korea donated to help the victims and repair the damage. Against this backdrop, the ASEC analysis team discovered the attacker’s attempt to launch APT attacks disguised as donation receipts for the Uljin wildfire. The file was created on March 28th, and its author’s name is the same as the author (Acer) that was introduced in the…

VBS Script Disguised as PDF File Being Distributed (Kimsuky)

On March 23rd, the ASEC analysis team discovered APT attacks targeting certain Korean companies, launched by an attack group presumed to be Kimsuky. Upon running the script file with the VBS extension, the malware opens the innocuous PDF file embedded within it to trick the user into thinking that they opened an innocuous document file, and uses a malicious DLL file to leak information. Taking the PDF file into consideration, it seems the attacker is targeting precise-refinement industries….

APT Attack Using Word Files About Cryptocurrency (Kimsuky)

On March 21st, the ASEC analysis team discovered the Kimsuky group’s APT attacks that use Word files containing information about cryptocurrency. A total of three Word files used as bait for the attacks were discovered. The macro’s author and its execution flow are identical to those introduced in the ASEC blog post uploaded on March 17th (Title: Malicious Word Files Disguised as Product Introduction). It appears that all three files are properly created Word files…

Word Document Attack Targeting Companies Specialized in Carbon Emissions

On March 18th, the ASEC analysis team discovered a document-borne APT attack targeting companies specialized in carbon emissions. According to logs collected from AhnLab’s ASD (AhnLab Smart Defense), the user of the infected PC appears to have downloaded a malicious Word document titled “**** Carbon Credit Institution.doc” through a web browser. While the malicious document could not be obtained, it is likely that its internal macro code runs wscript.exe. The confirmed execution argument for wscript.exe is as follows: wscript.exe %AppData%\Microsoft\Templates\version.ini…