Malicious Word Document Being Distributed in Disguise of a News Survey
Posted By jcleebobgatenet, November 25, 2022

The ASEC analysis team discovered that the Word document type identified in the blog, ‘Malicious Word Files Targeting Specific Individuals Related to North Korea,’ has recently been using FTP to leak user credentials. The filename of the identified Word document is ‘CNA[Q].doc’, disguised as a CNA Singaporean TV program interview. The file is password-protected and is deemed to be distributed as an attachment in emails alongside the password. The identified Word file contains information related to North Korea like the…

LockBit 3.0 Ransomware Distributed via Word Documents
Posted By jcleebobgatenet, September 28, 2022

The ASEC analysis team has identified that LockBit 3.0 ransomware, which has been distributed in NSIS format disguised as job application emails, is also being distributed in Word document format. The specific distribution channel has not yet been identified, but considering that the distributed file names include names of people such as ‘Lim Gyu Min.docx’ or ‘Jeon Chae Rin.docx’, it is likely that they were distributed disguised as job applications, similar to the past cases. There is an external link in the…

Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)
Posted By jcleebobgatenet, August 2, 2022

The ASEC analysis team has discovered the continuous distribution of malicious Word files with North Korea-related materials. The types of discovered Word files included the one discussed in the “Overall Organizational Analysis Report of 2021 Kimsuky Attack Word Files” (AhnLab TIP) and ‘Word Files Related to Diplomacy and National Defense Being Distributed’. There was also a type using mshta. The malicious Word files are distributed under various names as shown below. CV of Kim **(Korean American Organization of **,220711).doc…

Malicious Word Documents Using MS Media Player (Impersonating AhnLab)
Posted By jcleebobgatenet, April 5, 2022

Last week, the ASEC analysis team uploaded a post named “Malicious Word File Targeting Corporate Users Being Distributed” that contained information about a malicious Word file. Currently, documents of the same type are being distributed with text that impersonates AhnLab. The Word files confirmed this time download another Word file containing a malicious VBA macro via the external URL and run it. Another difference is that the additionally downloaded Word file uses the Windows Media Player() function instead of AutoOpen() to…

Malicious Word File Targeting Corporate Users Being Distributed
Posted By jcleebobgatenet, March 30, 2022

The ASEC analysis team discovered a Word file that seems to target corporate users. The file contains an image that prompts users to enable macros like other malicious files. To trick users into thinking that this is an innocuous file, it shows information related to improving Google account security when the macro is run. Ultimately, it downloads additional malware files and leaks user information. When the file is run, it shows a warning image that mentions ‘file created in public…