Word

LockBit 3.0 Ransomware Distributed via Word Documents

The ASEC analysis team has identified that LockBit 3.0 ransomware, which has been distributed in NSIS format disguised as job application emails, is also being distributed in Word document format. The specific distribution channel has not yet been identified, but considering that the distributed file names include names of people such as ‘Lim Gyu Min.docx’ or ‘Jeon Chae Rin.docx’, it is likely that they were distributed disguised as job applications, similar to the past cases. There is an external link in the…

Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)

The ASEC analysis team has discovered the continuous distribution of malicious Word files with North Korea-related materials. The types of discovered Word files included the one discussed in the “Overall Organizational Analysis Report of 2021 Kimsuky Attack Word Files” (AhnLab TIP) and ‘Word Files Related to Diplomacy and National Defense Being Distributed’. There was also a type using mshta. The malicious Word files are distributed under various names as shown below. CV of Kim **(Korean American Organization of **,220711).doc…

Malicious Word Documents Using MS Media Player (Impersonating AhnLab)

Last week, the ASEC analysis team uploaded a post named “Malicious Word File Targeting Corporate Users Being Distributed” that contained information about a malicious Word file. Currently, documents of the same type are being distributed with text that impersonates AhnLab. The Word files confirmed this time download another Word file containing a malicious VBA macro via the external URL and run it. Another difference is that the additionally downloaded Word file uses the Windows Media Player() function instead of AutoOpen() to…

Malicious Word File Targeting Corporate Users Being Distributed

The ASEC analysis team discovered a Word file that seems to target corporate users. The file contains an image that prompts users to enable macros like other malicious files. To trick users into thinking that this is an innocuous file, it shows information related to improving Google account security when the macro is run. Ultimately, it downloads additional malware files and leaks user information. When the file is run, it shows a warning image that mentions ‘file created in public…

Word File Disguised as a Design Modification Request for Information Theft

The ASEC analysis team has discovered the distribution of a malicious Word file targeting Korean users. The filename is Design Modification Request.doc, and it includes an image that prompts the user to run the macro. As shown below, the Word file includes a malicious macro that downloads additional files from hxxp://filedownloaders.com/doc09. When the user clicks Enable Content, the macro is automatically run, and it downloads additional malicious files. It then runs the downloaded temp.doc document file. The Word file contains texts…