Malicious Word Files Targeting Specific Individuals Related to North Korea – ASEC BLOG

The ASEC analysis team reports the ongoing distribution of malicious Word documents targeting individuals tied to national defense and North Korea, with filenames referencing real people. The embedded macros download PowerShell scripts, collect host information, exfiltrate data, and persist via registry changes and startup shortcuts. #Kimsuky #NorthKorea #PowerShell #OfficeMacros

Keypoints

  • Malicious Word files targeting individuals related to North Korea and national defense have been identified, with filenames including real names.
  • The Word macros are obfuscated and align with a type B macro pattern described by AhnLab TIP.
  • The macro downloads additional scripts from a remote URL using PowerShell and executes them.
  • The dropped scripts collect system information (Recent folder, Program Files, systeminfo, tasklist) and exfiltrate it to a remote server.
  • The malware creates persistence (Startup shortcut and Run registry keys) and adjusts Office security settings to allow macros.
  • Keylogging is implemented, saving keystrokes to a local file and sending data back to the remote server.
  • Detected IOCs include a VBA-related file hash and several URLs, with referenced threat detections like Downloader/DOC.Kimsuky and Trojan/PowerShell.FileUpload.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The Word files are distributed targeting specific individuals related to national defense and North Korea. ‘continuous distribution of malicious Word files targeting specific individuals related to national defense and North Korea’
  • [T1059.001] PowerShell – The macro downloads and executes remote scripts using PowerShell. ‘When the macro is run, it downloads additional scripts from ‘hxxp://vjdif.mypressonline[.]com/ho/ng.txt’ using PowerShell.’
  • [T1105] Ingress Tool Transfer – The downloaded remote script is retrieved from a remote server. ‘downloads additional scripts from hxxp://vjdif.mypressonline[.]com/ho/ng.txt’
  • [T1041] Exfiltration Over C2 Channel – Collected data is sent to a remote server. ‘eventually sending it to hxxp://vjdif.mypressonline[.]com/ho/post.php’
  • [T1082] System Information Discovery – The malware collects system information (systeminfo). ‘System info’
  • [T1057] Process Discovery – The malware enumerates running processes (tasklist). ‘List of running processes’
  • [T1112] Modify Registry – The script changes Office security settings via registry keys to enable macros. ‘New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\…\Word\Security -Name VBAWarnings -Value 1’
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence via Run registry entries and a Startup shortcut. ‘Startup folder so that the malware can continuously function’
  • [T1056.001] Input Capture (Keylogging) – Key inputs are saved to a log file. ‘Key inputs are saved to %APPDATA%\Ahnalb\Ahnlab.hwp’
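A host-side audit for the changes listed under T1112, T1547.001 and T1056.001, written here as an added PowerShell example that is not part of the ASEC report. It assumes the standard Office and Windows registry locations for VBAWarnings and Run keys, treats any `<major>.0` key under HKCU\SOFTWARE\Microsoft\Office as the elided version segment, and reconstructs the keystroke log path as %APPDATA%\Ahnalb\Ahnlab.hwp.

```powershell
# Added audit example (not from the ASEC report). Run in the affected user's session.
# VBAWarnings meanings: 1 = enable all macros (what the macro sets), 2 = disable with
# notification (Office default), 3 = disable except signed, 4 = disable all.
$findings = @()

# 1. Macro security policy for every Office version key under HKCU.
Get-ChildItem 'HKCU:\SOFTWARE\Microsoft\Office' -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
  ForEach-Object {
    $secKey = "HKCU:\SOFTWARE\Microsoft\Office\$($_.PSChildName)\Word\Security"
    if (Test-Path $secKey) {
      $v = (Get-ItemProperty -Path $secKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
      if ($v -eq 1) { $findings += "VBAWarnings=1 (all macros enabled) at $secKey" }
    }
  }

# 2. Run keys: flag values that launch PowerShell or point into the roaming profile.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSProvider', 'PSDrive')
$runKeys = @('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
  if (-not (Test-Path $k)) { continue }
  $props = Get-ItemProperty -Path $k
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -in $providerProps) { continue }
    if ("$($p.Value)" -match '(?i)powershell|\\AppData\\Roaming\\') {
      $findings += "Suspicious Run value '$($p.Name)' at ${k}: $($p.Value)"
    }
  }
}

# 3. Startup-folder shortcuts (report: persistence via Startup shortcut) and the
#    keystroke log path. The backslash positions in the log path are an assumption.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue |
  ForEach-Object { $findings += "Startup shortcut present: $($_.FullName)" }
$logPath = Join-Path $env:APPDATA 'Ahnalb\Ahnlab.hwp'
if (Test-Path $logPath) { $findings += "Keystroke log present: $logPath" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Any Startup shortcut is reported for review rather than judged automatically, since legitimate software also installs them; the VBAWarnings and keystroke-log checks are the high-confidence signals here.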

Indicators of Compromise

  • [File hash] cbafe2d6c3b36087220fe63129a1e611 (VBA) – VBA macro reference
  • [URL] hxxp://vjdif.mypressonline[.]com/ho/ng.txt – remote script location
  • [URL] hxxp://vjdif.mypressonline[.]com/ho/ng.down – downloaded payload
  • [URL] hxxp://vjdif.mypressonline[.]com/ho/post.php – data exfiltration endpoint
  • [Detection name] Downloader/DOC.Kimsuky – detection label mentioned in report
  • [Detection name] Trojan/PowerShell.FileUpload – detection label mentioned in report
  • [File] Ahnlab.hwp – log filename used for keystroke data

Read more: https://asec.ahnlab.com/en/38182/