Malware Being Distributed Disguised as a Job Application Letter – ASEC BLOG

AhnLab’s ASEC warns that malware disguised as a job application letter is being distributed via malicious URLs that mimic a Korean job-seeking site, delivering a Windows payload. The malware exfiltrates data, performs keylogging, takes screenshots, and persists by abusing registry Run keys and shortcut execution. #AhnLab #V3Lite #Albamon #JobApplicationLetter #HWP #cmcs21 #WechatWeb #Yga #Kinf

Keypoints

  • Malware is distributed through malicious URLs built to resemble a Korean job-seeking site (the lookalike domains manage.albamon[.]info and manage.albamon[.]live mimic the Albamon job portal), using a file named like a job application letter: a .scr executable with a double extension (…hwp.scr) and an HWP document icon.
  • The dropper decompresses ZIP data stored in its internal RCDATA resource and writes multiple files, including the decoy document lim_b_n.hwp, cmcs21.dll, wechatweb.exe, and yga.txt.
  • Persistence is achieved via a registry Run value and an InternetShortcut (.url) file that triggers execution of the decoy HWP file and of wechatweb.exe.
  • wechatweb.exe loads cmcs21.dll and calls its exported function CMGetCommandString; that code then injects data into a freshly launched copy of wechatweb.exe, in which the malicious activity continues.
  • The malware collects system information (drive serial number, IP address, OS version and more), checks for running antivirus processes such as V3Lite.exe, and transmits the data to a C2 server; keylogging and screenshot capture are additional capabilities.
  • C2 endpoints include ggt-send-6187.orange-app[.]vip:6187 and manage.albamon[.]info; several related MD5s and filenames are identified as IOCs.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Distribution occurs via malicious URLs built to resemble a Korean job-seeking website. ‘malicious URLs designed to resemble a Korean job-seeking website.’
  • [T1036] Masquerading – The dropper is a .scr executable named like a job application letter, with a document-style double extension (…hwp.scr) and an HWP icon. ‘Files disguised as Job Application Letter.scr have been continuously distributed’
  • [T1027] Obfuscated Files and Information – The payload is stored compressed in the dropper’s RCDATA resource and written to the Public user directory as a ZIP with a random six-character name. ‘the compressed file data stored in the internal RCDATA is saved as %Public%\[6 random characters].zip’
  • [T1547.009] Boot or Logon Autostart Execution: Shortcut Modification – An InternetShortcut (.url) file triggers execution of the decoy HWP document and wechatweb.exe (T1023, the retired ID for this behaviour, maps here). ‘InternetShortcut file to enable the execution of the normal HWP file created before and wechatweb.exe’
  • [T1129] Shared Modules – wechatweb.exe loads cmcs21.dll and calls its exported function CMGetCommandString; the behaviour is DLL export execution, not use of a scripting interpreter. ‘loads cmcs21.dll which was created simultaneously and executes the exports function named CMGetCommandString’
  • [T1055] Process Injection – The code reached via CMGetCommandString injects data into a newly spawned wechatweb.exe process. ‘injects the data into the recursively executed wechatweb.exe process’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – A Run value is created so the malicious file keeps running across logons. ‘registry entry to enable the malicious file to run continuously’
  • [T1082] System Information Discovery – The malware collects extensive host information before contacting the C2 server. ‘Collected information’ including drive serial, IP, OS version, etc.
  • [T1518.001] Software Discovery: Security Software Discovery – The malware checks for antivirus processes such as V3Lite.exe and reports the result. ‘process names checked and transmitted’
  • [T1056.001] Input Capture: Keylogging – Keylogging is listed among the malware’s capabilities. ‘performs keylogging’
  • [T1113] Screen Capture – The malware is capable of capturing screenshots. ‘capturing screenshots’
  • [T1041] Exfiltration Over C2 Channel – Collected data is transmitted over the same channel used for command and control. ‘C2 : ggt-send-6187.orange-app[.]vip:6187’
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communication uses HTTP(S) to ggt-send-6187.orange-app[.]vip on port 6187 and to manage.albamon[.]info. ‘C2: …orange-app[.]vip:6187’

Indicators of Compromise

  • [URL] C2/Delivery – hxxp://ggt-send-6187.orange-app[.]vip:6187, hxxps://manage.albamon[.]info
  • [URL] Additional C2/Delivery – hxxps://manage.albamon[.]live/23_05_15_05/…hwp.scr, hxxps://manage.albamon[.]live/23_05_22_Fighting_ok/…hwp.scr
  • [MD5] File hash – 15a0e9cd449bce9e37bb1f8693b3c4e0 (scr), 498eda85200257a813dc6731d3324eb6 (scr), 0ddcb876007aee40f0c819ae2381d1b1 (yga.txt), ccf3fcd6323bcdd09630e69d6ee74197 (yga.txt)
  • [Filename] Dropped/Created files – lim_b_n.hwp, cmcs21.dll, wechatweb.exe, yga.txt
  • [Registry] Run key value – HKCU\Software\Microsoft\Windows\CurrentVersion\Run\specialyouttg0a
  • [Process] Antivirus process name – V3Lite.exe
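The following Python example is added here; it is not code from ASEC or the report. It turns the techniques and indicators listed above (the …hwp.scr double extension, the random-named ZIP in %Public%, the wechatweb.exe / cmcs21.dll pairing, the Run value name and the C2 domains) into detection rules and runs them over constructed Sysmon-style events. The event layout, the drop location C:\Users\Public for files other than the ZIP, and all sample values (random ZIP name, SID, benign domain) are assumptions.

```python
"""Detection rules for the job-application-letter dropper chain described above.

Added example: the rules encode the indicators from this page (lookalike
domains, the Run value name, the wechatweb.exe / cmcs21.dll pairing, the
%Public%\\<6 random chars>.zip drop, the ...hwp.scr double extension).
The event layout is Sysmon-like (IDs 1, 7, 11, 13, 22) and every event below
is constructed for illustration, not real telemetry.
"""
import re
from dataclasses import dataclass


def refang(indicator: str) -> str:
    """Turn the page's defanged notation (hxxp, [.]) back into a matchable form."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


# Indicators as written on the page, refanged for matching.
C2_DOMAINS = tuple(refang(d) for d in ("orange-app[.]vip", "albamon[.]info", "albamon[.]live"))
RUN_VALUE = "specialyouttg0a"                       # Run value name from the IOC list
LOADER, SIDE_DLL = "wechatweb.exe", "cmcs21.dll"    # loader and the DLL it loads
DROPPED_FILES = {"lim_b_n.hwp", "cmcs21.dll", "wechatweb.exe", "yga.txt"}

# A screensaver executable carrying a document extension before .scr (T1036).
DOUBLE_EXT_SCR = re.compile(r"\.(hwp|hwpx|doc|docx|pdf|xls|xlsx)\.scr$", re.IGNORECASE)
# %Public%\<6 random characters>.zip, assuming %Public% resolves to C:\Users\Public.
PUBLIC_ZIP = re.compile(r"^C:\\Users\\Public\\[A-Za-z0-9]{6}\.zip$", re.IGNORECASE)


@dataclass
class Event:
    """Minimal Sysmon-like record: 1 process create, 7 image load,
    11 file create, 13 registry value set, 22 DNS query."""
    event_id: int
    image: str = ""      # process that performed the action
    target: str = ""     # loaded DLL, created file, registry object, or queried name


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_c2_domain(name: str) -> bool:
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def detect(events):
    """Return (rule, evidence) pairs for every event matching one of the page's indicators."""
    hits = []
    for ev in events:
        if ev.event_id == 1 and DOUBLE_EXT_SCR.search(_basename(ev.image)):
            hits.append(("T1036 document-named .scr executed", ev.image))
        if ev.event_id == 7 and _basename(ev.image) == LOADER and _basename(ev.target) == SIDE_DLL:
            hits.append(("T1129 wechatweb.exe loaded cmcs21.dll", ev.target))
        if ev.event_id == 11 and PUBLIC_ZIP.match(ev.target):
            hits.append(("T1027 random-named zip written to %Public%", ev.target))
        if ev.event_id == 11 and _basename(ev.target) in DROPPED_FILES:
            hits.append(("known dropped filename created", ev.target))
        if (ev.event_id == 13 and "\\currentversion\\run\\" in ev.target.lower()
                and ev.target.lower().endswith("\\" + RUN_VALUE)):
            hits.append(("T1547.001 Run value " + RUN_VALUE + " set", ev.target))
        if ev.event_id == 22 and _is_c2_domain(ev.target):
            hits.append(("T1071.001 lookup of known C2 domain", ev.target))
    return hits


# Constructed telemetry mirroring the chain; paths other than %Public% are assumed.
SCR = r"C:\Users\victim\Downloads\Job Application Letter.hwp.scr"
LOADER_PATH = r"C:\Users\Public\wechatweb.exe"
SAMPLE_EVENTS = [
    Event(1, image=SCR),
    Event(11, image=SCR, target=r"C:\Users\Public\a8Kq2z.zip"),
    Event(11, image=SCR, target=r"C:\Users\Public\cmcs21.dll"),
    Event(7, image=LOADER_PATH, target=r"C:\Users\Public\cmcs21.dll"),
    Event(13, image=LOADER_PATH,
          target=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\specialyouttg0a"),
    Event(22, image=LOADER_PATH, target="ggt-send-6187.orange-app.vip"),
    Event(22, image=r"C:\Program Files\Browser\browser.exe", target="jobs.example.com"),  # benign, no hit
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

The rules deliberately key on the relationships the report describes (which process loads which DLL, where the ZIP lands, which Run value name appears) rather than on the file hashes alone, since hashes change between samples while the loader/DLL pairing and the value name are the parts an operator tends to reuse; the hashes from the IOC list can still be added as a separate exact-match rule.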

Read more: https://asec.ahnlab.com/en/53744/