Distribution of Malware Disguised as Coin and Investment-related Content

2023-08-09, Ahnlab
https://asec.ahnlab.com/en/55944/
#Kimsuky #Cryptocurrency

Contents

AhnLab Security Emergency response Center (ASEC) has recently confirmed the distribution of malware disguised with coin exchange and investment-related topics. The malware is being distributed in the form of an executable and a Word file. Based on the User-Agent name used in the malware, it is suspected that it was created by the Kimsuky group. The confirmed filenames are as follows:
Table 1. Confirmed filenames

| Date  | Filename |
|-------|----------|
| 07.17 | 20230717_030190045911.pdf .exe |
| 07.28 | 0728-We**Wallet Automatic Withdrawal of Funds.docx.exe (assumed) |
| 07.28 | 230728 We**Team – Wallet Hacking Similarities.docx.exe (assumed) |
| 07.28 | We** Team – Ban on Cloud Usage.doc |
Executables
The executables listed in Table 1 carry Word document and PDF icons so that they look like ordinary document files.
These malicious executables are self-extracting archives (SFX) that bundle legitimate-looking documents. When the executable is run, it drops these decoy document files onto the system.
Each dropped document impersonates asset management firms and coin exchanges. The contents of each document are as follows.
The archive content of each executable includes …
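The filenames in Table 1 rely on a document extension followed by whitespace or a second extension so that, with Windows hiding known extensions, only the ".pdf"/".docx" part is visible. The following heuristic, an added example that is not part of the ASEC post, flags that pattern in a list of filenames; the sample names are constructed from Table 1 plus a benign control, and the regex and thresholds are my own assumptions.

```python
import re

# Constructed sample: the filenames reported in Table 1 (en dashes written as
# hyphens) plus one benign control filename.
SAMPLE_NAMES = [
    "20230717_030190045911.pdf .exe",
    "0728-We**Wallet Automatic Withdrawal of Funds.docx.exe",
    "230728 We**Team - Wallet Hacking Similarities.docx.exe",
    "We** Team - Ban on Cloud Usage.doc",
    "quarterly_report.pdf",
]

DOC_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "hwp", "txt")
EXEC_EXTS = ("exe", "scr", "com", "pif", "bat", "cmd")

# "<name>.<document ext><optional whitespace>.<executable ext>" at end of name.
# The whitespace class covers ASCII, no-break and ideographic spaces.
MASQUERADE = re.compile(
    r"\.(?P<fake>" + "|".join(DOC_EXTS) + r")"
    r"(?P<pad>[ \u00a0\u3000]*)"
    r"\.(?P<real>" + "|".join(EXEC_EXTS) + r")$",
    re.IGNORECASE,
)


def classify(name: str):
    """Return (verdict, detail) for one filename: 'suspicious' or 'ok'."""
    m = MASQUERADE.search(name)
    if m is None:
        return "ok", ""
    detail = f".{m.group('fake').lower()} displayed, .{m.group('real').lower()} executes"
    if m.group("pad"):
        detail += "; whitespace padding pushes the real extension out of view"
    return "suspicious", detail


def scan(names):
    """Classify every name; returns a list of (name, verdict, detail)."""
    return [(n, *classify(n)) for n in names]


if __name__ == "__main__":
    for name, verdict, detail in scan(SAMPLE_NAMES):
        print(f"{verdict:10} {name!r} {detail}")
```

Note that the fourth entry, the plain .doc file, is not flagged: a filename heuristic only catches the double-extension trick, and a malicious Word document needs content-based checks (macros, external templates) instead.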

IoC
