Malicious Batch File (*.bat) Disguised as a Document Viewer Being Distributed (Kimsuky)
AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of malware in the form of a batch file (*.bat). This malware is designed to download different scripts depending on which anti-malware process, including AhnLab products, is running in the user's environment. Based on the function names used by the malware and the URL parameters of the downloads, it is suspected to have been distributed by the Kimsuky group.
Although the exact distribution path of the malware has not been confirmed, it appears that it is being distributed via email. As shown below, the identified batch files have been disguised to appear as viewers for document programs such as Word and HWP.
| Date of Identification | Filename |
|---|---|
| Mar. 22 | docview.bat |
| Mar. 28 | pdfview.bat |
| Jun. 12 | hwp.bat |
| Jun. 20 | docxview.bat |
| Jun. 21 | pdf.bat |
When the batch file is executed, it accesses Google Drive and Docs through the “explorer” command. Through this process, it executes a document file uploaded to Google Docs or Drive, making it appear as if a …
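One way to surface this decoy behaviour in endpoint telemetry, as an added example that is not part of the ASEC report: flag explorer.exe launches of a Google Docs/Drive URL whose parent is a .bat file run via cmd.exe, and raise the severity when the script carries one of the viewer-style names listed above. Field names follow Sysmon Event ID 1 conventions, and the sample events and document ids are constructed placeholders.

```python
import re

# Decoy viewer names reported in the table above; used only to raise severity.
DECOY_NAMES = {"docview.bat", "pdfview.bat", "hwp.bat", "docxview.bat", "pdf.bat"}
GOOGLE_DOC_URL = re.compile(r'https?://(docs|drive)\.google\.com/[^\s"]+', re.IGNORECASE)
BAT_PATH = re.compile(r'([^\s"]+\.bat)\b', re.IGNORECASE)

def find_decoy_launches(events):
    """Return one finding per explorer.exe process that opens a Google Docs/Drive
    URL and whose parent is cmd.exe executing a .bat script.
    Each event is a dict with pid, ppid, image and cmdline (Sysmon-style)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\explorer.exe"):
            continue
        url = GOOGLE_DOC_URL.search(e["cmdline"])
        parent = by_pid.get(e.get("ppid"))
        if url is None or parent is None:
            continue
        if not parent["image"].lower().endswith("\\cmd.exe"):
            continue
        bat = BAT_PATH.search(parent["cmdline"])
        if bat is None:
            continue
        script = bat.group(1).rsplit("\\", 1)[-1].lower()
        findings.append({
            "pid": e["pid"],
            "script": script,
            "url": url.group(0),
            "severity": "high" if script in DECOY_NAMES else "medium",
        })
    return findings

# Constructed sample telemetry (not real logs); PLACEHOLDER_ID stands in for a document id.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\Downloads\docview.bat"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\explorer.exe",
     "cmdline": r'explorer "https://docs.google.com/document/d/PLACEHOLDER_ID/edit?usp=sharing"'},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\tools\build.bat"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\explorer.exe",
     "cmdline": r'explorer "https://drive.google.com/file/d/PLACEHOLDER_ID/view"'},
    # A user opening a shared link directly: no .bat parent, so not flagged.
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": r'explorer "https://docs.google.com/document/d/PLACEHOLDER_ID/edit"'},
]

if __name__ == "__main__":
    for finding in find_decoy_launches(SAMPLE_EVENTS):
        print(finding)
```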
IoC