Malicious Word Document Being Distributed in Disguise of a News Survey
The ASEC analysis team discovered that the type of Word document identified in the blog post ‘Malicious Word Files Targeting Specific Individuals Related to North Korea’ has recently been using FTP to leak user credentials. The identified Word document is named ‘CNA[Q].doc’ and is disguised as an interview for a program on CNA, a Singaporean TV channel. The file is password-protected and is believed to be distributed as an email attachment together with the password.
Like the previous cases, the identified Word file contains content related to North Korea and includes a malicious VBA macro.
No image urging the user to enable macros appears when the document is opened, but the macro in the file contains the following code. It displays a message box telling the user that macros must be enabled as soon as the user begins typing. Thus, the user clicks the ‘Enable Content’ button in order to fill in the answers in the document, which executes the VBA …
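A static triage check for a macro like the one described above, added here as an example (it is not code from the ASEC report): it scans VBA source that has already been extracted from the document, for instance with olevba, and flags the auto-execution trigger, an ‘enable content’ message-box lure, and FTP/HTTP APIs that can carry data out. The indicator lists, weights and the sample macro text are constructed for this example.

```python
import re

# Indicator patterns run over VBA source already extracted from the document (e.g. with
# olevba). The lists are assumptions for this example, not rules from the ASEC report.
INDICATORS = {
    # procedures Word runs without a click once content is enabled
    "auto_exec": re.compile(r"\b(AutoOpen|AutoExec|AutoClose|Document_Open|Document_New|Document_Close)\b", re.I),
    # a MsgBox whose text pushes the user towards enabling content / macros
    "enable_lure": re.compile(r'MsgBox\s*\(?\s*"[^"]*enable[^"]*(content|macro)', re.I),
    # APIs and URL schemes used to move data out, including the FTP channel described above
    "exfil": re.compile(r"(ftp://|FtpPutFile|InternetConnect|URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest)", re.I),
    # ways a macro can spawn other code
    "exec": re.compile(r"\b(Shell|CreateObject|WScript\.Shell|PowerShell)\b", re.I),
}
# weight per category; an auto-exec trigger plus one exfil hit already crosses the threshold
WEIGHTS = {"auto_exec": 2, "enable_lure": 3, "exfil": 3, "exec": 1}
SUSPICIOUS_THRESHOLD = 5


def triage_vba(source: str) -> dict:
    """Return the distinct indicator strings found in `source`, grouped by category."""
    return {name: sorted({m.group(0) for m in rx.finditer(source)}, key=str.lower)
            for name, rx in INDICATORS.items()}


def risk_score(hits: dict) -> int:
    """Sum the weight of every category with at least one hit."""
    return sum(WEIGHTS[name] for name, found in hits.items() if found)


def verdict(source: str) -> str:
    return "suspicious" if risk_score(triage_vba(source)) >= SUSPICIOUS_THRESHOLD else "clean"


# Constructed sample: inert VBA text that only mirrors the behaviour the report describes
# (run on open, an 'enable content' prompt, an FTP destination); it does nothing by itself.
SAMPLE_VBA = '''\
Private Sub Document_Open()
    MsgBox "Please enable content to complete the survey"
End Sub
Sub SendResults()
    Set http = CreateObject("MSXML2.XMLHTTP")
    target = "ftp://example.invalid/upload"
End Sub
'''

if __name__ == "__main__":
    for category, found in triage_vba(SAMPLE_VBA).items():
        print(f"{category:12s} {found}")
    print("verdict:", verdict(SAMPLE_VBA))
```

Because the document in the report is password-protected, the VBA can only be extracted after the file is decrypted with the password sent alongside it; the encrypted file itself yields no macro source for this check to inspect.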
IoC