Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)

2023-01-17, Ahnlab
https://asec.ahnlab.com/en/45658/

Contents

On January 8th, the ASEC analysis team identified the distribution of a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro. This technique is called template injection, and a similar attack case was covered in a previous blog post.
When the Word document is opened, it downloads and executes an additional malicious Word macro document from the threat actor’s C&C server. The additionally executed macro is written so that a normal document file is opened simultaneously, in order to avoid users noticing that a macro code has been executed in the background.
The normal document file distributed with the malware by the threat actor has text written in Korean but includes Chinese fonts. From this, we can deduce that the threat actor is using a Chinese version of Word.
After executing the normal document, …

IoC
