Malware Disguised as HWP Document File (Kimsuky)
AhnLab Security Emergency response Center (ASEC) has recently confirmed that malware previously distributed in CHM and OneNote file formats is now being distributed as an executable. Because the wording used in the malware and the executed script code are similar to those of previously analyzed code, the same threat group (Kimsuky) is suspected to be behind this malware as well.
- Analysis Report on Malware Distributed by the Kimsuky Group – Oct 20, 2022
- OneNote Malware Disguised as Compensation Form (Kimsuky) – Mar 24, 2023
- CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky) – Mar 13, 2023
- Kimsuky’s Attack Attempts Disguised as Press Releases of Various Topics – May 25, 2022
- APT Attack Attempts Disguised as North Korea-Related Paper Requirements (Kimsuky) – Feb 22, 2022
The identified malware is distributed as a compressed file which contains a readme.txt along with an executable disguised with an HWP document file extension.
The readme.txt …
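As an added example (not ASEC's code), a defender-side check for the delivery layout described above: a compressed file holding a readme.txt beside an executable that carries an HWP document extension. It assumes the archive is a zip and that the disguise is either a double extension (such as `document.hwp.exe`) or a bare `.hwp` name over a PE image; the sample archive and its file names are constructed.

```python
"""Flag archive entries that pose as HWP documents but are executables."""
# Added example, not ASEC's code. Assumes a zip lure whose disguise is
# either a double extension (report.hwp.exe) or a .hwp name over PE bytes.
import io
import zipfile

PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # HWP 5.x is an OLE compound file
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def classify_entry(name, head):
    """Return a short finding for a suspicious entry, or None if it looks benign."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    # Double extension: an "hwp" token sits between the stem and a real executable extension.
    if len(parts) >= 3 and "hwp" in parts[1:-1] and "." + parts[-1] in EXEC_EXTS:
        return "double extension"
    # Name ends in .hwp, but the bytes are a PE image rather than an OLE/HWP container.
    if base.endswith(".hwp") and head.startswith(PE_MAGIC):
        return "PE content with .hwp extension"
    return None

def scan_zip(data):
    """Map suspicious entry names in a zip (given as bytes) to their finding."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the magic bytes are needed
            verdict = classify_entry(info.filename, head)
            if verdict:
                findings[info.filename] = verdict
    return findings

def build_sample():
    """Constructed archive mirroring the described layout (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Please open the attached document.\n")
        zf.writestr("document.hwp.exe", b"MZ" + b"\x00" * 62)  # constructed PE-like header
        zf.writestr("legit.hwp", OLE_MAGIC + b"\x00" * 8)      # constructed HWP-like header
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_zip(build_sample()))
```

The extension check is only a first filter; in practice the same header comparison should also run on any `.hwp` entry that turns out to be a zip container (HWPX) or a plain script.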
IoC