Malware Disguised as Normal Documents (Kimsuky)

2023-02-15, Ahnlab
https://asec.ahnlab.com/en/47585/
#Kimsuky

Contents

The ASEC analysis team has recently discovered that the malware introduced in the post <Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)> is being distributed to broadcasting and ordinary companies as well as to those in the security-related field. Like the malware introduced in that post, all of the malicious documents use the template injection technique: the document itself contains no macro but downloads a malicious Word macro document (a .dotm template) and executes it. The distributed filenames are as follows:
- [kbs Sunday Diagnosis] Questionnaire.docx
- Im ** Cover Letter.docx
- app-planning – copy.docx
To get the user to enable the malicious macro, the threat actor placed an image in the document that prompts the user to run the macro. The same image has been used continuously in earlier campaigns, which suggests that all of them come from the same operator.
Below is a list of the download URLs of the malicious Word macro documents we have additionally identified.
- hxxp://www.hydrotec.co[.]kr/bbs/img/cmg/upload2/init.dotm
- hxxp://www.hydrotec.co[.]kr/bbs/img/cmg/upload3/init.dotm
- hxxp://jooshineng[.]com/gnuboard4/adm/img/ghp/up/state.dotm
- hxxp://gdtech[.]kr/gnuboard4/adm/cmg/attatch/init.dotm
- hxxp://ddim.co[.]kr/gnuboard4/adm/cmg/upload/init.dotm
When the malicious macro inside the …
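The template-injection layout described above leaves a recognisable trace in the document package: the .docx carries no VBA itself, but its word/_rels/settings.xml.rels contains an attachedTemplate relationship with TargetMode="External" that points at the remote .dotm. The following Python script is an added detection example, not code from the AhnLab post or from lazarusholic; it builds a constructed, minimal .docx-shaped archive in memory (the template URL in it is a placeholder, not one of the real URLs above) and scans every .rels part for external template references, so the same function can be pointed at real attachments in a mail gateway or sandbox.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces / relationship types (standard values, not page-specific).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Extensions that indicate a macro-capable template target.
MACRO_TEMPLATE_EXTS = (".dotm", ".docm", ".dot")


def find_remote_templates(docx_bytes):
    """Return (rels_part, target) pairs for external template references.

    A template-injection document carries no macro of its own; its
    word/_rels/settings.xml.rels points at a remote .dotm that Word fetches
    when the file is opened. Any External relationship that is typed as
    attachedTemplate, or whose target looks like a macro template, is flagged.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        or target.lower().endswith(MACRO_TEMPLATE_EXTS)):
                    hits.append((name, target))
    return hits


def build_sample_docx(template_url=None):
    """Constructed minimal .docx-shaped archive for testing (not a real sample).

    With template_url set it mimics the template-injection layout; without it,
    it is a plain document with no external relationships.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        if template_url:
            zf.writestr("word/_rels/settings.xml.rels",
                        '<?xml version="1.0"?>'
                        '<Relationships xmlns="%s">'
                        '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                        '</Relationships>' % (REL_NS, ATTACHED_TEMPLATE, template_url))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL (assumption for the demo), not an indicator from the post.
    sample = build_sample_docx("http://template.example.invalid/upload/init.dotm")
    for part, url in find_remote_templates(sample):
        print("remote template reference in %s -> %s" % (part, url))
```

Run it against a real .docx by reading the file's bytes and passing them to find_remote_templates; an empty result means no external template link, while any hit is worth blocking or sandboxing, since a benign document rarely pulls its template from a web server.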