Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group)
Recently, the AhnLab SEcurity intelligence Center (ASEC) confirmed a phishing email attack in which the Kimsuky group disguised its message as a request for a paper review from a professor. The email prompted the recipient to open an attached HWP document file containing a malicious OLE object. The document was password-protected, and the recipient had to enter the password provided in the email body to view it. When the document was opened, six files were automatically created in the %TEMP% (temporary folder) path. To further prompt the user to check the content, the document body included a “More…” phrase carrying a hyperlink that executed “peice.bat”, one of the six files created. The table below shows the list of files created upon opening the document.
Figure 1. HWP document file containing malicious OLE object
(The content of the HWP file describes …
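The behaviour described above (a document process writing files into %TEMP% and then launching one of them as a script) can be expressed as a correlation rule over endpoint telemetry. The following is an added example, not code from ASEC: the event field names, the `Hwp.exe` image name, the paths, and every file name other than `peice.bat` are assumptions or constructed sample data, and it assumes the launched script's parent is the document process.

```python
import ntpath

DOC_APPS = {"hwp.exe"}  # assumption: image name of the HWP word processor
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1"}
TEMP_MARKER = "\\appdata\\local\\temp\\"  # default per-user %TEMP% location

def is_doc_app(image):
    return ntpath.basename(image).lower() in DOC_APPS

def detect(events):
    """Alert when a document app launches a script it dropped in %TEMP% itself."""
    dropped = {}  # document-app pid -> lower-cased paths it wrote under %TEMP%
    alerts = []
    for ev in events:
        if ev["type"] == "file_create" and is_doc_app(ev["image"]):
            path = ev["target"].lower()
            if TEMP_MARKER in path:
                dropped.setdefault(ev["pid"], set()).add(path)
        elif ev["type"] == "process_create" and is_doc_app(ev["parent_image"]):
            cmdline = ev["cmdline"].lower()
            written = dropped.get(ev["parent_pid"], set())
            for path in sorted(written):
                if ntpath.splitext(path)[1] in SCRIPT_EXTS and path in cmdline:
                    alerts.append({"parent_pid": ev["parent_pid"],
                                   "script": ntpath.basename(path),
                                   "dropped_count": len(written)})
    return alerts

# Constructed sample telemetry. Only the name peice.bat comes from the report;
# paths, pids and the other five file names are placeholders.
TEMP = r"C:\Users\user\AppData\Local\Temp"
HWP = r"C:\Program Files (x86)\Hnc\Office\Hwp.exe"
NAMES = ["peice.bat", "f1.tmp", "f2.tmp", "f3.tmp", "f4.tmp", "f5.tmp"]
SAMPLE = [{"type": "file_create", "pid": 4120, "image": HWP,
           "target": TEMP + "\\" + name} for name in NAMES]
SAMPLE += [
    # Benign: another HWP instance writes a temp file and launches nothing.
    {"type": "file_create", "pid": 5008, "image": HWP, "target": TEMP + r"\autosave.tmp"},
    # The hyperlink click: the document process starts the dropped batch file.
    {"type": "process_create", "parent_pid": 4120, "parent_image": HWP,
     "cmdline": 'cmd.exe /c "' + TEMP + r'\peice.bat"'},
    # Not flagged: same script, but the parent is not a document app.
    {"type": "process_create", "parent_pid": 900, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'cmd.exe /c "' + TEMP + r'\peice.bat"'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Matching on the drop-then-launch relationship rather than on the file name keeps the rule useful if the batch file is renamed.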