At the beginning of March this year, a wildfire broke out in the Samcheok and Uljin area, and people from all over Korea donated to help the victims and repair the damage. Amid this, the ASEC analysis team discovered an attacker attempting APT attacks disguised as donation receipts for the Uljin wildfire.
The file was created on March 28th, and its author name is the same one (Acer) introduced in the previous ASEC blog post.
Although the attack method and the file's features match those described in the previous post, this attack creates a batch file with a different name when the macro runs. The batch file was distributed as moster.bat, and its functionality is identical to that of "error.bat" in the previous post.
- C:\Users\Public\Documents\moster.bat -> Registers start.vbs in the Run key, runs no4.bat, and downloads additional files
- hxxp://nomonth-man.com/dfg04/%COMPUTERNAME%.txt (Additional file download URL)
It appears that the attacker is currently trying to expand their targeting beyond North Korea specialists and virtual asset professionals. Users must be cautious when opening attachments from emails or websites of unknown origin. When opening Word files, extra caution is needed if messages or images prompt the user to click Enable macro, as clicking it may run a malicious macro.
AhnLab’s anti-malware software, V3, detects and blocks files related to the attack using the aliases below.
[IOC]
[MD5]
– no1.bat : a0fddb12d7b3c445fdb7ab602a5bf5fb
– download.vbs : 85165e07b9f198a5e4047756eb779b46
– temp.doc : f248401769bbcd0ebeff992ef3cfe678
– moster.bat : 07232fe7144b0286eb5c9882834eea96
– no4.bat : 0b41f93365ec443406df942914317ec7
– start.vbs : 050e663bf6c97a953e25eb7e9754d656
– upload.vbs : a40eaa73ccffe4bc2233bdfd84fe2d62
[Detection Name (Engine ver.)]
– no1.bat : Trojan/BAT.Runner (2022.03.30.00)
– download.vbs : Downloader/VBS.Generic (2022.03.30.00)
– temp.doc : Trojan/DOC.Agent (2022.03.30.01)
– moster.bat : Trojan/VBS.Akdoor (2022.03.30.00)
– no4.bat : Trojan/VBS.Akdoor (2022.03.30.00)
– start.vbs : Trojan/VBS.Runner (2022.03.30.00)
– upload.vbs : Trojan/VBS.Akdoor (2022.03.30.00)
[C&C]
– hxxp://nomonth-man.com/uio04/upload.php
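As an added defensive example (this is not code from the ASEC post or from AhnLab), the following Python script turns the behaviour and indicators above into three host and network checks: matching file MD5s against the published hashes, flagging Run-key entries that reference start.vbs or the C:\Users\Public\Documents drop directory, and finding proxy log lines that contact nomonth-man.com on the /dfg04/<hostname>.txt or /uio04/upload.php paths. The hashes, host, paths and file names are the ones listed in the post; the sample Run-key entries and proxy log lines are constructed for the demonstration, and the value name "SystemUpdate" and the benign OneDrive entry are assumptions, not indicators from the post.

```python
import hashlib
import re
from typing import Iterable

# MD5 -> file name, quoted from the [MD5] IOC list in the post.
IOC_MD5 = {
    "a0fddb12d7b3c445fdb7ab602a5bf5fb": "no1.bat",
    "85165e07b9f198a5e4047756eb779b46": "download.vbs",
    "f248401769bbcd0ebeff992ef3cfe678": "temp.doc",
    "07232fe7144b0286eb5c9882834eea96": "moster.bat",
    "0b41f93365ec443406df942914317ec7": "no4.bat",
    "050e663bf6c97a953e25eb7e9754d656": "start.vbs",
    "a40eaa73ccffe4bc2233bdfd84fe2d62": "upload.vbs",
}
# C&C host and URL paths from the post (the post defangs them as hxxp://).
IOC_HOST = "nomonth-man.com"
IOC_PATH_RE = re.compile(r"^/(dfg04/[^/?#\s]+\.txt|uio04/upload\.php)$", re.IGNORECASE)
# Drop directory named in the post; script names are the .bat/.vbs IOC files.
DROP_DIR = r"c:\users\public\documents"
DROP_NAMES = tuple(n for n in IOC_MD5.values() if n.endswith((".bat", ".vbs")))

def md5_hex(data: bytes) -> str:
    """MD5 of a file's contents, for comparison with the published hashes."""
    return hashlib.md5(data).hexdigest()

def match_hash(md5: str):
    """Return the IOC file name for a known-bad MD5, or None if unknown."""
    return IOC_MD5.get(md5.lower())

def scan_files(files: dict) -> list:
    """files maps path -> content bytes; return (path, ioc_name) for known hashes."""
    hits = []
    for path, data in files.items():
        name = match_hash(md5_hex(data))
        if name:
            hits.append((path, name))
    return hits

def suspicious_run_value(command: str) -> bool:
    """True if a Run-key command references the drop directory or a dropped
    script name (the post says start.vbs is registered here for persistence)."""
    c = command.lower()
    return DROP_DIR in c or any(name in c for name in DROP_NAMES)

def check_run_entries(entries: dict) -> list:
    """entries maps Run-key value name -> command; return the suspicious names."""
    return [name for name, cmd in entries.items() if suspicious_run_value(cmd)]

# Accepts both live http(s):// and defanged hxxp:// forms.
URL_RE = re.compile(r"h(?:tt|xx)ps?://([^/\s]+)(/[^\s]*)?", re.IGNORECASE)

def check_proxy_log(lines: Iterable[str]) -> list:
    """Return (host, path) for log lines that reach the C&C host on a known path."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        path = (m.group(2) or "/").split("?")[0]   # drop any query string
        if host == IOC_HOST and IOC_PATH_RE.match(path):
            hits.append((host, path))
    return hits

# Constructed sample data (not from the post) to exercise the checks.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SystemUpdate": r'wscript.exe //B "C:\Users\Public\Documents\start.vbs"',
}
SAMPLE_PROXY_LOG = [
    "2022-03-29 09:14:02 10.0.0.17 GET http://www.example.com/index.html 200",
    "2022-03-29 09:15:41 10.0.0.17 GET http://nomonth-man.com/dfg04/DESKTOP-A1B2C3.txt 200",
    "2022-03-29 09:15:44 10.0.0.17 POST http://nomonth-man.com/uio04/upload.php 200",
    "2022-03-29 09:16:10 10.0.0.17 GET http://nomonth-man.com/static/logo.png 404",
]

if __name__ == "__main__":
    print("Run-key hits:", check_run_entries(SAMPLE_RUN_ENTRIES))
    print("Proxy hits:", check_proxy_log(SAMPLE_PROXY_LOG))
    print("Hash lookup:", match_hash("07232fe7144b0286eb5c9882834eea96"))
```

On a real host, feed `check_run_entries` the values read from HKCU and HKLM `Software\Microsoft\Windows\CurrentVersion\Run`, and `scan_files` the contents of anything found under C:\Users\Public\Documents; the proxy check is deliberately tolerant of the `%COMPUTERNAME%.txt` part of the download URL, since that segment differs per victim machine.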
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky) appeared first on ASEC BLOG.