Word documents with diplomatic/security-related content being distributed
2022-04-27 • AhnLab • Distributing Word documents containing diplomatic/security-related content.
AhnLab observed malicious Word documents themed around North Korean diplomacy and security, with filenames referring to North Korean foreign policy and analysis of a military parade. The documents carry obfuscated VBA macros that drop a file named version.ini under the user's Microsoft Templates directory and run it with wscript.exe, so the .ini extension is a disguise for script content rather than a configuration file. That script then tries to fetch and execute further code from URLs on g00gledrive.mywebcommunity[.]org and impartment.myartsonline[.]com, requesting list.php?query=1. AhnLab detects the documents as Downloader/DOC.Kimsuky and ties them to a recurring pattern from the same actor: removal of document protection, use of the password 1qaz2wsx, and near-identical macro execution logic. For defenders, the most durable signal is behavioural: an Office process spawning a script host on a .ini file under the Templates directory is anomalous regardless of which domains the next campaign uses, while the domain and hash indicators below are short-lived.
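The following is an added example, not code from the AhnLab write-up, showing how the execution chain described above can be triaged from endpoint telemetry. It runs two checks over a small set of constructed process-creation and HTTP events (the sample records, their field names, and the `//e:vbscript` engine flag on the wscript command line are assumptions made for the example; the report does not quote the exact command line): an Office parent launching wscript.exe or cscript.exe, or a script host running an .ini file under Microsoft\Templates, and an outbound request to one of the two listed domains, with the list.php?query=1 path noted as corroboration. It deliberately generalizes a little beyond the page by also treating cscript.exe, Excel and PowerPoint as script host and parent, since the same macro logic would work from those.

```python
import re
from urllib.parse import urlsplit

# Behavioural indicators from the write-up: the macro drops version.ini under the
# Microsoft Templates directory and runs it with wscript.exe. cscript.exe and the
# other Office binaries are added as an assumed generalization of the same pattern.
TEMPLATES_INI_RE = re.compile(r"\\Microsoft\\Templates\\[^\\\"']+\.ini\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Network indicators from the write-up (atomic IOCs; expect these to rotate).
IOC_DOMAINS = {"g00gledrive.mywebcommunity.org", "impartment.myartsonline.com"}
IOC_PATH = "/list.php"

# Constructed sample telemetry (not real captures). Field names mimic a typical EDR export.
SAMPLE_EVENTS = [
    # Benign: Word started from Explorer to open a document.
    {"id": 1, "type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\a\Documents\brief.docx"'},
    # Suspicious: Word spawning wscript.exe on an .ini file under Templates.
    # The //e:vbscript flag is an assumption; the report only says the file was run with wscript.exe.
    {"id": 2, "type": "process",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //e:vbscript "C:\Users\a\AppData\Roaming\Microsoft\Templates\version.ini"'},
    # Benign: a logon script run by wscript.exe from a normal parent and path.
    {"id": 3, "type": "process", "parent_image": r"C:\Windows\System32\userinit.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\corp\netlogon\logon.vbs"},
    # Suspicious: request to a listed domain using the downloader path.
    {"id": 4, "type": "http", "host": "g00gledrive.mywebcommunity.org",
     "url": "http://g00gledrive.mywebcommunity.org/list.php?query=1"},
    # Benign: same path on an unrelated host; path alone is not an indicator.
    {"id": 5, "type": "http", "host": "www.example.com",
     "url": "http://www.example.com/list.php?query=1"},
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def process_reasons(ev: dict) -> list:
    """Reasons a process-creation event matches the macro's execution chain."""
    reasons = []
    image = basename(ev["image"])
    parent = basename(ev["parent_image"])
    if image in SCRIPT_HOSTS:
        if parent in OFFICE_IMAGES:
            reasons.append("office-spawned-script-host")
        if TEMPLATES_INI_RE.search(ev["cmdline"]):
            reasons.append("script-host-running-templates-ini")
    return reasons


def http_reasons(ev: dict) -> list:
    """Reasons an HTTP event matches the downloader stage; domain match is required."""
    reasons = []
    parts = urlsplit(ev["url"])
    host = (parts.hostname or ev.get("host", "")).lower()
    if host in IOC_DOMAINS:
        reasons.append("known-c2-domain")
        if parts.path.lower() == IOC_PATH and "query=1" in parts.query:
            reasons.append("downloader-path")
    return reasons


def triage(events: list) -> dict:
    """Map event id -> list of match reasons for every event that matches at least one check."""
    hits = {}
    for ev in events:
        reasons = process_reasons(ev) if ev["type"] == "process" else http_reasons(ev)
        if reasons:
            hits[ev["id"]] = reasons
    return hits


if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(reasons))
```

Only events 2 and 4 are reported. Event 3 shows why the parent-process condition matters: wscript.exe itself is common on managed Windows estates, and event 5 shows why the list.php?query=1 path is kept as corroboration rather than a stand-alone indicator.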
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | g00gledrive.mywebcommunity.org | 2022-04-27 | 2023-11-01 |
| HASH | cb2a18028055cdf1582c1c5ac3756203 | 2022-04-27 | 2022-04-27 |
| HASH | 657b538698483f43aada2e5e4bc4a91d | 2022-04-27 | 2022-04-27 |
| HASH | 0a0f858beeb6914aaf07896b7790a1d4 | 2022-04-27 | 2022-04-27 |
| URL | http://impartment.myartsonline.… | 2022-04-27 | 2022-04-27 |
| URL | http://g00gledrive.mywebcommuni… | 2022-04-27 | 2022-04-27 |
| DOMAIN | impartment.myartsonline.com | 2022-04-27 | 2022-04-27 |