APT attack attempt against a specific person using a Word document (워드문서를 이용한 특정인 대상 APT 공격시도)

2021-07-15 AhnLab (ASEC): APT attack attempt against a specific person using a Word document

https://asec.ahnlab.com/ko/25351/


AhnLab describes a targeted malicious Word-document campaign that reuses the external-template (remote DOTM) macro pattern seen in earlier lures aimed at Korean political and policy-advisory circles. The recent DOCX files were themed around a biography, an inter-Korean summit, and U.S.-Korea dialogue. The DOCX itself carries no macro; when opened, it makes Word fetch a malicious DOTM template from attacker-controlled hosts, including tbear.mypressonline.com, modri.myartsonline.com, visul.myartsonline.com, ccav.myartsonline.com, and jupit.getenjoyment.net. The template's macro then launched PowerShell, reassembled obfuscated commands, downloaded further scripts (for example mo.txt), collected user information, and fetched additional payloads. The excerpt does not attribute the activity to a named DPRK actor; the targeting and the Korean political lures make it relevant to North Korea-focused tracking, but nothing in the source supports a firmer attribution.
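The remote-template technique above leaves a specific artifact in the DOCX package: a relationship of type attachedTemplate with TargetMode="External" in word/_rels/settings.xml.rels, whose Target is the URL Word fetches on open. The following is an added example, written for this page and not AhnLab's tooling, that builds a minimal DOCX in memory with such a relationship, extracts the remote template URL, and matches its host against IOC domains from the table below. The template path (sample.dotm) and the decoy content are constructed for the example; only the hostnames come from the IOC table. Local templates (file:/// paths to Normal.dotm) are also stored with TargetMode="External", so the check treats only http/https targets as remote template injection.

```python
"""Added example (not AhnLab's code): detect remote template injection in a .docx
and match the template host against IOC domains listed on this page."""
import html
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import urlparse

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Hosts from the IOC table on this page (a subset; extend with the full table).
IOC_HOSTS = {
    "tbear.mypressonline.com", "modri.myartsonline.com", "visul.myartsonline.com",
    "ccav.myartsonline.com", "jupit.getenjoyment.net",
}


def attached_template_targets(docx_bytes: bytes) -> List[str]:
    """Return every attachedTemplate Target with TargetMode="External" in the package.

    A .docx is a ZIP of OOXML parts; the link normally lives in
    word/_rels/settings.xml.rels, but every .rels part is scanned so a
    relationship placed in an unusual part is not missed.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                continue  # malformed part: skip it rather than abort the triage
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    targets.append(rel.get("Target", ""))
    return targets


def triage(docx_bytes: bytes) -> Tuple[List[str], List[str]]:
    """Return (remote http/https template URLs, IOC hosts among them).

    file:/// targets (a user's Normal.dotm) are normal and are not reported.
    """
    remote = [t for t in attached_template_targets(docx_bytes)
              if urlparse(t).scheme in ("http", "https")]
    hits = sorted({urlparse(t).hostname for t in remote} & IOC_HOSTS)
    return remote, hits


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (constructed test input, not a real lure).

    With template_target set, word/_rels/settings.xml.rels carries the external
    attachedTemplate relationship that the lures on this page used.
    """
    rel = ""
    if template_target:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{html.escape(template_target, quote=True)}" TargetMode="External"/>')
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
            '</Types>'),
        "_rels/.rels": (
            f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
            f'Type="{R_NS}/officeDocument" Target="word/document.xml"/></Relationships>'),
        "word/document.xml": (
            f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>decoy text</w:t>'
            '</w:r></w:p></w:body></w:document>'),
        "word/_rels/document.xml.rels": (
            f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
            f'Type="{R_NS}/settings" Target="settings.xml"/></Relationships>'),
        "word/settings.xml": (
            f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
            + ('<w:attachedTemplate r:id="rId1"/>' if template_target else '')
            + '</w:settings>'),
        "word/_rels/settings.xml.rels": f'<Relationships xmlns="{PKG_REL_NS}">{rel}</Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed URL: IOC host from the table, made-up path.
    print(triage(build_sample_docx("http://tbear.mypressonline.com/sample.dotm")))
```

In practice the remote URL is worth extracting even when the host is not in the IOC list: the template is fetched the moment the document is opened, before any macro prompt, so the relationship target is a higher-fidelity hunting artifact than the DOCX hash.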

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN jupit.getenjoyment.net 2021-07-15 2021-08-03
URL http://vbqwer.mypressonline.com… 2021-07-15 2021-07-15
URL http://jupit.getenjoyment.net/P… 2021-07-15 2021-07-15
URL http://ccav.myartsonline.com/of… 2021-07-15 2021-07-15
URL http://warcr.onlinewebshop.net/… 2021-07-15 2021-07-15
URL http://visul.myartsonline.com/y… 2021-07-15 2021-07-15
URL http://giruz.atwebpages.com/sw/… 2021-07-15 2021-07-15
URL http://tbear.mypressonline.com/… 2021-07-15 2021-07-15
URL http://btige.myartsonline.com/o… 2021-07-15 2021-07-15
URL http://visul.myartsonline.com/o… 2021-07-15 2021-07-15
URL http://ripzi.getenjoyment.net/P… 2021-07-15 2021-07-15
URL http://stair.myartsonline.com/o… 2021-07-15 2021-07-15
URL http://rster.atwebpages.com/an/… 2021-07-15 2021-07-15
URL http://mantc.getenjoyment.net/y… 2021-07-15 2021-07-15
URL http://visul.myartsonline.com/o… 2021-07-15 2021-07-15
URL http://stair.myartsonline.com/y… 2021-07-15 2021-07-15
URL http://tbear.mypressonline.com/… 2021-07-15 2021-07-15
URL http://modri.myartsonline.com/o… 2021-07-15 2021-07-15
URL http://tbear.mypressonline.com/… 2021-07-15 2021-07-15
URL http://chels.mypressonline.com/… 2021-07-15 2021-07-15
URL http://stair.atwebpages.com/ne/… 2021-07-15 2021-07-15
URL http://modri.myartsonline.com/g… 2021-07-15 2021-07-15
URL http://lovels.myartsonline.com/… 2021-07-15 2021-07-15
URL http://modri.myartsonline.com/o… 2021-07-15 2021-07-15
URL http://lovel.myartsonline.com/l… 2021-07-15 2021-07-15
URL http://obser.mygamesonline.org/… 2021-07-15 2021-07-15
URL http://benze.atwebpages.com/ki/… 2021-07-15 2021-07-15
URL http://ranso.myartsonline.com/P… 2021-07-15 2021-07-15
URL http://ccav.myartsonline.com/of… 2021-07-15 2021-07-15
URL http://lieon.mypressonline.com/… 2021-07-15 2021-07-15
URL http://warcr.onlinewebshop.net/… 2021-07-15 2021-07-15
DOMAIN vbqwer.mypressonline.com 2021-07-15 2021-07-15
DOMAIN stair.myartsonline.com 2021-07-15 2021-07-15
DOMAIN obser.mygamesonline.org 2021-07-15 2021-07-15
DOMAIN lieon.mypressonline.com 2021-07-15 2021-07-15
DOMAIN benze.atwebpages.com 2021-07-15 2021-07-15
DOMAIN mantc.getenjoyment.net 2021-07-15 2021-07-15
DOMAIN modri.myartsonline.com 2021-07-15 2021-07-15
DOMAIN lovels.myartsonline.com 2021-07-15 2021-07-15
DOMAIN ccav.myartsonline.com 2021-07-15 2021-07-15
DOMAIN rster.atwebpages.com 2021-07-15 2021-07-15
DOMAIN tbear.mypressonline.com 2021-07-15 2021-07-15
DOMAIN chels.mypressonline.com 2021-07-15 2021-07-15
DOMAIN giruz.atwebpages.com 2021-07-15 2021-07-15
DOMAIN stair.atwebpages.com 2021-07-15 2021-07-15
DOMAIN lovel.myartsonline.com 2021-07-15 2021-07-15
DOMAIN btige.myartsonline.com 2021-07-15 2021-07-15
DOMAIN ranso.myartsonline.com 2021-07-15 2021-07-15
DOMAIN visul.myartsonline.com 2021-07-15 2021-07-15
DOMAIN warcr.onlinewebshop.net 2021-07-15 2021-07-15
URL http://likel.atwebpages.com/bu/… 2021-07-02 2021-07-15
DOMAIN ripzi.getenjoyment.net 2021-07-02 2021-07-15
DOMAIN likel.atwebpages.com 2021-07-02 2021-07-15
