Malware disguised as a manuscript solicitation letter (targeting security-sector personnel)
2023-01-10 • AhnLab • Malware disguised as a manuscript solicitation letter targeting security-related personnel
AhnLab ASEC observed a malicious Word document being distributed to people working in the security field under the guise of a manuscript solicitation letter. The lure uses template injection: an external relationship inside the document package points at attacker-controlled C2 infrastructure, so when the file is opened Word fetches and runs an additional macro document from that server while displaying a benign Korean-language decoy. Because the macro lives in the remotely fetched template rather than in the lure itself, scanners that only look for embedded VBA will not flag the initial document; the external relationship is the artifact to hunt for. The follow-on script exfiltrated the user's Downloads-folder path, established persistence through a scheduled task, and collected information about installed antivirus products. ASEC linked the C2 IP 112.175.85.243 to phishing domains previously seen in a fake Kakao login-page campaign, suggesting the same operator. The listed indicators include Gnuboard4 paths on lifehelper[.]kr and MD5 hashes for the downloader documents and VBS components.
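The detection the paragraph above implies is a static check of the OOXML package for external relationships (the attachedTemplate relationship in `word/_rels/settings.xml.rels` is where template injection normally sits, and `document.xml.rels` is where external OLE or image links sit). The script below is an added example written for this page, not ASEC's tooling or a reproduction of the sample: it builds a constructed .docx in memory whose settings part points at an external template, enumerates every `TargetMode="External"` relationship in the package, and grades each target against the domain and IP from the indicator table. The template URL path used in the sample (`/hypothetical/template.dotm`) is made up for the demonstration and is not one of the truncated paths listed below.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Network indicators taken from the table on this page. The MD5 values there
# identify the documents themselves, so they are matched on the file, not here.
IOC_DOMAINS = {"lifehelper.kr"}
IOC_IPS = {"112.175.85.243"}


def external_targets(docx_bytes: bytes):
    """Yield (rels_part, relationship_type, target) for every relationship in
    any .rels part of the package whose TargetMode is External."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. attachedTemplate
                hits.append((name, rtype, rel.get("Target", "")))
    return hits


def classify(target: str) -> str:
    """known-ioc: host matches the indicator table; remote: fetched over the
    network from some other host; local: file:// or relative template path."""
    host = (urlparse(target).hostname or "").lower()
    if host in IOC_IPS or host in IOC_DOMAINS or any(
        host.endswith("." + d) for d in IOC_DOMAINS
    ):
        return "known-ioc"
    if re.match(r"^(https?|ftp)://", target, re.I) or target.startswith("\\\\"):
        return "remote"
    return "local"


def scan(docx_bytes: bytes):
    """Return one record per external relationship with its verdict."""
    return [
        {"part": part, "type": rtype, "target": target, "verdict": classify(target)}
        for part, rtype, target in external_targets(docx_bytes)
    ]


def build_sample_docx(template_url: str) -> bytes:
    """Construct a minimal .docx whose settings part carries an external
    attachedTemplate relationship (the injection layout, not a real sample)."""
    settings_rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
        f'Target="{template_url}" TargetMode="External"/></Relationships>'
    )
    document_rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}settings" Target="settings.xml"/>'
        f"</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the path is hypothetical, only the host is from the IOC table.
    sample = build_sample_docx("http://lifehelper.kr/hypothetical/template.dotm")
    for rec in scan(sample):
        print(rec)
```

Run it over a directory of mail attachments and treat any `known-ioc` or `remote` attachedTemplate as a detonation candidate; a `local` verdict (a file:// or relative path) is what ordinary corporate templates produce and is not on its own suspicious.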
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 112.175.85.243 | 2023-01-10 | 2024-10-04 |
| HASH | dd954121027d662158dcad24c21d04ba | 2023-01-10 | 2023-01-17 |
| HASH | 3fe5ce0be3ce20b0c3c9a6cd0dae4ae9 | 2023-01-10 | 2023-01-17 |
| HASH | 68e79490ed1563904791ca54c97b680a | 2023-01-10 | 2023-01-17 |
| HASH | 2244f8798062d4cef23255836a2b4569 | 2023-01-10 | 2023-01-17 |
| HASH | 2c9d6f178f652c44873edad3ae98fff5 | 2023-01-10 | 2023-01-17 |
| HASH | f22899abfa82e34f6e59fa97847c7dfd | 2023-01-10 | 2023-01-17 |
| URL | http://lifehelper.kr/gnuboard4/… | 2023-01-10 | 2023-01-17 |
| URL | http://lifehelper.kr/gnuboard4/… | 2023-01-10 | 2023-01-17 |
| URL | http://lifehelper.kr/gnuboard4/… | 2023-01-10 | 2023-01-17 |
| URL | http://lifehelper.kr/gnuboard4/… | 2023-01-10 | 2023-01-17 |
| URL | http://lifehelper.kr/gnuboard4/… | 2023-01-10 | 2023-01-17 |
| URL | http://lifehelper.kr/gnuboard4/… | 2023-01-10 | 2023-01-17 |
| DOMAIN | lifehelper.kr | 2023-01-10 | 2023-01-17 |