AhnLab recently discovered a series of malicious document files disguised as diplomatic and security-related content and urged users to be cautious.
Recently discovered cases include a document disguised as an interview questionnaire that induces the user to enable malicious macros in order to steal information, and malicious documents with diplomacy- and security-related titles distributed in messenger group chat rooms to encourage recipients to open them. Given the contents of these documents, the attackers are presumed to be targeting people working in the relevant fields, so experts in those fields in particular need to be careful.
The document discovered by AhnLab has the file name ‘CNA[Q].doc’ and contains questions about the government’s foreign and security policies. If the user starts typing a response, a message encouraging the use of macros and an ‘Enable Content’ button appear at the top of the document. When the user inadvertently presses the ‘Enable Content’ button, a malicious macro runs and sends the path and contents of the PC’s Recent folder, along with system information, to the attacker’s server.
This document also requires a password to open, and the attacker is presumed to have written the password in the body of the email that delivered it. This is presumed to serve two purposes: it hinders analysis, since the file cannot be opened without the password from the email body, and it ensures that only the recipient of the attack email can open it.
Malicious documents distributed mainly through messenger group chat rooms in which diplomacy and security experts participate are also being discovered on a regular basis.
In a recently discovered malicious document, the attacker attracted the recipient’s attention by including keywords related to international affairs, such as the Northern Limit Line (NLL) and the current state of Chinese politics, in the file name. The file name also included the real names of specific diplomacy and security experts to allay the recipient’s suspicion.
If the user opens the document, it connects to the attacker’s C2 server without the user’s knowledge. It is presumed that additional malware, such as information stealers and backdoors, is then downloaded from that server and installed on the user’s device.
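As an added example (not AhnLab’s code, and not a detection the article describes), the following Python script shows how a defender could spot the two behaviours described above in endpoint telemetry: an Office application spawning a shell or script host after macros are enabled, and an Office application opening an outbound connection to a non-internal address. The events are constructed Sysmon-style JSON records (the field names Image, ParentImage, CommandLine, DestinationIp and DestinationPort follow Sysmon’s), and the 203.0.113.0/24 addresses are documentation addresses standing in for an attacker server.

```python
"""Flag Office-process behaviour matching the macro activity the article describes.

Added example: the events below are constructed Sysmon-style records, not real
telemetry, and the 203.0.113.0/24 addresses are documentation addresses.
"""
import ipaddress
import json
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# RFC 1918 and loopback ranges; connections elsewhere count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample events: Sysmon Event ID 1 (process create) and
# Event ID 3 (network connection), one JSON record per line.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"EventID": 1, "Image": WORD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n CNA[Q].doc'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": WORD,
     "CommandLine": r'cmd.exe /c dir "%APPDATA%\Microsoft\Windows\Recent"'},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    {"EventID": 3, "Image": WORD, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": WORD, "DestinationIp": "10.1.2.3", "DestinationPort": 445},
)]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so rules are path-independent."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_internal(ip: str) -> bool:
    """True for RFC 1918 or loopback addresses; unparsable values are treated as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def analyze(raw_events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per event that matches either rule, in input order."""
    findings: List[Dict[str, str]] = []
    for line in raw_events:
        ev = json.loads(line)
        image = _basename(ev.get("Image", ""))
        if ev.get("EventID") == 1:
            # Rule 1: a macro that runs a command shows up as Word/Excel spawning a script host.
            parent = _basename(ev.get("ParentImage", ""))
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                findings.append({"rule": "office_child_process", "image": image,
                                 "parent": parent, "detail": ev.get("CommandLine", "")})
        elif ev.get("EventID") == 3:
            # Rule 2: the document itself reaching out to a non-internal server.
            dst = str(ev.get("DestinationIp", ""))
            if image in OFFICE_APPS and not _is_internal(dst):
                findings.append({"rule": "office_network_connection", "image": image,
                                 "detail": f"{dst}:{ev.get('DestinationPort')}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["rule"], f["image"], f["detail"])
```

The child-process rule is the higher-fidelity signal, since Office applications rarely need to launch cmd.exe or a script host; the network rule will also match legitimate traffic to Microsoft services, so in practice it is tuned with an allowlist or correlated with proxy logs. Blocking the behaviour outright, for example with Microsoft Defender’s attack surface reduction rule that prevents Office applications from creating child processes, complements the article’s advice not to press ‘Enable Content’.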
To prevent damage, users must follow basic security rules: ▲do not run document files from unknown sources or click the ‘Enable Content’ button ▲apply the latest security patches for programs such as office software, the OS, and the web browser ▲maintain basic security hygiene, such as keeping antivirus software up to date and running its real-time monitoring function.
Kim Geon-woo, head of AhnLab’s Security Response Center (ASEC), said, “Recently, malicious files are being distributed through various channels, including not only email but also messenger group chat rooms. Even for documents whose content is of interest, basic security rules must be observed, such as not running files of unknown origin and refraining from pressing ‘Enable Content.’”
Source: Pangyo Techno Valley Official Newsroom