Malware Disguised as HWP Document File (Kimsuky)
By ATCP
Published: 2023-06-15 · Archived: 2026-04-06 00:04:41 UTC

AhnLab Security Emergency response Center (ASEC) has recently confirmed that malware previously distributed in CHM and OneNote file formats is now being distributed as an executable. Because the wording used in the malware and the executed script code resemble those of previously analyzed samples, the same threat group (Kimsuky) is suspected to be behind this malware as well.

Related reports:
- Analysis Report on Malware Distributed by the Kimsuky Group – Oct 20, 2022
- OneNote Malware Disguised as Compensation Form (Kimsuky) – Mar 24, 2023
- CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky) – Mar 13, 2023
- Kimsuky's Attack Attempts Disguised as Press Releases of Various Topics – May 25, 2022
- APT Attack Attempts Disguised as North Korea-Related Paper Requirements (Kimsuky) – Feb 22, 2022

The identified malware is distributed as a compressed file containing a readme.txt together with an executable whose name is disguised with an HWP document file extension.

The readme.txt file contains the following message, which prompts users to open the malicious EXE file (Personal Data Leakage Details.hwp.exe). The malicious EXE file was compiled with .NET and uses the HWP document icon to pass itself off as a document file. Multiple spaces were also inserted into the file name so that the real file extension is pushed out of view.

The EXE file contains a PowerShell command encoded in Base64. When the file is executed, this command is decoded and saved as update.vbs in the %APPDATA% folder, and the generated update.vbs file is then executed through PowerShell. The following message box is then generated, making it difficult for users to realize that malicious behaviors are being performed. The message contains North Korean dialect, as shown in Figure 4 below.
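As an added example that is not part of the ASEC write-up, the following Python helper flags the file-name disguise described above: a document-style extension followed by padding spaces and the real executable extension. The extension sets and the archive listing are constructed for illustration and are not taken from the sample.

```python
from pathlib import PureWindowsPath

# Document-style extensions a user is meant to see (constructed list for this example).
DOC_EXTS = {".hwp", ".hwpx", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}
# Extensions Windows actually executes on double-click (constructed list for this example).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def analyze_filename(name: str) -> dict:
    """Split a Windows file name into the extension Windows acts on (real) and
    the document-style extension the user sees (fake). Spaces between the two
    are counted as padding that pushes the real extension out of view."""
    p = PureWindowsPath(name)
    real_ext = p.suffix.lower()
    stem = p.stem                  # everything before the real extension
    visible = stem.rstrip(" ")     # drop the whitespace padding
    padding = len(stem) - len(visible)
    fake_ext = PureWindowsPath(visible).suffix.lower()
    return {
        "real_extension": real_ext,
        "fake_extension": fake_ext,
        "padding_spaces": padding,
        "suspicious": real_ext in EXEC_EXTS and fake_ext in DOC_EXTS,
    }


def triage_archive(names: list[str]) -> list[str]:
    """Return one finding per disguised executable in an archive listing. A
    companion .txt is reported as a possible lure, as the sample shipped a
    readme.txt telling the victim which file to open."""
    findings = []
    has_text_lure = any(n.lower().endswith(".txt") for n in names)
    for n in names:
        r = analyze_filename(n)
        if not r["suspicious"]:
            continue
        msg = f"{n.strip()!r}: looks like {r['fake_extension']} but runs as {r['real_extension']}"
        if r["padding_spaces"]:
            msg += f", {r['padding_spaces']} padding spaces hide the real extension"
        if has_text_lure:
            msg += "; archive also contains a text file that may be a lure"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    # Constructed archive listing modelled on the described sample (not real data).
    listing = ["readme.txt", "Personal Data Leakage Details.hwp" + " " * 30 + ".exe", "Quarterly report.hwp"]
    for finding in triage_archive(listing):
        print(finding)
```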
The created update.vbs file contains obfuscated commands. Decoding them reveals code that downloads and executes an additional script from hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=1. Both the script hosted at that URL and the scripts it subsequently executes perform functions such as user credential theft and keylogging, consistent with the findings in the aforementioned report. The identified URLs and the features of the created files are as follows.

| URL and Filename | Feature |
| --- | --- |
| update.vbs | – Changes a certain registry<br>– Runs the script hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=1 |
| hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=1 | – Changes a certain registry<br>– Creates OfficeAppManifest_v[Min]_[Hr]_[Day] [Month].xml and registers it as a service<br>– Runs the script hxxp://well-story.co[.]kr/adm/inc/js/lib.php?idx=1 |
| OfficeAppManifest_v[Min]_[Hr]_[Day] [Month].xml | – Runs the script hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=6 |
| hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=6 | – Runs the script hxxp://well-story.co[.]kr/adm/inc/js/lib.php?idx=5 |
| hxxp://well-story.co[.]kr/adm/inc/js/lib.php?idx=5 | – Keylogger<br>– Transmits keylogging data to hxxp://well-story.co[.]kr/adm/inc/js/show.php |
| hxxp://well-story.co[.]kr/adm/inc/js/lib.php?idx=1 | – Collects user PC information<br>– Transmits the collected information to hxxp://well-story.co[.]kr/adm/inc/js/show.php |

Table 1. Features of the scripts found on a certain URL and the generated files

The information collected at this stage also matches that of the aforementioned report. Given that this malware type continues to be distributed, users are advised to exercise extra caution. Users should always verify the file extension before opening email attachments and refrain from executing files received from unknown sources.
[File Detection]
Dropper/Win.Agent.C5441936 (2023.06.16.02)
Trojan/VBS.Kimsuky (2023.03.21.03)
Trojan/PowerShell.Obfuscated (2023.03.14.00)
Trojan/PowerShell.KeyLogger (2023.05.09.00)

URL
http[:]//well-story[.]co[.]kr/adm/inc/js/lib[.]php?idx=1
http[:]//well-story[.]co[.]kr/adm/inc/js/lib[.]php?idx=5
http[:]//well-story[.]co[.]kr/adm/inc/js/list[.]php?query=1
http[:]//well-story[.]co[.]kr/adm/inc/js/list[.]php?query=6
http[:]//well-story[.]co[.]kr/adm/inc/js/show[.]php

Additional IOCs are available on AhnLab TIP.

Source: https://asec.ahnlab.com/en/54736/