# North Korea-linked APT attack found disguised as a digital asset wallet service customer center!

**blog.alyac.co.kr/4501** February 16, 2022

[Malware analysis report](https://blog.alyac.co.kr/category/%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C%20%EB%B6%84%EC%84%9D%20%EB%A6%AC%ED%8F%AC%ED%8A%B8) by Alyac 4, 2022. 2. 16. 14:55

Hello. This is the ESTsecurity Security Response Center (ESRC).

A malicious file disguised as a notice from the Klip customer center was recently discovered, and users need to be extra careful.

Klip is a digital asset wallet service developed by Ground X, the blockchain subsidiary of Kakao. The file found this time was distributed under the file name '[Klip Customer Center] Mistransmission_Token Resolution_Guide.doc'.

[Figure 1] Screen inducing users to click the Enable Content button

The file contains a malicious macro. It claims that the document is protected in order to convince users to click the Enable Content button. Once the user clicks Enable Content, the document displays text written as if it had been sent by the real Klip customer center, so the user mistakes it for a legitimate file.

[Figure 2] File disguised as a Klip customer center notice

However, the file carries the macro code, and the macro runs in the background.

[Figure 3] Macro included in the malicious file

When the macro is executed, it drops a file in XML format; the dropped file is executed automatically and then attempts to connect to the C&C server.

[Figure 4] XML file dropped after macro execution

At the time of analysis, however, the C&C server could not be reached, so no further analysis was possible.

This threat has been identified as an extension of the Smoke Screen campaign, one of the three major threats attributed to 'Thallium (also known as Kimsuky)'.
**IoC**

- hxxp://asenal.medianewsonline[.]com/good/luck/flavor/list.php?query=1
- hxxp://asenal.medianewsonline[.]com/good/luck/flavor/show.php

Alyac currently detects the file as Trojan.Downloader.DOC.Gen.

[Attribution-NonCommercial-NoDerivatives 4.0](https://creativecommons.org/licenses/by-nc-nd/4.0/deed.ko)
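One way to put the published IoCs to work on the defender's side, as an added example that is not part of ESRC's post: the script below refangs the two C&C URLs listed above and sweeps a web proxy log for requests to that host, distinguishing exact URL matches from same-host/different-path matches that still deserve triage. The five-field log format and the sample lines are constructed assumptions, not real traffic.

```python
import re
from urllib.parse import urlparse

# IoCs exactly as published in the post above, in defanged form.
DEFANGED_IOCS = [
    "hxxp://asenal.medianewsonline[.]com/good/luck/flavor/list.php?query=1",
    "hxxp://asenal.medianewsonline[.]com/good/luck/flavor/show.php",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("hxxp://", "[.]") back into a parseable URL."""
    ioc = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)


def ioc_index(iocs):
    """Build two lookup sets: known C&C hosts, and exact (host, path) pairs."""
    hosts, urls = set(), set()
    for ioc in iocs:
        u = urlparse(refang(ioc))
        host = (u.hostname or "").lower()
        hosts.add(host)
        urls.add((host, u.path))  # query string deliberately ignored for matching
    return hosts, urls


# Constructed sample proxy log (assumption, not real traffic). Assumed format:
# "<timestamp> <client_ip> <method> <url> <status>", one request per line.
SAMPLE_PROXY_LOG = """\
2022-02-16T14:55:01Z 10.0.0.21 GET http://asenal.medianewsonline.com/good/luck/flavor/list.php?query=1 200
2022-02-16T14:55:02Z 10.0.0.21 POST http://asenal.medianewsonline.com/good/luck/flavor/show.php 200
2022-02-16T14:56:10Z 10.0.0.33 GET https://www.example.com/index.html 200
2022-02-16T14:57:44Z 10.0.0.45 GET http://asenal.medianewsonline.com/other/path.php 404
"""


def scan_proxy_log(log_text: str, iocs=DEFANGED_IOCS):
    """Return one hit per request that touches a known C&C host.

    match == "url"  : host and path both equal a published IoC
    match == "host" : same host, different path (worth triage: the operator
                      may have rotated paths on the same server)
    """
    hosts, urls = ioc_index(iocs)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than abort the whole sweep
        ts, client, _method, url = fields[:4]
        u = urlparse(url)
        host = (u.hostname or "").lower()
        if host not in hosts:
            continue
        level = "url" if (host, u.path) in urls else "host"
        hits.append({"time": ts, "client": client, "url": url, "match": level})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['time']} {hit['client']} [{hit['match']}] {hit['url']}")
```

Matching on the parsed hostname rather than on the raw URL string keeps the check robust to scheme, port and query-string variations, while the separate "host" level surfaces the client on 10.0.0.45 that reached the same server through a path not in the published list.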