Malware disguised as a resume

This malware is one of the variants of the APT attack that the Kimsuky group has continued to attack South Korea. This variant, created on February 27, 2020, is a file titled “이력서 양식.hwp.scr”(“resume sample.hwp.scr” in English), which looks like a hwp file but as a scr (screen saver extension but executable as an exe) file. When executed, the script is executed and the Hangeul document file with the actual resume form is loaded as follows.

Analysis

MD5 : 47c95f19ebd745d588bb208ff89c90ba

It’s a fairly complex piece of malware that can’t be easily analyzed statically. Therefore, I tried analysis is based on behavior. When executed, the actions are as follows :

Create files

C:\Users[User]\AppData\Local\Temp\ÀÌ·Â¼­ ¾ç½Ä.hwp C:\Users[User]\AppData\Local\Temp\654A.tmp.db C:\Users[User]\AppData\Local\Temp\67DB.tmp.bat C:\Users[User]\AppData\Local\Temp\65E7.tmp.bat C:\Users[User]\AppData\Roaming\Microsoft\Windows\Defender\AutoUpdate.dll

### ÀÌ·Â¼­ ¾ç½Ä.hwp — After execution, the .scr file is replaced by this .hwp file. Actual resume form file.

### 654A.tmp.db — It is actually a dll and is injected into explorer.exe.

### 67DB.tmp.bat — Batch script that deletes the first executable file(.scr file).

### 65E7.tmp.bat — This batch script deletes the 654A.tmp.db file.

### AutoUpdate.dll — It is actually an exe executable and performs actual malicious behaviors such as connecting to the C & C server, tampering the registry, and injecting explorer.exe.

Network connections

http://suzuki.datastore.pe.hu (45.13.135.103:80) Attempt to connect to the C & C server.

Download additional malicious files through http://suzuki.datastore.pe.hu//?m=a&p1=5254004a04af&p2=win_6.1.7601-x32_DROPPER.

p1 contains the mac address, and p2 contains the version of Windows.

Registry tampering

Register AutoUpdate.dll with Registry Server using regsvr32.exe. Make it run every time the computer starts.

Injecting to explorer.exe

AutoUpdate.dll registered through regsvr32.exe infects explorer.exe. The execution graph is as follows: Source app.any.run

If you check the memory dump of explorer.exe, you can see that the malicious code is inserted inside explorer.exe.