Thallium Group launches cyber attack with documents of evaluation contents of the 8th party congress in DPRK.
Two malicious DOCX document files have been found using typical spear phishing techniques that induce infection by attaching malicious files to emails.
Two types of malicious document files were captured in this attack, and functionally analyzed in the same format.
● 2021-0112 종합 당대회평가.docx : 2021-0112 Comprehensive Party Congress Evaluation.docx
● 당대회 결론.docx: Conclusion of the party conference.docx
Each document file contains different contents, but in terms of threats, it performs the same actions and functions.
When the document is executed for the first time, the target address of’attachedTemplate’ declared in the’settings.xml.rels’ code inside the word (docx) is called as follows. The host server address used at this time is’reform-ouen[.]com/wp-includes/css/dist/nux/dotm/dwn.php?id=0119′.
If the command works, the following screen will be displayed temporarily during the actual document loading process.
At the time of analysis, normal communication with the server was not in progress, so the further threat process was not accurately reproduced. However, when comparing similar cases in the past, it is presumed that the process of downloading a template containing malicious macros was in progress.
Comparing the text displayed when each of the two documents is executed, one contains the contents of the evaluation (comprehensive) of the 8th Party Congress of North Korea, and the other contains the conclusions of Kim Jong-un’s 8th Party Congress.
2021-0112 종합 당대회평가.docx
(2021-0112 Comprehensive Party Congress Evaluation.docx)
(Party conference conclusion.docx)
Looking at the properties of each document file, I found that the author information is different, but the last modified’Freehunter’ account matches and the last modified date and time (2021-01-20 9:39 AM) are the same. .