The sophistication of cyberattacks continues to climb, with threat actors now leveraging something as innocuous as academic research papers to infect unsuspecting victims.
The recent discovery by AhnLab Security Intelligence Center (ASEC) highlights a new campaign by the notorious Kimsuky group, which has been targeting academics with a phishing scheme cleverly disguised as a routine request for a paper review.
The attack leverages password-protected files and trusted software to infiltrate and surveil its victims, demonstrating the evolving nature of advanced persistent threats (APTs).
Technical Analysis
The attack begins with a seemingly benign email, purportedly from a professor seeking feedback on a paper. The recipient is prompted to open a password-protected HWP document (HWP is a common Korean word-processor format).
The password is conveniently provided in the email body, lulling the target into a false sense of security.
Once the document is opened, a malicious OLE (Object Linking and Embedding) object embedded within the file springs into action, secretly creating six files in the system’s temporary folder.
These files, as shown in Table 1, include executables with valid signatures, PowerShell scripts, and configuration files.
One notable file, a batch script named “peice.bat,” orchestrates the next phase of the attack.
It deletes the original malicious document, renames and opens a seemingly legitimate file to reassure the user, and establishes persistence on the machine by registering a scheduled task.
The scheduled task, named “GoogleTransltatorExtendeds,” executes the malicious payload every 12 minutes.
The payload reads a configuration file, decodes a BASE64-encoded VBScript, and runs it to launch a PowerShell script.

This script gathers sensitive system information including process lists and installed antivirus software and exfiltrates this data to the attacker’s Dropbox.
The threat actor then follows up by downloading additional malicious files to the compromised host.
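The persistence step described above (a scheduled task that fires every 12 minutes and runs a script host on a file dropped in a temp folder) is a pattern defenders can hunt for directly in the task definitions Windows records. The following is an added example, not code from ASEC or from the article: it parses the Task Scheduler XML that Security event 4698 ("A scheduled task was created") carries in its TaskContent field, and that Export-ScheduledTask also returns, and flags tasks that combine a short repetition interval with a script interpreter launched from a user-writable path. The two task definitions are constructed for illustration (the task name is the one the article reports; the script path is made up), and the interval threshold and path watch-lists are assumptions.

```python
"""Flag scheduled tasks that fire every few minutes and launch a script host from a
user-writable folder, the persistence pattern described in the article.

Added example, not code from ASEC or the article. The two task definitions below
are constructed; the threshold and the watch-lists are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters commonly used to run a dropped script (assumed watch-list).
SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "pwsh", "cmd", "mshta")
# Directory fragments an ordinary user can write to (assumed watch-list).
USER_WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")


def parse_iso_duration_minutes(text: str) -> float:
    """Convert a Task Scheduler duration such as 'PT12M' or 'P1DT2H' to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def analyse_task(task_xml: str, max_minutes: float = 15.0) -> dict:
    """Return the task's name, repetition intervals, actions and the reasons it looks odd.

    A task is marked suspicious only when BOTH hold: it repeats at least every
    max_minutes AND one of its actions runs a script host on a file in a
    user-writable folder. Either signal alone is common in legitimate software.
    """
    root = ET.fromstring(task_xml)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    intervals = [parse_iso_duration_minutes(e.text or "")
                 for e in root.findall(".//t:Repetition/t:Interval", NS)]
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        actions.append(f"{cmd} {args}".strip())

    reasons = []
    short = [i for i in intervals if i <= max_minutes]
    if short:
        reasons.append(f"repeats every {min(short):g} min")
    bad_actions = [a for a in actions
                   if any(h in a.lower() for h in SCRIPT_HOSTS)
                   and any(d in a.lower() for d in USER_WRITABLE_DIRS)]
    for a in bad_actions:
        reasons.append(f"script host run from user-writable path: {a}")
    return {
        "name": name,
        "interval_minutes": intervals,
        "actions": actions,
        "reasons": reasons,
        "suspicious": bool(short) and bool(bad_actions),
    }


# Constructed: mirrors the task the article describes (name from the article;
# the dropped script's path and file name are made up).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleTransltatorExtendeds</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT12M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-01-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //E:vbscript C:\Users\victim\AppData\Local\Temp\update.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: a benign daily updater task for comparison.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\DailyUpdate</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for xml in (SAMPLE_TASK_XML, BENIGN_TASK_XML):
        r = analyse_task(xml)
        print(r["name"], "SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"])
```

Requiring both signals keeps the hunt usable on a fleet: plenty of vendor agents poll every few minutes, and plenty of logon scripts run from AppData, but a task that does both is rare enough to review by hand. In practice you would feed it the TaskContent of every 4698 event, or the output of Export-ScheduledTask over all registered tasks, and review the hits.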
Leveraging Legitimate Software for Covert Control
The attack’s second stage demonstrates a growing trend among APT groups: the misuse of legitimate remote administration tools.
In this instance, the threat actor utilizes AnyDesk, a widely used remote desktop application.
The PowerShell script downloads and places the files needed to set up AnyDesk on the victim’s system, but hides the application’s tray icon and window so that the user does not notice it.
The attacker replaces AnyDesk’s configuration files with their own, which contain connection IDs and hashed passwords, enabling remote access.
Since the software runs invisibly, the user remains blissfully unaware of the ongoing compromise unless they actively monitor their process list.
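Two artefacts of the stage described above survive on the endpoint and can be checked from an inventory a defender already collects: the remote-access binary itself (its parent process and its location) and its configuration file (whether an unattended-access password has been set). The following is an added example, not code from ASEC, the article or AnyDesk. The process snapshot and the configuration text are constructed; the expected install directories are assumptions; and the key names ad.anynet.id, ad.anynet.pwd_hash and ad.anynet.pwd_salt are assumed from AnyDesk's service.conf layout and should be confirmed against a known-good install before the check is deployed.

```python
"""Hunt for a remote-administration tool that was set up covertly by a script, the
second stage the article describes for AnyDesk.

Added example, not code from ASEC, the article or AnyDesk. The snapshot and the
config text are constructed; install paths and config key names are assumptions.
"""
from dataclasses import dataclass

REMOTE_TOOLS = {"anydesk.exe"}  # extend with other remote-access binaries as needed
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
# Where a normally installed AnyDesk lives (assumed; adjust to your deployment).
EXPECTED_DIRS = ("c:\\program files (x86)\\anydesk\\", "c:\\program files\\anydesk\\")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


def find_suspicious_remote_tools(procs: list[Proc]) -> list[dict]:
    """Return one finding per remote-tool process that has at least one red flag:
    started by a script host, or running outside its expected install directory."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.name.lower() not in REMOTE_TOOLS:
            continue
        reasons = []
        parent = by_pid.get(p.ppid)
        if parent and parent.name.lower() in SCRIPT_HOSTS:
            reasons.append(f"spawned by script host {parent.name} (pid {parent.pid})")
        if not p.path.lower().startswith(EXPECTED_DIRS):
            reasons.append(f"running from unexpected location {p.path}")
        if reasons:
            findings.append({"pid": p.pid, "name": p.name, "reasons": reasons})
    return findings


def parse_anydesk_conf(text: str) -> dict:
    """Parse the key=value lines of an AnyDesk .conf file into a dict (blank and
    malformed lines are skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def unattended_access_configured(conf: dict) -> bool:
    """True when the config carries a password hash and salt, i.e. password-based
    unattended access is enabled (key names assumed). On hosts where the
    organisation never enabled this, its presence is worth an alert."""
    return bool(conf.get("ad.anynet.pwd_hash")) and bool(conf.get("ad.anynet.pwd_salt"))


# Constructed process snapshot: a script-launched AnyDesk in a user profile beside
# a normally installed instance started by the service control manager.
SAMPLE_PROCESSES = [
    Proc(4, 0, "System", ""),
    Proc(900, 4, "services.exe", "C:\\Windows\\System32\\services.exe"),
    Proc(950, 900, "svchost.exe", "C:\\Windows\\System32\\svchost.exe"),
    Proc(1000, 950, "wscript.exe", "C:\\Windows\\System32\\wscript.exe"),
    Proc(1240, 1000, "powershell.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    Proc(1300, 1240, "AnyDesk.exe", "C:\\Users\\victim\\AppData\\Roaming\\AnyDesk\\AnyDesk.exe"),
    Proc(2200, 900, "AnyDesk.exe", "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"),
]

# Constructed config with placeholder values (the hash and salt are not real).
SAMPLE_SERVICE_CONF = """\
ad.anynet.id=123456789
ad.anynet.alias=
ad.anynet.pwd_hash=PLACEHOLDER_HASH
ad.anynet.pwd_salt=PLACEHOLDER_SALT
"""

if __name__ == "__main__":
    for f in find_suspicious_remote_tools(SAMPLE_PROCESSES):
        print(f["name"], f["pid"], f["reasons"])
    conf = parse_anydesk_conf(SAMPLE_SERVICE_CONF)
    print("unattended access configured:", unattended_access_configured(conf))
```

The process check is the one that catches the article's scenario even when the tool is hidden from the tray and from the desktop: a window can be suppressed, but the parent-child relationship and the image path are recorded at process creation and remain visible in EDR or Sysmon telemetry. The configuration check complements it on hosts where AnyDesk is legitimately installed, since an unattended-access password appearing on a machine where the organisation never set one is the change the attacker has to make to connect back.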
The Evolving Threat Landscape
The Kimsuky group’s tactics highlight a broader shift in cyber espionage. By disguising malware as research papers and exploiting trusted software, attackers increase their chances of successful infiltration.
This campaign also highlights the increasing reliance on cloud storage services like Google Drive and Dropbox as command and control (C2) channels, making detection and mitigation more challenging.
Security experts urge users to exercise caution when opening files from unknown sources, especially those requiring passwords.
Checking file extensions and verifying the sender’s identity before opening attachments remains a vital precaution in defending against such insidious threats.
As APT actors continue to refine their techniques, vigilance and education are the best defenses against these hidden dangers.