Location-Aware Malware Targets Japanese and Korean Endpoints
- New malware samples use location awareness to specifically target Japanese and Korean endpoints.
- The malware uses two techniques to determine the location in which it is being executed and ensures that the payload will only be triggered in these regions.
- This approach matches two trends: 1) docs performing regional checks in targeted attacks, and 2) attackers employing steganography to hide payloads within images.
We recently detected a number of samples as part of a malware campaign disseminated via spam email which uses location awareness to specifically target Japanese and Korean endpoints. The emails include an attachment containing a macro embedded into an Excel spreadsheet and utilise social engineering to persuade the user to enable macros in order to infect the endpoint:
Once the user has enabled macros, the malware uses two techniques to determine the location in which it is being executed and ensures that the payload will only be triggered in these regions:
First, the malware calls a function named ZeRo to check that the first character of the default currency symbol used by Excel, when converted to ASCII, has the value 92 (0x5c). Windows uses the Code Page 932 character set to display Japanese characters and, in that encoding, the byte 0x5c is displayed as the symbol for the Japanese Yen. Similarly, Code Page 949 is used to translate Korean characters, and there the value 0x5c corresponds to the symbol for the South Korean Won. If the value of the character denoting the currency is anything else, the check fails and the malware does not detonate. The second check, found in the function DateAndTime, retrieves the Windows language settings for the targeted machine and returns an integer value. This is compared with the hardcoded values Windows uses to denote Japanese and Korean language configurations (81 and 82).
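As an added illustration (not code from this post or from the campaign), the following Python heuristic flags dumped macro source that gates execution on the two checks described above. The macro text is constructed for the example, and the Application.International calls are an assumption about how a macro might read the currency symbol and country code.

```python
import re

# Constructed macro text standing in for what an analyst sees after dumping a
# document's VBA. The Application.International calls are an assumption about
# how the currency symbol and country code are read; the function names and
# constants 92 / 81 / 82 are the ones the post describes.
SAMPLE_VBA = """
Private Function ZeRo() As Boolean
    Dim cur As String
    cur = Application.International(xlCurrencyCode)
    ZeRo = (Asc(Left(cur, 1)) = 92)
End Function

Private Function DateAndTime() As Integer
    DateAndTime = Application.International(xlCountryCode)
End Function

Sub Workbook_Open()
    If ZeRo() And (DateAndTime() = 81 Or DateAndTime() = 82) Then
        ' second stage would be assembled here
    End If
End Sub
"""

# Constructed benign macro that also uses Asc(), to show the heuristic stays quiet.
BENIGN_VBA = """
Sub FormatCells()
    If Asc(Left(ActiveCell.Value, 1)) = 65 Then ActiveCell.Font.Bold = True
End Sub
"""

# On CP932 (Japanese) and CP949 (Korean) hosts byte 0x5C is displayed as the
# Yen / Won sign, so a macro comparing Asc() of the currency symbol with 92
# is keyed to those locales rather than to the symbol a Western user sees.
CURRENCY_MARKER_RE = re.compile(r"Asc\s*\(.*?=\s*(92|&H5C)\b", re.IGNORECASE)
REGION_CODE_RE = re.compile(r"=\s*(81|82)\b")
REGION_CODES = {81: "Japan", 82: "Korea"}


def locale_gating_indicators(vba_source: str) -> dict:
    """Flag macro source that gates execution on a Japanese/Korean locale."""
    currency_check = CURRENCY_MARKER_RE.search(vba_source) is not None
    codes = sorted({int(m.group(1)) for m in REGION_CODE_RE.finditer(vba_source)})
    return {
        "currency_marker_check": currency_check,
        "region_codes": codes,
        "regions": [REGION_CODES[c] for c in codes],
        "locale_gated": currency_check and bool(codes),  # both checks present
    }
```

A sample that fires this heuristic will not detonate in a sandbox configured with Western locale settings, so the flag is a cue to re-run analysis under a Japanese or Korean locale.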
Only if these two checks pass will the application piece together an obfuscated PowerShell script which, when executed, proceeds to pull a further payload from a remote server:
Once deobfuscated, we see that it is using a binary OR algorithm to decode a final payload from the bitmap of a set of images hosted on popular image sharing websites:
The image in question:
These findings follow a trend we have observed recently of increasing numbers of documents performing regional checks in targeted attacks to thwart attempts at automated analysis by sandbox applications. Additionally, it shows that attackers are employing steganography to hide payloads within images such that they are less likely to be identified as malicious and taken down.
Bromium protects users against all threats of this kind by using virtualisation to run email attachments in an isolated environment where they have no access to the wider system and no ability to persist after being executed. This means that, unlike traditional security, Bromium protects against as yet unknown threats since virtualisation provides a secure environment for malware to execute regardless of whether it is detected or not.