Beware of Weaponized Research Papers That Deliver Malware Via Password-Protected Documents

A newly identified malware campaign orchestrated by the notorious Kimsuky group has been leveraging password-protected research documents to infiltrate academic networks and compromise sensitive systems.

This sophisticated attack represents a significant evolution in social engineering tactics, exploiting the academic community’s inherent trust in scholarly communications to deliver multi-stage malware payloads that establish persistent remote access capabilities.

The cybersecurity landscape has witnessed an alarming trend where threat actors increasingly exploit legitimate academic processes to bypass traditional security measures.

The Kimsuky group, a well-established advanced persistent threat actor, has recently deployed a particularly insidious campaign that masquerades malicious payloads as legitimate research paper review requests from professors.

This attack vector capitalizes on the academic community’s collaborative nature and the routine exchange of research documents, making detection significantly more challenging for both automated systems and human recipients.

The campaign’s methodology involves distributing phishing emails that appear to originate from academic institutions, complete with authentic-looking subject lines and sender credentials that reference actual research topics.


Recipients receive what appears to be a standard academic correspondence requesting document review, accompanied by a password-protected HWP (Hangul Word Processor) file attachment.

The use of password protection serves a dual purpose: it bypasses many automated security scanning systems that cannot analyze encrypted content, while simultaneously adding a veneer of legitimacy that users associate with sensitive academic materials.

ASEC analysts identified this campaign through comprehensive threat intelligence gathering and incident response activities, noting the sophisticated nature of the social engineering component combined with advanced technical execution.

The researchers observed that the malicious documents contained expertly crafted content related to contemporary geopolitical topics, specifically focusing on military technology analysis of the Russo-Ukrainian conflict, which would naturally appeal to defense and security researchers.

The impact of this campaign extends beyond individual system compromises, as academic institutions often serve as repositories for sensitive research data and maintain extensive network connections with government agencies and private sector partners.

The threat actors’ ability to establish persistent remote access through legitimate remote desktop software creates opportunities for extensive data exfiltration and lateral movement within institutional networks.

Infection Mechanism and Technical Implementation

The malware’s infection chain demonstrates remarkable technical sophistication, beginning with the exploitation of malicious OLE (Object Linking and Embedding) objects embedded within the password-protected HWP documents.

HWP document file containing malicious OLE object (Source – ASEC)

Upon opening the document with the provided password, the malicious OLE object automatically triggers the creation of six distinct files in the system’s temporary directory.

These files include “app.db” (an executable with a valid signature), “get.db” (a PowerShell script for system reconnaissance), “hwp_doc.db” (the legitimate bait document), “sch_0514.db” (XML scheduler configuration), “mnfst.db” (configuration file), and “peice.bat” (execution orchestrator).

The document presents seemingly legitimate academic content while containing a hyperlinked “More…” phrase that serves as the infection trigger, executing the “peice.bat” file when clicked.

This batch file orchestrates a complex series of operations, including deleting the original malicious document, renaming the legitimate bait file to maintain the illusion of normal document access, and establishing persistence through scheduled task registration.

The malware employs a sophisticated obfuscation technique using BASE64-encoded VBScript embedded within manifest files, as demonstrated in the configuration data:

On Error Resume Next:Set ws = CreateObject("WScript.Shell"):ws.run "powershell.exe -executionpolicy remotesigned -file c:\users\public\music\template.ps1",0,false

The “template.ps1” PowerShell script performs comprehensive system reconnaissance, collecting process lists, antivirus information, and network configuration details before exfiltrating this data to threat actor-controlled Dropbox storage.

AnyDesk configuration files (Source – ASEC)

Subsequently, the malware downloads additional payloads that establish persistent remote access through legitimate AnyDesk software, with configuration files designed to hide the remote connection from users while providing attackers with unrestricted system access.
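As an added illustration (this is not ASEC's or the article's code), the chain described above can be turned into simple triage logic: decode a BASE64 manifest blob and flag the launcher traits it shows, and check process-creation events for the HWP → batch file → script host → PowerShell → AnyDesk pattern. The events, the manifest encoding and the Hwp.exe install path below are constructed assumptions; the field layout assumes Sysmon-style parent image, image and command line.

```python
import base64
import re

# Constructed sample: the VBScript one-liner from the article, BASE64-encoded the way the
# campaign hides it in its manifest file (the encoding is ours, not a real sample).
VBS_LINE = ('On Error Resume Next:Set ws = CreateObject("WScript.Shell"):ws.run '
            '"powershell.exe -executionpolicy remotesigned -file '
            'c:\\users\\public\\music\\template.ps1",0,false')
SAMPLE_MANIFEST_B64 = base64.b64encode(VBS_LINE.encode()).decode()

# Constructed process-creation events: (parent image, image, command line).
SAMPLE_EVENTS = [
    (r"C:\Program Files (x86)\Hnc\Hwp.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\peice.bat"'),
    (r"C:\Windows\System32\wscript.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -executionpolicy remotesigned -file c:\users\public\music\template.ps1"),
    (r"C:\Windows\explorer.exe", r"C:\Users\victim\AppData\Roaming\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

def decoded_script_findings(b64_blob):
    """Decode a BASE64 blob (as stored in the manifest) and list the launcher traits it shows."""
    text = base64.b64decode(b64_blob).decode("utf-8", errors="replace")
    findings = []
    if re.search(r'createobject\(\s*"wscript\.shell"', text, re.I):
        findings.append("vbs_wscript_shell")
    if re.search(r"powershell(\.exe)?\s.*-executionpolicy", text, re.I):
        findings.append("vbs_powershell_execpolicy")
    if re.search(r"\\users\\public\\", text, re.I):
        findings.append("script_in_users_public")
    return findings

def event_findings(parent, image, cmdline):
    """Heuristics keyed to the chain in the article; tune the paths to your own estate."""
    parent_l, image_l, cmd_l = parent.lower(), image.lower(), cmdline.lower()
    findings = []
    # Hangul Word Processor launching a batch file out of a temp directory.
    if parent_l.endswith("hwp.exe") and image_l.endswith("cmd.exe") and re.search(r"\\temp\\[^\s\"]+\.bat", cmd_l):
        findings.append("hwp_spawns_temp_bat")
    # Script host starting PowerShell with a relaxed policy and a script in a world-writable folder.
    if (parent_l.endswith(("wscript.exe", "cscript.exe")) and image_l.endswith("powershell.exe")
            and "-executionpolicy" in cmd_l and "\\users\\public\\" in cmd_l):
        findings.append("wscript_powershell_public_script")
    # AnyDesk executing from a user profile instead of an installed location (noisy; review, don't block).
    if image_l.endswith("anydesk.exe") and ("\\appdata\\" in image_l or "\\temp\\" in image_l):
        findings.append("anydesk_from_user_profile")
    return findings

def triage(events, manifest_b64):
    """Return the sorted, de-duplicated set of findings across events and the manifest blob."""
    hits = {f for ev in events for f in event_findings(*ev)}
    hits.update(decoded_script_findings(manifest_b64))
    return sorted(hits)
```

Each finding on its own is weak; the value is in seeing several of them on one host within a short window, which is what a correlation rule should key on.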


Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.