Analysis of Connection Between Malicious Hangul Word Processor Files (.hwp) by Theme

In the previous post, ASEC shared information on how the titles of the distributed malicious HWP files changed over the course of 3 months. This post is a follow-up that sheds light on new information about the relationship between the title categories.

Connection between Theme 1, Theme 2, and Theme 3

Similarities were found between the HWP files of Theme 1 (COVID19), Theme 2 (Real-estate), and Theme 3, the themes mentioned in the previous post. Between Theme 2 and Theme 3, the HWP files share similar key shellcode command patterns by which the EPS (Encapsulated PostScript) runs; between Theme 1 and Theme 3, the method of saving and running data in the early EPS is similar; and between Theme 1 and Theme 2, part of the data of the final downloaded PE contains similar strings. Judging by these similarities, we conclude that the HWP files of all three themes were distributed by the same attacker. Details are explained using the samples shown in the figures below.

Figure 1 – Similarity in the content of final EPS between Theme 2 and 3

As shown in Figure 1, the files representing Theme 2 and 3 use the final EPS shellcode to download and run additional malware. They share similar patterns and create a VBS file, which then downloads the additional file.

Figure 2 – Similarity in the first EPS between Theme 1 and 3

The files representing Theme 1 and 3 save execution code in a specific variable and run it via the exec command (see Figure 2). These two EPS codes connect to a specific network address and download an additional file.

Figure 3 – Similarity in the downloaded PE between Theme 1 and 2

The similarity between the DLLs downloaded by the representative files of Theme 1 and Theme 2 is shown above. Both files perform their malicious behavior by running an export function, and they use function names similar to those used in installer files. Furthermore, the DLL filename used by the Theme 1 DLL appears as the PDB path in Theme 2.

As shown above, the HWP file representing each theme shares properties with the file of another theme (Theme 1 – Theme 2 / Theme 2 – Theme 3 / Theme 1 – Theme 3). Because of this, we conclude that all three files are from the same developer group.

Connection with files in ‘Others’

The filenames listed in the previous post and categorized as ‘Others’ did not form groups with similar filenames, but despite the differences in filenames, these files still received the same hashtags.

Again, this is another indicator that the same developer group distributed the files using various filenames.

Files with same hashtag 1 / Files with same hashtag 2 / Files with same hashtag 3
Fair trade agreement for partner companies.hwp
scm inquiry.hwp
20200518.hwp
2020_05_22.hwp
\KakaoTalk Downloads\Profit Model.hwp
\KakaoTalk Downloads\Investment details.hwp
Resource.hwp
Legal comment.hwp
Off board stock sell info sheet.hwp
About establishment of juridical person.hwp
Bill of indictment.hwp
Audition guide.hwp

Each of the tables contains files that share the same hashtag. The files in these three groups contain essentially the same type of EPS, and the filenames of the files they additionally download are also identical. HWP files of this type use the same malicious behavior process seen in earlier files, and we assume that the attacker is the KONNI group.

The files of all three groups contain EPS with the same structure, shown below: an XOR-encoded shellcode executes in memory and downloads additional malicious files. The downloaded malicious files are named ‘vbs.txt’ and ‘no1.txt’. Ultimately, they can send user information and download further malicious files. While the HWP EPS of Theme 1, 2, and 3 create a VBS that downloads the additional malware, this KONNI type does not write the downloader shellcode to a file, but runs it in memory.

Figure 4 – Structure of EPS in HWP files of ‘Others’
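As an added example (not ASEC's tooling), the following Python scanner looks for the EPS traits described above: it decompresses a BinData stream the way HWP stores it (assumed to be raw deflate), then flags a hex blob stored in a variable, an XOR decode loop, the exec operator, and the ‘vbs.txt’ / ‘no1.txt’ names. The sample EPS is constructed stand-in input, and the indicator names and thresholds are this example's own assumptions.

```python
import re
import zlib

# Heuristics for the EPS traits described on this page (constructed here, not ASEC's rules).
EPS_INDICATORS = {
    "hex_blob_in_variable": re.compile(rb"/\w+\s*<[0-9A-Fa-f\s]{64,}>\s*def"),
    "exec_operator": re.compile(rb"\bexec\b"),
    "xor_decode_loop": re.compile(rb"\bxor\b[\s\S]{0,120}?\b(?:for|loop|repeat)\b"),
    "known_download_names": re.compile(rb"\b(?:vbs|no1)\.txt\b"),
}

def decompress_bindata(blob: bytes) -> bytes:
    # HWP stores BinData raw-deflate compressed (assumption: wbits=-15); fall back to
    # a zlib-wrapped stream, then treat the bytes as already uncompressed.
    for wbits in (-15, 15):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    return blob

def scan_eps(eps: bytes) -> list:
    """Names of the indicators present in one decompressed EPS stream, sorted."""
    return sorted(name for name, rx in EPS_INDICATORS.items() if rx.search(eps))

def scan_bindata_stream(blob: bytes) -> tuple:
    """Decompress one BinData stream and return (hits, verdict)."""
    hits = scan_eps(decompress_bindata(blob))
    # A lone exec is common in benign PostScript; two or more hits match the pattern above.
    return hits, ("suspicious" if len(hits) >= 2 else "clean")

def raw_deflate(data: bytes) -> bytes:
    """Compress as HWP stores BinData (used here only to build sample input)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

# Constructed stand-in for the Figure 4 structure: hex blob in a variable, XOR decode loop,
# exec, and the download names from the text. The hex is filler bytes, not shellcode.
SAMPLE_MALICIOUS_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n/payload <" + b"41" * 64 + b"> def\n/key 16#5A def\n"
    b"0 1 payload length 1 sub { payload exch 2 copy get key xor put } for\n"
    b"payload exec\n(vbs.txt) (no1.txt) pop pop\n"
)
SAMPLE_BENIGN_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n/Helvetica findfont 12 scalefont setfont\n"
    b"72 72 moveto (Hello) show showpage\n"
)

if __name__ == "__main__":
    for label, eps in (("malicious", SAMPLE_MALICIOUS_EPS), ("benign", SAMPLE_BENIGN_EPS)):
        print(label, scan_bindata_stream(raw_deflate(eps)))
```

To use it on a real document, feed each BinData stream of the HWP compound file to scan_bindata_stream; an OLE reader such as olefile is needed for that step and is not shown here.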

The attacker continually launches attacks using HWP files, and we expect them to keep deceiving users with various filenames and contents under different themes. AhnLab will continue to monitor changes in attack methods and share further findings. Meanwhile, users must refrain from opening document files sent by an unknown sender.

Some of the C2 servers confirmed from the above documents are as follows:
