Malicious HWP File with COVID-19 Relief Fund Related ‘Collection of Personal Information Consent Form’

The ASEC analysis team has discovered a malicious HWP file that hasn’t been distributed for some time. The HWP file that was last posted in April was inserted with a malicious link object inside, and it is the first time this year that a file inserted with malicious EPS was found. The file is also uploaded in VirusTotal, and judging by the fact that the filename is ‘test.hwp’ and ‘123.hwp,’ it is possible that the file was created for testing.

It must be noted that the same malicious RTF and internal shellcode from the recent blog post of ‘RTF Malware Disguised as a Cover Letter for a Particular Airline were used. The malicious URL that it attempted to connect to via this shellcode is the same one that the malicious HWP file used in 2019 as stated in the previous blog post.

Figure 1. Details within the document

Figure 2. Date of document creation/modification

The document takes the form of a consent form for the collection of personal information to apply for the COVID-19 relief fund, and it was last modified at the beginning of October this year. It appears that the attacker edited the normal original document.

The PS (Post Script) code of the malicious EPS inserted inside is encoded, and upon decrypting, internal shellcode is shown to exist.

Figure 3. Part of shellcode

Although it appears that it will ultimately download additional files from the following URL and inject them into explorer.exe, the team could not find out its further actions as additional data could not be downloaded from these URLs.

  • hxxps://gozdeelektronik[.]net/wp-content/themes/0111/movie.png
  • hxxps://gozdeelektronik[.]net/wp-content/themes/0111/movie.jpg

As the EPS vulnerability was patched in 2017, malicious behavior cannot occur in the latest version of HWP files. Users should refrain from opening files from unknown sources and update V3 and applications they use to the latest version. AhnLab’s anti-malware solution, V3, detects and blocks this malware using the aliases below.

[File Detection]
Exploit/HWP.Agent
Exploit/HWP.Generic

[Behavior Detection]
Malware/MDP.Behavior.M2411

[IOC]
e1f94437ea6cff17ea718bd152a9167f
9f03fd9d9703ce32fac2967f6bde1e08
hxxps://gozdeelektronik[.]net/wp-content/themes/0111/movie.png
hxxps://gozdeelektronik[.]net/wp-content/themes/0111/movie.jpg

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

0 0 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments