North Korea-related Hangul Word Processor (HWP) File Being Distributed

The ASEC analysis team has recently discovered that North Korea-related HWP file was being distributed. The operation method is not through a vulnerability, but instead, a hyperlink is inserted on the screen the user is exposed to upon running the file, prompting the user to click, and upon clicking, executables inside the file will run. Executables inside the file as such are often found in normal HWP files, and it can be considered a normal feature that is possible via object insertion. Once infected, it is set to run automatically every 121 minutes via the task scheduler, and it downloads external malicious files via Google Drive (https://drive.google.com) additionally. It also has the feature of hiding the detection screen of a V3 product in the process of operation. Although not a problem for the actual repair of malicious files, users should take extra caution as it is developed to be not recognized as a suspicious file. Caution is advised as North Korea-related malware is on the rise and attempts to avoid detection have been discovered.

  • Filename: ONN-Construction activities near Chamjin-ri and Kangson-Dec 2021.hwp

Upon running the HWP file, the user will see the figure below, and the files below that are inside the HWP file are created in the%TEMP% path.

  • ~DF9B1C729B001D998E.tmp
  • iphlpapi.dll
  • OneDriveStandaloneUpdater.exe
  • ONN-Construction activities near Chamjin-ri and Kangson-Dec 2021.tmp
Figure 1. Body of malicious HWP document file

Upon clicking “click here,” the TEMP%\OneDriveStandaloneUpdater.exe file is run via a hyperlink. The OneDriveStandaloneUpdater.exe file here is simply a normal OneDrive update program, but the DLL file iphlpapi.dll loaded when this program is run performs malicious behaviors.

When the iphlpapi.dll file has been loaded via OneDriveStandaloneUpdater.exe, two threads are executed.

The first thread reads the ~DF9B1C729B001D998E.tmp file in the same path and uses a particular parsing text (red section) to divide it into three, then each is decoded via Base64 to be saved as 1.bat, 1.tmp, and 2.tmp file in the %appdata%\Microsoft path.

Figure 2. Details on ~DF9B1C729B001D998E.tmp file

It then runs the 1.bat file.

The second thread uses ClassName of the V3 Lite product to find the window via the FindWindowA function, then uses the ShowWindow function to hide the window and repeats this process.

Figure 3. Code in second threat with the feature to hide V3 product

The window hidden via ClassName has been confirmed to be the same as the V3 malware block window as shown below, and although this window becomes hidden, the malware infection will be repaired normally.

Figure 4. Window hidden via malware

Once 1.bat file is run, it forcibly terminates OneDriverStandaloneUpdater.exe and moves the files that have been created as shown below, then assigns the colegg.vbs file to be run every 121 minutes using the task scheduler program, schtasks.

  • %appdata%\Microsoft\1.tmp -> %appdata%\colegg.vbs
  • %appdata%\Microsoft\2.tmp -> %appdata%\colegg.ps1
  • %temp%\ONN-Co~2021.tmp -> %userprofile%\Downloads\ONN-Co~2021.hwp

After forcibly terminating the HWP file, it runs the ONN-Co~2021.hwp file and deletes itself (1.bat file).

The ONN-Co~2021.hwp file that is run here is confirmed to be a North Korea-related document, and it is a normal HWP file.

Figure 5. Body of ONN-Co~2021.hwp document file

The colegg.vbs file that is registered to the task scheduler and is run repeatedly connects to Google Drive and brings sources of download pages for certain files (additional vbs files).

Figure 6. Details of colegg.vbs file

The files are not actually downloaded here, but instead, it brings the filenames only to decode strings between “johnbegin-” and “-johnend” via a specific decoding routine.

Figure 7. Google Drive page that downloads additional malicious files

Once the decoding is complete, a VB script as shown below appears, and this syntax is run via the Execute function.

Figure 8. Details of decoded script

Once this syntax is run, it is recorded on a particular Google Docs in the form of “-[Hostname]hwp[Current date/time]-” as shown in the figure below. Currently, there is only one PC recorded.

Figure 9. Details recorded on Google Docs

Although there is only a code to simply record the hostname of the infected PC on Google Docs, the attacker can send another command to the infected PC by modifying the filename.

As such, malicious North Korea-related files using various techniques including Hangul Word Processor document files are continually being distributed. Especially as the document file in this case is a normal HWP file when ultimately run, it is difficult for users to figure out that it is a malicious file. Thus, extra caution is needed.

V3 products detect such files using the following aliases:

Figure 10. Detection using V3 product

[File Detection]
Dropper/HWP.HyperLink
Trojan/Win.Kimsuky.C4848645
Trojan/PowerShell.Generic
Trojan/BAT.Generic
Trojan/VBS.Generic

[IOC Info]
3c45e0def2845cc130a9331c774d3935
a7077d9a2c98ec2d0b3b1c12f23b2a79
8ec6e4d3a6142b8bde35899e7fdae42e
41aca1d4282dfb41356ee95e933eedc1
a532a4fe38b76f53885158aa3b75e5dc

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOCs and detailed analysis information.

5 1 vote
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments