The ASEC analysis team has recently discovered that a North Korea-related HWP file is being distributed. The file does not exploit a vulnerability: instead, a hyperlink is placed on the screen the user sees when opening the file, prompting the user to click, and the click runs executables embedded inside the file. Such embedded executables are often found in legitimate HWP files, and embedding them is a normal feature available through object insertion. Once infected, the system is set to run the malware automatically every 121 minutes via the task scheduler, and the malware additionally downloads external malicious files via Google Drive (https://drive.google.com). It also hides the detection window of a V3 product while it runs. Although this does not interfere with the actual repair of the malicious files, users should take extra caution because the malware is designed to avoid being recognized as a suspicious file. Caution is advised, as North Korea-related malware is on the rise and attempts to evade detection have been observed.
- Filename: ONN-Construction activities near Chamjin-ri and Kangson-Dec 2021.hwp
When the HWP file is opened, the user sees the figure below, and the files below, which are embedded inside the HWP file, are created in the %TEMP% path.
- ONN-Construction activities near Chamjin-ri and Kangson-Dec 2021.tmp
Upon clicking “click here,” the %TEMP%\OneDriveStandaloneUpdater.exe file is run via the hyperlink. OneDriveStandaloneUpdater.exe itself is simply a legitimate OneDrive update program, but the DLL file iphlpapi.dll that is loaded when this program runs performs the malicious behavior.
When the iphlpapi.dll file has been loaded via OneDriveStandaloneUpdater.exe, two threads are executed.
The first thread reads the ~DF9B1C729B001D998E.tmp file in the same path and uses a particular separator string (the red section) to divide it into three parts; each part is then Base64-decoded and saved as 1.bat, 1.tmp, and 2.tmp in the %appdata%\Microsoft path.
It then runs the 1.bat file.
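To illustrate the first thread's unpacking step for analysts who need to reproduce it statically, here is an added Python triage helper that is not part of the original report or the malware. It splits a carrier blob on a separator, Base64-decodes the three segments and writes them out under the names the report gives (1.bat, 1.tmp, 2.tmp). The separator value `<<SEP>>` is a placeholder assumption, since the real one is only shown in the report's figure; the carrier blob below is constructed for the example, not the real ~DF9B1C729B001D998E.tmp.

```python
import base64
import tempfile
from pathlib import Path

# Placeholder: the real separator appears only in the report's figure
# (the red section), so this value is an assumption for the example.
SEPARATOR = b"<<SEP>>"

# Output names stated in the report (written to %appdata%\Microsoft by the malware).
OUTPUT_NAMES = ("1.bat", "1.tmp", "2.tmp")


def split_payload(blob: bytes, separator: bytes = SEPARATOR) -> dict:
    """Split the carrier blob into three Base64 segments and decode each one.

    Returns {output filename: decoded bytes}. Raises ValueError when the blob
    does not yield exactly three segments or a segment is not valid Base64,
    which is the signal an analyst wants when the separator guess is wrong.
    """
    parts = blob.split(separator)
    if len(parts) != len(OUTPUT_NAMES):
        raise ValueError(f"expected {len(OUTPUT_NAMES)} segments, got {len(parts)}")
    decoded = {}
    for name, segment in zip(OUTPUT_NAMES, parts):
        # Drop any line breaks or padding whitespace inside the segment; with
        # validate=True any remaining non-alphabet byte raises binascii.Error.
        cleaned = b"".join(segment.split())
        decoded[name] = base64.b64decode(cleaned, validate=True)
    return decoded


def write_segments(decoded: dict, out_dir) -> list:
    """Write each decoded segment to out_dir and return the sorted filenames."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    for name, data in decoded.items():
        (out / name).write_bytes(data)
    return sorted(p.name for p in out.iterdir())


# Constructed sample carrier: three harmless stand-in payloads, Base64-encoded
# and joined with the placeholder separator (not the real dropper content).
SAMPLE_PARTS = (
    b"@echo off\r\nrem constructed batch stub\r\n",
    b"' constructed vbs stub\r\n",
    b"# constructed ps1 stub\r\n",
)
SAMPLE_BLOB = SEPARATOR.join(base64.b64encode(p) for p in SAMPLE_PARTS)


def demo_extract(blob: bytes = SAMPLE_BLOB) -> list:
    """Unpack the sample blob into a fresh temp directory; returns the filenames."""
    return write_segments(split_payload(blob), tempfile.mkdtemp())


if __name__ == "__main__":
    for name, data in split_payload(SAMPLE_BLOB).items():
        print(f"{name}: {len(data)} bytes")
    print(demo_extract())
```

Point the function at the real carrier file with the separator taken from the figure; a ValueError means the separator guess did not produce three clean Base64 segments.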
The second thread uses the ClassName of the V3 Lite product to locate its window via the FindWindowA function, then hides the window with the ShowWindow function, and repeats this process.
The window hidden via this ClassName has been confirmed to be the V3 malware-blocking window shown below; although the window is hidden, the malware infection is still repaired normally.
Once the 1.bat file runs, it forcibly terminates OneDriveStandaloneUpdater.exe, moves the created files as shown below, and then registers the colegg.vbs file to run every 121 minutes using the task scheduler program schtasks.
- %appdata%\Microsoft\1.tmp -> %appdata%\colegg.vbs
- %appdata%\Microsoft\2.tmp -> %appdata%\colegg.ps1
- %temp%\ONN-Co~2021.tmp -> %userprofile%\Downloads\ONN-Co~2021.hwp
After forcibly terminating the HWP process, it runs the ONN-Co~2021.hwp file and deletes itself (the 1.bat file).
The ONN-Co~2021.hwp file that is run here is confirmed to be a North Korea-related document, and it is a normal HWP file.
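The schtasks registration above is the persistence artifact a defender can hunt for. The following Python script is an added example, not part of the report or of any AhnLab tooling: it parses the verbose CSV output of `schtasks /query /fo CSV /v` and flags tasks whose action is a script under AppData or whose repeat interval is 121 minutes. The CSV sample embedded below is constructed (hostnames, task names and paths are placeholders), and only the handful of columns used here are reproduced; the repeated-header quirk it includes is real schtasks behavior on some hosts.

```python
import csv
import io
import re

# "Repeat: Every" values look like "2 Hour(s), 1 Minute(s)" or "N/A".
REPEAT_HOURS = re.compile(r"(\d+)\s*Hour", re.I)
REPEAT_MINUTES = re.compile(r"(\d+)\s*Minute", re.I)

# Script interpreters launched on a .vbs/.ps1/.bat living under AppData.
SCRIPT_IN_APPDATA = re.compile(r"appdata\\.*\.(vbs|ps1|bat)\b", re.I)


def repeat_minutes(text: str):
    """Convert a schtasks 'Repeat: Every' string to minutes, or None if no repeat."""
    hours = REPEAT_HOURS.search(text or "")
    minutes = REPEAT_MINUTES.search(text or "")
    if not hours and not minutes:
        return None
    return (int(hours.group(1)) if hours else 0) * 60 + (int(minutes.group(1)) if minutes else 0)


def suspicious_tasks(csv_text: str, interval: int = 121) -> list:
    """Return tasks matching the persistence pattern described in the report."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # schtasks /v repeats the header line before some task groups; skip those rows.
        if row.get("TaskName") == "TaskName":
            continue
        command = row.get("Task To Run", "") or ""
        reasons = []
        if SCRIPT_IN_APPDATA.search(command):
            reasons.append("script under AppData")
        if repeat_minutes(row.get("Repeat: Every", "")) == interval:
            reasons.append(f"repeats every {interval} minutes")
        if reasons:
            hits.append({"task": row.get("TaskName"), "command": command, "reasons": reasons})
    return hits


# Constructed sample of schtasks verbose CSV output (placeholder names and paths).
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type","Repeat: Every"
"WORKSTATION-01","\ConstructedPersistence","wscript.exe C:\Users\victim\AppData\Roaming\colegg.vbs","One Time Only","2 Hour(s), 1 Minute(s)"
"HostName","TaskName","Task To Run","Schedule Type","Repeat: Every"
"WORKSTATION-01","\Example Benign Updater","C:\Program Files\Vendor\updater.exe","Daily","N/A"
'''


if __name__ == "__main__":
    for hit in suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(hit["task"], "->", hit["command"], "|", "; ".join(hit["reasons"]))
```

On a live host, feed the script the saved output of `schtasks /query /fo CSV /v` (on non-English Windows the column names and the "Hour(s)"/"Minute(s)" wording are localized, so adjust the patterns accordingly).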
The colegg.vbs file registered in the task scheduler runs repeatedly; it connects to Google Drive and retrieves the source of the download pages for certain files (additional VBS files).
The files themselves are not downloaded; instead, only their filenames are retrieved, and the strings between “johnbegin-” and “-johnend” are decoded via a specific decoding routine.
Once the decoding is complete, a VB script as shown below appears, and this syntax is run via the Execute function.
Once this script runs, a record in the form “-[Hostname]hwp[Current date/time]-” is written to a particular Google Docs document, as shown in the figure below. Currently, only one PC is recorded.
Although the current code only records the hostname of the infected PC on Google Docs, the attacker can send other commands to the infected PC simply by changing the filename.
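For analysts reviewing proxy logs or the retrieved page source, the two strings described above (the marked filenames and the beacon record) are what to look for. The following Python helper is an added example, not code from the report or from the malware: it pulls every string between “johnbegin-” and “-johnend” out of page text and parses beacon records of the form “-[Hostname]hwp[Current date/time]-”. The malware's decoding routine is not described in the report, so `placeholder_decode` assumes Base64 and can be swapped for the real routine; the exact date/time layout is likewise an assumption, and the page text and records below are constructed, not real Google Drive or Google Docs content.

```python
import base64
import re

START_MARK = "johnbegin-"
END_MARK = "-johnend"
MARKED_RE = re.compile(re.escape(START_MARK) + r"(.*?)" + re.escape(END_MARK), re.S)

# Beacon record format from the report: "-[Hostname]hwp[Current date/time]-".
# The timestamp layout is not given, so it is assumed to be digits with the
# usual date/time separators.
BEACON_RE = re.compile(r"^-(?P<host>[A-Za-z0-9_.\-]+?)hwp(?P<ts>\d[\d/:.\- ]*)-$")


def extract_marked(page_text: str) -> list:
    """Return every string found between the start and end markers."""
    return MARKED_RE.findall(page_text)


def placeholder_decode(encoded: str) -> str:
    """Stand-in for the undocumented decoding routine (assumed Base64 here)."""
    return base64.b64decode(encoded).decode("utf-8", errors="replace")


def decode_marked(page_text: str, decoder=placeholder_decode) -> list:
    """Decode each marked string with the supplied routine."""
    return [decoder(item) for item in extract_marked(page_text)]


def parse_beacon(record: str):
    """Split a beacon record into host and timestamp, or None if it does not match."""
    match = BEACON_RE.match(record.strip())
    if not match:
        return None
    return {"host": match.group("host"), "timestamp": match.group("ts")}


def find_beacons(records) -> list:
    """Return the parsed beacon records from an iterable of lines."""
    return [b for b in (parse_beacon(r) for r in records) if b]


# Constructed sample: two marked filenames on an otherwise ordinary page.
ENCODED_ONE = base64.b64encode(b"constructed command one").decode()
ENCODED_TWO = base64.b64encode(b"constructed command two").decode()
SAMPLE_PAGE = f"""<html><body>
<div class="file">{START_MARK}{ENCODED_ONE}{END_MARK}.vbs</div>
<div class="file">report.vbs</div>
<div class="file">{START_MARK}{ENCODED_TWO}{END_MARK}.vbs</div>
</body></html>"""

# Constructed sample of document lines containing two beacon records.
SAMPLE_RECORDS = [
    "-DESKTOP-AB12hwp2021-12-20 10:31:05-",
    "normal line",
    "-LAB-PC01hwp2021/12/21 09:00:00-",
]


if __name__ == "__main__":
    print("marked:", decode_marked(SAMPLE_PAGE))
    print("beacons:", find_beacons(SAMPLE_RECORDS))
```

Pass `decoder=` a callable implementing the routine recovered from colegg.vbs to replace the Base64 placeholder; the marker regex itself does not depend on the decoding.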
As shown here, malicious North Korea-related files using various techniques, including Hangul Word Processor (HWP) document files, continue to be distributed. Because the document that is ultimately opened in this case is a normal HWP file, it is difficult for users to realize that the original file was malicious. Thus, extra caution is needed.
V3 products detect such files using the following aliases:
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOCs and detailed analysis information.