Analysis of Connection Between Malicious Hangul Word Processor Files (.hwp) by Theme
Posted By janekyungjin, May 29, 2020
In the previous post, ASEC shared information on how the titles of the distributed malicious HWP files changed over the course of 3 months. This post is a follow-up to that post and sheds some light on new information about the relationship between the title categories. Connection between Theme 1, Theme 2, and Theme 3: similarities were found between the HWP files of Theme 1 (COVID19), Theme 2 (Real-estate), and the themes that were mentioned in the previous post….
Distribution of HWP Malware via Real-estate Investment Emails (Uses EPS)
Posted By janekyungjin, May 25, 2020
The distribution of malicious HWP files that has been increasing since April is still ongoing. In this blog, ASEC explains the Hangul Word Processor file (.HWP) disguised as a real-estate investment email (received last week) which is currently being distributed. Once a user opens the Hangul Word Processor file (.HWP) attached to the email, the malicious PostScript (EPS) within the HWP file activates and carries out malicious behavior. The EPS triggers the CVE-2017-8291 vulnerability so that the code inside starts…
Distribution of Malware Using Word File Disguised as Coin Company Recruitment Table Document
Posted By janekyungjin, May 14, 2020
On May 8, the AhnLab ASEC analysis team uploaded a post that shed some light on the distribution of malware that stole the certificate of a Korean gaming company. Since then, AhnLab ASEC has confirmed the distribution of malware of the same type that went through some modifications. These files use a variety of filenames, and further information is explained below. Like the case introduced in the previous blog post, this malware used the recruitment table of a coin company. Furthermore, the attacker…
Malware Stealing Certificate from Major Korean Game Company Spread via Document File
Posted By janekyungjin, May 8, 2020
Last month, the ASEC analysis team uploaded a blog post about malware disguised as a bonus payment invoice (see link below). Another malware of the same type was found recently, and AhnLab has decided to share more information through this post. The document has a history of distribution via email. The attacker disguised the sender's address as that of a media outlet. The malicious DLL that runs at the end used a stolen certificate of a major Korean game company to disguise itself as…
Increase in the Frequency of Attacks Toward Defense Companies by Lazarus Group
Posted By janekyungjin, May 8, 2020
Since last month, attacks against defense companies by the Lazarus group have been increasing. They use Office Open XML Word document files (Microsoft Office Word) for their attacks. (Sample source: Twitter post)
Senior_Design_Engineer.docx – UK BAE Systems (Received in May)
Boeing_DSS_SE.docx – US Boeing (Received in May)
US-ROK Relations and Diplomatic Security.docx – KR ROK (Received in April)
These document files connect to an external address and download additional document files (*.dotm, Word Macro-Enabled Template). The downloaded additional…