Anatomy of attacks aimed at financial sector by the Lazarus group
Contents
About Manuscrypt
• From when?
Manuscrypt has been in use since around 2013
Still actively used today
• Connection?
Many overlaps with known Lazarus code style and C&C
infrastructure
• Attack where?
Previously used mainly against national intelligence targets
Recently used in attacks on the financial sector
Weaponized HWP
HWP file format
• Hangul (also known as Hangul Word Processor or
HWP) is a proprietary word processing application
published by the South Korean company Hancom
Inc. -Wikipedia
• Used by most government agencies and
government offices because of the government's
national software activation policy
• South Korea is one of the few countries
where MS Word does not rank first
Recently, PostScript has mainly been used to deliver the payload
Decoy and targets
Cryptocurrency
Any cryptocurrency-related news or content
Cryptocurrency market expectations
Legal issues
Related to lawsuits or audits
Forms about legal issues
Resume
Resumes, mainly of people working in finance
Some decoys include the victim company's name
Postscript Type #1
— The PostScript contains an ASCIIHex-encoded
executable
— Drops the file into the %startup% folder as the
persistence mechanism
— The dropped file is Manuscrypt
[Figure: structure of Type #1. The PostScript drops and executes the ASCIIHex-encoded Manuscrypt payload directly from the embedded hex string; the creation path (the %startup% folder) doubles as the persistence mechanism.]
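As an added example (not code from the talk or from the malware), a small Python triage script that does the Type #1 chain in reverse: it scans PostScript text for ASCIIHex strings, decodes them the way a PostScript interpreter would, and flags any that decode to a PE image (MZ header whose e_lfanew points at the PE signature), plus any string literal that references a Startup folder. The PostScript fragment and the 128-byte stub are constructed here; the drop path and the file name dropped.exe are assumptions for illustration, not indicators from the slides.

```python
import re
import struct

# Constructed sample (not from the talk): a minimal PostScript fragment that
# embeds a stub executable as an ASCIIHex string and writes it into the
# per-user Startup folder, the pattern described for "Postscript Type #1".
# The stub is NOT Manuscrypt: 128 zero bytes carrying only the 'MZ' magic,
# an e_lfanew pointer and the 'PE\0\0' signature. The drop path and the
# file name (dropped.exe) are assumptions used only for illustration.

def build_fake_pe_stub() -> bytes:
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> PE header at 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    return bytes(stub)

FAKE_PE = build_fake_pe_stub()

SAMPLE_PS = (
    "%!PS-Adobe-2.0\n"
    "/payload <" + FAKE_PE.hex().upper() + "> def\n"
    "/out (C:\\\\Users\\\\user\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\"
    "Start Menu\\\\Programs\\\\Startup\\\\dropped.exe) (w) file def\n"
    "out payload writestring\n"
    "out closefile\n"
)

# PostScript hex string: <...> with optional whitespace between digits.
HEX_STRING = re.compile(r"<([0-9A-Fa-f\s]+)>")
# Parenthesised string literal mentioning a Startup folder (no nested parens).
STARTUP_STRING = re.compile(r"\(([^()]*Startup[^()]*)\)", re.IGNORECASE)


def decode_asciihex(text: str) -> bytes:
    """Decode the body of a PostScript ASCIIHex string.

    Whitespace is ignored and, as in the PostScript ASCIIHex filter, an odd
    trailing digit is treated as if it were followed by a 0.
    """
    digits = re.sub(r"\s+", "", text)
    if len(digits) % 2:
        digits += "0"
    return bytes.fromhex(digits)


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(ps_text: str) -> list:
    """Return (offset_in_ps, payload) for every hex string that decodes to a PE."""
    hits = []
    for m in HEX_STRING.finditer(ps_text):
        blob = decode_asciihex(m.group(1))
        if is_pe(blob):
            hits.append((m.start(), blob))
    return hits


def find_startup_paths(ps_text: str) -> list:
    """Return string literals that reference a Startup folder (persistence hint)."""
    return [m.group(1) for m in STARTUP_STRING.finditer(ps_text)]


def triage(ps_text: str) -> dict:
    """Combine both checks into the verdict a triage script would report."""
    pes = find_embedded_pe(ps_text)
    paths = find_startup_paths(ps_text)
    return {
        "embedded_pe_count": len(pes),
        "payload_sizes": [len(blob) for _, blob in pes],
        "startup_paths": paths,
        "suspicious": bool(pes) and bool(paths),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PS))
```

In practice the PostScript stream first has to be pulled out of the HWP container (the document's streams are stored in an OLE compound file and are usually zlib-compressed), so this script is run on the decompressed stream, not on the .hwp file itself. The extracted payload bytes are what you would then hash and hand to the usual PE tooling.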
Postscript Type …