How To: Analyzing a Malicious Hangul Word Processor Document from a DPRK Threat Actor Group
A few days ago, ESTsecurity published a post detailing a newly identified malicious Hangul Word Processor (HWP) document that shared technical characteristics with previously reported malicious activity attributed to North Korean threat actors (an important note: this particular group is not typically associated with or clustered with the SWIFT/ATM adversary detailed in other posts on this blog, although this blog avoids using specific vendor naming classifications where possible).
The Hangul Office suite is widely used in South Korea; in the West, it’s significantly less common. As a result, there is limited public documentation on how to analyze exploit-laden HWP documents. This blog post is intended to provide that documentation, walking from start to finish through the file identified by ESTsecurity. As such, the language used will be somewhat less formal than the content typically posted here.
The following tools (in a VM) are recommended for analysis:
1) Cerbero Profiler (advanced or standard)
2) …
IoC
5d9e5c7b1b71af3c5f058f8521d383dbee88c99ebe8d509ebc8aeb52d4b6267b
7a86e6bffba91997553ac4cf0baec407bc255212
f2e936ff1977d123809d167a2a51cdeb