Korean MalDoc Drops Evil New Years Presents
This blog was authored by Warren Mercer and Paul Rascagneres.
Executive Summary
Talos has investigated a targeted malware campaign against South Korean users. The campaign was active between November 2016 and January 2017, targeting a limited number of people. The infection vector is a Hangul Word Processor document (HWP), a popular alternative to Microsoft Office for South Korean users developed by Hancom.
The malicious document in question is written in Korean with the following title:
5170101-17년_북한_신년사_분석.hwp (translation: 5170101-17_North Korea_New Year_analysis.hwp)
The document purports to have been written by the Korean Ministry of Unification and carries the ministry's logo as a footer.
An interesting twist in the analysed document is that it attempts to download a file from an official Korean government website, kgls.or.kr (Korean Government Legal Service). The downloaded file is a binary masquerading as a JPEG image that is later executed as part of …