Malware disguised as company document related to inter-Korean economic cooperation
SUMMARY
Amid the mood of reconciliation between the two Koreas, we found that a hacking group presumed to be North Korean was distributing malware through a Korean Word Processor (HWP) document vulnerability. The contents of the document relate to inter-Korean economic cooperation.
The decoy document is named "㈜OOO앤티 망 분리 관련 요청사항.hwp". The document looks as follows.
The same malware was discovered in May 2018 and has been reused. Only the Korean Word Processor (HWP) document and the shellcode are believed to have changed in order to distribute the malware.
Compared with the malware found in May, only 16 bytes were added to the end of the file, probably padding added during AES encryption.
It was first uploaded to VirusTotal in May, but still only three antivirus engines detect the file (checked on July 6).
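As an added example (not code from the original report), the following Python shows why a sample that is exactly 16 bytes longer than its predecessor is consistent with AES block padding: PKCS#7 padding (assumed here; the report does not name the scheme) appends a full 16-byte block when the plaintext is already block aligned. The sample bytes are constructed, not the real files.

```python
# Added example: triage helper for "same file, 16 extra trailing bytes".
# PKCS#7 is an assumption; the report only says the extra bytes are probably AES padding.

AES_BLOCK = 16


def pkcs7_pad(data: bytes, block: int = AES_BLOCK) -> bytes:
    """Append PKCS#7 padding. A block-aligned input gains a full extra block."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block: int = AES_BLOCK) -> bytes:
    """Strip PKCS#7 padding, rejecting malformed trailers."""
    if not data or len(data) % block:
        raise ValueError("data length is not block aligned")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def compare_samples(old: bytes, new: bytes, block: int = AES_BLOCK) -> dict:
    """Compare two samples: shared prefix, trailing delta, and whether the
    delta looks like one padding step of a block cipher."""
    prefix = 0
    for a, b in zip(old, new):
        if a != b:
            break
        prefix += 1
    delta = len(new) - len(old)
    return {
        "identical_prefix": prefix == len(old),
        "trailing_bytes_added": delta,
        "consistent_with_block_padding": (
            prefix == len(old) and 0 < delta <= block and len(new) % block == 0
        ),
    }


# Constructed samples: a 48-byte "May" payload and a "July" copy with 16 bytes appended.
MAY_SAMPLE = bytes(range(48))
JULY_SAMPLE = pkcs7_pad(MAY_SAMPLE)

if __name__ == "__main__":
    print(compare_samples(MAY_SAMPLE, JULY_SAMPLE))
```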
[Figures: malware uploaded in May compared with malware uploaded in July]
MALWARE INFORMATION
The hacking …
IoC