Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks
Contents
◈ Key Findings
- The threat actor poses as a writer for Korean TV programs and reaches out to targets for casting or interview arrangements.
- A short self-introduction and legitimate-looking instructions are used to build trust.
- The attacker distributes a malicious HWP file disguised as a pre-interview questionnaire or event guide document.
- The attack combines initial HWP execution with DLL side loading to evade signature-based detection.
- Real-time monitoring through an EDR solution is essential for identifying abnormal behavior.
1. Overview
Genians Security Center identified the “Artemis” campaign conducted by the APT37 group. The threat actor embedded a malicious OLE object inside an HWP document in a covert manner. The attack chain is triggered when the user trusts the document content and clicks the hyperlink.
[Figure 1-1] Overview of the Attack Flow
When the OLE object was loaded, the threat actor used a masquerading technique that launches a legitimate process first. This multi-stage procedure leverages legitimate execution …
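As an added defensive example (not code from the Genians report), the following Python flags the side loading step described above in Sysmon-style telemetry: a DLL loaded from outside trusted program directories by a process whose ancestry includes the HWP host. The process name Hwp.exe, the trusted directory list and the sample events are assumptions constructed for this example.

```python
import ntpath
from typing import Dict, List

# Directories from which a legitimate Windows binary normally loads its DLLs (assumed list).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
# Document host that should not sit above a process loading DLLs from user-writable paths.
DOC_HOSTS = {"hwp.exe"}  # assumption: Hancom Office word processor process name


def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DLL_DIRS)


def detect_sideloading(events: List[Dict]) -> List[Dict]:
    """Sysmon-style events: EventID 1 = ProcessCreate, EventID 7 = ImageLoad.
    Alert when a process whose ancestry (itself included) contains a document
    host loads a DLL from an untrusted directory, i.e. the DLL side loading step."""
    parent: Dict[str, str] = {}
    name: Dict[str, str] = {}
    for ev in events:
        if ev["EventID"] == 1:
            parent[ev["ProcessGuid"]] = ev["ParentProcessGuid"]
            name[ev["ProcessGuid"]] = ntpath.basename(ev["Image"]).lower()

    def under_doc_host(guid: str) -> bool:
        seen = set()
        while guid in parent and guid not in seen:  # stop at tree root or a cycle
            seen.add(guid)
            if name.get(guid) in DOC_HOSTS:
                return True
            guid = parent[guid]
        return False

    alerts = []
    for ev in events:
        if ev["EventID"] == 7 and not _trusted(ev["ImageLoaded"]) and under_doc_host(ev["ProcessGuid"]):
            alerts.append({"process": ev["Image"], "dll": ev["ImageLoaded"],
                           "reason": "DLL loaded from untrusted path under document host"})
    return alerts


# Constructed sample telemetry (not from the report): Hwp.exe -> dropped helper -> side loaded DLL.
HELPER = r"C:\Users\u\AppData\Local\Temp\vendor.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "ParentProcessGuid": "X", "Image": r"C:\Program Files\Hnc\Hwp.exe"},
    {"EventID": 1, "ProcessGuid": "B", "ParentProcessGuid": "A", "Image": HELPER},
    {"EventID": 7, "ProcessGuid": "B", "Image": HELPER, "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\version.dll"},
    {"EventID": 7, "ProcessGuid": "B", "Image": HELPER, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "ProcessGuid": "C", "ParentProcessGuid": "X", "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 7, "ProcessGuid": "C", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\x.dll"},  # untrusted path, but no document host above it
]

if __name__ == "__main__":
    for alert in detect_sideloading(SAMPLE_EVENTS):
        print(alert)
```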
IoC