lazarusholic

Everyday is lazarus.dayβ

PoorWeb - Hitching a Ride on Hangul

2020-11-16, ReversingLabs
https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats?fbclid=IwAR2Sa3EuJaFz1aF60ieSUinH219sxfT6Ox7Sql-ebJSZOSeYRO6FjMwvYa4

Contents

Hangul Office is a popular office software suite in South Korea.[1] It shares the same compound file format as older versions of Microsoft Office, but has unique features that are abused to form malicious documents. The landscape of this type of attack has been analyzed closely in the VirusBulletin talk "DOKKAEBI: Documents of Korean and Evil Binary".[2] This type of malicious document is the first stage of an attack chain often leading to a PE executable trojan. Here we start with a set of three malicious Hangul Word Processor (HWP) documents targeting one victim organization, each with a slightly different set of stages, but ultimately leading to payloads in one malware family: PoorWeb.[3] Pivoting outwards from these three, a large number of related attacks is found. This amount of data can be confusing especially when the attacks are so similar. However, looking at similarities and differences in malware …

IoC
rule HighExpert_HWP_HSIProp
{
    meta:
        author = "Malware Utkonos"
        date = "2020-08-24"
        description = "HWP summary information property entry in malicious Hangul Word Processor document: Operation High Expert."
        reference = "https://blog.alyac.co.kr/2226"
    strings:
        // VT_LPWSTR (0x1F) property, length 11, followed by "HighExpert" in UTF-16LE
        $a = { 1F 00 00 00 0B 00 00 00 48 00 69 00 67 00 68 00 45 00 78 00 70 00 65 00 72 00 74 00 }
    condition:
        // OLE Compound File signature D0 CF 11 E0 A1 B1 1A E1, read as two little-endian uint32s
        uint32(0) == 0xE011CFD0 and uint32(4) == 0xE11AB1A1 and $a
}