RokRAT Malware Using Malicious Hangul (.HWP) Documents

2025-07-23, Ahnlab
https://asec.ahnlab.com/en/89130/
#RokRAT

AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of RokRAT malware using a Hangul Word Processor document (.hwp). RokRAT is typically distributed by including a decoy file and malicious script inside a shortcut (LNK) file. However, ASEC found a case where the malware was distributed through HWP documents instead of an LNK file.
| File Name |
|---|
| 250615_Operation status of grain store.hwp |
| Recent major portal site.hwpx |
| [Notice] Q1 VAT Return Filing Deadline (Final) |
Table 1. Document file names used to distribute RokRAT
The document ‘250615_Operation status of grain store.hwp’ is shown in the following figure.
Figure 1. Document content
To avoid suspicion, the document covers North Korea’s grain distribution points, matching the file name ‘250615_Operation status of grain store’.
Figure 2. Hyperlink to execute ShallRunas.exe
At the bottom of the document, a hyperlink to ‘[Appendix] Reference Materials.docx’ is inserted. When users click this link, a warning window …