lazarusholic

Warning Against HWP Documents Embedded with Malicious OLE Objects

2023-11-01, Ahnlab
https://asec.ahnlab.com/en/58335/
#OLE

Contents

AhnLab Security Emergency response Center (ASEC) found HWP documents embedded with malicious OLE objects, targeting individuals in specific sectors such as national defense and the press. The malware is presumed to be distributed mainly through download URLs or email attachments. The file names of the distributed documents relate to national defense, unification, education, and broadcasting, suggesting that the malware targets professionals working in these areas.
The HWP documents analyzed in this post largely fall into two types: one that connects to an external URL and one that creates an additional script file. [Type 2] operates in a similar way to the malware covered in a previous post [1] and also uses the same FTP server password. Such similarities suggest that they were made by the same person.
The figure below shows a brief flow of operations of each type.
<Type 1>
This type accesses …

IoC
