ASEC’s analysis identifies active distribution of malicious HWP files that exploit an OLE object insertion feature to run a batch file, with PowerShell injecting shellcode into a normal process. The campaigns target national defense, North Korea–related materials, and broadcasting, and appear linked to the same group behind earlier HWP campaigns. #Kimsuky #PSKimsuky #HancomOffice #HWP #OLE #PowerShell #NorthKorea #NationalDefense #Broadcasting
Keypoints
- Active distribution of malicious HWP files exploiting OLE object insertion to execute a batch file.
- The attack chain includes user interaction to enable execution (clicking prompts) that triggers the OLE object.
- PowerShell is used to inject shellcode into a normal Windows process.
- The final shellcode decryption and injection flow uses Windows APIs (CreateProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread).
- The batch script is obfuscated, yet capable of driving the PowerShell-based injection.
- Attack patterns and artifacts suggest linkage to the same actor/group responsible for a prior HWP campaign.
- A set of malicious HWP filenames and explicit IOCs (file hashes) are associated with the campaign.
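As an added illustration of the chain in the Keypoints above (Hwp.exe launching the OLE batch file, PowerShell creating help.exe with CreateProcess, then a remote thread from PowerShell into help.exe), the following detection logic is example code and not taken from the ASEC article. It runs over constructed Sysmon-style process-create (EventID 1) and CreateRemoteThread (EventID 8) records; the Hancom image name hwp.exe and the field names are assumptions.

```python
import re
# Constructed Sysmon-style telemetry, not from the ASEC article: EventID 1 = process
# create, EventID 8 = CreateRemoteThread. The last record is a benign help.exe launch.
SAMPLE_EVENTS = [
    "EventID=1 Pid=4100 Image=C:\\Program Files\\Hnc\\Hwp.exe ParentPid=900 ParentImage=C:\\Windows\\explorer.exe",
    "EventID=1 Pid=4120 Image=C:\\Windows\\System32\\cmd.exe ParentPid=4100 ParentImage=C:\\Program Files\\Hnc\\Hwp.exe "
    "CommandLine=cmd /c C:\\Users\\u\\AppData\\Local\\Temp\\doc.bat",
    "EventID=1 Pid=4140 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentPid=4120 ParentImage=C:\\Windows\\System32\\cmd.exe",
    "EventID=1 Pid=4160 Image=C:\\Windows\\System32\\help.exe ParentPid=4140 ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "EventID=8 SourcePid=4140 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TargetPid=4160 TargetImage=C:\\Windows\\System32\\help.exe",
    "EventID=1 Pid=5000 Image=C:\\Windows\\System32\\help.exe ParentPid=900 ParentImage=C:\\Windows\\explorer.exe",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")   # key=value pairs; values may contain spaces
DOC_APPS = {"hwp.exe"}                                # Hancom Office word processor (assumed image name)
SHELLS = {"cmd.exe", "powershell.exe"}

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(pid, parents, limit=16):
    """Image basenames of pid and its ancestors, nearest first, following ParentPid links."""
    chain = []
    while pid in parents and len(chain) < limit:
        image, pid = parents[pid]
        chain.append(base(image))
    return chain

def detect(lines):
    events = [parse_event(l) for l in lines]
    parents = {e["Pid"]: (e["Image"], e["ParentPid"]) for e in events if e["EventID"] == "1"}
    findings = []
    for e in events:
        if e["EventID"] == "1":
            child, parent = base(e["Image"]), base(e["ParentImage"])
            # Stage 1: the document viewer launching a shell or a .bat (the OLE batch file)
            if parent in DOC_APPS and (child in SHELLS or ".bat" in e.get("CommandLine", "").lower()):
                findings.append(("doc_app_spawns_shell", e["Pid"]))
            # Stage 2: PowerShell creating the host process named in the article (CreateProcess)
            if parent == "powershell.exe" and child == "help.exe":
                findings.append(("powershell_spawns_help", e["Pid"]))
        # Stage 3: remote thread from PowerShell into help.exe; rated higher when PowerShell descends from the viewer
        elif e["EventID"] == "8" and base(e["SourceImage"]) == "powershell.exe" \
                and base(e["TargetImage"]) == "help.exe":
            via_doc = any(img in DOC_APPS for img in ancestry(e["SourcePid"], parents))
            findings.append(("remote_thread_into_help", e["TargetPid"], "via_hwp" if via_doc else "unknown_origin"))
    return findings
```

A help.exe started by explorer.exe without a remote thread produces no finding, so the benign last record is ignored.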
MITRE Techniques
- [T1204.002] User Execution – The attackers prompt users to click so that OLE objects (batch files) can be executed. “The attackers usually use texts to prompt users to click them so that OLE objects (batch files) can be executed.”
- [T1059.001] PowerShell – PowerShell is used to load and execute payloads (shellcode) in memory. “powershell injects the shellcode into a normal process.”
- [T1055] Process Injection – Shellcode is injected into a Windows process (help.exe) after decryption. “to perform an injection to a normal Windows process (help.exe).”
- [T1059.003] Windows Command Shell – The batch file runs commands via the Windows command shell to orchestrate the payload. “internal batch file script … can still ultimately inject the shellcode into a normal Windows process using powershell.”
- [T1027] Obfuscated/Compressed Files and Information – The batch file script is described as obfuscated, concealing its true behavior. “the script of the batch file exists in an obfuscated form.”
- [T1203] Exploitation for Client Execution – Historical note that APT/HWP campaigns used the Post Script vulnerability to deliver payloads. “For malicious HWP files, APT files were usually distributed in the past using the Post Script vulnerability.”
Indicators of Compromise
- [File hash] IOCs related to Infostealer/PS.Kimsuky – 882546e8fc2dc2fd580170afda20e396, 1d413a7c62b48760838bed0d03a35b05, and 11 more hashes
- [File Name] IOCs – For review_Understanding Politics 6th Period(edited)_20220507.hwp, Peace Asia membership request form(2022).hwp, and 11 more file names
- [Malware family] Infostealer/PS.Kimsuky – Detection name referenced in the article
Read more: https://asec.ahnlab.com/en/35405/