ASEC reports a new malware variant distributed as an executable disguised with an HWP document extension, likely created by the Kimsuky threat group. The dropper carries a Base64-encoded PowerShell command that writes update.vbs to %APPDATA% and runs it; the script then fetches additional scripts from a malicious URL on well-story.co[.]kr that provide credential theft and keylogging. #Kimsuky #HWP #PowerShell #WellStory
Keypoints
- Malware is distributed as a compressed file containing readme.txt and an executable disguised as an HWP document.
- The EXE is .NET-based, carries an HWP document icon and pads the file name with spaces between '.hwp' and '.exe', so the real extension is either hidden by Explorer's default 'Hide extensions for known file types' setting or pushed out of the visible column width.
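To turn the naming trick above into a detection, here is an added example (not code from ASEC's report): a Python check that flags file names whose visible document extension is followed by optional whitespace padding and a real executable extension. The extension sets, the constructed sample listing and the handling of NBSP/ideographic-space padding are my assumptions, generalising the single .hwp/.exe case the report describes.

```python
import re
from typing import Dict, Iterable, List, Optional

# Extensions the disguised name shows to the victim (document formats Explorer renders as harmless).
DOCUMENT_EXTENSIONS = {"hwp", "hwpx", "doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}
# Extensions Windows actually executes when the file is double-clicked.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "hta", "ps1", "lnk"}

# '.<document ext>' followed by optional whitespace padding and the real '.<executable ext>' at the very end.
# Padding covers ASCII space plus NBSP and ideographic space, which also render as blank in Explorer (assumption).
DOUBLE_EXTENSION = re.compile(
    r"\.(?P<shown>[A-Za-z0-9]{2,5})(?P<pad>[ \u00a0\u3000]*)\.(?P<real>[A-Za-z0-9]{2,4})$"
)


def classify_filename(name: str) -> Optional[Dict[str, object]]:
    """Return details if `name` looks like a document name hiding an executable extension, else None."""
    match = DOUBLE_EXTENSION.search(name.rstrip())  # Windows strips trailing spaces itself
    if not match:
        return None
    shown = match.group("shown").lower()
    real = match.group("real").lower()
    if shown not in DOCUMENT_EXTENSIONS or real not in EXECUTABLE_EXTENSIONS:
        return None
    return {
        "name": name,
        "shown_ext": shown,
        "real_ext": real,
        "padding": len(match.group("pad")),
    }


def scan_names(names: Iterable[str]) -> List[Dict[str, object]]:
    """Run classify_filename over e.g. an archive listing or EDR file-create events; keep only hits."""
    hits = []
    for name in names:
        result = classify_filename(name)
        if result:
            hits.append(result)
    return hits


# Constructed sample listing: the first two mirror the naming trick ASEC describes, the rest are decoys.
SAMPLE_NAMES = [
    "Personal Data Leakage Details.hwp.exe",
    "Personal Data Leakage Details.hwp" + " " * 40 + ".exe",
    "readme.txt",
    "quarterly_report.docx",
    "backup.tar.gz",
    "invoice.pdf\u00a0\u00a0\u00a0\u00a0.scr",
]

if __name__ == "__main__":
    for hit in scan_names(SAMPLE_NAMES):
        print(f".{hit['real_ext']} hidden behind .{hit['shown_ext']} with {hit['padding']} pad chars: {hit['name']!r}")
```

The check is cheap enough to run over every file name in an inbound archive before it is extracted, which is where this sample arrived; a hit on a document extension followed by a script or executable extension is almost never legitimate.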
MITRE Techniques
- [T1036.007] Masquerading: Double File Extension (sub-technique of T1036) – ‘an executable disguised with an HWP document file extension.’
- [T1204.002] User Execution: Malicious File – ‘The readme.txt file contains the following message which prompts users to open the malicious EXE file (Personal Data Leakage Details.hwp.exe).’
- [T1059.001] PowerShell – ‘The above EXE file contains a PowerShell command encoded in Base64. Thus, when the file is executed, this command is decoded and saved as update.vbs in the %APPDATA% folder. The generated update.vbs file is then executed through PowerShell.’
- [T1059.005] Visual Basic / VBScript – ‘The created update.vbs file contains obfuscated commands.’
- [T1027] Obfuscated/Compressed Files and Information – ‘update.vbs file contains obfuscated commands.’
- [T1105] Ingress Tool Transfer – ‘downloads and executes an additional script from hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=1.’
- [T1112] Modify Registry – ‘Changes a certain registry key.’ (the key is not named in the summary)
- [T1543.003] Create or Modify System Process: Windows Service – ‘Registers it as a service.’
- [T1056.001] Keylogging – ‘Keylogger.’
- [T1041] Exfiltration Over C2 Channel – ‘Transmits keylogging data to hxxp://well-story.co[.]kr/adm/inc/js/show.php’; the downloaded scripts provide ‘functions such as user credential leakage and keylogging’.
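The T1059.001/T1059.005 chain above (a Base64-encoded PowerShell command that writes update.vbs under %APPDATA% and runs it) can be triaged straight from process command lines. The following is an added example, not code from ASEC or from the malware: it decodes a -EncodedCommand blob (UTF-16LE text then Base64, the format powershell.exe expects) and flags dropper behaviour. SAMPLE_SCRIPT is a constructed, harmless stand-in for the real command, which the summary does not reproduce; the indicator regexes and the verdict rule are my own.

```python
import base64
import re
from typing import Dict


def encode_powershell_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE text, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(blob: str) -> str:
    """Decode a -EncodedCommand blob. Some droppers Base64 plain UTF-8 instead, so detect that too."""
    raw = base64.b64decode(blob)
    # UTF-16LE ASCII text has a zero byte in every odd position; use that to pick the codec.
    looks_utf16 = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
    return raw.decode("utf-16-le" if looks_utf16 else "utf-8", errors="replace")


# Each pattern is one behaviour of the described dropper; the keys are what the report lists as hits.
DROP_INDICATORS = {
    "appdata_path": re.compile(r"\$env:APPDATA|%APPDATA%|GetFolderPath\(\s*['\"]?ApplicationData", re.I),
    "script_file_named": re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b", re.I),
    "file_write": re.compile(r"Set-Content|Add-Content|Out-File|WriteAllText|WriteAllBytes|\[IO\.File\]", re.I),
    "script_host_launch": re.compile(r"\b(wscript|cscript)(\.exe)?\b|Start-Process|Invoke-Expression|\biex\b", re.I),
    "hidden_or_bypass": re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b|-e(p|xecutionpolicy)?\s+bypass", re.I),
}


def triage_encoded_command(blob: str) -> Dict[str, object]:
    """Decode the blob, list which behaviours it shows and decide whether it looks like a script dropper."""
    decoded = decode_powershell_command(blob)
    hits = [name for name, pattern in DROP_INDICATORS.items() if pattern.search(decoded)]
    # Verdict: a script file is named, something writes it, and it lands under %APPDATA%.
    dropper_like = {"appdata_path", "script_file_named", "file_write"} <= set(hits)
    return {"decoded": decoded, "indicators": hits, "dropper_like": dropper_like}


# Constructed stand-in for the dropper's command. It is NOT the Kimsuky sample's payload; it only
# reproduces the behaviour ASEC describes (write update.vbs under %APPDATA%, then run it) with a harmless body.
SAMPLE_SCRIPT = (
    "$p = Join-Path $env:APPDATA 'update.vbs'; "
    "Set-Content -Path $p -Value 'MsgBox \"constructed sample\"'; "
    "Start-Process wscript.exe -ArgumentList $p -WindowStyle Hidden"
)
# Constructed benign command line for comparison.
BENIGN_SCRIPT = "Get-Date; Get-Process | Select-Object -First 5"

if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        report = triage_encoded_command(encode_powershell_command(script))
        print(label, report["dropper_like"], report["indicators"])
```

Feed it the Base64 argument that follows -EncodedCommand, -enc or -e in Sysmon Event ID 1 or Security 4688 command lines. The verdict deliberately requires three independent behaviours, so a script that merely references $env:APPDATA or merely launches wscript.exe is reported but not called a dropper.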
Indicators of Compromise
- [MD5] 8133c5f663f89b01b30a052749b5a988 (exe), 91029801f6f3a415392ccfee8226be67 (script); three further hashes are listed in the source report.
- [URL] hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=1, hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=6, and three further URLs given as lib.php?idx=1, lib.php?idx=5 and show.php (the full show.php URL appears above as hxxp://well-story.co[.]kr/adm/inc/js/show.php).
- [File name] Personal Data Leakage Details.hwp.exe, OfficeAppManifest_v[Min]_[Hr]_[Day][Month].xml (the bracketed parts stand for minute, hour, day and month values).
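As an added example (not part of the ASEC summary), here are the URL and hash IoCs above matched against a constructed proxy log. The log format, client addresses and timestamps are invented; the matcher assumes the two lib.php entries live on the same host as the fully specified URLs, which the summary does not state, and therefore matches them on file name and query string only, ignoring the directory.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# IoCs as the summary gives them (defanged). The two lib.php entries are listed without their directory,
# so they are matched on file name plus query only (assumption: same host as the full URLs).
DEFANGED_FULL_URLS = [
    "hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=1",
    "hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=6",
    "hxxp://well-story.co[.]kr/adm/inc/js/show.php",
]
PARTIAL_URLS = {"lib.php?idx=1", "lib.php?idx=5"}
MD5_IOCS = {"8133c5f663f89b01b30a052749b5a988", "91029801f6f3a415392ccfee8226be67"}


def refang(ioc: str) -> str:
    """Undo the usual hxxp:// and [.] defanging so an IoC can be compared with live log data."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("[:]", ":"))


FULL_URLS = {refang(u) for u in DEFANGED_FULL_URLS}
C2_HOSTS = {urlsplit(u).hostname for u in FULL_URLS}


def classify_url(url: str) -> Optional[str]:
    """'exact_url' / 'partial_url' / 'host_only' for a request to the staging host, None otherwise."""
    parts = urlsplit(url)
    if parts.hostname not in C2_HOSTS:
        return None
    if url in FULL_URLS:
        return "exact_url"
    tail = parts.path.rsplit("/", 1)[-1]
    if parts.query:
        tail += "?" + parts.query
    if tail in PARTIAL_URLS:
        return "partial_url"
    return "host_only"


def is_known_hash(md5: str) -> bool:
    """Normalise case and whitespace before comparing with the listed MD5 values."""
    return md5.strip().lower() in MD5_IOCS


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Parse '<ts> <client> <method> <url> <status>' lines (constructed format) and report IoC matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank lines and anything that does not fit the format
        ts, client, method, url, status = fields
        verdict = classify_url(url)
        if verdict:
            hits.append({"ts": ts, "client": client, "method": method, "url": url, "match": verdict})
    return hits


# Constructed proxy log. Clients and timestamps are made up; the lib.php line uses a deliberately
# different directory to show that the partial match does not depend on it.
SAMPLE_LOG = """\
2023-07-03T01:12:09Z 10.20.0.14 GET http://well-story.co.kr/adm/inc/js/list.php?query=1 200
2023-07-03T01:12:10Z 10.20.0.14 GET https://www.example.org/index.html 200
2023-07-03T01:13:41Z 10.20.0.14 GET http://well-story.co.kr/constructed/dir/lib.php?idx=5 200
2023-07-03T01:20:02Z 10.20.0.14 POST http://well-story.co.kr/adm/inc/js/show.php 200
2023-07-03T01:21:55Z 10.20.0.31 GET http://well-story.co.kr/index.php 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['match']:<11} {hit['client']} {hit['method']:<4} {hit['url']}")
```

The summary gives URLs, not a judgement on the domain as a whole, so a host_only hit is a lead to review rather than a confirmed infection; exact_url and partial_url hits, and in particular POSTs to show.php (the keylog upload endpoint), warrant pulling the client for triage.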
Read more: https://asec.ahnlab.com/en/54736/