AhnLab’s ASEC reports HWP documents embedded with OLE objects that deliver malware to individuals in defense, press, and related sectors, mainly distributed via download URLs or email attachments. The campaign uses two main payload types: a Type 1 OLE-based method that connects to a malicious URL, and a Type 2 method embedding a script that fetches additional code from GitHub, with PowerShell-based stages and persistence mechanisms. #AhnLab #HWP #PowerShell #GitHub #Startup
Keypoints
- ASEC found HWP documents targeted at national defense, unification, education, and broadcasting sectors, implying sector-specific spearphishing or targeted distribution.
- Two operation types: Type 1 uses an OLE object to access an external URL; Type 2 embeds a script that loads code from GitHub.
- Type 1 documents prompt users to click the OLE object, which then attempts to connect to a malicious URL; several document filenames are listed as samples.
- Type 2 documents deploy a chain where zz.bat and oz.txt are created, then zz.bat downloads and executes data from a GitHub-hosted script (pq.txt).
- The PowerShell dropper (mainFunc, getinfo, uploadResult, downCommand) changes PowerShell policy to bypass execution restrictions and fetches/deploys further payloads.
- Persistence is achieved via an LNK file placed in the Startup folder to ensure repeated execution after reboot; data exfiltration uses FTP to the attacker-controlled server.
- Numerous IOCs include file hashes, domain/URL indicators, and HWP filenames associated with the campaign.
MITRE Techniques
- [T1071.001] Web Protocols – This type accesses an external URL through an OLE object embedded in the HWP documents. Quote: “This type accesses an external URL through an OLE object embedded in the HWP documents.”
- [T1204.002] User Execution – The documents prompt the user to click the OLE object for it to run. Quote: “The text prompts the user to click the OLE object for it to run.”
- [T1059.001] PowerShell – The dropper uses PowerShell commands to download and execute additional data, including setting a bypassed execution policy. Quote: “mainFunc … changes PowerShell policy with the following command … Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force.”
- [T1027] Obfuscated/Compressed Files and Information – The dropper uses obfuscated data that is deobfuscated with a key value before execution. Quote: “obfuscated pieces of data uploaded. Upon connecting to the corresponding URLs, these pieces of data are deobfuscated with a certain key value then executed.”
- [T1041] Exfiltration Over C2 Channel – Collected data is uploaded to the threat actor’s FTP server. Quote: “Uploads the collected information to the threat actor’s FTP server.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via an LNK file in the Startup folder to run the malicious script on startup. Quote: “the threat actor creates an LNK file in the Startup folder.”
- [T1105] Ingress Tool Transfer – The Type 2 chain downloads a script from GitHub (raw.githubusercontent.com) to fetch and execute additional payloads. Quote: “The PowerShell script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt contains four functions.”
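The Type 2 chain in the Keypoints and the technique list above map onto a small set of host and network observables. The following is an added example, not code from ASEC or the report, of a rule set that flags those stages in endpoint and proxy telemetry and counts how many distinct stages a host trips; the log lines are constructed, the LNK name update.lnk and the file paths are invented, and only the pq.txt URL and plm.myartsonline[.]com come from the report.

```python
import re

# Detection rules keyed to the technique IDs used in the summary above. Each
# pattern is built only from details the report gives: the zz.bat/oz.txt
# dropper files, the pq.txt stage on raw.githubusercontent.com, the
# execution-policy change, the LNK placed in the Startup folder and the
# exfiltration host plm.myartsonline[.]com (reached over FTP per the report).
RULES = [
    ("T1105", "GitHub-hosted stage pq.txt fetched",
     re.compile(r"raw\.githubusercontent\.com/\S*?/pq\.txt", re.I)),
    ("T1059.001", "PowerShell execution policy set to Bypass",
     re.compile(r"Set-ExecutionPolicy\b.*\bBypass\b", re.I)),
    ("T1059.001", "dropper artefact zz.bat or oz.txt written",
     re.compile(r"[\\/](?:zz\.bat|oz\.txt)\b", re.I)),
    ("T1547.001", "LNK written to the Startup folder",
     re.compile(r"[\\/]Start Menu[\\/]Programs[\\/]Startup[\\/][^\\/\s]+\.lnk\b", re.I)),
    ("T1041", "connection to exfiltration host plm.myartsonline.com",
     re.compile(r"\bplm\.myartsonline\.com\b", re.I)),
]

def match_line(line):
    """Return (technique, description) pairs for every rule the line trips."""
    return [(tid, desc) for tid, desc, rx in RULES if rx.search(line)]

def triage(lines):
    """Map technique id -> [(line number, description)] over a whole log.
    Distinct stages seen together are the signal; a lone policy change is noise."""
    hits = {}
    for n, line in enumerate(lines, 1):
        for tid, desc in match_line(line):
            hits.setdefault(tid, []).append((n, desc))
    return hits

def verdict(hits, min_stages=3):
    """True when at least min_stages different techniques were observed."""
    return len(hits) >= min_stages

# Constructed sample telemetry (not real logs); the LNK name update.lnk and the
# paths are invented, the URL and host are the ones the report lists.
SAMPLE_LOG = [
    "EventID=11 Image=C:\\Windows\\System32\\cmd.exe TargetFilename=C:\\Users\\u\\AppData\\Local\\Temp\\zz.bat",
    'EventID=1 Image=powershell.exe CommandLine="powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force"',
    "proxy GET https://raw.githubusercontent.com/babaramam/repo/main/pq.txt user=u status=200",
    "EventID=11 Image=powershell.exe TargetFilename=C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "fw ALLOW tcp 10.0.0.5:51234 -> plm.myartsonline.com:21 bytes=4096",
    'EventID=1 Image=explorer.exe CommandLine="C:\\Program Files\\App\\app.exe"',
]
```

Running triage(SAMPLE_LOG) groups the hits under four technique IDs, so verdict() returns True; feed it one host's events at a time so the stage count is per host.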
Indicators of Compromise
- [Domain] host.sharingdocument.one and [Domain] mail.smartprivacyc.com – used in malicious URLs and as delivery/C2 points
- [URL] hxxp://host.sharingdocument[.]one/dashboard/explore/starred?hwpview=[specific value], hxxp://mail.smartprivacyc[.]com/get/account/view?myact=[specific value]
- [Domain] plm.myartsonline[.]com – exfiltration/command server address
- [File Hash] 2f0a67b719d8303c0ec7cc9057ed8411, af5bbab33f934dc016fc1aa0d910820e
- [File Hash] 7f3a30525b9324a2aeb32a9018df944f, 361237b6b385874f02f3724ae50d1522, a242741873637fdac8f69f2ffdba47bc
- [Script] 7284a6376aa79a2384f797769b7ce086, 2ef182bced72da507d2e403ab9db3c9f, f416b44332b4fb394b4735634cb07ff2
- [File Name] Unification cue sheet May 29 Mon.hwp, 20230508_ProfessorMeetingMaterial_NewTemplate.hwp
Read more: https://asec.ahnlab.com/en/58335/