The article discusses the discovery of a malicious HWP document used to recruit students for a unification-related course. The document downloads various files, including a malware-laden BAT file, which executes harmful commands on the user’s system. Users must be cautious due to the increasing prevalence of such attacks targeting the general public. Affected: HWP documents, users, site administrators
Key points:
- Malicious HWP document discovered aimed at student recruitment.
- Document disguised as an application form for course enrollment.
- Includes links to download JPG, HWP, and DOC files.
- Malicious BAT files created in the TEMP folder when HWP is opened.
- Malware is activated via hyperlinks embedded in the HWP content.
- Malware accesses external URLs to download additional harmful files.
- Recent trend of malware distributed through HWP files targeting the public.
- Users urged to update security software and be cautious of file execution.
MITRE Techniques:
- T1546.001 – Event Triggered Execution: The document.bat executes commands through task scheduling upon opening the HWP document.
- T1203 – Exploit Public-Facing Application: The HWP file is an exploit that takes advantage of unpatched software vulnerabilities.
- T1071 – Application Layer Protocol: The malware communicates with an external URL to download additional payloads.
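As an added defender-side illustration (not code from the ASEC article), the following Python correlator runs over constructed Sysmon-style events and flags the chain described in the key points and techniques above: an HWP process writing a .bat into a Temp folder, that process spawning a shell that runs the dropped file, and schtasks registering the script for scheduled execution. The process image names, paths and one-line event format are assumptions for illustration.

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# Assumed Hancom Office image names and the shells worth watching as children.
HWP_PROCESSES = {"hwp.exe", "hword.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}

# Constructed sample events imitating Sysmon process-create (ID 1) and
# file-create (ID 11) records; not telemetry from the article.
EVENTS = r"""
2024-03-04T09:00:01 FILE_CREATE image=C:\Hnc\Hwp.exe target=C:\Users\u\AppData\Local\Temp\document.bat
2024-03-04T09:00:03 PROC_CREATE parent=C:\Hnc\Hwp.exe image=C:\Windows\System32\cmd.exe cmdline="cmd /c C:\Users\u\AppData\Local\Temp\document.bat"
2024-03-04T09:00:04 PROC_CREATE parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /sc minute /tn Update /tr C:\Users\u\AppData\Local\Temp\document.bat"
2024-03-04T10:15:00 FILE_CREATE image=C:\Hnc\Hwp.exe target=C:\Users\u\Documents\notes.hwp
2024-03-04T10:16:00 PROC_CREATE parent=C:\Windows\explorer.exe image=C:\Windows\System32\cmd.exe cmdline="cmd /c dir"
"""

Event = namedtuple("Event", "ts kind fields")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value with spaces"

def parse(text):
    out = []
    for line in text.strip().splitlines():
        ts, kind, rest = line.split(" ", 2)
        fields = {k: q or u for k, q, u in KV.findall(rest)}
        out.append(Event(ts, kind, fields))
    return out

def base(path):
    return PureWindowsPath(path).name.lower()

def in_temp(text):
    return "\\temp\\" in text.lower()

def detect(events):
    """Return (timestamp, rule, detail) alerts for the HWP dropper chain."""
    alerts = []
    dropped = set()  # .bat paths an HWP process wrote into a Temp folder
    for ev in events:
        f = ev.fields
        if (ev.kind == "FILE_CREATE" and base(f["image"]) in HWP_PROCESSES
                and f["target"].lower().endswith(".bat") and in_temp(f["target"])):
            dropped.add(f["target"].lower())
            alerts.append((ev.ts, "hwp_drops_bat_in_temp", f["target"]))
        elif ev.kind == "PROC_CREATE":
            img, cmd = base(f["image"]), f.get("cmdline", "").lower()
            if base(f["parent"]) in HWP_PROCESSES and img in SHELLS:
                rule = "hwp_spawns_shell"
                if any(p in cmd for p in dropped):  # shell runs the dropped file
                    rule = "hwp_runs_dropped_bat"
                alerts.append((ev.ts, rule, f["cmdline"]))
            if img == "schtasks.exe" and "/create" in cmd and in_temp(cmd):
                alerts.append((ev.ts, "schtasks_persists_temp_script", f["cmdline"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(EVENTS)):
        print(*alert)
```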
Indicators of Compromise:
Full Story: https://asec.ahnlab.com/en/86841/