The FlowerPower APT campaign uses malicious OLE objects inserted into HWP documents and utilizes GitHub as its C2.

◈ Executive Summary

  • Delivery of HWP documents containing malicious OLE objects, using a fake interview request from a foreign news channel as the lure for deception and initial access
  • Execution of encrypted PowerShell commands belonging to the FlowerPower APT attack tool series
  • Use of GitHub, a code hosting platform built for version control and collaboration, as the command center (C2) for threat commands
  • Damage minimized through threat visibility and early detection with the Genian EDR solution

1. Overview

1.1 Background

○ In early October, Genians Security Center (GSC) captured signs of a new Advanced Persistent Threat (APT) attack customized for Korea and disguised as an interview request from a foreign news channel. The attack uses malicious ‘Object Linking and Embedding’ (OLE) objects inside HWP documents, a word-processor format commonly used in Korea. Hancom’s help pages describe OLE.[1]
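As an added defender-side example (not code from the Genians report), the triage helper below walks the directory of an HWP file, which is an OLE compound (CFB) container, and lists the streams that hold embedded OLE objects. It assumes HWP 5.x stores such objects as BINxxxx.OLE streams under the BinData storage and that the file is small enough for its FAT to fit in the header DIFAT; the sample container it builds is constructed for the demonstration, not a real document.

```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE

def list_directory_entries(data):
    """(name, type) for every CFB directory entry; 1 = storage, 2 = stream, 5 = root.
    Reads only the 109 FAT sectors listed in the header DIFAT (enough for small files)."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file (no CFB signature)")
    size = 1 << struct.unpack_from("<H", data, 30)[0]        # sector size in bytes
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]  # header occupies sector -1
    fat = []
    for s in struct.unpack_from("<109I", data, 76):         # DIFAT -> FAT sector numbers
        if s >= 0xFFFFFFFC:                                 # FREESECT ends the list
            break
        fat.extend(struct.unpack("<%dI" % (size // 4), sector(s)))
    entries, sec, seen = [], struct.unpack_from("<I", data, 48)[0], set()
    while sec != ENDOFCHAIN and sec not in seen and sec < len(fat):
        seen.add(sec)                                       # guard against FAT loops
        chunk = sector(sec)
        for i in range(0, len(chunk), 128):                 # 128-byte directory entries
            name_len, etype = struct.unpack_from("<HB", chunk, i + 64)
            if etype and name_len >= 2:                     # skip unused entries
                entries.append((chunk[i:i + name_len - 2].decode("utf-16-le"), etype))
        sec = fat[sec]                                      # next sector of the chain
    return entries

def find_embedded_ole(data):
    """Stream names marking embedded OLE objects (assumption: HWP 5.x names them BINxxxx.OLE)."""
    return [n for n, t in list_directory_entries(data) if t == 2 and n.upper().endswith(".OLE")]

def build_sample_container(names):
    """Constructed minimal CFB (not a real HWP): sector 0 = FAT, sector 1 = directory
    holding a root entry plus one stream entry per name (at most 3 names)."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<H", hdr, 30, 9)                      # 512-byte sectors
    struct.pack_into("<I", hdr, 48, 1)                      # directory starts at sector 1
    struct.pack_into("<109I", hdr, 76, 0, *([0xFFFFFFFF] * 108))  # FAT lives in sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *([0xFFFFFFFF] * 126))
    dirsec = bytearray(512)
    for i, (name, etype) in enumerate([("Root Entry", 5)] + [(n, 2) for n in names]):
        enc = name.encode("utf-16-le") + b"\x00\x00"        # NUL-terminated UTF-16LE name
        dirsec[i * 128:i * 128 + len(enc)] = enc
        struct.pack_into("<HB", dirsec, i * 128 + 64, len(enc), etype)
    return bytes(hdr) + fat + bytes(dirsec)
```

On a real document, pass the file's bytes to find_embedded_ole and treat any hit as a reason to inspect the stream before the document is opened.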

○ During the detailed analysis, AhnLab ASEC also posted a blog titled ‘Beware of HWP documents with malicious OLE objects’.[2] GSC is closely investigating this threat case and has confirmed that the attack tool used by the threat actor is a new form of the ‘FlowerPower’ series. In addition, the APT37 group is also conducting HWP attacks that incorporate security vulnerabilities; we plan to disclose more detailed information on this matter.

○ This tool is also known as ‘BoBoStealer’, ‘FakeStriker’, ‘Jinho Spy’, ‘GoldDragon’, etc. In the first half of 2020, cases were reported in which PowerShell commands named ‘flower01.ps1’ and ‘bobo.ps1’ were used in malicious DOC files, and the attacker also used the ID ‘flower9801’.

○ Through the analysis of this threat case, GSC aims to share trends in domestic Advanced Persistent Threat (APT) attacks and provide detailed information from the perspective of TTPs (Tactics, Techniques, and Procedures).[3] The main purpose is to actively understand cyber security threats occurring domestically, establish more effective response measures, and provide threat insights through the Genians Genian EDR[4] service.

Full Report: https://www.genians.co.kr/blog/threat_intelligence/flowerpower