The ASEC analysis team has discovered the distribution of a malicious HWP file disguised as a “Press Release of 20th Presidential Election Early Voting for Sailors” as the presidential election draws near. The attacker distributed the malicious HWP file on February 28th. Although the team could not obtain the file itself, AhnLab’s ASD (AhnLab Smart Defense) infrastructure logs show that the file runs a batch file through an embedded OLE object, and that the batch file in turn executes PowerShell.
- Filename used in distribution: PressRelease(220228)_March_1st___March_4th_20th_Presidential Election_Early Voting for Sailors_Done(Final).hwp
Figure 1 shows the batch file path and the name of the HWP file as recorded in the ASD infrastructure. The legitimate HWP file is 2.06MB while the malicious one is 2.42MB, so the malicious file was most likely created by inserting an additional BAT file into the original document.
- %TEMP%\mx6.bat (creation path of the batch file)
A similar attack was also found on February 7th. As reported at the time, the attacker impersonated the NEC (National Election Commission) and distributed a malicious file disguised as ‘Publicly Recruiting Election Observer for 20th Presidential Election Among Electors.’
The following are the similarities found between the malicious HWP file that had been distributed back then and the one used for this attack:
- Distributed malicious HWP file by impersonating the same institution (NEC)
- Uses an embedded OLE object to get the user to run the batch file
- The PowerShell command uses a variable name ($kkx9) that follows the same pattern as the one used in the February 7th attack ($kky4)
- Part of the PowerShell command: ($kkx9='[DllImport("user32.dll")] public static extern bool ShowWindow(int handle, int state);')
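The three overlaps above (a batch file executed from %TEMP%, the user32.dll ShowWindow P/Invoke definition, and the $kk.. variable naming) can be turned into a hunting query over process-creation telemetry. The script below is an illustration added to this post; it is not code from AhnLab or from the ASD infrastructure. The sample records are constructed, the Hwp.exe parent image path and the surrounding command-line text are assumptions, and only the variable names, the DllImport string and the mx6.bat file name come from the analysis above.

```python
import re

# Constructed process-creation records (NOT taken from AhnLab's ASD log).
# The field layout mimics a generic EDR/Sysmon "process create" event.
SAMPLE_EVENTS = [
    {   # HWP viewer spawning cmd.exe to run a batch file dropped in %TEMP%
        "parent_image": r"C:\Program Files\Hnc\Office\Bin\Hwp.exe",  # assumed path
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\mx6.bat"',
    },
    {   # the batch file handing off to PowerShell; only the $kkx9 fragment is
        # from the post, the rest of the attacker's command is not reproduced
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": (
            "powershell.exe -c \"$kkx9='[DllImport(\\\"user32.dll\\\")] public static "
            "extern bool ShowWindow(int handle, int state);'\""
        ),
    },
    {   # benign: a batch file run from a tools directory, not %TEMP%
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'cmd.exe /c "C:\Tools\build.bat"',
    },
    {   # benign PowerShell with no P/Invoke and no $kk.. variable
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -c \"Get-ChildItem C:\\Temp\"",
    },
]

# A .bat file under %TEMP% (either the unexpanded variable or the expanded
# ...\AppData\Local\Temp\ path), matching the %TEMP%\mx6.bat creation path.
TEMP_BAT_RE = re.compile(r"(?i)(%temp%|\\appdata\\local\\temp\\)[^\"\s]*\.bat\b")

# The ShowWindow P/Invoke signature; the quotes may be escaped on the command
# line. ShowWindow is typically imported this way to hide the console window.
SHOWWINDOW_RE = re.compile(
    r'(?i)DllImport\(\\?"user32\.dll\\?"\).{0,80}?\bShowWindow\s*\('
)

# Variable naming seen in both campaigns: $kk followed by two alphanumerics.
KK_VAR_RE = re.compile(r"\$kk[a-z0-9]{2}\b")


def indicators(event):
    """Return the list of indicator names a single record trips (in order)."""
    hits = []
    cmdline = event["command_line"]
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    if image.endswith("cmd.exe"):
        if TEMP_BAT_RE.search(cmdline):
            hits.append("bat_in_temp")
        if parent.endswith("hwp.exe"):  # assumed process name of the HWP viewer
            hits.append("hwp_spawned_cmd")
    if "powershell" in image:
        if SHOWWINDOW_RE.search(cmdline):
            hits.append("showwindow_pinvoke")
        match = KK_VAR_RE.search(cmdline)
        if match:
            hits.append("kk_variable:" + match.group())
    return hits


def hunt(events, min_hits=1):
    """Return (index, indicators) for every record with at least min_hits."""
    results = []
    for idx, event in enumerate(events):
        hits = indicators(event)
        if len(hits) >= min_hits:
            results.append((idx, hits))
    return results


if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], hits)
```

The variable-name pattern rests on two samples, so it is a pivot for clustering related activity rather than a standalone detection; the ShowWindow P/Invoke in a script launched from a batch file under %TEMP% is the stronger signal, and raising `min_hits` to 2 keeps only records that combine indicators.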
Figure 3 shows the legitimate HWP file that the attacker likely used as the basis for the malicious one.
The legitimate HWP file is published on the official website of the National Election Commission (https://www.nec.go.kr/). Users should be cautious when downloading similar files from sources other than the official website.
- https://www.nec.go.kr/cmm/dozen/view.do?cbIdx=1090&bcIdx=164018&fileNo=1 (URL for downloading the file)
It appears that the attacker is carrying out a range of attacks while impersonating the NEC as the presidential election draws close. AhnLab is continuously monitoring for similar malicious activity and will promptly share any new information.
[AhnLab V3 Products Response]
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.