Spam
Malware detection of non-executables has recently been drawing much attention because ordinary users are vulnerable to such malware. Hangul Word Processor (HWP) is software for editing non-executable text files and is widely used in South Korea. New malware for HWP files continues to appear because of the circumstances between South Korea and North Korea. There have been various studies to. Hangul Word Processor free download - NJStar Chinese Word Processor, NJStar Japanese Word Processor, Urdu Word Processor, and many more programs. This page is based on the copyrighted Wikipedia article 'Hangul(wordprocessor)'; it is used under the Creative Commons Attribution-ShareAlike 3.0 Unported License. You may redistribute it, verbatim or modified, providing that you comply with the terms of the CC-BY-SA.
- Hangul is a word processing application that is used in South Korea and created by Hancom Incorporated. Hancom is a computer software company in South Korea and was founded in the year 1990. It has established itself as a leading company in software and listed on KOSDAQ, a trading board of Korea Exchange in South Korea.
- T he word processor program called Hangul Word Processor is one of the most used programs by the South Korean government and public institutions. According to a report by FireEye, North Korean.
Hangul Word Processor (HWP) is a word processing application in South Korea. It can run PostScript code, a language originally used for printing and desktop publishing. This ability is now being exploited in attacks involving malicious attachments.
The Hangul Word Processor (HWP) is a word processing application which is fairly popular in South Korea. It possesses the ability to run PostScript code, which is a language originally used for printing and desktop publishing, although it is a fully capable language. Unfortunately, this ability is now being exploited in attacks involving malicious attachments.
A branch of PostScript called Encapsulated PostScript exists, which adds restrictions to the code that may be run. This is supposed to make opening these documents safer, but unfortunately older HWP versions implement these restrictions improperly. We have started seeing malicious attachments that contain malicious PostScript, which is in turn being used to drop shortcuts (or actual malicious files) onto the affected system.
Office suites have long been a popular way of getting users to drop and run malware on their systems. The various components of Microsoft Office have been exploited for years, whether via social engineering (macro malware) or vulnerabilities. It shouldn't be a surprise that other office suites are similarly targeted.
Technical Details
The goal of this attack is to use PostScript to gain a foothold onto a victim's machine. No actual exploit is used, as this is a case where a feature of PostScript is being abused.
Some of the subject lines and document names used include “Bitcoin” and “Financial Security Standardization”. The appearance of these decoy documents are shown below:
Hangul Word Processor Free Download
Figures 1 and 2. Samples of decoy documents
Hangul Word Processor File
PostScript does not have the ability to execute shell commands. However, it does have the capability to manipulate files. This attack instead drops files into various startup folders, and waits for the user to reboot their machine. Some of the ways we've seen this seen of this include:
- Drops a shortcut in the startup folder, which executes MSHTA.exe to execute a Javascript file.
- Drops a shortcut in startup folder and a DLL file in %Temp% directory. The shortcut calls rundll32.exe to execute the said DLL file.
- Drops an executable file in the startup folder.
Figure 3. Sample of code in HWP file
One of the samples we’ve received will overwrite gswin32c.exe with a legitimate version of Calc.exe. This file is the PostScript interpreter used by HWP. Since the interpreter is overwritten, this would prevent other embedded PostScript content from executing.
Figure 4. Calculator opened by HWP file
Mitigation and Solutions
Newer versions of the Hangul Word Processor implement EPS correctly, with the 2014 versions and later not being susceptible to this problem. We suggest upgrading to these newer, safer versions.
Trend Micro endpoint solutions such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security all include behavior monitoring that prevents HWP from dropping any PostScipt files. We also detect the files associated with this attack as TROJ_HWDOOR.A, TROJ_HWDOOR.B, and TROJ_MALEPS.B, and TROJ_HWDOOR.SMZBEH-A.
Indicators of Compromise
The following hashes are associated with this attack:
- 082651553ee19f87282ea700446a1335f3c9e0d78192097cbbe32ddc8c8f0ff3 (detected as TROJ_HWDOOR.SMZBEH-A)
- 1a69a862a0fb66af0cfc5dc131e435c3d4677525bf2f2dc3e42d35e68ff4b3a6 (detected as TROJ_HWDOOR.SMZBEH-A)
- 4996554df0a31e3d06c08657e61efd50b91b617f1c6d85cb8b67620bfd5d232f (detected as TROJ_HWDOOR.SMZBEH-A)
- 4f1dd7c10adee45f7ff13dbffa328afae26448ff39ba6d9ae91dec611705dede (detected as TROJ_MALEPS.B)
- 56a686c591ac63cb8398824f74d882d8ebd117717fd65e52a11b26b3ee5d0235 (detected as TROJ_HWDOOR.C)
- 58febbf2e2f3f2add32a81d91a94ed94c7ce4e37b91e6ea5679617e7d899b8b3 (detected as TROJ_HWDOOR.B)
- 6b15a7761443f6a9555c0a6cac41de78e71016d803b726abbb4b0489e8cc323f (detected as TROJ_HWDOOR.SMZBEH-A)
- 7d099411f19b6f7268a482277cd2da32dffd4a7b58ef4371a71f6b6186705436 (detected as TROJ_HWDOOR.SMZBEH-A)
- 7df47f410fbd58dbbd995558a9be197da91687f9631bcfe5f0bdb042a67fc41d (detected as TROJ_HWDOORPOC.A)
- 8278cee571bed619ac786898fea1bc03cf67724ebcd8d974c6cbaa942821f93d (detected as TROJ_HWDOOR.SMZBEH-A)
- 851723d38c11654d881cb0528ac82f38b43d30cac9ed12c12364d8b2a47697cc (detected as TROJ_HWDOOR.B)
- 85bf524950260471dba454c5d3ec43141556d74d8f6b016784ecfa48e9056f49 (detected as TROJ_HWDOOR.SMZBEH-A)
- 904bc03090b39b59180b976b2e87580c9404fa0c9ff5135cbcdb68ecf1fe8c08 (detected as TROJ_HWDOOR.SMZBEH-A)
- d9829e45cc1989617851b1727e9e4aaf19ee24f5e63b46d2cb2160e7b8c8f6e4 (detected as TROJ_HWDOOR.SMZBEH-A)
- e5adba30f177431f91ef71d322091f6f26298cac36bfbcca9e6a1dcee0beff94 (detected as TROJ_HWDOOR.B)