A few weeks ago, we have been alerted by our colleagues from Korea to a specially crafted Hangul Word Processor document (.hwp) that exploits an application vulnerability in the Hancom Office word processing software. The file extension .HWP is a popular Korean word processor file format – just the right format for targeting Korean prospective victims, which might be the case here.
Detected as TROJ_MDROP.ZD, this specially crafted document arrived as an attachment of an email, which used a recent murder case in Korea as social engineering ploy. The email was sent to numerous employees of a prominent Korean company.
Upon opening the malicious attachment, TROJ_MDROP.ZD exploits a still unidentified vulnerability in order to drop and execute the backdoor BKDR_VISEL.FO in the background. This backdoor gives remote access to a potential attacker, who may perform malicious routines on the infected machine. Based on our analysis, BKDR_VISEL.FO also terminates processes related to specific antivirus programs, making its detection and removal difficult. The backdoor also downloads and executes other malicious files, leaving the compromised system susceptible to further infection and data theft.
After execution, TROJ_MDROP.ZD replaces itself with a non-malicious .HWP document in order to prevent the user from suspecting any malicious activity. This decoy document contains the following Korean text:
Judging from the profile of the target company, a successful infection may lead to mass pilfering of personal data of their customers. Add the fact that .HWP is the Korean government’s de facto standard wordprocessor format, what we may be seeing now is a reconnaissance phase of a future, larger, regional attack.
With this incident, we may be seeing attackers gradually taking advantage of vulnerabilities in local-based applications. Hancom Office is also not the first of its kind to be exploited by attackers. We previously reported a case wherein malicious users abused vulnerabilities found in the Japanese-language word processor Ichitaro. Successfully exploiting these lead to the installation of a backdoor. Both incidents prove that using regional software does not guarantee absence of malware attacks. In this case the Word Processor vendor, who adopted a specific third-party module that may have contained the vulnerability, needs to pay attention to industry’s CVE information too and get ready to update.
This highlights the importance of security, specially for organizations whose services include storing customer information. A successful compromise to an organization not only puts their customers at risk, but also easily tarnishes their reputation. Fortunately in this case, proper mitigation steps were executed immediately. However, we must stay vigilant, as this is not the last time we’ll be seeing threats of this kind.
Trend Micro protects users from this threat via Trend Micro™ Smart Protection Network™ that detects and deletes the related malware. It also blocks the related message and prevents it from even reaching users’ inboxes.
We will update this blog entry once we get more details about the said vulnerability.
With additional insights from Thomas Park
Update as of May 25, 2012 3:23 AM PST
Based on our analysis, TROJ_MDROP.ZD triggers a buffer overflow that stems from the plug-in file HNCTextArt.hplg, which HWP.EXE uses to process .HWP files. HNCTextArt.hplg contains a code that copies a wide character string, including the null termination character, from the source to the destination. The source string must contain a null terminated character. In the case of this malicious .HWP file, the wide character string being copied does not contain the said null terminated character, resulting in an infinite loop.
Because of this, HNCTestArt.hplg copies the data repeatedly until an exception occurs. This triggers the malicious shell code inside the malicious .HWP file. The said code decrypts, drops, and executes the PE file and the non-malicious HWP file, which serves as the decoy.
With additional analysis from Jason Pantig