The Hangul Word Processor (HWP) is a word processing application which is fairly popular in South Korea. It possesses the ability to run PostScript code, a language originally used for printing and desktop publishing, although it is a fully capable programming language. Unfortunately, this ability is now being exploited in attacks involving malicious attachments.
A branch of PostScript called Encapsulated PostScript exists, which adds restrictions to the code that may be run. This is supposed to make opening these documents safer, but unfortunately older HWP versions implement these restrictions improperly. We have started seeing malicious attachments that contain malicious PostScript, which is in turn being used to drop shortcuts (or actual malicious files) onto the affected system.
Office suites have long been a popular way of getting users to drop and run malware on their systems. The various components of Microsoft Office have been exploited for years, whether via social engineering (macro malware) or vulnerabilities. It shouldn’t be a surprise that other office suites are similarly targeted.
The goal of this attack is to use PostScript to gain a foothold onto a victim’s machine. No actual exploit is used, as this is a case where a feature of PostScript is being abused.
Some of the subject lines and document names used include “Bitcoin” and “Financial Security Standardization”. The appearance of these decoy documents is shown below:
Figures 1 and 2. Samples of decoy documents
PostScript does not have the ability to execute shell commands. However, it does have the capability to manipulate files. This attack instead drops files into various startup folders and waits for the user to reboot their machine. Some of the ways we’ve seen this done include:
- Drops a shortcut in the startup folder and a DLL file in the %Temp% directory. The shortcut calls rundll32.exe to execute that DLL file.
- Drops an executable file in the startup folder.
Figure 3. Sample of code in HWP file
One of the samples we’ve received will overwrite gswin32c.exe with a legitimate version of Calc.exe. This file is the PostScript interpreter used by HWP. Since the interpreter is overwritten, this would prevent other embedded PostScript content from executing.
Figure 4. Calculator opened by HWP file
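As an added illustration of the defensive side (this is not code from the original post or from any vendor tool), the following Python triage script flags embedded PostScript that opens files for writing and reports when the target path points at the drop locations described above: a startup folder, the %Temp% directory, or the gswin32c.exe interpreter. The sample EPS blobs and the Windows paths in them are constructed placeholders, and the path patterns are assumptions about how such strings would appear inside a PostScript file.

```python
import re

# PostScript idiom for opening a file for writing: (path) (access) file,
# with access string w, w+, a or a+. A drawing-only EPS figure never needs
# this, so every match is worth a look.
OPEN_FOR_WRITE = re.compile(r"\(([^()]*)\)\s*\((?:w\+?|a\+?)\)\s*file")

# Drop locations named in the post: startup folders, %Temp%, and the HWP
# PostScript interpreter binary gswin32c.exe. The path patterns are
# assumptions about how such paths would appear in a PostScript string.
SUSPICIOUS_PATHS = [
    ("startup folder", re.compile(r"start\s*menu.*startup|[\\/]startup[\\/]", re.I)),
    ("%Temp% directory", re.compile(r"%temp%|[\\/]temp[\\/]", re.I)),
    ("PostScript interpreter", re.compile(r"gswin32c\.exe", re.I)),
]
DROPPED_TYPES = re.compile(r"\.(lnk|dll|exe)$", re.I)

def is_eps(ps_text):
    """True if the blob carries an EPS header (EPSF in the first comment line)."""
    first = ps_text.lstrip().splitlines()[0] if ps_text.strip() else ""
    return first.startswith("%!PS-Adobe") and "EPSF" in first

def triage_postscript(ps_text):
    """One finding per file opened for writing, with the reasons the target
    path matches the dropper behaviour described in the post."""
    findings = []
    for m in OPEN_FOR_WRITE.finditer(ps_text):
        path = m.group(1)
        reasons = [label for label, rx in SUSPICIOUS_PATHS if rx.search(path)]
        if DROPPED_TYPES.search(path):
            reasons.append("executable/shortcut extension")
        findings.append({"path": path, "reasons": reasons})
    return findings

# Constructed samples, not taken from real malware; paths are placeholders.
SAMPLE_DROPPER = r"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
/lnk (C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk) (w) file def
/dll (C:\Users\victim\AppData\Local\Temp\update.dll) (w) file def
"""
SAMPLE_OVERWRITE = r"""%!PS-Adobe-3.0 EPSF-3.0
(C:\path\to\gswin32c.exe) (w) file
"""
SAMPLE_BENIGN = r"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
newpath 10 10 moveto 90 90 lineto stroke showpage
"""

if __name__ == "__main__":
    for name, blob in [("dropper", SAMPLE_DROPPER), ("overwrite", SAMPLE_OVERWRITE), ("benign", SAMPLE_BENIGN)]:
        print(name, "eps" if is_eps(blob) else "not-eps", triage_postscript(blob))
```

The script works on the extracted PostScript stream, so it belongs after a tool that pulls embedded objects out of the HWP container; a file opened in read mode, such as `(data.txt) (r) file`, is deliberately not reported.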
Mitigation and Solutions
Newer versions of the Hangul Word Processor implement EPS correctly, with the 2014 versions and later not being susceptible to this problem. We suggest upgrading to these newer, safer versions.
Trend Micro endpoint solutions such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security all include behavior monitoring that prevents HWP from dropping any PostScript files. We also detect the files associated with this attack as TROJ_HWDOOR.A, TROJ_HWDOOR.B, TROJ_MALEPS.B, and TROJ_HWDOOR.SMZBEH-A.
Indicators of Compromise
The following hashes are associated with this attack: