Malware Campaign Targeted South Korea

Cisco Talos Experts discovered a dangerous malware campaign that has targeted computer users located in South Korea delivered via an infected document.

South Korea Malware Campaign Discovered

Cisco Talos researchers have spotted a dangerous malware campaign which targeted computer users from South Korea. The incident occurred between November 2016 and January 2017 by using a popular method of infection – infected documents. The file in question is a Hangul Word Processor document (HWP) which is popular in the country as a replacement for the ordinary Microsoft Offices suite. The malicious document in question is written in Korean and bears the following title:

5170101-17_북한_신년사_분석.hwp (translation: 5170101-17 __ North Korea _ New Year _ analysis .hwp)

The file poses as being sent by the Korean Ministry of Unification and it even features some of their graphics in the footer. As usual the file in question contains dangerous scripts which trigger a download function when the user interacts with it. The experts deduce that the analyzed documents contain scripts that also download files from an official government site (property of the Korean Government Legal Service). The downloaded payload is a binary file which masquerades as a jpeg image file. It is very likely that the file has been uploaded by the hackers as a result of a successful intrusion.

What’s more interesting is that the malicious document is available in a HWP file. The Hangul Word Processor is rarely used outside of the country and this has played an important role – many security mechanisms do not process the file as it is unknown to them. This allow the hackers to conduct large-scale attack campaigns with a low risk of detection. The contents of the document contains two links which link to dangerous binary files which lead to the actual malware infection.

When the infection is initiated the virus starts to collect information about the host system which is sent to remote C&C servers which collects the data and sends out a final payload. The harvested information includes the computer’s name, username, execution path of the sample, the BIOS model (derived from the Windows registry) and a randomly-generated infection ID. It is very possible that the collected information is used for reconnaissance purposes. One of the reasons why the data is gathered is to determine if the compromised system is not a sandbox environment or a honeypot.

You can easily remove the threat with the help of an anti-malware tool.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *