Hangul (HWP) malware being distributed through real estate investment-related emails (using EPS)
2020-05-25 • AhnLab • Korean malware being distributed through real estate investment-related emails (using EPS)
ASEC reports malicious HWP documents distributed by email under real-estate investment themes, with plausible message and document content used to lure Korean-speaking recipients into opening the attachments. The malicious HWP contains an EPS object that exploits CVE-2017-8291 and creates a VBS script under an AppData Microsoft Internet Explorer path. The script downloads an encoded payload, decodes it into a DLL saved as security.db, and runs it with rundll32 by calling its InstallSafari export. Once active, the DLL contacts its C2 over HTTPS, sends system information, and can receive additional attacker-supplied data.
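One way a defender can flag the execution chain described above in process-creation telemetry: a script host launching a VBS from the Internet Explorer AppData path, and rundll32 loading a module that is not named *.dll from that path or calling the InstallSafari export. This is an added example, not code from AhnLab/ASEC; the events are constructed, and the user name, the update.vbs file name, the Hwp.exe process name, the Local/Roaming AppData location and the rule names are assumptions (only security.db and InstallSafari come from the report).

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (not from the report).
# security.db and InstallSafari are the names the report gives; every other
# path component, the user name, update.vbs and Hwp.exe are hypothetical.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Hnc\Hwp.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Hnc\Hwp.exe" invest.hwp'},
    {"image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Program Files\Hnc\Hwp.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Microsoft\Internet Explorer\update.vbs"'},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'rundll32.exe "C:\Users\u\AppData\Local\Microsoft\Internet Explorer\security.db",InstallSafari'},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign, must not alert
]

APPDATA_IE = re.compile(r"\\AppData\\(Local|Roaming)\\Microsoft\\Internet Explorer\\", re.I)
# rundll32 syntax is "<module>,<export>"; capture both, with or without quotes.
RUNDLL32_ARGS = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*([A-Za-z_]\w*)', re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def classify(event):
    """Return the names of every rule the event triggers (empty list when benign)."""
    hits = []
    image = PureWindowsPath(event["image"]).name.lower()
    parent = PureWindowsPath(event["parent"]).name.lower()
    cmd = event["cmdline"]
    if image == "rundll32.exe":
        m = RUNDLL32_ARGS.search(cmd)
        if m:
            module, export = m.group(1), m.group(2)
            # A module loaded from the IE AppData path that is not even named *.dll
            if APPDATA_IE.search(module) and PureWindowsPath(module).suffix.lower() != ".dll":
                hits.append("rundll32_non_dll_module_in_appdata_ie")
            if export.lower() == "installsafari":
                hits.append("rundll32_installsafari_export")
    if image in SCRIPT_HOSTS:
        if APPDATA_IE.search(cmd) and re.search(r"\.vbs\b", cmd, re.I):
            hits.append("script_host_vbs_in_appdata_ie")
        if parent == "hwp.exe":  # a document viewer should not be spawning script hosts
            hits.append("script_host_spawned_by_hwp")
    return hits


def scan(events):
    """Flattened (rule, command line) pairs for every alerting event."""
    return [(rule, e["cmdline"]) for e in events for rule in classify(e)]


if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{rule}: {cmd}")
```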
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://mokawafm.com/wp-content… | 2020-05-25 | 2020-05-29 |
| DOMAIN | mokawafm.com | 2020-05-25 | 2020-05-29 |
| URL | https://sixbitsmedia.com/wp-con… | 2020-05-25 | 2020-05-27 |
| DOMAIN | sixbitsmedia.com | 2020-05-25 | 2020-05-27 |
| HASH | fb62b1ef85a58b7a9f04d016fbe616f5 | 2020-05-25 | 2020-05-25 |
| IPv4 | 51.81.21.96 | 2020-05-25 | 2020-05-25 |