Thematic Correlation Analysis of Malicious Hangul Documents (.hwp)
2020-05-29 • AhnLab ASEC • Original Korean title: 악성 한글문서(.hwp) 주제별 연관성 분석
ASEC correlates several clusters of malicious Hangul (HWP) documents, lured with COVID-19, real-estate and renewable-energy themes, and concludes they likely came from the same authoring group based on overlapping Encapsulated PostScript (EPS) and payload characteristics. The documents abuse embedded EPS objects to execute shellcode, in some variants create or run a VBS script, and download additional malicious files from attacker-controlled URLs. A related Konni-style set uses XOR-encoded shellcode that runs in memory rather than writing the downloader shellcode to disk. The report provides multiple download and C2 URLs and file hashes, which support detection of malicious HWP delivery chains that rely on social-engineered document titles. For a defender the practical check sits at the document layer rather than the lure: an EPS object embedded in an HWP 5.0 file is stored as a compressed stream under the file's BinData storage, so scanning those streams for EPS content that builds strings, XOR-decodes them and calls exec catches the chain regardless of which theme the title carries.
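The triage logic sketched above, as an added example that is not code from the ASEC report or from AhnLab: it inflates an HWP BinData stream (HWP 5.0 stores embedded objects as raw-deflate streams, with a fallback for zlib-wrapped or uncompressed data), checks whether the result is EPS, scores it for the PostScript operators an EPS loader needs, pulls out long hex literals and recovers a single-byte XOR key by looking for the common x86 shellcode prologue `FC E8` (cld; call). The single-byte key, the scoring weights and the threshold are assumptions for illustration; the report does not state the key length. The sample stream is constructed inline and its "shellcode" is an ASCII placeholder, not a real payload.

```python
"""Triage helper for EPS objects carried in HWP BinData streams (added example,
not the report's code). Assumption: payload is a hex literal XORed with one byte."""
import re
import zlib
from typing import List, Optional

# Operators typical of EPS loaders: string building, XOR loops, execution of
# decoded content. Weights and threshold are a triage heuristic (assumption).
SUSPICIOUS_PATTERNS = {
    r"\bexec\b": 3,
    r"\bxor\b": 3,
    r"\bputinterval\b": 1,
    r"\bcvx\b": 1,
    r"\bstring\b": 1,
    r"<[0-9A-Fa-f\s]{200,}>": 3,  # long hex literal, typical encoded payload
}
SUSPICIOUS_THRESHOLD = 6

# x86 shellcode commonly opens with cld; call (FC E8); used only as the
# marker the key search looks for.
SHELLCODE_MARKER = b"\xfc\xe8"


def inflate_bindata(stream: bytes) -> bytes:
    """Raw deflate first (HWP's format), then zlib-wrapped, else return the
    bytes unchanged so an uncompressed object is still scanned."""
    for wbits in (-zlib.MAX_WBITS, zlib.MAX_WBITS):
        try:
            return zlib.decompress(stream, wbits)
        except zlib.error:
            continue
    return stream


def is_eps(data: bytes) -> bool:
    head = data[:64]
    return head.startswith(b"%!PS-Adobe") and b"EPSF" in head


def eps_score(data: bytes) -> int:
    """Sum the weights of every suspicious pattern present in the EPS text."""
    text = data.decode("latin-1")
    return sum(w for pat, w in SUSPICIOUS_PATTERNS.items() if re.search(pat, text))


def extract_hex_literals(data: bytes, min_hex_len: int = 200) -> List[bytes]:
    """Decode every PostScript hex string <...> long enough to hold a payload."""
    blobs = []
    for m in re.finditer(rb"<([0-9A-Fa-f\s]+)>", data):
        h = re.sub(rb"\s", b"", m.group(1))
        if len(h) >= min_hex_len:
            blobs.append(bytes.fromhex(h.decode("ascii")))
    return blobs


def xor_single(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def brute_xor_key(blob: bytes, marker: bytes) -> Optional[int]:
    """Single-byte key under which blob starts with marker, or None."""
    for key in range(256):
        if xor_single(blob[: len(marker)], key) == marker:
            return key
    return None


def triage_stream(stream: bytes) -> dict:
    """Run the whole chain on one BinData stream and return the findings."""
    eps = inflate_bindata(stream)
    result = {"is_eps": is_eps(eps), "score": 0, "suspicious": False,
              "xor_key": None, "payload_head": b""}
    if not result["is_eps"]:
        return result
    result["score"] = eps_score(eps)
    result["suspicious"] = result["score"] >= SUSPICIOUS_THRESHOLD
    for blob in extract_hex_literals(eps):
        key = brute_xor_key(blob, SHELLCODE_MARKER)
        if key is not None:
            result["xor_key"] = key
            result["payload_head"] = xor_single(blob, key)[:8]
            break
    return result


# ---- constructed sample: what a BinData/BIN0001 stream of a loader could hold ----
SAMPLE_PAYLOAD = SHELLCODE_MARKER + b"\x00" * 4 + b"PLACEHOLDER-NOT-REAL-SHELLCODE" * 4
SAMPLE_KEY = 0x5A
SAMPLE_EPS_TEXT = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n"
    b"/s <" + xor_single(SAMPLE_PAYLOAD, SAMPLE_KEY).hex().encode("ascii") + b"> def\n"
    b"0 1 s length 1 sub { dup s exch get 90 xor s 3 1 roll put } for\n"
    b"s cvx exec\n"
)
_deflater = zlib.compressobj(wbits=-zlib.MAX_WBITS)
SAMPLE_STREAM = _deflater.compress(SAMPLE_EPS_TEXT) + _deflater.flush()

if __name__ == "__main__":
    print(triage_stream(SAMPLE_STREAM))
```

Against a real document, open the file with `olefile.OleFileIO(path)`, list entries under the `BinData` storage with `listdir()`, read each with `openstream(entry).read()` and pass the bytes to `triage_stream`; the score tells you whether the EPS is a loader rather than a picture, and the recovered key gives you the decoded shellcode head to match against the hashes and URLs the report publishes.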
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://www.afuocolento.it/wp-i… | 2020-05-29 | 2020-05-29 |
| URL | https://www.afuocolento.it/wp-i… | 2020-05-29 | 2020-05-29 |
| URL | http://mbrainingevents.com/wp-a… | 2020-05-29 | 2020-05-29 |
| URL | https://mokawafm.com/wp-content… | 2020-05-25 | 2020-05-29 |
| DOMAIN | mokawafm.com | 2020-05-25 | 2020-05-29 |
| URL | http://www.kingsvc.cc/index.php | 2020-04-02 | 2020-05-29 |
| URL | http://www.sofa.rs/wp-admin/net… | 2020-04-02 | 2020-05-29 |
| DOMAIN | mbrainingevents.com | 2020-04-02 | 2020-05-29 |