AhnLab_ASEC_ED959CEAB880ED8C8CEC9DBCEC9790EC88A8EC96B4EB93A027EAB3_UkCTFx6.pdf (5 MB)

AhnLab analyzed a long-running wave of malicious HWP files that abused the Ghostscript CVE-2017-8291 “GhostButt” vulnerability embedded in EPS content. The report explains that HWP attacks against Korean users have often been targeted, with decoys crafted for public agencies, government-related themes, cryptocurrency businesses, companies, and job seekers. In affected HWP versions, embedded EPS files were decompressed into temporary files and passed by Hwp.exe to Ghostscript components such as gbb.exe and gswin32c.exe, where malicious PostScript could trigger the vulnerability. The exploit relies on a type-confusion condition in Ghostscript’s PostScript processing, allowing attackers to alter execution flow while making variants through scripting, encoding, and variable changes. The report matters for defenders because the same vulnerability was reused for roughly two years, showing why legacy HWP/EPS handling and Ghostscript behavior remain important telemetry points.