Hancom Office Hangul Malware Analysis Report (한컴오피스 한글악성코드 분석보고서)

2015-09-01 Somansa Hancom Office Hangul Malware Analysis Report

https://www.somansa.com/wp-content/uploads/2017/02/201509SecurityReport.pdf

Attachments

201509SecurityReport.pdf (1 MB)


Somansa analyzes malicious HWP documents that the report attributes to Kimsuky and that were sent to specific South Korean institutions. The documents exploit a Hangul Office vulnerability for which a patch was already available, so they only succeed on installations that had not applied it.

Infection chain: the document heap-sprays and runs shellcode that decrypts a payload embedded in the file, injects code into notepad.exe, and loads a dropped DLL named ~tmp.dll or ~tmp.dlll. That DLL stages further execution through explorer.exe and svchost.exe, elevates via the sysprep.exe/cryptbase.dll DLL-hijack UAC bypass, registers a service named TelnetManagement, and copies itself as telnet.dll or websec.dll for persistence.

Post-exploitation: the malware weakens local security controls by modifying registry values belonging to AhnLab V3, Windows Security Center, and the Windows firewall, then collects host information and uses attacker-controlled mail.bg or Hotmail accounts both to exfiltrate the collected data and to receive additional payloads. Mail-based C2 means the traffic blends in with ordinary webmail/SMTP traffic, so host indicators (the DLL names, the service name, the sysprep directory write) are the more reliable hunting leads.
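The chain above maps cleanly onto a handful of host telemetry events. The following hunt is an added example written for this page, not code from the Somansa report; it runs the report's indicators (the dropped DLL names, the TelnetManagement service, the notepad/explorer/svchost staging hosts, the sysprep.exe/cryptbase.dll load, the mail.bg/Hotmail C2) over constructed Sysmon-style events. Assumptions not taken from the report: the Hangul process name Hwp.exe and its install path, the Security Center and firewall registry subtrees used for the tamper rule (the report names no exact values), matching the Hotmail side on hotmail.com only, and the Sysmon field names, which you should adapt to your own telemetry.

```python
"""Hunt for the Kimsuky HWP dropper chain in Sysmon-style events (added example)."""

# Indicators lifted from the report summary.
DROPPED_DLLS = {"~tmp.dll", "~tmp.dlll", "telnet.dll", "websec.dll"}
SERVICE_NAME = "telnetmanagement"
STAGING_HOSTS = {"notepad.exe", "explorer.exe", "svchost.exe"}
MAIL_DOMAINS = {"mail.bg", "hotmail.com"}  # assumption: Hotmail matched on hotmail.com only

# Assumptions: Hangul's process name, and the registry subtrees that hold the
# Security Center and firewall settings (the report lists no exact value names).
HWP_PROCESS = "hwp.exe"
TAMPER_KEYS = ("\\microsoft\\security center\\",
               "\\sharedaccess\\parameters\\firewallpolicy\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def match(event):
    """Return (rule, detail) if the event matches one stage of the chain, else None."""
    eid = event["EventID"]
    if eid == 8:  # CreateRemoteThread: Hangul or a staging host injecting into a staging host
        src, dst = basename(event["SourceImage"]), basename(event["TargetImage"])
        if dst in STAGING_HOSTS and (src == HWP_PROCESS or src in STAGING_HOSTS):
            return ("inject", f"{src} -> {dst}")
    elif eid == 7:  # ImageLoad
        loaded = event["ImageLoaded"].lower()
        name = basename(loaded)
        if name in DROPPED_DLLS:
            return ("dropped_dll", f"{basename(event['Image'])} loaded {event['ImageLoaded']}")
        # Auto-elevated sysprep.exe loading a cryptbase.dll planted in its own
        # directory instead of System32 is the UAC bypass path the report names.
        if basename(event["Image"]) == "sysprep.exe" and name == "cryptbase.dll" \
                and "\\sysprep\\" in loaded:
            return ("uac_bypass", event["ImageLoaded"])
    elif eid == 13:  # RegistryEvent (value set)
        target = event["TargetObject"].lower()
        if f"\\services\\{SERVICE_NAME}\\" in target:
            return ("service_persist", event["TargetObject"])
        if any(key in target for key in TAMPER_KEYS):
            return ("security_tamper", event["TargetObject"])
    elif eid == 3:  # NetworkConnect from a staging host to the mail C2 domains
        host = event["DestinationHostname"].lower()
        if basename(event["Image"]) in STAGING_HOSTS and \
                any(host == d or host.endswith("." + d) for d in MAIL_DOMAINS):
            return ("mail_c2", f"{basename(event['Image'])} -> {host}")
    return None


def hunt(events):
    """All (rule, detail) matches, in event order."""
    return [m for m in (match(e) for e in events) if m]


STAGE_ORDER = ["inject", "dropped_dll", "uac_bypass",
               "service_persist", "security_tamper", "mail_c2"]


def chain_coverage(events):
    """Stages of the report's chain observed on this host, in chain order."""
    seen = {rule for rule, _ in hunt(events)}
    return [stage for stage in STAGE_ORDER if stage in seen]


# Constructed sample events: six malicious stages plus three benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Program Files\Hnc\Hwp80\Hwp.exe",  # assumed path
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\~tmp.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},  # benign
    {"EventID": 7, "Image": r"C:\Windows\System32\sysprep\sysprep.exe",
     "ImageLoaded": r"C:\Windows\System32\sysprep\cryptbase.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\sysprep\sysprep.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll"},  # benign: legitimate copy
    {"EventID": 13, "TargetObject":
     r"HKLM\System\CurrentControlSet\Services\TelnetManagement\Parameters\ServiceDll"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationHostname": "mail.bg"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "login.live.com"},  # benign: browser webmail
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:16} {detail}")
    print("chain stages seen:", chain_coverage(SAMPLE_EVENTS))
```

Each rule on its own is a weak signal (notepad.exe loading a DLL, a service value being written), so the useful output is chain_coverage: several stages from the same host in sequence is what turns the report's indicators into a confident detection, and the order of the stages tells you how far the intrusion got before you caught it.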

Indicators of Compromise

Type   Value                              First seen   Last seen
HASH   d588c784dd82b74e4f63df2453e41ad…   2015-09-01   2015-09-01
HASH   eb46650f15a8f3ddf287946ccbea8cf…   2015-09-01   2015-09-01
HASH   1a9e433e9e7ce6858ef1c6e08a696c9…   2015-09-01   2015-09-01
HASH   71abdc099d4cc2848e1eb3dda7f798a…   2015-09-01   2015-09-01

The hash values are listed here truncated, and the hash algorithm is not stated, so match on the prefix only with care.
