Hwp malicious code disguised as Korea's Financial Supervisory Service

2018-08-07 kino

http://sfkino.tistory.com/64


A malicious HWP document disguised as a notice from Korea's Financial Supervisory Service carried encrypted shellcode similar to a previously observed HWP sample. The excerpt notes 16-byte XOR keys, the extraction of the embedded PostScript code and shellcode, and a malware-structure signature value of 0xAABBCCDD followed by a download URL. The domain tpddata.com recurs across recently released HWP samples, and the post body lists related HWP filenames, hashes, and PHP paths that look like compromised hosting. Defenders tracking Korean-language HWP lure documents can validate the listed hashes, domains, and URLs against endpoint and network telemetry.
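The excerpt describes the decoding chain only in outline (16-byte XOR key, a 0xAABBCCDD structure signature, then the download URL). The following is an added example, not code from the original post, that carries that outline through on a constructed blob: it applies a repeating 16-byte XOR, locates the signature, and pulls out the URL that follows. Everything about the exact layout is an assumption stated in the comments: the signature is searched for as a little-endian DWORD (bytes DD CC BB AA, the order an x86 compare would see) with the big-endian order accepted as a fallback, and the URL is assumed to be a NUL-terminated ASCII string immediately after it. The key and the URL in the sample are invented for the demonstration.

```python
"""Decode an XOR-encrypted payload blob and extract the download URL that
follows the 0xAABBCCDD structure signature.

Added example, not code from the original post. Assumptions, because the
excerpt does not give the exact layout:
  - the 16-byte key is applied cyclically (key[i % 16]);
  - the signature is stored as a 32-bit little-endian DWORD, i.e. the raw
    bytes DD CC BB AA (big-endian order is accepted as a fallback);
  - the URL directly follows the signature as a NUL-terminated ASCII string.
"""
import re
import struct
from typing import Optional, Tuple

SIGNATURE = 0xAABBCCDD
SIG_LE = struct.pack("<I", SIGNATURE)   # b"\xdd\xcc\xbb\xaa"
SIG_BE = struct.pack(">I", SIGNATURE)   # b"\xaa\xbb\xcc\xdd"
KEY_LEN = 16
# A URL field: scheme, then printable non-space bytes up to the terminator.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    if len(key) != KEY_LEN:
        raise ValueError(f"expected a {KEY_LEN}-byte key, got {len(key)}")
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(data))


def find_signature(blob: bytes) -> Optional[Tuple[int, str]]:
    """Return (offset, byte_order) of the earliest signature hit, or None."""
    hits = [(blob.find(SIG_LE), "little"), (blob.find(SIG_BE), "big")]
    hits = [(off, order) for off, order in hits if off != -1]
    return min(hits) if hits else None


def extract_download_url(blob: bytes) -> Optional[str]:
    """Locate the structure signature and return the URL that follows it."""
    hit = find_signature(blob)
    if hit is None:
        return None
    start = hit[0] + len(SIG_LE)
    end = blob.find(b"\x00", start)          # assumed NUL terminator
    field = blob[start:] if end == -1 else blob[start:end]
    m = URL_RE.match(field)
    return m.group(0).decode("ascii") if m else None


def decode_and_extract(ciphertext: bytes, key: bytes) -> dict:
    """Full chain: XOR-decode, find the signature, pull out the URL."""
    plain = xor_cycle(ciphertext, key)
    hit = find_signature(plain)
    return {
        "signature_offset": hit[0] if hit else None,
        "byte_order": hit[1] if hit else None,
        "url": extract_download_url(plain),
    }


# --- constructed sample; the key, padding and URL are invented ----------
DEMO_KEY = bytes(range(0x10, 0x20))          # hypothetical 16-byte key
DEMO_PLAIN = (
    b"\x90" * 7                               # filler before the structure
    + SIG_LE                                  # 0xAABBCCDD as a LE DWORD
    + b"http://example.com/payload.bin\x00"   # hypothetical download URL
    + b"\xcc" * 9                             # trailing filler
)
DEMO_CIPHER = xor_cycle(DEMO_PLAIN, DEMO_KEY)

if __name__ == "__main__":
    print(decode_and_extract(DEMO_CIPHER, DEMO_KEY))
```

On a real sample, `DEMO_CIPHER` and `DEMO_KEY` are replaced with the bytes carved from the document and the key recovered from the shellcode; if `find_signature` returns nothing after decoding, the key or the assumed byte order is wrong, not the blob.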

Indicators of Compromise

Type    Value                               First Seen   Last Seen
HASH    29ddf9baad018518060814a03d424f4…    2018-08-07   2020-06-23
HASH    2228fea495bee51dc88c1a0ed953450a    2018-06-22   2019-07-03
HASH    06cfc6cda57fb5b67ee3eb0400dd5b97    2018-06-22   2019-07-03
HASH    a7c804b62ae93d708478949f498342f9    2018-06-22   2018-09-24
DOMAIN  tpddata.com                         2018-06-22   2018-09-24
HASH    a9d579819370e860ece7890c3490cde…    2018-08-07   2018-08-07
HASH    ef86b14f9798d5c51a8ecb757447f4d…    2018-08-07   2018-08-07
HASH    09db826a7b6dbb16e2d7b3046e0da9f…    2018-08-07   2018-08-07
HASH    3ff4ebae6c255d4ae6b747a77f2821f…    2018-08-07   2018-08-07
HASH    c2f150dbe9a8efb72dc46416ca29acd…    2018-08-07   2018-08-07
HASH    c9582680978fde80593f2bc164f9ac6f    2018-08-07   2018-08-07
HASH    566f7b3f6af8d0b00593f3a83cd8af16    2018-08-07   2018-08-07
HASH    71c78b84f0153ba64d30ea986c3e682b    2018-06-22   2018-08-07
HASH    298a17c20a517dc02bc5388bc645837d    2018-06-22   2018-08-07
HASH    69ad5bd4b881d6d1fdb7b19939903e0b    2018-06-22   2018-08-07
HASH    86685ec8c3c717aa2a9702e2c9dec379    2018-06-22   2018-08-07
HASH    cf09201f02f2edb9c555942a2d6b01d4    2018-06-22   2018-08-07
