HWP Malware disguised as Korea Development Association (Real Estate Association)

2018-09-13 kino

http://sfkino.tistory.com/69


A malicious HWP file was disguised as a Korea Real Estate Association daily trend report, a document type said to be available only to members. The infection flow uses embedded EPS content to decrypt shellcode with a 16-byte key; the shellcode then downloads Manuscrypt. The downloaded Manuscrypt payload is XOR-encoded with the single byte 0xAA, and the excerpt lists download and callback infrastructure including paths on eronow.in, 51shousheng.com, titanik.fr, and aurumgroup.co.id. The note that the Manuscrypt sample appeared in VirusTotal before the HWP file helps analysts understand sample timing and pivot from the payload to the delivery document.
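As an added example (not code from the original report), the single-byte XOR layer described above can be peeled off and verified without assuming the key: derive the key from the first byte of the download (the 'M' of an MZ header) and confirm it against the rest of the DOS/PE header. The sample blob below is a constructed minimal PE header, not a real Manuscrypt payload.

```python
import struct


def build_fake_pe() -> bytes:
    """Constructed stand-in for a downloaded PE: 'MZ', e_lfanew -> 'PE\\0\\0'."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    dos[0x3C:0x40] = struct.pack("<I", 0x40)         # e_lfanew points just past it
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 16


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Apply (or remove) a single-byte XOR layer such as the 0xAA encoding."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Check both the MZ signature and the PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes):
    """Return the single-byte XOR key if `blob` is an XOR-encoded PE, else None.

    The key candidate is blob[0] ^ ord('M'); it is only accepted if decoding
    with it yields a consistent DOS/PE header, so 0xAA is recovered from the
    data rather than hardcoded. A key of 0 means the blob was not encoded.
    """
    if len(blob) < 0x40:
        return None
    key = blob[0] ^ ord("M")
    decoded = xor_single_byte(blob, key)
    return key if looks_like_pe(decoded) else None


# Constructed sample: the fake PE encoded the way the report describes (XOR 0xAA).
SAMPLE_ENCODED = xor_single_byte(build_fake_pe(), 0xAA)

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_ENCODED)
    print("recovered key:", None if key is None else hex(key))
```

Run against a captured download, the same check flags a payload whose header only becomes valid after a single-byte XOR, which is the behaviour worth alerting on regardless of which key the next sample uses.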

Indicators of Compromise

