PoorWeb - Hitching a Ride on Hangul

2020-11-16 Reversing Labs

https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats?fbclid=IwAR2Sa3EuJaFz1aF60ieSUinH219sxfT6Ox7Sql-ebJSZOSeYRO6FjMwvYa4


ReversingLabs analyzed a PoorWeb campaign built around malicious Hangul Word Processor (HWP) documents aimed at a victim organization, together with related Korean-language HWP attacks observed from March 2019 through September 2020. The initial documents abused HWP compound-file streams: the HwpSummaryInformation metadata stream carried a “HighExpert” marker, and BinData streams held encapsulated PostScript (EPS) loaders. The EPS content used XOR-encoded shellcode loaders that ultimately delivered PoorWeb-family PE payloads, while related samples reused the same loader templates and overlapping document structures. The report’s value lies in separating this PoorWeb delivery chain from other campaigns by comparing HWP metadata, shellcode behavior, YARA-detectable structures, and payload relationships.

Indicators of Compromise

