Targeted Attacks on South Korean Organizations: Attacks Using Local Word Processor
2018-03-23 • AhnLab
http://global.ahnlab.com/global/upload/download/techreport/Tech_Report_Malicious_Hancom.pdf
AhnLab examined malicious Hangul Word Processor (HWP) files used against South Korean organizations from September 2016 through December 2017. The targets were mainly employees of North Korea-related businesses and virtual currency businesses, and the files were delivered as email attachments or through download links. The report describes HWP vulnerability, EPS, script, and embedded object techniques, and notes a shift toward in-memory execution after September 2016 to evade behavior-based detection. AhnLab grouped the activity into three attacker clusters, two of which actively used Hangul files as a delivery mechanism.