Zero-Day HWP Exploit
2015-09-09 • FireEye
Attachments
Zero-Day_HWP_Exploit.pdf (1 MB)
FireEye analyzed malicious Hangul Word Processor (HWP) documents exploiting CVE-2015-6585, a then-unknown vulnerability in HWPX document parsing in hwpapp.dll. The exploit triggers a type confusion in paragraph (para text) handling, uses Unicode values and heap spraying to redirect execution, and then decodes an executable embedded in the heap-spray data and drops it as svchost.exe. The dropped file borrows the name of the legitimate Windows service host binary, so its path rather than its name is what distinguishes it on a host. FireEye reports that the payloads and infrastructure overlap with those of suspected North Korean threat actors and identifies the dropped malware as the HANGMAN backdoor, which can upload and download files, manage processes and files, gather system information, update its configuration, and wrap its C2 traffic in SSL.
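A heap spray built from Unicode string data leaves a recognisable trace on disk: a single 16-bit value repeated for far longer than any real paragraph. The triage heuristic below is an added example, not code from FireEye or from the report; it does not parse HWP/HWPX structure, and the section-stream layout (raw DEFLATE, as HWP 5.x stores BodyText/Section* streams when compression is enabled), the 4 KiB run threshold and the sample data are all assumptions made for the example.

```python
"""Heuristic triage for Unicode heap-spray filler in HWP paragraph streams.

Added example for this page, not FireEye's code. It does not parse HWP/HWPX
structure: it inflates one section stream and looks for long runs of a
repeated 16-bit value, which is what a heap spray built from Unicode string
data looks like on disk. Thresholds and sample data are assumptions.
"""
import zlib

# Assumption: 4 KiB of one repeated UTF-16 code unit is far beyond any real
# paragraph, so it is treated as spray filler rather than text.
MIN_RUN_BYTES = 4096

# Repeated 0x0000 is ordinary padding in many formats; ignore it by default.
IGNORE_UNITS = frozenset({0x0000})


def find_spray_runs(data: bytes, min_run_bytes: int = MIN_RUN_BYTES,
                    ignore_units=IGNORE_UNITS):
    """Return [(offset, code_unit, length_bytes)] for each region where the
    byte stream repeats with period 2, i.e. one little-endian 16-bit value
    written back-to-back (0x0c0c 0x0c0c ..., 0x9090 ..., and so on).

    Period-2 matching also covers single-byte sleds and repeated 4-byte
    values whose halves are equal, and it needs no alignment guess."""
    hits = []
    n = len(data)
    s = 0
    while s + 2 <= n:
        i = s + 2
        while i < n and data[i] == data[i - 2]:
            i += 1
        length = i - s                    # data[s:i] is one period-2 run
        if length >= min_run_bytes:
            unit = int.from_bytes(data[s:s + 2], "little")
            if unit not in ignore_units:
                hits.append((s, unit, length))
            s = i
        else:
            # Any run starting inside data[s+1:i-1] ends at the same i and is
            # shorter, so the next candidate start is i-1.
            s = max(s + 1, i - 1)
    return hits


def inflate_hwp_section(stream: bytes) -> bytes:
    """Assumed layout: HWP 5.x stores BodyText/Section* streams as raw
    DEFLATE (no zlib header) when the document's compression flag is set;
    wbits=-15 undoes that."""
    return zlib.decompress(stream, -15)


def scan_section_stream(stream: bytes):
    """Inflate one compressed section stream and report spray-like runs."""
    return find_spray_runs(inflate_hwp_section(stream))


def build_sample_section() -> bytes:
    """Constructed test data: benign UTF-16LE paragraph text surrounding a
    0x0c0c spray, deflated the way an HWP 5.x section stream is stored."""
    text = "Hangul paragraph sample ".encode("utf-16-le") * 20   # 960 bytes
    spray = b"\x0c\x0c" * 0x10000                               # 128 KiB of filler
    plain = text + spray + text
    comp = zlib.compressobj(level=9, wbits=-15)
    return comp.compress(plain) + comp.flush()


if __name__ == "__main__":
    for offset, unit, length in scan_section_stream(build_sample_section()):
        print(f"spray-like run at 0x{offset:x}: U+{unit:04X} x {length // 2} units")
```

The scanner runs in linear time and tolerates an unaligned spray because it compares each byte with the one two positions back instead of decoding aligned UTF-16; the cost is that genuine long runs of one repeated character (a line of dashes, say) will also be reported, which is why it is a triage signal and not a verdict.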