Hackers linked to known North Korean attack points and methods exploited a zero-day vulnerability in the Hangul Word Processor (HWP), widely deployed in the offices of the South Korean government.
According to research at cyber-security firm FireEye, the attackers used a known vulnerability (CVE-2015-6585), which was then patched on Monday, September 7.
The attack relied on victims opening a malicious HPWX file
The zero-day exploit consisted of distributing a maliciously crafted .hwpx document (similar to .docx used by Microsoft Office), which leveraged bugs in the Hangul Word Processor to open up a backdoor in the software.
According to FireEye, this backdoor, called HANGMAN, is capable of stealing files and uploading them to a C&C server, while also being able to download new files to the victim’s computer.
HANGMAN is also very well designed, using SSL to encrypt its communications with the C&C server, hiding the data transfer from prying eyes.
Attribution to North Korea was quite simple
What gave away HANGMAN as a North Korea-based malware was the fact that, during its communications to the C&C server, the backdoor used an IP address previously spotted in another backdoor, MACKTRUCK.
Additionally, some of the functions used in the HANGMAN code were similar to the ones used in the PEACHPIT backdoor.
Since PEACHPIT and MACKTRUCK were also spotted in campaigns aimed at targets of interest for the North Korean government, linking all the three attacks to the Pyongyang government was quite effortless.
“The targeting of a South Korean proprietary word processing software
strongly suggests a specific interest in South Korean targets, and based on code similarities and infrastructure overlap, FireEye Intelligence assesses that this activity may be associated with North Korea-based threat actors,” say FireEye researchers.
For more in-depth technical details and a breakdown of the attack, you can download the full FireEye report.