Researchers say North Korea behind attacks exploiting a Korean word processing program

Recent reports had confirmed that relations between the two Koreas (North and South), which had been bad for years, were now showing some signs of improvement, after Seoul and Pyongyang exchanged reconciliatory gestures and expressed their willingness to talk. There was even a rather high probability that a third intra-Korean summit would take place in the near future.
However, the situation might go in another direction after reading a PDF report by FireEye, a U.S.-based security company that provides automated threat forensics and dynamic malware protection against advanced cyber threats. The report says that North Korea is likely behind cyber-attacks that have focused on exploiting a word processing program widely used in South Korea.
Genwei Jiang and Josiah Kimble, authors of the report, identified
several malicious documents in the wild that exploit a previously unknown
vulnerability (CVE-2015-6585) in the Hangul Word Processor (HWP). HWP,
published by a South Korean company, is a Korean word processing application.
“It is widely used in South Korea, primarily by government
and public institutions. Some HWP programs are frequently used by private
organizations, such as HWP Viewer. The payloads and infrastructure in the attack
are linked to suspected North Korean threat actors. Hancom patched
CVE-2015-6585,” the authors said in the report.
The authors have said that only a handful of attacks have
been publicly attributed to the secretive nation, which is known to have
well-developed cyber capabilities.
According to them, if the malicious HWP file is opened, it installs a backdoor that FireEye nicknamed “Hangman”. Hangman is used for downloading files and probing file systems, and it is similar to a backdoor FireEye calls Peachpit, which may also have been developed by North Korea, the report said.
Once Hangman has collected data, it sends it to
command-and-control servers over an SSL (Secure Sockets Layer) connection. The
IP addresses of those servers are hard-coded into Hangman and have been linked
to other suspected North Korea-related attacks.
“While not conclusive, the targeting of a South Korean
proprietary word processing software strongly suggests a specific interest in
South Korean targets, and based on code similarities and infrastructure
overlap, FireEye Intelligence assesses that this activity may be associated
with North Korea-based threat actors,” the authors added.
According to a news report published in PCWorld, one
of the most prominent instances was the devastating attack in November 2014
against Sony Pictures, which lost sensitive corporate data and email and saw
many of its computers rendered inoperable.

“In a rare move, the FBI blamed North Korea for the Sony
hack based on an analysis of malware suspected to have been developed by the country
and used in other attacks,” the news report added.
