A new malicious HWP document was discovered today, as activity by the Lazarus group, one of the most prominent government-sponsored hacking organizations, continues to be observed.
The file name of this document is ‘(Required) Subcontractor Statement .hwp’, and its creation date is July 12, 2019. The type of document indicates that it targets the outsourcing staff of a particular company.
It is similar to the ‘investment contract_20190619.hwp’ attack code, but adds one more feature: code obfuscation.
The ‘(Required) Subcontractor’s personal statement .hwp’ malicious document also appears to have been used by the same Lazarus threat group, and includes the following malicious PostScript:
When the document is opened, the malicious code executes through the vulnerability while the following normal-looking decoy text is displayed:
Looking at the content, it contains a template for a new financial statement from a specific finance-related subcontractor.
The PostScript contains the following hexadecimal code, obfuscated with XOR logic:
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256)