Pierluigi Paganini September 10, 2015

FireEye suspects that the North Korea is responsible for a number of attacks against the South Korea relying a 0day in the South most popular Word processor.

Security experts from FireEye speculate that The North Korea has carried out cyber attacks against entities of the South Korea by exploiting a zero-day ( CVE-2015-6585) in a word processing program widely used in that country, the Hangul Word Processor.

According to a report published by FireEye, the Hangul Word Processor is a proprietary software primarily used by government and public institutions in the South Korea, for this reason, the North Korea allegedly exploited it the an attack vector.

The CVE-2015-6585 was fixed a few days ago by the developer of the Hangul Word Processor, Hancom.

Experts at FireEye have warned that the attribution is definitive, but the circumstance, the attack scenario and the target chosen by threat actor led the research to believe that the North Korea is behind the cyber attacks.

“While not conclusive, the targeting of a South Korean proprietary word processing software strongly suggests a specific interest in South Korean targets, and based on code similarities and infrastructure overlap, FireEye Intelligence assesses that this activity may be associated with North Korea-based threat actors.” states the report published by FireEye.

The researchers explained that once an instance of the malicious Hangul Word Processor is opened by victims, it installs a backdoor on the target. FireEye dubbed the backdoor HANGMAN, it implements functionalities common to such category of malware.

“The malicious HWPX documents all install similar copies of a backdoor that we call HANGMAN. HANGMAN is capable of uploading and downloading files, process and file system management, gathering system information, and updating its configuration. The backdoor also wraps its communication protocol with SSL. HANGMAN begins communications by sending a legitimate SSL handshake to its command and control (C2) server. It then continues to communicate using SSL header messages, but the payload of the message is a custom binary protocol. ” continues the report.

By analyzing the code of the HANGMAN backdoor the researchers discovered the presence of hard-coded IP addresses belonging to the command and control infrastructure, these IPs have been linked to other suspected North Korea-related attacks.

Hangman presents several similarities with another backdoor discovered by FireEye dubbed Peachpit, which it attributed by the experts to the North Korea.

“The HANGMAN variants dropped by the HWPX documents use functions that are very similar to those seen in other malware families used by suspected North Korea-based actors, such as the backdoor we call PEACHPIT. Both PEACHPIT and HANGMAN incorporate a function where Windows commands are passed to the backdoor from the remote C2 server.” states the report.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – North Korea, Information Warfare)

[adrotate banner=”12″]