Attacks Using Malicious Hangul Word Processor Documents


Description: Attacks Using Malicious Hangul Word Processor Documents. Jaebyung Yoon @ KrCERT/CC. PowerPoint presentation.

Transcript of Attacks Using Malicious Hangul Word Processor Documents

Attacks Using Malicious Hangul Word Processor Documents
Jaebyung Yoon @ KrCERT/CC

Introduction of HWP
Hangul (한/글): word processor of Hancom Inc.
HWP is the filename extension and the abbreviation of Hangul Word Processor.
The latest version is Hangul 2014 for Windows, Hangul 2008 for Linux, and Hangul 2006 for Mac OS X.
The first version was 0.9 in 1989.

A 2-byte (double-byte) language word processor.
Other Asian word processors: Ichitaro (Japanese), NJStar (Chinese).
First generation (~1999, HWP 3.0); second generation (2000~, HWP 5.0).

History of Hangul
"Save a Local SW Maker" (The New York Times, 1999)
[Charts on the slides: Hangul sales composition, Hancom sales composition, office S/W market share]

Stature of Hangul in Korea
Hangul supports the special needs of the Korean written language, especially the needs of government.
It is the de facto format in the Korean government, the military and public education.
A government officer receives many e-mails with HWP files attached EVERY DAY.
Attackers know this, so they have researched the HWP document format as well as software vulnerabilities for a long time.
You cannot tell whether a document is malicious before opening it.

Malicious HWP Document
The contents of the malicious document are related to the recipient's business.
A malicious HWP is composed of a vulnerability part, an exploit part, a malware part and a normal document part.

Composition of a malicious document
- Normal document: NORMAL.hwp
- Malware part: MALWARE.exe (OLE, Object Linking and Embedding)
- Vulnerability part
- Exploit part

HWP Document Format
The streams of the BodyText storage are loaded into memory.
File structure and memory layout

Exploit
Data of tremendous size in the document is used for a heap spray. EB 08 = jmp (here+0x08): an x86 short jump forward over the next 8 bytes, so a repeated EB 08 pattern works as a sled.

Normal case (two tmp files)

Malicious case: normal document (hwp.hwp), ~AB.tmp, msloger.exe, tmp.dat
Files created on document loading (tmp files)
The Hwp.exe process is launched not with the user's file but with ~AB.tmp.

Malware Action 1
Hwp.exe displays ~AB.tmp (the decoy document).

Malware Action 2
System information leakage from the compromised PC.
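Process-level detection for the loading behaviour just described (a second Hwp.exe launched on ~AB.tmp, msloger.exe dropped into the temp directory), as an added example that is not part of the presentation. The log lines are constructed in a simple pid|ppid|image|command-line form rather than real Sysmon or EDR output, the Hancom install path and the benign helper.exe child are assumptions, and the three rules are heuristics a detection engineer would tune, not rules from KrCERT/CC.

```python
import ntpath
import re

# Constructed process-creation records (pid|ppid|image|command line); not real Sysmon/EDR output.
# The Hancom install path and the helper.exe child are assumptions made for this sample.
SAMPLE_LOG = r"""
20|1|C:\Windows\explorer.exe|explorer.exe
101|20|C:\Program Files\Hnc\Hwp80\Hwp.exe|"Hwp.exe" "C:\Users\kim\Desktop\report.hwp"
102|101|C:\Program Files\Hnc\Hwp80\helper.exe|"helper.exe"
201|20|C:\Program Files\Hnc\Hwp80\Hwp.exe|"Hwp.exe" "C:\Users\kim\AppData\Local\Temp\hwp.hwp"
202|201|C:\Users\kim\AppData\Local\Temp\msloger.exe|"msloger.exe"
203|201|C:\Program Files\Hnc\Hwp80\Hwp.exe|"Hwp.exe" "C:\Users\kim\AppData\Local\Temp\~AB.tmp"
"""

HANCOM_DIR = "c:\\program files\\hnc"                       # assumed install prefix
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def parse_log(text):
    """Split the constructed records into dicts keyed by field name."""
    events = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append({"pid": int(pid), "ppid": int(ppid), "image": image, "cmdline": cmdline})
    return events


def is_hwp(image):
    return ntpath.basename(image).lower() == "hwp.exe"


def in_temp(path):
    low = path.lower()
    return any(marker in low for marker in TEMP_MARKERS)


def opened_files(cmdline):
    """Quoted arguments after the program token: the document(s) the viewer was asked to open."""
    return re.findall(r'"([^"]+)"', cmdline)[1:]


def detect(events):
    """Return (rule, pid, detail) tuples for the behaviours described on the slides."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        image = e["image"]
        # Rule 1: the viewer is (re)launched on a .tmp decoy instead of the user's document.
        # An attachment opened from the temp directory is normal; a .tmp *document* is not.
        if is_hwp(image):
            for doc in opened_files(e["cmdline"]):
                if doc.lower().endswith(".tmp"):
                    alerts.append(("hwp_opened_tmp_decoy", e["pid"], doc))
        # Rule 2: Hwp.exe spawned something outside its own install directory.
        if parent is not None and is_hwp(parent["image"]) and not image.lower().startswith(HANCOM_DIR):
            alerts.append(("hwp_spawned_foreign_exe", e["pid"], image))
        # Rule 3: an executable running out of a temp directory (the dropped msloger.exe).
        if in_temp(image) and image.lower().endswith(".exe"):
            alerts.append(("exe_running_from_temp", e["pid"], image))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Rules 2 and 3 fire together on msloger.exe, and rule 1 fires on the second Hwp.exe instance; the benign session (pid 101 and its helper) produces nothing. In a real deployment the parent/child lookup would come from the EDR's process tree rather than from a pid map built over one log.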

Use of Malware
- Information leakage: key logger, system information
- Document leakage: HWP, DOCX
- Security bypass: vaccine (anti-virus), firewall
- Remote desktop: TeamViewer

Document Content and Social Issue
Dates (yy.mm): 12.6, 12.7, 12.9, 12.10, 12.11, 13.8
Contents: Robert King visited South Korea (US special envoy for North Korean human rights issues); solution of the North Korean nuclear issue; Dokdo issue; Diaoyu/Senkaku Islands dispute; World Energy Congress; 5th generation of Chinese leadership; 60th anniversary of the Armistice; World Energy Congress Daegu 2013
Issues: just before the new Chinese leader's inauguration; South Korean presidential election, 2012; Dokdo ceremony by a Korean national football player; Chinese navy exercise near the Diaoyu/Senkakus; The Day of Information Security 2012; Personal Information Protection Act; key election promise; Korean War & peace

Keywords of Documents
Korean War, national security, defense policy, Korea Air Force, future war, territorial dispute, Dokdo, peace of the Korean peninsula, Armistice 60 years, military, new product research, wage, contract, Personal Information Protection Act, energy forum, enterprise, leadership, contacts, SAMSUNG, tax audit, movie news, the public, North Korea and China, Kim Jong-un, reunification, Ministry of Unification, nuclear, unification forum, North Korea strategies, refugees, North Korea, foreign policy, Asia issue, Park Geun-hye, East Asia, ministry, key pledge, Unified Progressive Party, policy, foreign news, China visit, economic union, next government, policy recommendation, government, how to be loved by wife, election pledge, Takeshima, LG

Scenario of Malicious Document Attack
Attacker: information gathering -> spear phishing mail -> target organization (government, military) opens the document -> information leakage -> compromised e-mail account.

Attack Features
- Use an e-mail account like a C&C (command and control) server
- Use a document as a decoy
- Use a normal program as malware to avoid detection
- Use zero-day vulnerabilities
- Persistent attack

Attack Feature: Use E-mail as Command and Control
The mail address and account info (id, password) are hardcoded in the malware. The malware signs in to the mail server (example.com on the slide) and sends from that account; malware delivery and information leakage both flow through e-mail, and the final destination is the attacker's own account.

Sent items: leaked information from the compromised PC.

Attack Feature: Use Zero-day Vulnerabilities
About 15% of malicious documents use a zero-day vulnerability.
Finding a zero-day and making an exploit are not easy: one must understand the HWP document format and have one's own tools to build the exploit. The attackers have researched the document format and the software.

Attack Feature: Only Korea
Unlike doc and pdf, HWP is used in Korea only. This means the opportunity cost of the attackers' investment is very high.

Attack Feature: A Team, Not a Person (a guess)

Attack Feature: Since Oct. 2012
Vulnerabilities in Hancom Office, GOM Player and NateON (179 cases in 2013), especially HWP zero-days.

Response - KrCERT/CC
- Vulnerability Reward Program
- Secure coding at the software design step
- Detect abnormal section data and do not load it into memory
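The record-level check behind "detect abnormal section data and do not load it into memory", together with the oversized-data heap spray from the HWP Document Format and Exploit slides above, as an added example that is not part of the presentation or of Hancom's code. It assumes the record header layout of the published HWP 5.0 file-format specification (one little-endian DWORD: tag ID in bits 0-9, level in bits 10-19, size in bits 20-31, where 0xFFF means a 32-bit size follows) and that BodyText section streams are raw-deflate compressed. The 1 MiB size threshold and the EB 08 density heuristic are my own, the section contents are constructed samples rather than real documents, and reading the streams out of the OLE compound file is left to a CFB library.

```python
import struct
import zlib

# Record header layout per the published HWP 5.0 file-format spec (assumption stated in the
# lead-in): TagID = bits 0-9, Level = bits 10-19, Size = bits 20-31 of one little-endian DWORD;
# Size == 0xFFF means the real size follows as another DWORD.
HWPTAG_BEGIN = 0x10
HWPTAG_PARA_HEADER = HWPTAG_BEGIN + 50   # 0x42
HWPTAG_PARA_TEXT = HWPTAG_BEGIN + 51     # 0x43
SIZE_EXTENDED = 0xFFF

MAX_SANE_RECORD = 1 << 20        # heuristic: no single BodyText record should approach 1 MiB
JMP_SHORT_8 = b"\xeb\x08"        # x86 "jmp +8", the sled byte pair noted on the slide


def pack_record(tag, level, payload):
    """Encode one record; used here only to construct sample sections."""
    size = len(payload)
    if size >= SIZE_EXTENDED:
        head = struct.pack("<I", tag | (level << 10) | (SIZE_EXTENDED << 20))
        return head + struct.pack("<I", size) + payload
    return struct.pack("<I", tag | (level << 10) | (size << 20)) + payload


def iter_records(section):
    """Yield (tag, level, size, payload_offset); raise ValueError on data that must not be loaded."""
    off, end = 0, len(section)
    while off < end:
        start = off
        if end - off < 4:
            raise ValueError("truncated record header at offset %d" % off)
        (head,) = struct.unpack_from("<I", section, off)
        tag, level, size = head & 0x3FF, (head >> 10) & 0x3FF, head >> 20
        off += 4
        if size == SIZE_EXTENDED:
            if end - off < 4:
                raise ValueError("truncated extended size at offset %d" % off)
            (size,) = struct.unpack_from("<I", section, off)
            off += 4
        if size > end - off:   # the "abnormal section data" case: header claims more than exists
            raise ValueError("record 0x%x at offset %d claims %d bytes, only %d remain"
                             % (tag, start, size, end - off))
        yield tag, level, size, off
        off += size


def audit_section(compressed):
    """Inflate one BodyText/SectionN stream and return a list of findings (empty = looks sane)."""
    try:
        section = zlib.decompress(compressed, -15)   # HWP 5 stores raw deflate, no zlib header
    except zlib.error as exc:
        return [("bad_deflate", str(exc))]
    findings = []
    try:
        for tag, level, size, off in iter_records(section):
            if size > MAX_SANE_RECORD:
                findings.append(("oversized_record", tag, size))
            payload = section[off:off + size]
            # a sled shows up as one "jmp +8" every few bytes; demand at least one per 16 bytes
            if size >= 64 and payload.count(JMP_SHORT_8) * 16 >= size:
                findings.append(("jmp_sled", tag, size))
    except ValueError as exc:
        findings.append(("malformed", str(exc)))
    return findings


def deflate_raw(data):
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def sample_sections():
    """Constructed sample streams (not taken from any real document)."""
    para = pack_record(HWPTAG_PARA_HEADER, 0, b"\x00" * 22)
    benign = para + pack_record(HWPTAG_PARA_TEXT, 1, "Sample paragraph".encode("utf-16-le"))
    sled = (JMP_SHORT_8 + b"\x90" * 6) * (2 * 1024 * 1024 // 8)   # 2 MiB of jmp +8 / NOP filler
    spray = para + pack_record(HWPTAG_PARA_TEXT, 1, sled)
    truncated = struct.pack("<I", HWPTAG_PARA_TEXT | (0x100 << 20)) + b"AB"  # claims 256 bytes, has 2
    return {"benign": deflate_raw(benign), "spray": deflate_raw(spray), "truncated": deflate_raw(truncated)}


if __name__ == "__main__":
    for name, stream in sample_sections().items():
        print(name, audit_section(stream) or "ok")
```

The point of raising before yielding is that a loader built this way never copies a record whose declared size exceeds the stream, which is the bounds check the slide asks vendors for; the size and sled checks are separate triage heuristics layered on top of the parse.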

Response - Vendor (Hancom)
New version of Hancom Office (2014): detection of and protection against malicious documents; enhanced secure coding.

Response - Conclusion
- Software user: MUST update ALL software; MUST use a vaccine (anti-virus); take care before opening files attached to e-mail.
- Vendor: introduce secure coding; respond rapidly to vulnerabilities; make an effort to get users to update.
- CERT or security company: make patterns to detect malicious documents; share vulnerability information.

Thank you.