Full Report
On March 5, AhnLab SEcurity intelligence Center (ASEC) found a post recruiting students for a unification-related course, which included a link to download a malicious HWP document. At the time of analysis, there were download links for JPG, HWP, and DOC files at the bottom of the post. The HWP file among them was identified […]
Analysis Summary
# Incident Report: Malicious HWP Document Distributing Malware Campaign
## Executive Summary
A malicious campaign was found distributing malware disguised as an application form for a unification-related course, linked from an online post. The lure is a malicious HWP document that writes several files to `%TEMP%` and runs a BAT script; the script registers scheduled tasks in Task Scheduler for persistence and launches the dropped executables, which then download and execute further payloads from an external URL. The case illustrates the continued use of Korean document formats such as HWP as lures aimed at the general public.
## Incident Details
- Discovery Date: March 5, 2025
- Incident Date: On or before March 5, 2025 (When the malicious post was observed)
- Affected Organization: Not disclosed. The site hosting the recruitment post is either a compromised host or one operated by the threat actor to distribute the link.
- Sector: Education/Recruitment (Apparent lure); General Public
- Geography: Not explicitly disclosed; the HWP lure and the unification-course theme point to targets in South Korea.
## Timeline of Events
### Initial Access
- Date/Time: On or before March 5, 2025
- Vector: Malicious HWP Document distributed via a post recruiting students.
- Details: A public post contained links to download JPG, HWP, and DOC files, with the HWP file identified as the malicious application form dropper.
### Lateral Movement
- Details: No movement across a network is described. The observed activity is local: the dropped `document.bat` establishes persistence through Task Scheduler and runs the other dropped files.
### Data Exfiltration/Impact
- Impact: The malware downloads and executes additional files from an external URL, so the threat actor can run arbitrary commands on the host. The severity of any given infection depends on the payload served at that time.
### Detection & Response
- Detection: AhnLab SEcurity intelligence Center (ASEC) found and analyzed the post recruiting students on March 5, 2025.
- Response: ASEC analyzed the dropped files, identified the Task Scheduler persistence mechanism and the external download URL. AhnLab recommends that users update their endpoint protection (V3) to the latest version.
## Attack Methodology
- Initial Access: Malicious HWP document. No exploit of an HWP vulnerability is described; the document relies on its own structure and embedded hyperlinks with relative paths to get the dropped files written to disk and executed once the user follows the links.
- Persistence: `document.bat` registers scheduled tasks in Task Scheduler from the dropped task definitions `sch_0304.db` and `sch_0304_1.db`. The tasks run the dropped executables `0304.exe` and `0304_1.exe`, so the chain keeps running after the document is closed and across reboots.
- Privilege Escalation: Not described. Registering a scheduled task from a BAT script does not by itself elevate privileges; unless the task definition says otherwise, the tasks run in the context of the user who opened the document.
- Defense Evasion: Files are written to the standard `%TEMP%` folder, and payloads are staged under an innocuous extension and renamed only just before use (e.g., `wis.db` is renamed to `wins.bat`), so the script and task-definition files do not look like executables or scripts while on disk.
- Credential Access: Not explicitly detailed in the provided text.
- Discovery: Not explicitly detailed in the provided text, but the final payload execution allows for arbitrary commands.
- Lateral Movement: Not explicitly detailed beyond local persistence mechanisms.
- Collection: Not explicitly detailed in the provided text, but the final payload dictates collection capabilities.
- Exfiltration: Not explicitly detailed; the final objective appears to be remote command execution.
- Impact: Execution of an attacker-supplied payload downloaded from the external command and control (C2) URL.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Potential for various forms of data theft based on the final remote payload.
- Operational: Compromise of any endpoint whose user opened the HWP file and followed the embedded links, which triggers the dropper chain.
- Reputational: Low direct impact, but highlights security risks associated with legitimate-looking document exchange.
## Indicators of Compromise
- Network Indicators (Defanged): `http[:]//103[.]149[.]98[.]231/pprb/0304_pprb/d[.]php?newpa=comline`
- File Indicators (MD5 Hashes):
- `34d8c6e9426dc6c01bb47a53ebfc4efb`
- `49c91f24b6e11773acd7323612470ffb`
- `4edae618f59180577a196fa5bab89bb4`
- `7b6b6471072b8f359435f998a96176e7`
- `ce7fa1dc1e5a776dacb27fe2c4385ac2`
- Behavioral Indicators: Creation of multiple files in `%TEMP%` after an HWP document is opened; execution of a BAT file from `%TEMP%` that renames staged `.db` files and registers scheduled tasks from dropped task-definition files, with the tasks pointing at dropped EXE files (accompanied by MANIFEST files); followed by an outbound request to the download URL above.
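As an added example (not ASEC's code and not part of the original report), the following Python triage script turns the behavioral indicators above into checks a responder can run offline. It parses a Task Scheduler XML definition of the kind the `sch_0304*.db` files are assumed to be (the report says they define tasks; that they are XML imported with `schtasks /create /xml` is an assumption of this example), flags tasks whose action runs from `%TEMP%`, runs three detection rules over constructed process-creation events modeled on the chain (`document.bat` launched from Temp, `wis.db` renamed to `wins.bat`, a task definition imported from Temp), and produces the `schtasks /delete` command for the eradication step. The task name `0304`, the paths, the task XML contents and the event format are constructed for the example.

```python
"""Triage helpers for the HWP -> document.bat -> Task Scheduler chain.

Added example, not ASEC's code. It assumes (the report implies but does not
state) that the dropped sch_0304*.db files are Task Scheduler XML definitions
imported with `schtasks /create /xml`. All sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Default namespace used by Task Scheduler XML definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Matches the user's Temp folder as a resolved path or as the %TEMP% variable.
TEMP_RE = re.compile(r"(?:[\\/]AppData[\\/]Local[\\/]Temp[\\/]|%TEMP%)", re.IGNORECASE)

# Constructed task definition shaped like sch_0304.db is assumed to be; the file
# names follow the report, the contents are hypothetical.
SAMPLE_TASK_XML = r"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Local\Temp\0304.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign definition for comparison.
BENIGN_TASK_XML = r"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Updater\update.exe</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed process-creation events as (image, command line); illustrative,
# not a real Sysmon/EDR export. File names follow the report.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\document.bat"),
    (r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c ren "C:\Users\victim\AppData\Local\Temp\wis.db" wins.bat'),
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn "0304" /xml "C:\Users\victim\AppData\Local\Temp\sch_0304.db" /f'),
    (r"C:\Windows\System32\notepad.exe",
     r"notepad.exe C:\Users\victim\Documents\notes.txt"),
]


def task_actions(task_xml):
    """Return [(command, arguments), ...] for every Exec action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((cmd, args))
    return actions


def is_suspicious_task(task_xml):
    """Flag a task whose action runs from, or references, the user's Temp folder."""
    return any(TEMP_RE.search(cmd) or TEMP_RE.search(args)
               for cmd, args in task_actions(task_xml))


def _image_is(image, name):
    return image.lower().endswith("\\" + name)


def rule_bat_from_temp(image, cmdline):
    """cmd.exe launching a .bat that resides in Temp (document.bat)."""
    return (_image_is(image, "cmd.exe")
            and re.search(r'/c\s+"?[^"\s]+\.bat\b', cmdline, re.IGNORECASE) is not None
            and TEMP_RE.search(cmdline) is not None)


def rule_rename_to_script(image, cmdline):
    """ren/rename of a staged file in Temp into a script or executable (wis.db -> wins.bat)."""
    return (re.search(r"\bren(?:ame)?\b", cmdline, re.IGNORECASE) is not None
            and TEMP_RE.search(cmdline) is not None
            and re.search(r"\.(?:bat|cmd|exe)\b", cmdline, re.IGNORECASE) is not None)


def rule_schtasks_xml_from_temp(image, cmdline):
    """schtasks importing a task definition stored in Temp (sch_0304.db)."""
    return (_image_is(image, "schtasks.exe")
            and re.search(r"/create\b", cmdline, re.IGNORECASE) is not None
            and re.search(r"/xml\b", cmdline, re.IGNORECASE) is not None
            and TEMP_RE.search(cmdline) is not None)


RULES = [
    ("bat_launched_from_temp", rule_bat_from_temp),
    ("rename_to_script_in_temp", rule_rename_to_script),
    ("schtasks_import_from_temp", rule_schtasks_xml_from_temp),
]


def triage_events(events):
    """Return (rule_name, command_line) for every event that matches a rule, in order."""
    return [(name, cmdline) for image, cmdline in events
            for name, check in RULES if check(image, cmdline)]


def task_name_from_schtasks(cmdline):
    """Extract the /tn value from a schtasks command line, or None if absent."""
    m = re.search(r'/tn\s+"([^"]+)"|/tn\s+(\S+)', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def delete_task_command(task_name):
    """Command a responder runs to remove the registered task (eradication step)."""
    return 'schtasks /delete /tn "%s" /f' % task_name


if __name__ == "__main__":
    for xml in (SAMPLE_TASK_XML, BENIGN_TASK_XML):
        print(task_actions(xml), "suspicious" if is_suspicious_task(xml) else "benign")
    for name, cmdline in triage_events(SAMPLE_EVENTS):
        print(name, "<-", cmdline)
        if name == "schtasks_import_from_temp":
            print("  eradicate with:", delete_task_command(task_name_from_schtasks(cmdline)))
```

The rules deliberately key on the Temp folder rather than on the file names from this sample, since `0304` and `wis.db` will change between campaigns while a task whose action lives in `%TEMP%` or a `.db` being renamed to `.bat` there almost never occurs legitimately. On a live host the same checks apply to the XML that `schtasks /query /xml` exports for each registered task.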
## Response Actions
- Containment Measures: Identification of the malicious post and the file-distribution method. Containment on infected endpoints is not detailed in the report; blocking the download URL at the perimeter and isolating affected hosts is the usual first step.
- Eradication Steps: Delete the dropped files (`0304.exe`, `0304_1.exe`, `document.bat`, `wins.bat`, the `sch_0304*.db` task definitions and the MANIFEST files) and remove the registered tasks from Task Scheduler, verifying that the tasks are deleted rather than merely disabled.
- Recovery Actions: Update endpoint security software (V3) to the latest version so the known hashes and the dropper behavior are detected.
## Lessons Learned
- Threat actors continue to target general users with socially engineered documents (here HWP) disguised as legitimate opportunities such as education support or recruitment.
- File associations are not a reliable guard: no exploit was needed. Hyperlinks and relative paths inside the document were enough to get files written to disk and executed once the user followed them.
- Persistence (scheduled tasks) was established early in the chain, so access survived the end of the user's interaction with the document.
## Recommendations
- Users must be cautious with documents that require additional steps or clicks to reveal their content, regardless of the document type, and especially with HWP files received from unfamiliar sources.
- Site administrators must scan uploaded files and monitor file hosting on their platforms so that malicious binaries or documents are not served from legitimate-looking posts.
- Ensure all endpoint security solutions (e.g., V3) are updated immediately so that the listed file hashes and the behavioral pattern of this dropper chain (BAT from `%TEMP%`, scheduled-task registration, external download) are detected.