Attacks Using Malicious Hangul Word Processor Documents Jaebyung
Attacks Using Malicious Hangul Word Processor Documents Jaebyung Yoon @ Kr. CERT/CC
Introduction of HWP l Hangul(한/글) : Word Processor of Hancom Inc. l HWP is a filename extension and abbreviation of Hangul Word Processor l The latest version is Hangul 2014 for Windows, Hangul 2008 for Linux, and Hangul 2006 for Mac OS X l The first version is 0. 9 in 1989
Other Asian Word Processors l 2 byte language Word Processor Ichitaro – Japanese Word Processor NJStar – Chinese Word Processor
History of Hangul l First Generation (~1999, HWP 3. 0) l Second Generation (2000~, HWP 5. 0)
History of Hangul l Save a Local SW Maker (The New York Times, 1999)
Hancom sales composition l Hangul Sales Composition l Office S/W Market Share Etc. 3% 2% 100% 90% 20% 80% 70% 60% Enterprise 36% 50% Government and Education 61% 40% 98% 80% 30% 20% 10% 0% Korea MS Office Global Hancom in Korea(Others in Global)
Stature of Hangul in Korea l Hangul supports the special needs of Korean written language especially government’s needs. l De facto format especially in Korean government, military and public education. l Government officer receives a lot of e-mails attached HWP file EVERYDAY. l Attackers also knew this circumstance so they has researched the HWP document format as well as software vulnerabilities for a long time.
Malicious HWP Document l Can not tell malicious or not before open l The contents of malicious document is related with recipient’s business. l Malicious HWP Composed of • vulnerability part, • exploit part, • malware part • and normal document part.
Composition of malicious document ① Vulnerability part NORMAL. hwp ② Exploit Part MALWARE. exe ③ Normal document ④ Malware part
HWP Document Format l OLE (Object Linking and Embedding)
File structure and memory layout – Exploit l Streams of Bodytext storage are loaded tremendous size in document Heap Spray EB 08 = jmp (here+0 x 08)
On document loading (tmp files) l Normal case (two tmp files) l Malicious case (normal document(hwp. hwp), ~AB. tmp, msloger. exe, tmp. dat)
Malware Action 1 l Hwp. exe process is not opened by user but ~AB. tmp. l ~AB. tmp
Malware Action 2 l System information leakage from compromised PC
Use of Malware Information leakage Key logger, System information Document leakage HWP, DOCX Security bypass Vaccine, firewall Remote desktop Team Viewer
Document Content and social issue Personal Information Protection Act Dokdo issue CONTENTS 5 th generations of Chinese leadership Korean War & Peace Key election promise Diaoyu/Senkaku Islands dispute Solution of North Korea Nuclear ISSUE World Energy Congress
Keyword of Document National Security Future War Armistice 60 years Korean War Military Korea Air force territorial dispute Dokdo Takeshima refugees North Korea and China Kim Jong-un New product research North Korea contacts Tax audit Peace of Korean peninsula Defense Policy Wage Enterprise Contract The public SAMSUNG Movie news Personal Information Energy forum Protection Act How to be loved by wife North Korea Strategies Unification forum Foreign policy Policy recommend ation Ministry Park Geun-hye Next government Gov’t Asia issue China visit East Asia Key pledge Nuclear reunification Ministry of unification leadership LG economic union foreign News Policy election pledge Unified Progressive Party
Scenario of malicious document attack ① Spear phishing mail Government Attacker Military ② Open document Compromised . Organization ③ Information leakage ④ Information gathering E-mail account
Attack feature Use Email account like C&C Use document as decoy Use normal program as malware to avoid detection Use Zero-day Vulnerability Persistent Attack
Attack feature l Use email as command control from aa@example. com id : name pw : pass to bb@example. com Hardcoded in malware Final destination - attacker’s account Malware delivery & info. leakage Mail address & account info. Sign in example. com send malware aa@example. com id : name pw : pass bb@example. com
Attack feature l Information flow through email Leaked Information from compromised PC Sent
Attack feature l Use zero-day vulnerability • About 15% of malicious documents use zero-day vulnerability. • Finding zero-day and making exploit are not easy. • Must understand HWP document format • Own tools to exploit → They have researched the document format and software l Only Korea • Unlike doc & pdf, HWP is used in Korea only • It means opportunity cost is very high
Attack feature l A team not a person - guessing Issue & Target Monitoring Team Vulnerability Research Team Social issue monitoring Malware Team Document Contents Document Format search Research Making malware Gathering target Software Manage C&C person email Vulnerability Manage email account Research
Response - Kr. CERT/CC Vulnerability Reward Program l Since Oct. 2012 l Hancom office, Gom player, Nate. ON Vulnerability (2013, 179 cases) l Especially HWP zero-day
Response - Vendor (Hancom) l Secure Coding in software design step l Detect Abnormal section data and don’t load to memory New version of Hancom office (2014) - Detect and protect of malicious document - Enhanced Secure coding
Response - Conclusion l Software User • MUST Update ALL software • MUST use Vaccine • Take care before opening attached file in email l Vendor • Introduce secure coding • Rapid respond for vulnerability • Effort to make users update l CERT or security company • Make pattern to detect malicious document • Share the vulnerability information
Thank you jbyoon@krcert. or. kr
- Slides: 28