A deceptive HWP document, masquerading as a reunification education support application, was discovered on March 5. When opened, the document creates multiple files in the TEMP folder, including a malicious BAT file. The BAT file performs several actions to keep the malware running persistently, including registering a scheduled task and executing additional malicious files. The malware ultimately contacts an external URL to download and execute further files, allowing the threat actors to run various commands. This incident is part of a recent trend of malware distribution through HWP documents, with attacks now targeting the general public rather than specific users. Users are advised to be cautious and keep their security software updated.
Author: AlienVault
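The execution chain summarised above (document viewer launching a batch file from TEMP, then scheduled-task persistence pointing back into TEMP) as an added detection example; this is not part of the pulse, and the event field layout, the "Hwp.exe" process name, the paths and the sample events are all constructed assumptions.

```python
import ntpath
import re

# Constructed sample process-creation events (assumed layout loosely modelled on
# Sysmon Event ID 1: ParentImage, Image, CommandLine). None of these paths, names
# or task names come from the pulse; "Hwp.exe" is an assumed viewer process name.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Hnc\Office\Hwp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\support.bat"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 10 /tn "Office Update" '
                r'/tr "C:\Users\alice\AppData\Local\Temp\loader.exe"'},
    {"parent": r"C:\Windows\explorer.exe",          # benign: should not match
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\alice\AppData\Local\Temp"},
]

TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
BAT_REF = re.compile(r"\.bat\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so comparisons ignore directories and case."""
    return ntpath.basename(path).lower()


def rule_hwp_spawns_temp_bat(ev: dict) -> bool:
    """Viewer spawns cmd.exe running a .bat under %TEMP% (T1204.002 -> T1059.003)."""
    return (basename(ev["parent"]) == "hwp.exe"
            and basename(ev["image"]) == "cmd.exe"
            and TEMP_PATH.search(ev["cmdline"]) is not None
            and BAT_REF.search(ev["cmdline"]) is not None)


def rule_temp_scheduled_task(ev: dict) -> bool:
    """schtasks /create whose /tr action lives under %TEMP% (T1053.005 persistence)."""
    cmd = ev["cmdline"]
    if basename(ev["image"]) != "schtasks.exe" or "/create" not in cmd.lower():
        return False
    action = re.search(r'/tr\s+"?([^"]+)', cmd, re.IGNORECASE)
    return action is not None and TEMP_PATH.search(action.group(1)) is not None


RULES = {"hwp_spawns_temp_bat": rule_hwp_spawns_temp_bat,
         "temp_scheduled_task": rule_temp_scheduled_task}


def detect(events: list) -> list:
    """Return (event index, rule name) pairs for every event that matches a rule."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The task rule inspects the /tr action rather than the whole command line, so a task created under Program Files with a Temp-looking task name does not trigger it.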
Related Tags:
T1053.005
downloader
T1204.002
T1547.001
T1059.003
dropper
T1105
T1036
Korea, Republic of
Associated Indicators: