Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

HWP Documents and PostScript Abused to Spread Malware

A recently malware attack has been leveraging the Hangul Word Processor (HWP) word processing application and its ability to run PostScript code, Trend Micro reveals.

A recently malware attack has been leveraging the Hangul Word Processor (HWP) word processing application and its ability to run PostScript code, Trend Micro reveals.

Highly popular in South Korea, HWP has been long used in targeted attacks to perform reconnaissance or to spread remote access Trojans. In some attacks, the HWP documents were used alongside JPG, PDF, XLS, and other file formats.

As part of the recent incidents, the attackers abused HWP in association with PostScript, a language originally used for printing and desktop publishing. The campaign relies on emails containing malicious attachments to distribute malware, the researchers say.

Although a branch of PostScript called Encapsulated PostScript adds restrictions so as to make the opening of documents safer, older HWP versions implement these restrictions improperly. As a result, attackers have started using attachments containing malicious PostScript to drop shortcuts (or actual malicious files) onto the affected system.

The attack relies solely on PostScript to gain a foothold onto a victim’s machine and doesn’t use an actual exploit, the researchers say. Instead, it abuses a feature of PostScript that can manipulate files.

Although the language doesn’t have the ability to execute shell commands, it is used to drop files into various startup folders. Thus, these files are executed when the user reboots their machine.

The attack is used not only to drop executable files in the startup folder, but also to drop a shortcut to execute MSHTA.exe and run a JavaScript file. As part of other attacks, a shortcut is dropped in a startup folder, along with a DLL file in the %Temp% directory. The shortcut would call rundll32.exe to execute said DLL file.

One of the observed samples, Trend Micro says, would overwrite the file gswin32c.exe – which is the PostScript interpreter used by HWP – with a legitimate version of Calc.exe. Thus, other embedded PostScript content cannot be executed.

Because newer versions of the Hangul Word Processor implement EPS correctly, users are advised to upgrade the application to stay protected. The 2014 versions and later aren’t susceptible to this type of attack, Trend Micro says.

Related: Targeted Malware Campaign Uses HWP Documents

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...