A recently malware attack has been leveraging the Hangul Word Processor (HWP) word processing application and its ability to run PostScript code, Trend Micro reveals.
Highly popular in South Korea, HWP has been long used in targeted attacks to perform reconnaissance or to spread remote access Trojans. In some attacks, the HWP documents were used alongside JPG, PDF, XLS, and other file formats.
As part of the recent incidents, the attackers abused HWP in association with PostScript, a language originally used for printing and desktop publishing. The campaign relies on emails containing malicious attachments to distribute malware, the researchers say.
Although a branch of PostScript called Encapsulated PostScript adds restrictions so as to make the opening of documents safer, older HWP versions implement these restrictions improperly. As a result, attackers have started using attachments containing malicious PostScript to drop shortcuts (or actual malicious files) onto the affected system.
The attack relies solely on PostScript to gain a foothold onto a victim’s machine and doesn’t use an actual exploit, the researchers say. Instead, it abuses a feature of PostScript that can manipulate files.
Although the language doesn’t have the ability to execute shell commands, it is used to drop files into various startup folders. Thus, these files are executed when the user reboots their machine.
The attack is used not only to drop executable files in the startup folder, but also to drop a shortcut to execute MSHTA.exe and run a JavaScript file. As part of other attacks, a shortcut is dropped in a startup folder, along with a DLL file in the %Temp% directory. The shortcut would call rundll32.exe to execute said DLL file.
One of the observed samples, Trend Micro says, would overwrite the file gswin32c.exe – which is the PostScript interpreter used by HWP – with a legitimate version of Calc.exe. Thus, other embedded PostScript content cannot be executed.
Because newer versions of the Hangul Word Processor implement EPS correctly, users are advised to upgrade the application to stay protected. The 2014 versions and later aren’t susceptible to this type of attack, Trend Micro says.