Security Experts:

North Korea Suspected of Using Zero-Day to Attack South

North Korea-based threat actors are suspected of being behind an attack leveraging a zero-day vulnerability in South Korea’s popular Hangul Word Processor (HWP).

Developed by South Korea-based office software provider Hancom, Hangul is a word processing application that is widely used within the country’s government and public institutions.

Malicious actors discovered an unpatched vulnerability in the application and used it to create HWPX documents designed to deliver a backdoor.

The flaw, a type confusion caused by a logic error in a HWP component (CVE-2015-6585), allows attackers to drop and execute a malicious payload on targeted systems. The security hole was patched by Hancom on September 7.

The malicious documents spotted by FireEye were designed to deliver a piece of malware dubbed “Hangman.” The threat is capable of harvesting system information, and uploading and downloading files.

Researchers have found several clues that point to North Korea’s involvement in this attack.

“While not conclusive, the targeting of a South Korean proprietary word processing software strongly suggests a specific interest in South Korean targets, and based on code similarities and infrastructure overlap, FireEye Intelligence assesses that this activity may be associated with North Korea-based threat actors,” FireEye said.

For instance, one of the hardcoded command and control (C&C) IP addresses was previously used by a variant of a backdoor dubbed “Macktruck.” The malware in question, compiled in April 2015, had been seen in attacks presumably launched by North Korean threat actors.

Another piece of evidence is the similarity between functions used by Hangman and functions used by other malware families linked to North Korean groups, such as the “Peachpit” backdoor. A function incorporated in both these threats appears to be unique, which suggests that Hangman and Peachpit were created by the same developer, or at least they share code.

“Given that we have observed only limited use of backdoors such as PEACHPIT, it is reasonable to theorize that in addition to a common development history, the backdoors may be used by the same or closely related threat actors,” FireEye wrote in its report.

North Korea is often the main suspect for cyberattacks aimed at South Korean entities. In 2013, officials in Seoul officially accused Pyongyang of launching attacks against the systems of financial institutions, broadcasters, and government organizations.

In March 2014, North Korea was accused of attempting to steal sensitive data from South Korea’s defense ministry, and later in the year the South’s National Intelligence Service reported that the North had attempted to hack over 20,000 smartphones. More recently, North Korea was accused of being behind cyberattacks targeting South Korea’s nuclear power plant operator. United States authorities have blamed the country for the devastating attack against Sony Pictures. In many cases Pyongyang came forward to deny the accusations.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.