Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

North Korea Suspected of Using Zero-Day to Attack South

North Korea-based threat actors are suspected of being behind an attack leveraging a zero-day vulnerability in South Korea’s popular Hangul Word Processor (HWP).

Developed by South Korea-based office software provider Hancom, Hangul is a word processing application that is widely used within the country’s government and public institutions.

North Korea-based threat actors are suspected of being behind an attack leveraging a zero-day vulnerability in South Korea’s popular Hangul Word Processor (HWP).

Developed by South Korea-based office software provider Hancom, Hangul is a word processing application that is widely used within the country’s government and public institutions.

Malicious actors discovered an unpatched vulnerability in the application and used it to create HWPX documents designed to deliver a backdoor.

The flaw, a type confusion caused by a logic error in a HWP component (CVE-2015-6585), allows attackers to drop and execute a malicious payload on targeted systems. The security hole was patched by Hancom on September 7.

The malicious documents spotted by FireEye were designed to deliver a piece of malware dubbed “Hangman.” The threat is capable of harvesting system information, and uploading and downloading files.

Researchers have found several clues that point to North Korea’s involvement in this attack.

Advertisement. Scroll to continue reading.

“While not conclusive, the targeting of a South Korean proprietary word processing software strongly suggests a specific interest in South Korean targets, and based on code similarities and infrastructure overlap, FireEye Intelligence assesses that this activity may be associated with North Korea-based threat actors,” FireEye said.

For instance, one of the hardcoded command and control (C&C) IP addresses was previously used by a variant of a backdoor dubbed “Macktruck.” The malware in question, compiled in April 2015, had been seen in attacks presumably launched by North Korean threat actors.

Another piece of evidence is the similarity between functions used by Hangman and functions used by other malware families linked to North Korean groups, such as the “Peachpit” backdoor. A function incorporated in both these threats appears to be unique, which suggests that Hangman and Peachpit were created by the same developer, or at least they share code.

“Given that we have observed only limited use of backdoors such as PEACHPIT, it is reasonable to theorize that in addition to a common development history, the backdoors may be used by the same or closely related threat actors,” FireEye wrote in its report.

North Korea is often the main suspect for cyberattacks aimed at South Korean entities. In 2013, officials in Seoul officially accused Pyongyang of launching attacks against the systems of financial institutions, broadcasters, and government organizations.

In March 2014, North Korea was accused of attempting to steal sensitive data from South Korea’s defense ministry, and later in the year the South’s National Intelligence Service reported that the North had attempted to hack over 20,000 smartphones. More recently, North Korea was accused of being behind cyberattacks targeting South Korea’s nuclear power plant operator. United States authorities have blamed the country for the devastating attack against Sony Pictures. In many cases Pyongyang came forward to deny the accusations.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.