Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

North Korea Suspected of Using Zero-Day to Attack South

North Korea-based threat actors are suspected of being behind an attack leveraging a zero-day vulnerability in South Korea’s popular Hangul Word Processor (HWP).

Developed by South Korea-based office software provider Hancom, Hangul is a word processing application that is widely used within the country’s government and public institutions.

North Korea-based threat actors are suspected of being behind an attack leveraging a zero-day vulnerability in South Korea’s popular Hangul Word Processor (HWP).

Developed by South Korea-based office software provider Hancom, Hangul is a word processing application that is widely used within the country’s government and public institutions.

Malicious actors discovered an unpatched vulnerability in the application and used it to create HWPX documents designed to deliver a backdoor.

The flaw, a type confusion caused by a logic error in a HWP component (CVE-2015-6585), allows attackers to drop and execute a malicious payload on targeted systems. The security hole was patched by Hancom on September 7.

The malicious documents spotted by FireEye were designed to deliver a piece of malware dubbed “Hangman.” The threat is capable of harvesting system information, and uploading and downloading files.

Researchers have found several clues that point to North Korea’s involvement in this attack.

“While not conclusive, the targeting of a South Korean proprietary word processing software strongly suggests a specific interest in South Korean targets, and based on code similarities and infrastructure overlap, FireEye Intelligence assesses that this activity may be associated with North Korea-based threat actors,” FireEye said.

For instance, one of the hardcoded command and control (C&C) IP addresses was previously used by a variant of a backdoor dubbed “Macktruck.” The malware in question, compiled in April 2015, had been seen in attacks presumably launched by North Korean threat actors.

Advertisement. Scroll to continue reading.

Another piece of evidence is the similarity between functions used by Hangman and functions used by other malware families linked to North Korean groups, such as the “Peachpit” backdoor. A function incorporated in both these threats appears to be unique, which suggests that Hangman and Peachpit were created by the same developer, or at least they share code.

“Given that we have observed only limited use of backdoors such as PEACHPIT, it is reasonable to theorize that in addition to a common development history, the backdoors may be used by the same or closely related threat actors,” FireEye wrote in its report.

North Korea is often the main suspect for cyberattacks aimed at South Korean entities. In 2013, officials in Seoul officially accused Pyongyang of launching attacks against the systems of financial institutions, broadcasters, and government organizations.

In March 2014, North Korea was accused of attempting to steal sensitive data from South Korea’s defense ministry, and later in the year the South’s National Intelligence Service reported that the North had attempted to hack over 20,000 smartphones. More recently, North Korea was accused of being behind cyberattacks targeting South Korea’s nuclear power plant operator. United States authorities have blamed the country for the devastating attack against Sony Pictures. In many cases Pyongyang came forward to deny the accusations.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Cybercrime

On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.