ESTsecurity, be cautious of North Korean hacking attacks that have been disguised as casting calls for the Ministry of Culture, Sports and Tourism's KTV YouTube channel.

2022. 5. 23.

[Subject used as the lure: 'Yoon Suk-yeol administration's North and South Korea policy: North Korean coronavirus support and the direction of inter-Korean dialogue?']

Security specialist company ESTsecurity (CEO Jung Jin-il) announced on the 23rd that special attention is required because a malicious HWP document, disguised as an invitation to appear on a YouTube broadcast of the Korea Policy Broadcasting Corporation (KTV) under the Ministry of Culture, Sports and Tourism, is being distributed.

The attack disguises an HWP document as a request to appear on KTV's online policy and current-affairs program. In practice it is a targeted attack on experts in the North Korea field that borrows the name of a real YouTube broadcast.

The body of the malicious document asks whether the recipient can appear on a broadcast on Tuesday, May 24, on the theme 'Yoon Suk-yeol government's North and South Korea policies: North Korean coronavirus support and the direction of inter-Korean dialogue?'.

The attacker embedded a malicious OLE (Object Linking and Embedding) object in the HWP document. When the document is opened it displays a fake message window reading 'The document was created in a higher version.', mimicking a prompt Hancom Office users see often, so that the user proceeds without suspicion and the embedded object is executed.

APT attacks that abuse OLE objects in HWP files have increased noticeably of late. Because this technique relies on the user rather than on a software vulnerability (it is not an exploit), users running the latest version of Hancom Office are just as exposed; patching alone does not stop it.

According to the analysis of the ESTsecurity Security Response Center (hereafter ESRC), a malicious OLE object is embedded in the HWP document, and it uses Batch (.bat) files and PowerShell commands to attempt communication with the server 'work3.b4a[.]app' (written defanged here). This C2 address has appeared repeatedly in North Korea-linked intrusions and should be blocked promptly.

A comprehensive analysis of the threat data used in this attack reveals several commonalities with 'Geumseong121', the group believed to be behind earlier attacks: in particular, the use of Russian Yandex email accounts and of overseas cloud services to store stolen personal information.

The North Korea-linked 'Geumseong121' group has also been confirmed to make active use of HWP-based malicious documents in APT attacks and to keep making covert approaches to North Korean human rights workers, defector-support activists, and journalists at North Korea-focused media.

The finding is especially noteworthy given how quickly cyber security has become a key issue following the joint statement of the South Korea-U.S. summit between President Yoon Suk-yeol and President Joe Biden, which covered deterring cyber adversaries and securing critical infrastructure and significantly expanded cooperation on responding to North Korean cyber threats.

Most hacking attacks attributed to North Korea to date have used malicious MS Office (DOC) files, but HWP-based OLE attacks are now being discovered one after another. Hancom Office users should therefore treat any unexpected message window shown when a document opens with more suspicion than before, and keep the document security level set to 'High'.

ESRC Center Director Moon Jong-hyun said, "Cyber security threats believed to be North Korean actions have shown no sign of stopping even after the new government's launch, and the methods used to approach hacking targets are evolving into more sophisticated techniques," and stressed, "In particular, North Korea-linked cyber threats against the private sector are escalating day by day, making stronger public-private cooperation more important than anything."

Meanwhile, ESTsecurity ESRC is cooperating closely with relevant authorities such as the Korea Internet & Security Agency (KISA), sharing related cyber threat information to prevent the spread of known threats.

WE WORK WITH AI

We believe that AI makes the world more convenient and safer

1.

Senior care with AI

An AI senior-care service that provides entertainment and cognitive enhancement for seniors using AI human technology

2.

Education with AI

Expansion of educational businesses into various fields of AI content, such as creating celebrity-instructor video lectures, producing TOEIC speaking educational content, and serving as a fitness training instructor

3.

Content with AI

Implementing 'moving pictures' with EST AI technology, and 'face transformation, makeup application, and clothing creation' through deep learning

Creating and using various AI human content, such as virtual new-hire analysts and announcers

4.

API business with AI

Providing data and solutions that use AI as an API, so that companies can focus on their core customer value

5.

Software with AI

ESTsoft AI technology, such as the background-removal feature in ALSee Capture and the smooth design of the ALTools products, provides the utility environment that users want

LET'S Connect

We collaborate with ambitious brands and people around the world.

To learn more about creating digital experiences that effectively reach and engage customers and target audiences, please contact us.

CEO: Sangwon Jung

Business Registration Number 229-81-03214 Mail-Order Business Notification Number 2011-Seoul Seocho-1962

EST Building, 3 Banpo-daero, Seocho-gu, Seoul (Postal Code 06711)