Attacks Using Malicious Hangul Word Processor Documents
Jaebyung Yoon @ KrCERT/CC

Introduction of HWP
Hangul (한/글): the word processor of Hancom Inc.
HWP is the filename extension and an abbreviation of Hangul Word Processor.
The latest version is Hangul 2014 for Windows, Hangul 2008 for Linux, and Hangul 2006 for Mac OS X.
The first version was 0.9 in 1989.

Other Asian Word Processors (2-byte language word processors)
Ichitaro: Japanese word processor
NJStar: Chinese word processor

History of Hangul
First generation (~1999, HWP 3.0)
Second generation (2000~, HWP 5.0)
"Save a Local SW Maker" (The New York Times, 1999)

Hangul Sales Composition
Office S/W market share (chart): MS Office 80% in Korea vs. 98% globally; Hancom 20% in Korea (others 2% globally).
Hancom sales composition (chart): government and education 61%, enterprise 36%, etc. 3%.

Stature of Hangul in Korea
Hangul supports the special needs of the Korean written language, especially the government's needs.
It is the de facto format in the Korean government, military and public education.
Government officers receive many e-mails with HWP files attached EVERY DAY.
Attackers know this circumstance, so they have researched the HWP document format as well as software vulnerabilities for a long time.

Malicious HWP Document
You cannot tell whether a document is malicious before opening it.
The content of a malicious document is related to the recipient's business.
A malicious HWP is composed of:
• a vulnerability part,
• an exploit part,
• a malware part,
• and a normal document part.

Composition of malicious document (diagram)
① Vulnerability part
② Exploit part
③ Normal document (NORMAL.hwp)
④ Malware part (MALWARE.exe)

HWP Document Format
The HWP document format is based on OLE (Object Linking and Embedding).

File structure and memory layout – Exploit
The streams of the BodyText storage are loaded into memory.
A stream of tremendous size in the document serves as the heap spray: EB 08 = jmp (here+0x08).

On document loading (tmp files)
Normal case: two tmp files.
Malicious case: normal document (hwp.hwp), ~AB.tmp, msloger.exe, tmp.dat.

Malware Action 1
The Hwp.exe process is not opened by the user but by ~AB.tmp.
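The two loading cases above (two tmp files on a normal open, versus hwp.hwp, ~AB.tmp, msloger.exe and tmp.dat, with Hwp.exe re-launched by ~AB.tmp) map onto a simple endpoint detection. The Python below is an added example, not from the talk or from Hancom; the Sysmon-style event records, field names and install/temp paths are constructed.

```python
from pathlib import PureWindowsPath

TEMP = r"C:\Users\u\AppData\Local\Temp"   # constructed temp directory
HWP = r"C:\Program Files\Hnc\Hwp.exe"      # constructed install path of Hwp.exe

def in_temp(path: str) -> bool:
    return path.lower().startswith(TEMP.lower())

def is_hwp(path: str) -> bool:
    return PureWindowsPath(path).name.lower() == "hwp.exe"

def detect(events: list) -> list:
    """Return alert strings for one document-open session of process/file events."""
    alerts = []
    for e in events:
        if e["event"] == "file_create" and is_hwp(e["image"]) and in_temp(e["target"]):
            name = PureWindowsPath(e["target"]).name
            # A normal open only drops ~*.tmp working files; a dropped executable
            # or a second document (the decoy) is what the malicious case shows.
            if PureWindowsPath(name).suffix.lower() in (".exe", ".hwp"):
                alerts.append(f"Hwp.exe dropped {name} in Temp")
        elif e["event"] == "process_create":
            if is_hwp(e["parent_image"]) and in_temp(e["image"]):
                alerts.append(f"Hwp.exe launched {PureWindowsPath(e['image']).name} from Temp")
            if is_hwp(e["image"]) and in_temp(e["parent_image"]):
                alerts.append(f"Hwp.exe started by {PureWindowsPath(e['parent_image']).name}, not by the user")
    return alerts

def ev(kind: str, pid: int, image: str, **extra) -> dict:
    return {"event": kind, "pid": pid, "image": image, **extra}

# Constructed telemetry for the two cases on the slide.
NORMAL_OPEN = [
    ev("process_create", 100, HWP, parent_image=r"C:\Windows\explorer.exe"),
    ev("file_create", 100, HWP, target=TEMP + r"\~DF1A2B.tmp"),
    ev("file_create", 100, HWP, target=TEMP + r"\~DF3C4D.tmp"),
]
MALICIOUS_OPEN = [
    ev("process_create", 200, HWP, parent_image=r"C:\Windows\explorer.exe"),
    ev("file_create", 200, HWP, target=TEMP + r"\hwp.hwp"),
    ev("file_create", 200, HWP, target=TEMP + r"\~AB.tmp"),
    ev("file_create", 200, HWP, target=TEMP + r"\msloger.exe"),
    ev("file_create", 200, HWP, target=TEMP + r"\tmp.dat"),
    ev("process_create", 201, TEMP + r"\~AB.tmp", parent_image=HWP),   # dropped file runs
    ev("process_create", 202, HWP, parent_image=TEMP + r"\~AB.tmp"),   # decoy re-opened
]
```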

Malware Action 2
System information leakage from the compromised PC.

Use of Malware
Information leakage: key logger, system information
Document leakage: HWP, DOCX
Security bypass: vaccine (anti-virus), firewall
Remote desktop: TeamViewer

Document Content and social issue (timeline: Jun. 2012, Jul. 2012, Sep. 2012, Oct. 2012, Nov. 2012, Aug. 2013)
Document contents: Robert King (US special envoy for North Korean human rights issues) visited South Korea; solution of the North Korea nuclear issue; Dokdo issue; Diaoyu/Senkaku Islands dispute; World Energy Congress Daegu 2013; 5th generation of Chinese leadership; 60th anniversary of the Armistice.
Social issues at the time: just before the new Chinese leader's inauguration; South Korean presidential election, 2012; Dokdo ceremony by a Korean national football player; Chinese navy exercise near Diaoyu/Senkakus; The Day of Information Security 2012; Personal Information Protection Act; key election promises; Korean War & peace.

Keyword of Document (word cloud; groups: Military, Enterprise, The public, North Korea, Ministry, Gov't)
Korean War, National Security, Defense Policy, Korea Air Force, Future War, territorial dispute, Dokdo, Peace of Korean peninsula, Armistice 60 years, New product research, Wage contract, Personal Information Protection Act, Energy forum, leadership, contacts, SAMSUNG, Tax audit, Movie news, North Korea and China, Kim Jong-un, reunification, Ministry of Unification, Nuclear, Unification forum, Strategies, refugees, Foreign policy, Asia issue, Park Geun-hye, East Asia, Key pledge, Unified Progressive Party, Policy, foreign news, China visit, economic union, Next government, Policy recommendation, How to be loved by wife, election pledge, Takeshima, LG

Scenario of malicious document attack (diagram)
Targets: government, military, organization
① Spear phishing mail → ② Open document → ③ Information leakage → ④ Information gathering
Actors in the diagram: attacker; compromised e-mail account

Attack feature
Use an e-mail account like a C&C
Use a document as a decoy
Use a normal program as malware to avoid detection
Use zero-day vulnerabilities
Persistent attack

Attack feature: use e-mail as command and control (diagram)
The mail address and account (id : name, pw : pass) are hardcoded in the malware.
Flow: the malware signs in to a mailbox at example.com and sends mail from it (malware delivery & information leakage); the final destination is the attacker's account.

Attack feature: information flow through e-mail (screenshot)
Leaked information from the compromised PC appears as sent mail in the account's Sent folder.

Attack feature: use of zero-day vulnerabilities
• About 15% of malicious documents use a zero-day vulnerability.
• Finding a zero-day and making an exploit are not easy.
• Must understand the HWP document format
• Own tools to exploit
→ They have researched the document format and the software.
Only Korea
• Unlike doc & pdf, HWP is used in Korea only.
• It means the opportunity cost is very high.

Attack feature: a team, not a person (guessing)
Issue & target monitoring team: social issue monitoring, document contents search, gathering target persons' e-mail addresses
Vulnerability research team: document format research, software vulnerability research
Malware team: making malware, managing C&C, managing e-mail accounts

Response - KrCERT/CC Vulnerability Reward Program
Since Oct. 2012: Hancom Office, Gom Player and NateON vulnerabilities (2013: 179 cases), especially HWP zero-days.

Response - Vendor (Hancom)
Secure coding in the software design step.
Detect abnormal section data and don't load it into memory.
New version of Hancom Office (2014): detects and protects against malicious documents; enhanced secure coding.
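As an added illustration of the vendor mitigation above (detect abnormal section data before it is loaded) and of the heap-spray layout described on the exploit slide (a huge BodyText stream filled with EB 08 = jmp +8), the following Python is not from the talk or from Hancom: it decompresses one HWP 5.0 BodyText section stream, walks its records, and flags records that are oversized or made of the jmp sled. The size threshold, the tag number and the two sample streams are constructed assumptions; the record header layout is the one in the HWP 5.0 format specification.

```python
import re
import struct
import zlib

# Heuristic thresholds: constructed for this example, not figures from the talk.
MAX_RECORD_BYTES = 256 * 1024   # a single paragraph record this large is abnormal
JMP_SLED = b"\xeb\x08"          # jmp (here+0x08), the heap-spray filler on the slide
SLED_RE = re.compile(rb"(?:\xeb\x08){64,}")  # 64+ back-to-back hops = a jmp sled

def iter_records(section: bytes):
    """Walk HWP 5.0 records: 32-bit LE header with TagID in bits 0-9, Level in
    bits 10-19 and Size in bits 20-31; Size == 0xFFF means a 32-bit size follows."""
    off = 0
    while off + 4 <= len(section):
        (hdr,) = struct.unpack_from("<I", section, off)
        tag_id, size = hdr & 0x3FF, hdr >> 20
        off += 4
        if size == 0xFFF:
            (size,) = struct.unpack_from("<I", section, off)
            off += 4
        yield tag_id, section[off:off + size]
        off += size

def scan_section(compressed: bytes) -> list:
    """Decompress one BodyText/SectionN stream (raw deflate) and return
    (record_index, tag_id, size, reason) tuples for records that must not be loaded."""
    findings = []
    for i, (tag_id, body) in enumerate(iter_records(zlib.decompress(compressed, -15))):
        if len(body) > MAX_RECORD_BYTES:
            findings.append((i, tag_id, len(body), "oversized record"))
        if SLED_RE.search(body):
            findings.append((i, tag_id, len(body), "EB 08 jmp sled (heap spray)"))
    return findings

# Builders for the constructed samples; tag 67 is treated here as an opaque text tag.
def make_record(tag_id: int, body: bytes, level: int = 0) -> bytes:
    if len(body) < 0xFFF:
        return struct.pack("<I", tag_id | level << 10 | len(body) << 20) + body
    return struct.pack("<II", tag_id | level << 10 | 0xFFF << 20, len(body)) + body

def compress_section(records: bytes) -> bytes:
    c = zlib.compressobj(wbits=-15)
    return c.compress(records) + c.flush()

TEXT = make_record(67, "Hello".encode("utf-16-le"))
BENIGN = compress_section(TEXT)                                          # one short paragraph
SPRAYED = compress_section(TEXT + make_record(67, JMP_SLED * 200_000))  # plus a 400 KB sled
```

A real scanner would first open the OLE compound file and pull each BodyText/SectionN stream; this block starts from the stream bytes so it runs offline.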

Response - Conclusion
Software user
• MUST update ALL software
• MUST use a vaccine (anti-virus)
• Take care before opening a file attached to an e-mail
Vendor
• Introduce secure coding
• Respond rapidly to vulnerabilities
• Make an effort to get users to update
CERT or security company
• Make patterns to detect malicious documents
• Share vulnerability information

Thank you.