Suspicious HWP Sub Processes

calendar Feb 1, 2023 · attack.initial_access attack.t1566.001 attack.execution attack.t1203 attack.t1059.003 attack.g0032  ·
Share on: linkedin copy

Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation

Sigma rule (View on GitHub)

 1title: Suspicious HWP Sub Processes
 2id: 023394c4-29d5-46ab-92b8-6a534c6f447b
 3status: test
 4description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
 5references:
 6    - https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
 7    - https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
 8    - https://twitter.com/cyberwar_15/status/1187287262054076416
 9    - https://blog.alyac.co.kr/1901
10    - https://en.wikipedia.org/wiki/Hangul_(word_processor)
11author: Florian Roth (Nextron Systems)
12date: 2019/10/24
13modified: 2021/11/27
14tags:
15    - attack.initial_access
16    - attack.t1566.001
17    - attack.execution
18    - attack.t1203
19    - attack.t1059.003
20    - attack.g0032
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection:
26        ParentImage|endswith: '\Hwp.exe'
27        Image|endswith: '\gbb.exe'
28    condition: selection
29falsepositives:
30    - Unknown
31level: high

References

  • [ TECHNICAL TEARDOWN: EXPLOIT & MALWARE IN .HWP FILES ]

    [ TECHNICAL TEARDOWN: EXPLOIT & MALWARE IN .HWP FILES ] - Vulnerabilities - Information Security Newspaper | Hacking News


    Read More

  • Free Automated Malware Analysis Service - powered by Falcon Sandbox - Login

    Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • 라자루스(Lazarus) APT, 유령 꼭두각시(Operation Ghost Puppet)

    1. 최신 APT 캠페인, 작전명 유령 꼭두각시(Operation Ghost Puppet) 안녕하세요. 이스트시큐리티 시큐리티대응센터(ESRC)입니다. 2018년 8월경, 악성 한글 문서 파일 ‘유사수신행위 위반통보.hwp’가 발견되었습니다. 해당 문서 파일은 특정인의 유사 수신 행위에 대한 고발 내용을 담고 있지만 파일 내부에 ‘GhostScript’ 취약점 코드를 포함하고 있습니다. 이용자가 무심결에 실행할 경우, 취약점으로부터 원격 제어 기능을 수행하는 악성코드(페이로드)에 감염됩니다. 공격 과정에서 주목할 점은 공격자는 악성코드 감염을 위해 한글 문서 파일을 사용하였다는 것입니다. 공격자가 한글 문서를 사용한 이유는 ‘한글’ 워드프로세서 제품은 MS Office 제품군(Excel, Word 등)과..


    Read More

  • Hangul (word processor) - Wikipedia

    Hangul (Korean: 한글) is a proprietary word processing application published by the South Korean company Hancom Inc. Hangul's specialized support for the Korean written language has gained it widespr...


    Read More

Related rules

to-top