We currently assess with medium confidence that this campaign and NavRAT are linked to Group123. Previously, we published several articles concerning Group123 ( here, here, here, here and here). One of the most interesting questions we still have is regarding attribution - and who is behind this malware. These files are document files created by the Korean equivalent to Microsoft Word, Hangul Word Processor by Haansoft.
There is a corresponding version for Windows, Linux (x86 platform), and Mac OS X. ppt.The latest version of the Office Suite is the 2010 version. Users are also allowed to save their documents in MS Office formats including.
We have already observed malware using free email platforms for abuse, but this is the first time we have identified a malware that uses Naver - which is known for its popularity in South Korea. This is a free utility that can be downloaded from the developer’s website. The uploaded file(s) are sent by email, and the downloaded files are retrieved from an email attachment. HWP files, up to the versions created with Hangul 97, can be opened with OpenOffice or.
Step 3 Download your pdf-file Wait till your conversion process will be completed and click download converted pdf file. Hangul saves documents in HWP format, with the filename extension. Step 2 Convert hwp to pdf Select pdf or any other format, which you want to convert. It uses the legitimate Naver email platform in order to communicate with the attackers via email. Step 1 Upload hwp-file Select hwp file, which you want to convert, from your computer, Google Drive, Dropbox or drag and drop it on the page. However, the command and control (C2) infrastructure is very specific. This is a classic RAT that can download, upload, execute commands on the victim host and, finally, perform keylogging. You may have Hangul Word Processor File but your computer is not configured to associate HWP files with the relevant software. The purpose is to download and execute an additional payload hosted on a compromised website: NavRAT. An Encapsulated PostScript (EPS) object is embedded within the document in order to execute malicious shellcode on the victim systems. Download Supported File Types (Text Files) HWP is the file format used to describe document files that have been created using Hangul Word Processor which is a Korean word processing application (Text Files) Dictionarys are usually lists of words with definitions for them and often includes the correct way to pronounce the word. The HWP file format is mainly used in South Korea. The decoy document is named “미북 정상회담 전망 및 대비.hwp” (Prospects for US-North Korea Summit.hwp). If a malicious document is opened, a remote access trojan that we’re calling “NavRAT” is downloaded, which can perform various actions on the victim machine, including command execution, and has keylogging capabilities. Talos has discovered a new malicious Hangul Word Processor (HWP) document targeting Korean users. The HWP binary format specification has been published online, free by Hancom on June 29, 2010.
This blog post is authored by Warren Mercer and Paul Rascagneres with contributions from Jungsoo An. Hangul (also known as Hangul Word Processor or HWP) is a proprietary word processing application published by the South Korean company Hancom Inc.