✅ Report Title:
Analysis of Malware Disguised as Exploiting Domestic Social Issues (December 11, 2024)
✅ Report Summary:
On December 11, 2024, malware disguised as documents related to recent domestic social issues was discovered, and initial analysis was conducted.
Malware Operation and Key Features Include:
- The malware, disguised as a Hangul Word Processor (HWP) file, appears to display an actual document related to domestic social issues when executed. However, it was found to download additional payloads and execute malicious code.
- The malware downloads decoy documents and additional malicious code from a pre-configured GitHub repository set up by the attacker.
- The additional downloaded malware was identified as a stealer-type malicious code that exfiltrates information from infected PCs and downloads further files from the attacker's GitHub.
Response Strategy Includes:
- The attacker has been active on GitHub since at least July 2023 and has a history of distributing QuasarRAT malware through resume-themed files.
📌 What are examples of malware disguised as HWP (Hangul Word Processor) files?
- MD5: 35b4f28dd2d50dbf48e5c63c3ef5efb7
- SHA256: 64a77edc15aad8bfc6829363926dd7f3020751c821a04015b43bf06aae27a956
- The file disguised as a document related to domestic social issues has been identified as a downloader-type malware that downloads and executes additional files from a hardcoded GitHub address.
- The binary contains a hardcoded GitHub address, from which it downloads an encoded decoy document and decodes it using XOR operations.
- Download URL: hxxps[:]//github[.]com/adrhpbrn29/iqWThPAGUQ/raw/main/data1
- Save location: %LocalAppData%/Temp/[Korean] XXX-XX Headquarters Operational Reference [Original].hwp
- MD5: 5a8d7925887255eb742f4f32e91aeb50
- SHA256: 734c916aa14ea88530b31defeef687c7e5be78cbd3e291571944ca0ff4ddec33
- To conceal the infection from the user, the downloader opens the decoy document with the ShellExecute API. It then fetches a second malicious file from another hardcoded GitHub address, saves it in the %Temp% directory, extracts it under %LocalAppData%/GoogleUpdater, and launches updater.exe from that directory using the CreateProcessA API.
- Download URL: hxxps[:]//github[.]com/adrhpbrn29/iqWThPAGUQ/raw/main/GoogleUpdater.zip
- Download location: %Temp%/pbnscf
- After extraction: %LocalAppData%/GoogleUpdater/
- updater.exe (legitimate)
- MD5: 823816b4a601c69c89435ee17ef7b9e0
- SHA256: c2a7c0fa80f228c2ce599e4427280997ea9e1a3f85ed32e5d5e4219dfb05ddb2
- version.dll (Stealer)
- MD5: 66e8096b9b061550314a82654ce0fabd
- SHA256: c43507b6f2c2cb033d3f55229b20adfde9cda4dfb93dc3db45556847638ec7f8
- Of the two files dropped under the %LocalAppData%/GoogleUpdater directory, updater.exe was identified as legitimate. However, version.dll was confirmed to be stealer-type malware that exfiltrates information from the infected PC and downloads additional files; it is loaded by updater.exe via DLL side-loading.
✅ Recommended Threat Detection and Mitigation Measures:
- On December 11, 2024, malware disguised as documents related to recent domestic social issues was discovered, and initial analysis was conducted.
- The malware, disguised as a Hangul Word Processor (HWP) file, appears to display an actual document related to social issues when executed but was found to download additional payloads and execute malicious code.
- Upon execution of the additional malware, it was identified as a stealer-type malware that exfiltrates information from the infected PC and downloads further files from the attacker's GitHub repository.
- The attacker has been active on GitHub since at least July 2023 and has a history of distributing QuasarRAT malware through resume-themed files.
- Malicious code targeting domestic users continues to be distributed from the attacker's GitHub repository. Users are strongly advised to exercise caution and avoid executing files with double extensions.
🧑💻 Report Author: S2W TALON
👉 For inquiries about the full report: https://s2w.inc/en/contact
*The full report is available upon request and for QUAXAR subscribers.