North Korea exploits 0-day in Seoul's favourite word processor
'Macktruck' attack network sends in the 'Hangman'
FireEye researchers Genwei Jiang and Josiah Kimble say attackers from North Korea exploited a zero-day vulnerability in a word processor popular with the South Korean government.
The attackers exploited the vulnerability (CVE-2015-6585) in the Hangul Word Processor before a patch was issued last Monday.
Accurate attribution of North Korean actors is inherently difficult, but Jiang and Kimble say the attack payloads and infrastructure point to North Korea-based actors. They stop short of attributing the attack to the Pyongyang government itself.
"While not conclusive, the targeting of a South Korean proprietary word processing software strongly suggests a specific interest in South Korean targets, and based on code similarities and infrastructure overlap, FireEye intelligence assesses that this activity may be associated with North Korea-based threat actors," the pair say in an advisory (PDF).
The attackers used a backdoor dubbed Hangman that can send and receive encrypted files and commands and gather system information. The Hangman samples share command-and-control infrastructure with a known North Korean attack in June dubbed "Macktruck".
Moreover, Hangman's backdoor functions are found in little else besides another backdoor, dubbed PeachPit, which has been attributed to North Korea-based attackers.
"This implies that PeachPit and Hangman were written by the same developers or, at minimum, share some of the same source code. Given that we have observed only limited use of backdoors such as PeachPit, it is reasonable to theorise that in addition to a common development history, the backdoors may be used by the same or closely related threat actors."
While the pair make no mention of intent, it is reasonable to expect the attackers sought access to South Korean government systems or those of its contractors, both heavy users of the Hangul Word Processor.
Attacks from the North against South Korea are commonplace. Many outside observers say the North is at an advantage because its own internet infrastructure is so small, while the South's attack surface is much larger.
Reports suggest the North Korean government rewards its Bureau 121 hackers handsomely. That unit, said to number 1800 staff, has been blamed for the devastating attack on Sony Pictures. ®