Hackers linked to North Korea have exploited a vulnerability in Hangul, the most popular word processor in South Korea and one widely used in its government offices, to plant a backdoor. The online battle against espionage is being fought globally!
According to research by the security company FireEye, the attackers used a known vulnerability (CVE-2015-6585), which was patched on Monday, September 7.
The zero-day exploit was delivered in an .hwpx document (a format similar to the .docx used by Microsoft Office), which exploited flaws in the Hangul word processor (the most popular text processor in Korea, the equivalent of Microsoft Word) to open a backdoor in the software.
According to the security company FireEye, this backdoor, called HANGMAN, is capable of stealing files and sending them to a Command & Control Server, while also being able to download new files to the victim's computer.
The HANGMAN backdoor was also well designed: it used SSL connections to encrypt its communications with the C&C (command and control) server, hiding the data transfer from prying eyes.
Targeting South Korea's own proprietary word processing software clearly indicates a particular interest in South Korea. Based on similarities between the code used and the infrastructure, FireEye Intelligence estimates that this activity is probably linked to North Korean actors.
For more in-depth technical details on how the attack is distributed, you can download the full FireEye report (PDF).