DOKKAEBI: Documents of Korean and Evil Binary

Wednesday 3 October 16:00 - 16:30, Red room

Jaeki Kim (Financial Security Institute)
Kyoung-Ju Kwak (Financial Security Institute)
Min-Chang Jang (Financial Security Institute)



In this talk, we will discuss the threat group known as 'Dokkaebi'. Dokkaebi is a legendary creature from Korean mythology. Dokkaebis, also known as Korean goblins, possess extraordinary powers and abilities that are used to interact with humans, at times playing tricks on them and at times helping them. In this case, Dokkaebi is frequently disguised as a legitimate organization or company in order to lure its targets. Once the HWP malware is executed, it acts in an insidious way.

HWP malware is very well known and is mentioned in many threat intelligence reports. This kind of malware has long been used in spear-phishing attacks due to the fact that the South Korean government and many public organizations have, for many years, used Hangul Word Processor (a.k.a HWP) as their official documentation software.

The interesting part regarding HWP malware is that the payload dropped from this malware is related to well-known malware families and threat groups such as Scarcruft (Group123, Reaper), Bluenoroff, Kimsuky and so on. These malicious payloads have also been observed in several incidents targeting cryptocurrency exchanges located in many other countries as well as in South Korea. This talk will cover a wide range of HWP malware. We attempt to organize and re-categorize these malware families with our own perspective by using vulnerabilities, decoding algorithms, methods of distribution, unique TTPs, etc.

This talk will also present a comparative analysis of the HWP malware features used in many operations. We will include several hidden samples which have not yet been disclosed in public malware repositories such as VirusTotal. We acquired these hidden samples during the investigation of several incidents in South Korea, and we have tracked and monitored their C&C servers which are used respectively for the distribution of malicious Android apps and storage of leaked documents (including HWP). A 1-day exploit was used for the mobile attack vector, and in the end APK malware is installed on specific target devices.

This talk will describe the landscape of HWP malware, which goes by various names, and provide an insight for malware researchers.