How To: Analyzing a Malicious Hangul Word Processor Document from a DPRK Threat Actor Group

A few days ago, ESTsecurity published a post detailing a newly identified malicious Hangul Word Processor (HWP) document that shares technical characteristics with previously reported malicious activity attributed to North Korean threat actors. An important note: this particular group is not typically associated or clustered with the SWIFT/ATM adversary detailed in other posts on this blog, although this blog avoids specific vendor naming classifications where possible.

The Hangul Office suite is widely used in South Korea; in the West, it is significantly less common. As a result, there is limited public documentation on how to analyze exploit-laden HWP documents. This blog post is intended to provide start-to-finish documentation of the analysis of the file identified by ESTsecurity. As such, the language used will be somewhat less formal than the content typically posted here.


How the Silence Downloader Has Evolved Over Time

In a previous post this blog briefly compared two versions of the Silence group's proxy malware, a post-intrusion tool used to relay network traffic between a C2 endpoint and a non-internet-facing device. This post examines three versions of the group's downloader and documents how it has changed over the last eighteen months. While some characteristics have persisted, several notable functions have been removed, added, or modified in newer versions of the tool.

Tracking such changes helps analysts determine whether a newly discovered sample (on the network or in an online repository) is truly new; when the sample turns out to be older and forensic data is missing, it can also help approximate when the sample was likely deployed.


Some Notes on the Silence Proxy

In August 2018, Group-IB published research (available in translated form here) regarding a financially-motivated group referred to by the community as Silence. Included in this report is the mention of a proxy tool that the group uses to route traffic to and from devices on an infected network that are normally isolated from the Internet.

Although the tool is simple (and still in development), it has not yet been well documented publicly. This may partly be because the tool is relatively rare: Group-IB describes Silence as a small group performing a limited set of activities. For researchers to obtain a copy, the Silence proxy would have to be deployed post-compromise, identified during incident response, and uploaded online. Given this rarity, some notes on the .NET version of the tool are provided below as a reference for future analysts.
