Threat Research Blog

Zero-Day HWP Exploit

FireEye recently identified several malicious documents in the wild that exploit a previously unknown vulnerability (CVE-2015-6585) in the Hangul Word Processor (HWP). HWP, published by a South Korean company, is a Korean word processing application. It is widely used in South Korea, primarily by government and public institutions. Some HWP programs, such as HWP Viewer, are also frequently used by private organizations. The payloads and infrastructure in the attack are linked to suspected North Korean threat actors. Hancom patched CVE-2015-6585 with a security update on September 7, 2015.

Exploit Details

HWP 2014 introduced support for the KS (Korean Industrial Standards) standardized HWP file format (HWPX). Although HWPX-formatted documents use the .hwpx extension by default, they may also use the file extension .hwp of older HWP files. The new format, OWPML (Open Word-Processor Markup Language), uses XML files within a zip archive. The structural differences between HWP and HWPX documents are similar to those between Microsoft Word .doc and .docx files.
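Because an HWPX document can carry the older .hwp extension, triage should look at the container rather than the file name. The following is an added example, not code from the original post: it classifies a document by its leading magic bytes and flags zip-based content named .hwp. The function names, the sample archive member names and the assumption that legacy binary HWP files are OLE compound files are not from the page.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file header (assumed legacy HWP container)
ZIP_MAGIC = b"PK\x03\x04"                      # local file header at the start of a zip archive


def classify_hwp(name, data):
    """Classify a document by container type instead of trusting its extension."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    xml_members = []
    if data.startswith(OLE_MAGIC):
        container = "ole"
    elif data.startswith(ZIP_MAGIC):
        container = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # XML parts are what an HWPX-aware parser will end up processing.
                xml_members = sorted(n for n in zf.namelist()
                                     if n.lower().endswith(".xml"))
        except zipfile.BadZipFile:
            container = "corrupt-zip"
    else:
        container = "unknown"
    return {
        "container": container,
        "xml_members": xml_members,
        # The case described above: XML-in-zip content under the older extension.
        "hwpx_as_hwp": ext == "hwp" and container == "zip",
    }


def constructed_hwpx_sample():
    """Build a tiny zip in memory; member names and contents are constructed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contents/section0.xml", "<sec/>")
        zf.writestr("Contents/header.xml", "<head/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "report.hwp": constructed_hwpx_sample(),      # zip content, old extension
        "legacy.hwp": OLE_MAGIC + b"\x00" * 504,      # constructed OLE-style header
        "broken.hwpx": ZIP_MAGIC + b"truncated",      # zip magic, unreadable archive
    }
    for fname, blob in samples.items():
        print(fname, classify_hwp(fname, blob))
```

A document flagged `hwpx_as_hwp` is one to route through HWPX-aware inspection even though mail or endpoint filters keyed on extension would treat it as a legacy file.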

Para text is a data record type that stores the content of each paragraph in body text. When parsing a para text tag within an .hwpx file, a logic error in hwpapp.dll results in a type confusion scenario. When paired with an appropriate heap spray, this vulnerability can result in code execution.

Read more about the exploit here.