Short Bytes: According to the security firm FireEye, Hangul Word Processor program used by the South Korean government was recently hacked by North Korean hackers. This backdoor called HANGMAN was able to steal the documents and upload them to a C&C server.
Few days ago, a vulnerability CVE-2015-6585 was reported and patched by its developer Hancom. The security firm examined the vulnerability and told that a group of hackers used the flaw in software to send and receive encrypted documents.
This 0-day exploit, used a .hwpx document, that helped to infect the Hangul Word Processor and opened a backdoor in the same. This backdoor called HANGMAN was able to steal the documents and upload them to a C&C server. The HANGMAN backdoor is finely crafted as it used SSL to encrypt the communications it made with C&C server.
FireEye researchers said: “The backdoor also wraps its communication protocol with SSL. HANGMAN begins communications by sending a legitimate SSL handshake to its command and control (C2) server. It then continues to communicate using SSL header messages, but the payload of the message is a custom binary protocol.”
However, the firm didn’t directly confirm the involvement of North Korea. It attributed the hack to North Korea as the backdoor made use of an IP address earlier spotted in another backdoor called MACKTRUCK. Also, the HANGMAN code was similar as seen in PEACHPIT and MACKTRUCK backdoors. It should be noted that these older backdoors were linked to North Korean government.
FireEye writes: “Both PEACHPIT and HANGMAN incorporate a function where Windows commands are passed to the backdoor from the remote C2 server. “
Did you like this story? Tell your views in comments below.