Threat Actors Using .hwp Files to Distribute RokRAT Malware and Evade Detection Mechanisms
The AhnLab Security Intelligence Center (ASEC) has identified a campaign in which threat actors use Hangul Word Processor (.hwp) documents to deliver the RokRAT remote access trojan (RAT), a departure from their earlier reliance on shortcut (LNK) files that bundled decoy content with malicious scripts.
This shift to .hwp files, commonly used in South Korea for document processing, allows attackers to exploit legitimate software behaviors to bypass security detections, including antivirus scans and user suspicions.
Novel Distribution Technique
The discovered samples include file names such as “250615_Operation status of grain store.hwp,” “Recent major portal site.hwpx,” and “[Notice] Q1 VAT Return Filing Deadline (Final),” designed to mimic innocuous business or operational documents.
For instance, the “250615_Operation status of grain store.hwp” file contains content detailing North Korea’s grain distribution points, aligning seamlessly with its filename to reduce user wariness and enhance social engineering efficacy.
The infection chain begins when a victim opens the malicious .hwp document in the Hangul Word Processor.
Embedded within the document are Object Linking and Embedding (OLE) objects that automatically extract and place files like ShellRunas.exe and credui.dll into the system’s %TEMP% directory upon rendering the relevant page, orchestrated by the Hangul process itself without requiring external downloads from a command-and-control (C2) server.
A strategically placed hyperlink at the bottom of the document, labeled “[Appendix] Reference Materials.docx,” points directly to %TEMP%\ShellRunas.exe.
Exploitation of OLE Objects
Clicking the link triggers a warning prompt asking whether to run the file; if the user confirms, ShellRunas.exe starts and the malware deployment begins.
ShellRunas.exe, a legitimate Microsoft-signed executable, is hijacked via DLL side-loading, wherein it inadvertently loads the adjacent malicious credui.dll from the same path.
The technique abuses the Windows DLL search order: a DLL that is requested by name and is not on the KnownDLLs list is looked up in the executable's own directory before the system directories, so a rogue credui.dll dropped beside ShellRunas.exe shadows the genuine one in System32 and its code runs inside a Microsoft-signed process.
ASEC noted similar usages of other benign programs, including accessenum.exe paired with mpr.dll and hhc.exe with hha.dll, expanding the attackers’ toolkit for evading endpoint detection and response (EDR) systems.
Once loaded, credui.dll initiates a connection to Dropbox to fetch a seemingly benign image file named Father.jpg.
Steganographic analysis, however, reveals shellcode hidden inside the image; the loader extracts and decrypts it and injects RokRAT directly into memory, so the final payload is never written to disk as a file that disk-based scanning or forensic tooling could flag.

This in-memory execution enables RokRAT to perform reconnaissance, exfiltrate sensitive user data such as credentials and system information, and execute commands from the threat actor’s C2 infrastructure, potentially leading to data theft, lateral movement, or further payload deployment.
The malware’s modular design supports versatile malicious behaviors, including keylogging, screenshot capture, and file manipulation, making it a potent tool for advanced persistent threats (APTs), often attributed to North Korean-linked groups.
ASEC has released MD5 hashes for the implicated files (a2ee8d2aa9f79551eb5dd8f9610ad557, d5fe744b9623a0cc7f0ef6464c5530da, e13c3a38ca58fb0fa9da753e857dd3d5, and e4813c34fe2327de1a94c51e630213d1) to aid in threat hunting and signature-based blocking.
Organizations, particularly those handling .hwp files in regions like South Korea, are urged to restrict the execution of OLE objects and hyperlinks from untrusted HWP documents, monitor %TEMP% for executables and DLLs written by the Hangul process, and use behavioral analytics to flag signed binaries that load a DLL from their own directory instead of the system directory.
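The side-loading chain described above and the monitoring advice in the previous paragraph can both be turned into a concrete hunt. The following Python is an added example, not code from ASEC or the original article: it walks Sysmon-style events and flags the three observable steps of the chain (the Hangul process writing a PE file into a temp directory, one of the named host binaries starting from that directory, and that binary loading its paired DLL from outside the system directories), then correlates them by file path rather than by parent process. The Hwp.exe process name and install path, the user name, the PIDs and the event records are constructed assumptions.

```python
"""Hunt for the HWP -> %TEMP% drop -> DLL side-load chain in Sysmon-style telemetry.

Added example; not code from ASEC or the original article. The event records,
the Hwp.exe install path and the PIDs are constructed assumptions.
"""
import ntpath
import re

# Signed host binaries and the DLL each one side-loads, as named in the report.
SIDELOAD_PAIRS = {
    "shellrunas.exe": "credui.dll",
    "accessenum.exe": "mpr.dll",
    "hhc.exe": "hha.dll",
}
HWP_PROCESS = "hwp.exe"  # assumption: process name of Hangul Word Processor
TEMP_DIR_RE = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PE_EXTENSIONS = (".exe", ".dll")


def norm(path):
    """Normalise a Windows path and lower-case it for case-insensitive comparison."""
    return ntpath.normpath(path).lower()


def in_temp(path):
    """True for the per-user or system temp directories (Sysmon logs expanded paths)."""
    return TEMP_DIR_RE.search(norm(path)) is not None


def in_system_dir(path):
    """True when the file lives where the genuine system DLL should be resolved from."""
    return norm(path).startswith(SYSTEM_DIRS)


def analyze(events):
    """Return (rule, pid, detail) findings for the three observable steps of the chain.

    Sysmon EventID 11 = FileCreate, 1 = ProcessCreate, 7 = ImageLoad. The final
    'hwp_sideload_chain' finding fires only when the host executable and the DLL it
    loaded were both written to a temp directory by the Hangul process earlier on.
    """
    findings = []
    dropped = set()       # PE files the Hangul process wrote into a temp directory
    hosts_started = {}    # pid -> image of a known side-load host started from temp
    for ev in events:
        eid = ev["EventID"]
        image = norm(ev["Image"])
        proc_name = ntpath.basename(image)
        if eid == 11 and proc_name == HWP_PROCESS:
            target = norm(ev["TargetFilename"])
            if in_temp(target) and target.endswith(PE_EXTENSIONS):
                dropped.add(target)
                findings.append(("hwp_drops_pe_to_temp", ev["ProcessId"], target))
        elif eid == 1 and proc_name in SIDELOAD_PAIRS and in_temp(image):
            hosts_started[ev["ProcessId"]] = image
            findings.append(("sideload_host_from_temp", ev["ProcessId"], image))
        elif eid == 7 and proc_name in SIDELOAD_PAIRS:
            loaded = norm(ev["ImageLoaded"])
            expected = SIDELOAD_PAIRS[proc_name]
            if ntpath.basename(loaded) == expected and not in_system_dir(loaded):
                findings.append(("dll_sideload", ev["ProcessId"], loaded))
                host = hosts_started.get(ev["ProcessId"])
                if host in dropped and loaded in dropped:
                    findings.append(("hwp_sideload_chain", ev["ProcessId"],
                                     f"{host} -> {loaded}"))
    return findings


# Constructed sample telemetry (assumptions: install path, user name, PIDs).
HWP = r"C:\Program Files\HNC\Office\Bin\Hwp.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 4120, "Image": HWP, "TargetFilename": TEMP + r"\~DF3A91.tmp"},
    {"EventID": 11, "ProcessId": 4120, "Image": HWP, "TargetFilename": TEMP + r"\ShellRunas.exe"},
    {"EventID": 11, "ProcessId": 4120, "Image": HWP, "TargetFilename": TEMP + r"\credui.dll"},
    # The rules correlate by path, not by parent, so it does not matter which
    # process ends up brokering the hyperlink click.
    {"EventID": 1, "ProcessId": 5012, "Image": TEMP + r"\ShellRunas.exe", "ParentImage": HWP},
    {"EventID": 7, "ProcessId": 5012, "Image": TEMP + r"\ShellRunas.exe",
     "ImageLoaded": TEMP + r"\credui.dll"},
    # Benign noise: a copy of AccessEnum loading the real mpr.dll from System32.
    {"EventID": 7, "ProcessId": 700, "Image": r"C:\Tools\accessenum.exe",
     "ImageLoaded": r"C:\Windows\System32\mpr.dll"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

The `dll_sideload` rule on its own will also fire for some legitimate installs that ship the paired DLL next to the executable, which is why the high-confidence `hwp_sideload_chain` finding additionally requires that both the host binary and the DLL were written into a temp directory by the Hangul process; the lower-confidence rules are still worth keeping as hunt leads.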
This evolution in RokRAT distribution underscores the need for layered defenses against file-based threats, as attackers continue to refine techniques to exploit trusted applications and cloud storage for stealthy operations.
Indicators of Compromise (IOCs)
| File Name | MD5 | Description |
|---|---|---|
| 250615_Operation status of grain store.hwp | a2ee8d2aa9f79551eb5dd8f9610ad557 | Malicious HWP document |
| Recent major portal site.hwpx | d5fe744b9623a0cc7f0ef6464c5530da | Malicious HWP document |
| [Notice] Q1 VAT Return Filing Deadline | e13c3a38ca58fb0fa9da753e857dd3d5 | Malicious HWP document |
| ShellRunas.exe (embedded) | e4813c34fe2327de1a94c51e630213d1 | Legitimate executable, side-loaded |