Friday, April 29, 2011

Hwp.exe in Apr. 8 CVE-2011-0611 Flash Player Zero day - SWF in DOC/ XLS - Disentangling Industrial Policy..

According to Cédric Gilbert (SkyRecon R&D), the shellcode’s last command include a “taskkill /im hwp.exe”. This hwp.exe file could be related to a South-Korean Word Processor Software :
“Hangul Word Processor or HWP”. According to Wikipedia :
It is used extensively in South Korea, especially by the government.
According to Hangul’s website, this word processor handle Microsoft .DOC & .DOCX documents.
So the questions are
  1. Is the infected doc with zero-day also ‘compatible’ with it ?
  2. Was it used on targets in Korea or targets who use this processor?
  3. Was it made in Korea?

Your comments and thoughts are welcome.

No comments:

Post a Comment