Attacks on these individuals could be an attempt to gain a foothold into assets that can be deemed extremely valuable.
Cisco Talos discovered the campaign was active between November 2016 and January 2017, targeting a limited number of people.
The malicious document in question, which is written in Korean, is a Hangul Word Processor (HWP) file. HWP is a popular alternative to Microsoft Office in South Korea.
Cisco Talos reported that “many security devices are not equipped to process HWP files. This can allow an attacker a vector with a much lower risk of detection by any security scanning devices.”
The document was allegedly written by the Korean Ministry of Unification, whose logo appears in the footer. This Ministry is working towards reuniting North and South Korea.
An “interesting twist” came with the analysed malicious document, as it attempts to download a file from an official Korean government website, kgls.or.kr. The downloaded file is a binary disguised as a JPEG file, which is later executed as part of the infection.
The attackers were careful to remove their malicious payloads and not to reuse their infrastructure.
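A defender-side check for the disguise described above, as an added example (not code from Cisco Talos or the original article): it identifies a download by its leading bytes rather than its extension and flags image-named files that are really executables. The file names and byte strings are constructed samples, and treating "binary" as PE or ELF is an assumption.

```python
import os
import struct

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
EXECUTABLE_TYPES = {"pe", "elf"}  # assumption: the article only says "binary"

def is_pe(data: bytes) -> bool:
    """True if a DOS 'MZ' header's e_lfanew field points at a 'PE' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def sniff(data: bytes) -> str:
    """Classify content by magic bytes, ignoring the file name entirely."""
    if is_pe(data):
        return "pe"
    if data.startswith(b"\x7fELF"):
        return "elf"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole-cfb"  # OLE compound file, the container used by HWP 5.x
    return "unknown"

def disguised_executable(name: str, data: bytes) -> bool:
    """Image extension on the outside, executable format on the inside."""
    ext = os.path.splitext(name.lower())[1]
    return ext in IMAGE_EXTS and sniff(data) in EXECUTABLE_TYPES

def scan(downloads):
    """Return the names of downloads whose extension hides an executable."""
    return [name for name, data in downloads if disguised_executable(name, data)]

# Constructed samples: a minimal PE header, a JPEG header, an OLE header.
FAKE_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\x00\x00"
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
OLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(24)
SAMPLES = [("photo.jpg", FAKE_PE), ("logo.jpg", REAL_JPEG), ("report.hwp", OLE_DOC)]

if __name__ == "__main__":
    for flagged in scan(SAMPLES):
        print("extension/content mismatch:", flagged)
```

The same content-first classification applies at a proxy or mail gateway, where the OLE result marks documents that should be routed to a scanner able to parse HWP.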
“Due to these elements it's likely that this loader has been designed by a well-funded group in order to target public sector entities in South Korea. Many of these techniques fit the profile of campaigns previously associated with attacks by certain government groups,” Cisco Talos said.