The Study on YARA Rules and Detection Tool for HWP Document-Type Malware

  • Joongjin Kook (Dept. of Electronics and Information System Engineering, Sangmyung University) ;
  • Heechan Won (Dept. of Electronics and Information System Engineering, Sangmyung University) ;
  • Sungwoo Kim (Dept. of Information Security Engineering, Sangmyung University) ;
  • Dohee Kim (Dept. of Information Security Engineering, Sangmyung University) ;
  • Junghoon Lee (Dept. of Information Security Engineering, Sangmyung University)
  • Received : 2024.08.28
  • Accepted : 2024.09.14
  • Published : 2024.09.30

Abstract

This study details the development of YARA rules and a detection program specifically designed to identify malware in HWP documents, a common target in cyber-attacks within South Korea. By thoroughly analyzing the unique structural features of HWP files, we developed precise YARA rules that were subsequently integrated into a custom detection tool. The program was rigorously tested on a dataset of benign and malicious HWP documents, demonstrating high detection accuracy and a low false-positive rate. This research offers a robust and practical solution for enhancing cybersecurity in environments where HWP files are frequently used, contributing valuable tools for the targeted detection of document-based malware.
