Distribution of Malicious LNK Files Targeting Korean Financial Companies

Short Summary:

AhnLab Security Emergency response Center (ASEC) has reported the distribution of malicious LNK files targeting Korean financial companies. These files are being sent via emails with malicious URLs, leading to the download of a compressed file that contains both a legitimate PDF and a malicious LNK file. The LNK file executes an obfuscated PowerShell command that ultimately leads to the theft of user information and the download of additional malicious files.

Key Points:

  • Malicious LNK files are being distributed to Korean financial companies.
  • Distribution occurs through emails with malicious URLs.
  • Downloaded compressed file contains a legitimate PDF and a malicious LNK file.
  • The LNK file executes an obfuscated PowerShell command.
  • Malicious activities include user information theft and downloading additional malicious files.
  • The threat actor uses complex and obfuscated scripts to evade detection.
  • Users are advised to avoid executing files from unknown sources.

MITRE ATT&CK TTPs – created by AI

  • Command and Control (C2) – T1071
    • Uses HTTP/S for communication with the command and control server.
  • Data Encrypted for Impact – T1486
    • Potentially encrypts user data to extort victims.
  • Credential Dumping – T1003
    • Collects user information from the system.
  • Obfuscated Files or Information – T1027
    • Obfuscates PowerShell commands to evade detection.
  • Execution – T1203
    • Executes malicious scripts and commands through LNK files.


AhnLab Security Emergency response Center (ASEC) has discovered that malicious LNK files are being distributed to Korean financial companies. Caution is advised, as attacks using LNK files have been observed continuously for a long time.

The recently observed LNK files are believed to be distributed through emails containing a malicious URL. The URL is as follows, and a compressed file named “금융당국 요청에 따른 프로젝트 정보 확인 요청의 건.zip” (“Request for Project Information as per Financial Authority.zip”) is downloaded. Currently, only legitimate documents are included in the downloaded zip file, suggesting that the threat actor distributes malicious files only for a short period to make analysis and tracking more difficult.

  • Download URL
    hxxps://cumasufitness[.]com/wp-includes/js/inc/?aEFrmRUBjZHtF=cfv0wxmIIUr%2BJAwMxATk9fG%2B8bF2B4KmBd7fe3KYw594YW%2B4GMISiUDCi6d3o8rjLWkvIZyD%2BDGFejKC5K%2BM2jACfRH%2Baq6HxTGuHd0ZXc8yANAvFQ3Zduafgo1P2JU%2FBSN1e3uNA6w%3D

In the distributed malicious compressed file, there are both a malicious LNK file and a legitimate PDF file inside.

Figure 1. Inside the compressed file

The legitimate PDF file requests an update on information related to a cryptocurrency project and prompts the user to execute the malicious LNK file.

Figure 2. Legitimate PDF

The malicious LNK file may easily be mistaken for an Excel file by an average user. However, the LNK file contains a malicious PowerShell command, and the total file size is approximately 300 MB.

Figure 3. Malicious LNK file

The PowerShell command is obfuscated, with a higher level of complexity compared to previously distributed types. It appears that special characters are used in variable names, and all strings are fragmented to evade analysis and detection.

Figure 4. The obfuscated malicious PowerShell command

The functionality of the PowerShell command remains the same as before. The command performs an XOR operation on data located at a specific position within the LNK file and then creates the following files.

  • {Current path}\#1. 프로젝트 정보 업데이트 요청사항.xlsx (Project Information Update Request.xlsx) (normal)
  • %Public%\transfer.cab (malicious)
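The following is example code added for this article (not ASEC's tooling) showing how a defender can triage a shortcut for the traits described above without running it: a valid ShellLink header, the HasArguments flag, an unusually large file, PowerShell obfuscation markers in the UTF-16LE argument string, and a payload XOR-encoded at a fixed offset that is decoded and labelled by file magic. The payload offset, XOR key and the demo shortcut produced by build_demo_lnk() are constructed for the demonstration; the real sample's offset and key are not given on the page.

```python
"""Static triage of a Windows shortcut (.lnk): header checks, size check,
PowerShell indicators in the argument string, and static replay of the
XOR decode step to recover the embedded files. Added example code for
this article; the offset/key below are constructed, not the real sample's."""
from __future__ import annotations
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_MAGIC = b"\x4c\x00\x00\x00"                                # HeaderSize field == 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FLAG_HAS_ARGUMENTS = 0x00000020   # LinkFlags: a COMMAND_LINE_ARGUMENTS string is present
FLAG_IS_UNICODE = 0x00000080      # LinkFlags: string data is UTF-16LE
DEMO_PAYLOAD_OFFSET = 0x400       # constructed: where the demo shortcut keeps its encoded data

# Markers worth flagging in a shortcut's arguments: PowerShell itself, a hidden
# window, policy bypass / encoded command, and "read myself and XOR" logic.
INDICATORS = {
    "powershell": re.compile(r"powershell|pwsh", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s*h(?:idden)?\b", re.I),
    "bypass_or_encoded": re.compile(r"-ep\s*bypass|executionpolicy\s*bypass|-e(?:nc(?:odedcommand)?)?\s", re.I),
    "self_read_and_xor": re.compile(r"ReadAllBytes|-bxor|\[char\]|-join", re.I),
}
MAGIC = {b"MSCF": "cab", b"PK\x03\x04": "zip/ooxml", b"%PDF": "pdf", b"MZ": "pe"}


def utf16_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Pull printable UTF-16LE runs; LNK string data (arguments, icon path) is stored that way."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def triage_lnk(data: bytes, size_threshold: int = 50 * 1024 * 1024) -> dict:
    """Header validity, HasArguments flag, size check and indicator hits; 'suspicious' combines them."""
    result = {"is_lnk": False, "has_arguments": False, "oversized": False, "hits": [], "suspicious": False}
    if len(data) < LNK_HEADER_SIZE or data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        return result
    result["is_lnk"] = True
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    result["has_arguments"] = bool(link_flags & FLAG_HAS_ARGUMENTS)
    result["oversized"] = len(data) > size_threshold          # a ~300 MB shortcut is itself a signal
    text = "\n".join(utf16_strings(data))
    result["hits"] = [name for name, rx in INDICATORS.items() if rx.search(text)]
    result["suspicious"] = (result["has_arguments"] and "powershell" in result["hits"]
                            and (result["oversized"] or len(result["hits"]) >= 2))
    return result


def xor_carve(data: bytes, offset: int, key: bytes) -> tuple[str, bytes]:
    """Replay the dropper's decode step statically: XOR everything from `offset` with a
    repeating key and label the result by file magic, so the dropped files can be
    recovered for analysis without executing the shortcut."""
    decoded = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[offset:]))
    kind = next((name for magic, name in MAGIC.items() if decoded.startswith(magic)), "unknown")
    return kind, decoded


def build_demo_lnk(payload: bytes, key: bytes) -> bytes:
    """Constructed sample: a ShellLinkHeader with HasArguments|IsUnicode set, the
    COMMAND_LINE_ARGUMENTS string (2-byte count + UTF-16LE chars), zero padding up to
    DEMO_PAYLOAD_OFFSET, then the XOR-encoded payload. Other LNK structures are omitted."""
    header = bytearray(LNK_HEADER_SIZE)
    header[0:4] = LNK_MAGIC
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, FLAG_HAS_ARGUMENTS | FLAG_IS_UNICODE)
    args = ("powershell.exe -w hidden -ep bypass $b=[IO.File]::ReadAllBytes($l);"
            "$c=$b[0x400..($b.Length-1)]|%{$_ -bxor 0x5A};[IO.File]::WriteAllBytes($o,$c)")
    body = bytes(header) + struct.pack("<H", len(args)) + args.encode("utf-16-le")
    body = body.ljust(DEMO_PAYLOAD_OFFSET, b"\x00")
    return body + bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


if __name__ == "__main__":
    demo_key = b"\x5a"
    demo_cab = b"MSCF" + b"\x00" * 4 + b"constructed-cab-body"
    sample = build_demo_lnk(demo_cab, demo_key)
    print(triage_lnk(sample, size_threshold=1024))
    print(xor_carve(sample, DEMO_PAYLOAD_OFFSET, demo_key))
```

On a real file you would call triage_lnk() on the file's bytes with the default threshold; xor_carve() only helps once the offset and key have been read out of the decoded PowerShell command, which is why the demo passes them in explicitly.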

Afterward, the generated legitimate Excel file is executed to make it difficult for the user to detect any malicious activity. At this point, the accompanying malicious CAB file is extracted, and the “start.vbs” file is executed. The LNK file and the CAB file are then deleted to erase traces of execution.

Figure 5. Legitimate Excel file

Figure 6. Inside transfer.cab

The features of each script, including start.vbs, are as follows:

File Name       Function
start.vbs       Executes 37667862.bat
37667862.bat    Registers start.vbs to the Run key;
                executes 57089304.bat (download feature), 39054408.bat (infostealer feature), and 69299856.bat (download feature)
57089304.bat    Downloads a ZIP file through 46492345.bat;
                decompresses the ZIP file through unzip.exe, then executes 1.bat
39054408.bat    Collects user information;
                executes 90262621.bat
69299856.bat    Downloads a CAB file through 46492345.bat;
                decompresses the CAB file through the “expand” command, then executes temprun.bat
46492345.bat    Downloads files
90262621.bat    Uploads the user’s information
unzip.exe       Decompresses the ZIP file

Table 1. Functions of the scripts

The final malicious behaviors performed by each script are the theft of user information and the download of additional malicious files. The stolen user information includes the following details, which are sent to “hxxp://shutss[.]com/upload.php”.

  • Stolen information (39054408.bat function)
    The list of files in the “downloads” folder
    The list of files in the “documents” folder
    The list of files in the “desktop” folder
    System information

Two files are downloaded in total: a ZIP file and a CAB file. The ZIP file is decompressed through unzip.exe, and a password (a0) is required to decompress the file. After extracting, the 1.bat file among the generated files is executed.

  • Download URL (57089304.bat function)
    hxxps://thevintagegarage[.]com/plugins/content/src/inc/get.php?ra=iew&zw=lk0100

The CAB file is decompressed using the expand command, and temprun.bat, which is created by the extraction, is then executed.

  • Download URL (69299856.bat function)
    hxxp://shutss[.]com/list.php?f=%COMPUTERNAME%.txt

Currently, additional files cannot be downloaded, so the subsequent malicious behaviors remain unknown. However, various attacks could be carried out depending on the files uploaded by the threat actor.
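The script chain described above (LNK-launched PowerShell, CAB extraction under %Public%, start.vbs, Run key persistence, unzip.exe with a password) gives several independent detection points. The code below is an added example for this article, not ASEC's detection content: it runs a rule per stage over constructed process-creation events with Sysmon Event ID 1-style fields (host, parent, image, cmd) and alerts only when several distinct stages land on the same host, since each stage alone (expand.exe, wscript.exe) can be legitimate. How transfer.cab is extracted and which value name the Run key uses are not stated on the page, so the expand.exe event and the value name "svc" are assumptions of the demo.

```python
"""Stage-based detection of the LNK -> PowerShell -> CAB -> start.vbs -> .bat chain
over constructed process-creation events. Added example, not ASEC's content."""
from __future__ import annotations
import re
from collections import defaultdict

# %Public% either expanded to C:\Users\Public or still literal in the command line
PUBLIC = r"(?:%public%|\\users\\public)\\"


def _ends(path: str, *names: str) -> bool:
    return path.lower().endswith(tuple(n.lower() for n in names))


def lnk_powershell_obfuscated(e: dict) -> bool:
    """Shortcut launched from Explorer spawning PowerShell with a long or self-decoding command line."""
    return (_ends(e["parent"], "explorer.exe") and "powershell" in e["image"].lower()
            and (len(e["cmd"]) > 400
                 or re.search(r"ReadAllBytes|-bxor|\[char\]|-join", e["cmd"], re.I) is not None))


def cab_expand_from_public(e: dict) -> bool:
    """expand.exe unpacking a .cab under %Public% (assumption: the page says only that the CAB is extracted)."""
    return _ends(e["image"], "expand.exe") and re.search(PUBLIC + r".*\.cab", e["cmd"], re.I) is not None


def vbs_from_public(e: dict) -> bool:
    """wscript/cscript running a .vbs from %Public%, as start.vbs is."""
    return (_ends(e["image"], "wscript.exe", "cscript.exe")
            and re.search(PUBLIC + r".*\.vbs", e["cmd"], re.I) is not None)


def runkey_persists_vbs(e: dict) -> bool:
    """reg add ...\\CurrentVersion\\Run pointing at a .vbs (37667862.bat registers start.vbs)."""
    return re.search(r"\breg(?:\.exe)?\s+add\b.*currentversion\\run\b.*\.vbs", e["cmd"], re.I) is not None


def unzip_with_password(e: dict) -> bool:
    """A dropped unzip.exe extracting with -P <password> (the page notes password a0)."""
    return _ends(e["image"], "unzip.exe") and re.search(r"\s-P\s*\S+", e["cmd"]) is not None


RULES = [lnk_powershell_obfuscated, cab_expand_from_public, vbs_from_public,
         runkey_persists_vbs, unzip_with_password]


def match_rules(event: dict) -> list[str]:
    return [rule.__name__ for rule in RULES if rule(event)]


def correlate(events: list[dict]) -> dict[str, set[str]]:
    """Distinct chain stages observed per host."""
    stages: dict[str, set[str]] = defaultdict(set)
    for e in events:
        for name in match_rules(e):
            stages[e["host"]].add(name)
    return dict(stages)


def alerting_hosts(events: list[dict], min_stages: int = 3) -> list[str]:
    """Alert when several distinct stages of the chain appear on one host."""
    return sorted(h for h, s in correlate(events).items() if len(s) >= min_stages)


# Constructed sample events: one infected host and one host with benign activity.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_CMD = r"C:\Windows\System32\cmd.exe"
_EXPL = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    {"host": "FIN-PC01", "parent": _EXPL, "image": _PS,
     "cmd": "powershell.exe -w hidden -ep bypass $b=[IO.File]::ReadAllBytes($l);$c=$b[0x400..]|%{$_ -bxor 0x5A}"},
    {"host": "FIN-PC01", "parent": _PS, "image": r"C:\Windows\System32\expand.exe",
     "cmd": r'expand "C:\Users\Public\transfer.cab" -F:* "C:\Users\Public"'},
    {"host": "FIN-PC01", "parent": _PS, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\Public\start.vbs"'},
    {"host": "FIN-PC01", "parent": _CMD, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d "%Public%\start.vbs" /f'},
    {"host": "FIN-PC01", "parent": _CMD, "image": r"C:\Users\Public\unzip.exe",
     "cmd": r'unzip.exe -P a0 "C:\Users\Public\archive.zip" -d C:\Users\Public'},
    {"host": "FIN-PC02", "parent": _EXPL, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": r'"EXCEL.EXE" "C:\Users\kim\Documents\budget.xlsx"'},
    {"host": "FIN-PC02", "parent": _EXPL, "image": _PS, "cmd": "powershell.exe Get-Date"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["host"], match_rules(e))
    print("alert:", alerting_hosts(SAMPLE_EVENTS))
```

The per-stage rules map directly onto log sources most financial-sector SOCs already collect (process creation with command lines and registry Run key writes); the correlation threshold is what keeps a lone expand.exe or wscript.exe from paging anyone.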

Moreover, the file formats, commands, and URL structures used in the attack appear similar to those from previous incidents, suggesting that the same threat actor may be involved. Although the attack process has not changed, the scripts used in the attack have become more complex and obfuscated, indicating that the threat actor is making efforts to evade detection.

Attacks using LNK files have been consistently observed from the past to the present, and they are being distributed with various themes tailored to specific targets. Therefore, users should refrain from executing files of unknown origin.

[File Detection]
Trojan/LNK.Agent (2024.07.24.02)

[MD5]
e3eeeebb117b7c3128d87b6e027bd85d

[URL]
http[:]//shutss[.]com/list[.]php?f=%COMPUTERNAME%[.]txt
http[:]//shutss[.]com/upload[.]php
https[:]//cumasufitness[.]com/wp-includes/js/inc/?aEFrmRUBjZHtF=cfv0wxmIIUr%2BJAwMxATk9fG%2B8bF2B4KmBd7fe3KYw594YW%2B4GMISiUDCi6d3o8rjLWkvIZyD%2BDGFejKC5K%2BM2jACfRH%2Baq6HxTGuHd0ZXc8yANAvFQ3Zduafgo1P2JU%2FBSN1e3uNA6w%3D
https[:]//thevintagegarage[.]com/plugins/content/src/inc/get[.]php?ra=iew&zw=lk0100