AhnLab Security Emergency response Center (ASEC) observed the distribution of malicious shortcut (*.lnk) files impersonating a public organization. The threat actor seems to be distributing a malicious script (HTML) file disguised as a security email by attaching it to emails. These usually target individuals in the field of Korean reunification and national security. Notably, these were disguised with topics of honorarium payment to make them seem like legitimate documents. The malware’s operation method and C2 format are similar to those in previously published posts, [1] [2] allowing us to assume that the same threat actor is behind this incident.
This type of malware breaches user information and downloads additional malware. A brief summary of its operation process is shown below.
When the HTML file attachment is executed, a window disguised as a security email is displayed as shown below. It is presumed that a password would have been included in the email to make it seem like an actual security mail. However, clicking the OK button without filling in the input field also displays the content.
Inside, there is a text impersonating a public organization and an attachment with a relevant title.
Each compressed file contains a legitimate Hangul Word Processor (HWP) document with an honorarium template alongside a malicious shortcut (LNK) file.
Below are the confirmed filenames of the malicious LNK.
| Filename |
|---|
| Oct 2023 Professor ** Lee Ministry of Unification Brown Bag Lunch China Issue Related Lecture Request (Draft).hwp.lnk |
| Oct 25 2023 (Ministry of Unification-Office of Unification Policy) Proposal for the 1.5 Track Specialist Conference Regarding Yoon Suk Yeol Government’s North Korean policies.hwp.lnk |
| Oct 25 2023 (Ministry of Unification-Office of Unification Policy) Proposal for the 1.5 Track Specialist Conference (Undisclosed) Regarding Yoon Suk Yeol Government’s North Korean policies.hwp.lnk |
| Nov 2023 Professor ** Choi Ministry of Unification Brown Bag Lunch China-US Issue Related Lecture Request (Draft).hwp.lnk |
Because a legitimate HWP document is opened when the LNK file is run, it can be difficult for users to notice the malicious behavior.
When the file ‘Oct 2023 Professor ** Lee Ministry of Unification Brown Bag Lunch China Issue Related Lecture Request (Draft).hwp.lnk’ in Table 1 is executed, a legitimate HWP document and a malicious VBS script file are created in the TEMP folder before being executed.
The VBS code is obfuscated, and when deobfuscated, there is a code that makes changes to the registry and connects to an external URL to execute an additional script.
- Accessed URL: hxxp://iso****.co[.]kr/adm/img/up/down0/list.php?query=1
Out of the LNK files in Table 1, the file ‘Nov 2023 Professor ** Choi Ministry of Unification Brown Bag Lunch China-US Issue Related Lecture Request (Draft).hwp.lnk’ downloads the TutRAT malware from hxxp://m****[.]com/pg/adm/tdr/upi/down0/r_enc.bin and executes the fileless malware. The threat actor uses this to decode the data encoded in Base64, saving it as %temp%client.ps1 and %tamp%version103.vbs respectively.
Afterward, it sets the server IP to the threat actor’s address and executes the ‘Main’ method to receive commands from the threat actor. This allows malicious behaviors such as keylogging, stealing browser account information, and taking screenshots.
- C&C: 165.154.230[.]24:8020
The features of each created file are as follows.
| Filename | Feature |
|---|---|
| client.ps1 | Downloads and executes an additional malware from hxxp://ky****ek[.]com/js/sub/aos/dull/down1/r_enc.bin |
| version103.vbs | Downloads and executes an additional script code from hxxp://ky****ek[.]com/js/sub/aos/dull/down1/list.php?query=1 |
Upon accessing the URL hxxp://ky****ek[.]com/js/sub/aos/dull/down1/list.php?query=1 identified in version103.vbs, an additional HWP document is downloaded, and similar to the one identified before, it collects user information and transmits it to hxxp://ky****ek[.]com/js/sub/aos/dull/down1/show.php.
This type was also found to be distributed with the filenames below, thus caution is required from individuals working in the relevant fields.
| Filename |
|---|
| Foreign_News_Channel_Written Interview Questionnaire_Professor ** Byeon (NK-Russia_Summit Related).hwp |
| Nov 2023_Dr ** Park_Ministry of Unification_Brown Bag Lunch_China Issue Related_Lecture Request.hwp |
| Oct 2023_Professor ** Cho_Ministry of Unification_Brown Bag Lunch_Korea-Japan Issue Related_Lecture Request.hwp |
| Oct 2023_Ambassador ** Ahn_Ministry of Unification_Brown Bag Lunch_US Issue Related_Lecture Request.hwp |
[File Detection]
Dropper/LNK.Agent (2023.09.07.02)
LNK/Runner.S1 (2019.04.25.00)
Trojan/LNK.PowerShell (2023.11.01.00)
Trojan/VBS.Obfuscated (2023.11.01.00)
Dropper/Script.Generic (2023.11.01.02)
Downloader/VBS.Agent (2023.11.09.00)
[IOC]
MD5
-lnk
b70bc31b537caf411f97a991d8292c5a
64dee04b6e6404c14d10971adf35c3a7
eb614c99614c3365bdc926a73ef7a492
fb5aec165279015f17b29f9f2c730976
-html
de7cd0de5372e7801dab5aafd9c19148
d00aa4b1a3cd9373d49c023580711170
209ac4185dfc1e4d72c035ecb7f98eac
-script
5E5A87D0034E80E6B86A64387779DC2E
40b7c3bced2975d70359a07c4f110f18
0040aa9762c2534ac44d9a6ae7024d15
C2
165.154.230[.]24:8020
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.