Malicious LNK File Being Distributed, Impersonating the National Tax Service
AhnLab Security Emergency response Center (ASEC) has discovered a malicious LNK file impersonating the National Tax Service being distributed. Distribution via LNK files is a method that has been used in the past, and recently there have been multiple cases of such files being distributed to Korean users. The recently identified LNK file is presumed to be distributed via a URL included in emails. The URL identified through AhnLab Smart Defense (ASD) is shown below; from it, a compressed file named “Clarification Documents Submission Guide Concerning General Income Tax Report.zip” is downloaded. At the time of analysis, the compressed file contained two files: a malicious LNK file and a normal HWP document. Currently, the compressed file downloaded from the URL contains only three normal HWP documents, so it seems the threat actor distributed the malicious file only for a short period in order to make later analysis and tracking difficult.
- Download URL hxxps://file.gdrive001[.]com/read/?cu=jaebonghouse&so=종합소득세%20신고관련%20해명자료%20제출%20안내.zip (the “so” parameter is the URL-encoded Korean file name, “Clarification Documents Submission Guide Concerning General Income Tax Report.zip”)

The malicious LNK file named “National Tax Service Clarification Documents Submission Guide Concerning General Income Tax Report.lnk” within the compressed file has about 300 MB of dummy data appended to it and contains a malicious PowerShell command.

The PowerShell command first creates the normal HWP document embedded in the LNK file under the file name “National Tax Service Clarification Documents Submission Guide Concerning General Income Tax Report.hwp” and opens it. Below is the content of the normal HWP file. It is disguised as a tax-related notice from the National Tax Service, so the user is led to believe that a normal HWP document has been opened when they execute the malicious LNK file.

Afterward, a compressed file also embedded in the LNK file is created at the path “%Public%\02641.zip”. After the created file is decompressed, start.vbs is run, and then the LNK file and the decompressed archive are deleted. The files created after decompression are shown below, and the features of each file are described in Table 1.
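The two traits described above, a shortcut padded with hundreds of megabytes of dummy data and a PowerShell command line hidden in its arguments, are both visible in the Shell Link structure itself. The following parser is an added example for triage, not code from ASEC or from the sample: it walks the MS-SHLLINK header, IDList, LinkInfo, StringData and ExtraData blocks, reports how many bytes trail the last structure, and flags PowerShell launch markers in the argument string. The padding threshold, the marker list and the constructed sample shortcut are assumptions made for this example.

```python
import struct

# Shell Link (.lnk) header constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def parse_lnk(data):
    """Walk the Shell Link structure and report where it ends.

    Returns the StringData fields (the command line lives in 'arguments') and
    the number of bytes that follow the last structure: a legitimate shortcut
    has none, a padded one carries the dummy data there.
    """
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for field, bit in STRING_FIELDS:             # CountCharacters + characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            strings[field] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            strings[field] = data[off:off + count].decode("cp1252", "replace")
            off += count
    # ExtraData: blocks prefixed by a 4-byte size; a size below 4 terminates.
    while off + 4 <= len(data):
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:
            off += 4
            break
        if off + size > len(data):               # malformed block: stop here
            break
        off += size
    return {"flags": flags, "strings": strings, "trailing_bytes": len(data) - off}


# Markers the triage rule looks for in the shortcut's command line (assumed list).
POWERSHELL_MARKERS = ("powershell", "-enc", "-windowstyle hidden", "-w hidden",
                      "iex", "invoke-expression", "-executionpolicy bypass")


def triage_lnk(data, padding_threshold=1024 * 1024):
    """Return a list of findings; an empty list means nothing stood out."""
    info = parse_lnk(data)
    args = info["strings"].get("arguments", "")
    lowered = args.lower()
    findings = []
    if info["trailing_bytes"] >= padding_threshold:
        findings.append(f"{info['trailing_bytes']} bytes appended after the "
                        "Shell Link structure (size padding)")
    if any(marker in lowered for marker in POWERSHELL_MARKERS):
        findings.append("command line carries PowerShell launch indicators")
    if len(args) > 260:  # the Target field in shortcut Properties truncates here
        findings.append("argument string longer than the Properties dialog shows")
    return findings


def build_sample_lnk(arguments, padding):
    """Construct a minimal .lnk for testing: header, one argument string,
    terminal ExtraData block, then `padding` zero bytes (constructed sample)."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE) + bytes(52))
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + bytes(padding)


# Constructed samples: a padded shortcut with a hidden PowerShell command line
# and a plain one. Neither is the campaign's real LNK.
PADDED_SAMPLE = build_sample_lnk(
    '-windowstyle hidden -command "Write-Output constructed-sample"', 2 * 1024 * 1024)
PLAIN_SAMPLE = build_sample_lnk("", 0)

if __name__ == "__main__":
    for label, sample in (("padded", PADDED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, parse_lnk(sample)["trailing_bytes"], triage_lnk(sample))
```

The trailing-byte count is the useful signal here: a shortcut whose on-disk size is hundreds of megabytes larger than its parsed structure has no legitimate reason to be, regardless of what its command line says, and the check costs one pass over the file headers rather than a full scan of the padding.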

| File name | Feature |
|---|---|
| start.vbs | Executes 74116308.bat |
| 74116308.bat | Registers start.vbs to the RunKey; executes 02619992.bat (download feature); executes 86856980.bat (information breach); downloads a CAB file through 20191362.bat |
| 02619992.bat | Downloads a ZIP file through 20191362.bat; decompresses the ZIP file through unzip.exe, then executes rundll32.exe |
| 86856980.bat | Collects user information Executes 53844252.bat |
| 20191362.bat | Downloads file |
| 53844252.bat | Uploads the user’s information |
| unzip.exe | Decompresses the ZIP file |
Table 1. Features of the scripts
At the final stage of their malicious behavior, the scripts breach the user’s information and download additional malicious files. The breached user information is as follows, and the data is sent to “hxxp://filehost001.com/upload.php”.
- Breached information
  - List of files in the Downloads folder
  - List of files in the Documents folder
  - List of files in the Desktop folder
  - IP information
  - List of running processes
  - System information

Two more files are downloaded in total: a ZIP file and a CAB file. First, the ZIP file is decompressed through unzip.exe, which requires the password “a”. The file produced by decompression is then loaded through rundll32.exe.
- Download URL hxxps://file.gdrive001[.]com/read/get.php?cu=ln3&so=xu6502

The CAB file is decompressed using the expand command, and the file temprun.bat created by the extraction is then executed.
- Download URL hxxp://filehost001[.]com/list.php?f=%COMPUTERNAME%.txt
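Each stage in Table 1 and the download steps above leaves a process-creation record that can be matched without the payloads themselves: wscript.exe running a .vbs from %Public%, cmd.exe running the numbered .bat files, reg.exe writing a RunKey that points at a script, unzip.exe and rundll32.exe operating out of %Public%, expand.exe unpacking a CAB, and command lines that carry the report's download and upload domains. The rule set below is an added example of that correlation logic, not ASEC's detection content; it assumes Sysmon-style records with Image and CommandLine fields, and the sample events, extraction folder name, file names other than those in Table 1, and hostname are constructed placeholders.

```python
import re

# Staging directory named in the report (%Public%).
PUBLIC_DIR = re.compile(r"\\users\\public\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\b", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|bat)\b", re.IGNORECASE)
# Domains from the report's download/upload URLs (defanging brackets removed).
IOC_DOMAINS = ("filehost001.com", "file.gdrive001.com")


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def rules_for(event):
    """Return the names of the rules a single process-creation event trips."""
    image = image_name(event["Image"])
    cmd = event["CommandLine"]
    lowered = cmd.lower()
    hits = []
    if image in ("wscript.exe", "cscript.exe") and PUBLIC_DIR.search(cmd) and ".vbs" in lowered:
        hits.append("vbs_from_public")            # start.vbs stage
    if image == "cmd.exe" and PUBLIC_DIR.search(cmd) and ".bat" in lowered:
        hits.append("bat_from_public")            # the numbered .bat helpers
    if image == "reg.exe" and RUN_KEY.search(cmd) and SCRIPT_EXT.search(cmd):
        hits.append("runkey_script_persistence")  # RunKey pointing at a script
    if image == "unzip.exe" and PUBLIC_DIR.search(cmd):
        hits.append("unzip_in_public")            # dropped unzip.exe
    if image == "rundll32.exe" and PUBLIC_DIR.search(cmd):
        hits.append("rundll32_module_in_public")  # payload loaded from %Public%
    if image == "expand.exe" and ".cab" in lowered:
        hits.append("cab_expand")                 # CAB stage
    if any(domain in lowered for domain in IOC_DOMAINS):
        hits.append("known_ioc_domain")
    return hits


def detect(events):
    """(event index, rule name) for every rule hit across the event list."""
    return [(i, hit) for i, event in enumerate(events) for hit in rules_for(event)]


def triage_host(events, min_distinct_rules=3):
    """True when enough distinct stages of the chain appear on one host;
    a single hit (one unzip.exe run, say) is not enough on its own."""
    return len({hit for _, hit in detect(events)}) >= min_distinct_rules


# Constructed events modelled on Table 1 and the text. "sample_dir",
# "sample.dll", "sample.cab", "SAMPLEHOST" and the downloaded ZIP name are
# placeholders, not values observed in the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Public\sample_dir\start.vbs"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\sample_dir\74116308.bat"'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sample /d "C:\Users\Public\sample_dir\start.vbs" /f'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\sample_dir\20191362.bat" http://filehost001.com/list.php?f=SAMPLEHOST.txt'},
    {"Image": r"C:\Users\Public\sample_dir\unzip.exe",
     "CommandLine": r'unzip.exe C:\Users\Public\sample_dir\downloaded.zip -d C:\Users\Public\sample_dir'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\Public\sample_dir\sample.dll"'},
    {"Image": r"C:\Windows\System32\expand.exe",
     "CommandLine": r'expand.exe C:\Users\Public\sample_dir\sample.cab -F:* C:\Users\Public\sample_dir'},
    # Benign records, to show the rules do not fire on ordinary activity.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'notepad.exe C:\Users\alice\Documents\notes.txt'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /d "C:\Program Files\OneDrive\OneDrive.exe" /f'},
]
BENIGN_EVENTS = SAMPLE_EVENTS[-2:]

if __name__ == "__main__":
    for index, hit in detect(SAMPLE_EVENTS):
        print(index, hit)
    print("escalate:", triage_host(SAMPLE_EVENTS))
```

The RunKey rule deliberately requires the value data to name a .vbs or .bat file, so a legitimate autostart entry for an .exe (the last sample event) passes, while the domain rule is the one piece that needs maintenance as infrastructure changes; the other six key on the staging location and the living-off-the-land binaries, which are stable across this actor's reported campaigns.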

Both URLs are currently inaccessible, so the additionally downloaded files could not be confirmed. AhnLab Smart Defense confirmed that Quasar RAT and Amadey were ultimately executed. Depending on the file uploaded by the threat actor, various malicious files can be downloaded. Aside from the LNK file impersonating the National Tax Service, malicious LNK files are being distributed under the various file names listed below, so caution is advised.
- File names used in distribution
  - 230827- Participating Organizations in the Conference.xlsx.lnk
  - 202308 Explanatory Materials for Restructuring the Ministry of Unification.pdf.lnk
  - 2023-2-Parking Registration Application – For Students.hwp.lnk
  - Course Registration Correction Application.hwp.lnk
  - securityMail.html.lnk

Recently, the distribution of malicious LNK files to Korean users has been increasing. As additional harm can be caused depending on the file that is downloaded, users must carefully check the senders of emails and refrain from opening files from unknown sources. Users should also regularly scan their PCs and update their security products to the latest engine.

[File Detection]
- Downloader/LNK.Generic (2023.09.13.02)
- Infostealer/BAT.Generic.S2319 (2023.09.11.02)
- Downloader/BAT.Generic.SC192403 (2023.09.13.03)
- Downloader/BAT.Generic.SC192404 (2023.09.13.03)
- Downloader/BAT.Generic.SC192405 (2023.09.13.03)
- Trojan/BAT.Runner.SC192407 (2023.09.13.03)

[Behavior Detection]
- Fileless/EDR.Powershell.M11335