AhnLab Security Emergency response Center (ASEC) has identified a malicious LNK file impersonating the National Tax Service being distributed. Distribution via LNK files is not a new technique, and several recent cases have targeted Korean users.
The recently identified LNK file is presumed to be distributed via a URL included in emails. The URL identified through AhnLab Smart Defense (ASD) is shown below; it serves a compressed file named “Clarification Documents Submission Guide Concerning General Income Tax Report.zip”. At the time of analysis, the archive contained two files: a malicious LNK file and a normal HWP document. The archive currently served from the URL contains only three normal HWP documents, which suggests the threat actor distributed the malicious file only briefly in order to hinder later analysis and tracking.
- Download URL
The malicious LNK file named “National Tax Service Clarification Documents Submission Guide Concerning General Income Tax Report.lnk” within the compressed file is padded with about 300 MB of dummy data (a size that exceeds the upload limit of many analysis sandboxes and scanners) and contains a malicious PowerShell command.
The PowerShell command first carves the normal HWP document embedded in the LNK file, writes it to disk as “National Tax Service Clarification Documents Submission Guide Concerning General Income Tax Report.hwp”, and opens it. Below is the content of the normal HWP file. It is disguised as a tax-related notice from the National Tax Service, so when the user executes the malicious LNK file they see only a normal document being opened.
Next, a compressed file also embedded in the LNK is written to “%Public%\02641.zip”. After it is decompressed, start.vbs is run, and then the LNK file and the ZIP file are deleted. The files created by decompression are listed below, and the role of each file is given in Table 1.
Table 1. Files created after decompression

| File | Feature |
|---|---|
| 74116308.bat | Registers start.vbs to the Run key; executes 02619992.bat (download feature); executes 86856980.bat (information theft); downloads a CAB file through 20191362.bat |
| 02619992.bat | Downloads a ZIP file through 20191362.bat; decompresses the ZIP file through unzip.exe, then executes rundll32.exe |
| 86856980.bat | Collects user information |
| 53844252.bat | Uploads the user’s information |
| unzip.exe | Decompresses the ZIP file |
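The LNK described above combines three traits that are easy to check for mechanically: a script interpreter as the shortcut target, a long PowerShell command line in the COMMAND_LINE_ARGUMENTS field, and a large amount of data beyond the end of the shell-link structure. The following Python script is an added triage example (not ASEC's tooling and not the malicious file itself): it walks the MS-SHLLINK layout far enough to recover the target, the arguments and the structure's end offset, then flags the file on those traits. The `SAMPLE_ARGS` command line and its byte offsets are made up for the example, and `SUSPICIOUS_TOKENS` is an assumed starter list, not a signature set.

```python
import struct

# Shell Link (.LNK) header constants from MS-SHLLINK
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that control which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed starter list of substrings in the target or arguments that warrant a closer look
SUSPICIOUS_TOKENS = (
    "powershell", "-windowstyle hidden", "-w hidden", "-nop", "-enc", "frombase64string",
    "readallbytes", "get-content", "$env:public", "%public%", "iex", "invoke-expression",
)


def parse_lnk(data: bytes) -> dict:
    """Walk the fixed LNK layout far enough to recover the target path, the
    command-line arguments and the byte offset where the structure ends."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    width = 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_DATA_ORDER:          # CountCharacters (2 bytes) + characters, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2: pos + 2 + count * width]
            pos += 2 + count * width
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    while pos + 4 <= len(data):                  # ExtraData blocks end with a BlockSize < 4
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4 if size < 4 else size
        if size < 4:
            break
    return {"flags": flags, "struct_end": pos, "trailing_bytes": len(data) - pos, **strings}


def triage_lnk(data: bytes, padding_threshold: int = 1 << 20) -> dict:
    """Score an LNK on the traits this campaign shows: a script interpreter as target,
    scripting keywords in the arguments, or bulk data after the end of the structure."""
    info = parse_lnk(data)
    haystack = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in haystack]
    return {
        "target": info.get("relative_path", ""),
        "arguments": info.get("arguments", ""),
        "trailing_bytes": info["trailing_bytes"],
        "indicators": hits,
        "suspicious": bool(hits) or info["trailing_bytes"] >= padding_threshold,
    }


def build_sample_lnk(target: str, args: str, padding: int) -> bytes:
    """Constructed test input: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS +
    terminal ExtraData block, then `padding` junk bytes standing in for the
    dummy data the campaign appends. Not the real malicious file."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return bytes(header) + string_data(target) + string_data(args) + struct.pack("<I", 0) + b"\xAA" * padding


# Hypothetical command line in the style of the one described (carve an embedded HWP and
# ZIP out of the LNK's own bytes, open the decoy, drop the ZIP under %Public%); the
# offsets are made up for the example.
SAMPLE_TARGET = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ARGS = (
    '-windowstyle hidden -nop -c "$b=[IO.File]::ReadAllBytes((Get-ChildItem *.lnk)[0]);'
    "[IO.File]::WriteAllBytes('doc.hwp',$b[4096..8191]);Start-Process doc.hwp;"
    "[IO.File]::WriteAllBytes($env:Public+'\\02641.zip',$b[8192..12287])\""
)

if __name__ == "__main__":
    sample = build_sample_lnk(SAMPLE_TARGET, SAMPLE_ARGS, padding=2 << 20)
    print(triage_lnk(sample))
```

The trailing-byte count only catches padding appended after the last ExtraData block; an actor can just as well inflate the IDList or a single ExtraData block, so in practice compare `struct_end` against the total size and also treat any LNK over a few hundred kilobytes as worth a look regardless of where the bulk sits.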
In the final stage, the scripts exfiltrate the user’s information and download additional malicious files. The information collected is listed below, and it is sent to “hxxp://filehost001.com/upload.php”.
- Breached Information
List of files in the downloads folder
List of files in the documents folder
List of files in the desktop folder
List of running processes
Two additional files are downloaded: a ZIP file and a CAB file. The ZIP file is password-protected (password: a) and is decompressed with unzip.exe; the extracted file is then loaded through rundll32.exe.
- Download URL
The CAB file is decompressed with the expand command, and the file temprun.bat created by the extraction is then executed.
- Download URL
Both URLs are currently inaccessible, so the additional files could not be obtained for analysis. AhnLab Smart Defense confirmed that Quasar RAT and Amadey were ultimately executed. Since the payload is whatever the threat actor has uploaded at the time, various malicious files can be delivered at this stage.
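The execution chain described above (hidden PowerShell launched from the shortcut, a Run-key entry for start.vbs, unzip.exe and rundll32.exe operating out of %Public%, expand.exe unpacking a CAB, and an upload to filehost001.com) leaves stages that are individually noisy but collectively distinctive. The following Python script is an added detection example, not ASEC's or any product's logic: it runs a small set of rules over constructed Sysmon-style process, registry and network events and counts how many distinct stages fire on the same host. The events, file names and Run-key value name are invented for the example; only filehost001.com comes from the analysis.

```python
import ntpath

# Constructed Sysmon-style events (not real telemetry) modelled on the chain the analysis
# describes; file names and the Run-key value name are invented for the example.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": 'powershell.exe -windowstyle hidden -nop -c "..."'},
    {"type": "registry", "image": r"C:\Windows\System32\reg.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"wscript.exe C:\Users\Public\start.vbs"},
    {"type": "process", "image": r"C:\Users\Public\unzip.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"unzip.exe -P a C:\Users\Public\a.zip -d C:\Users\Public"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\a.dll,Run"},
    {"type": "process", "image": r"C:\Windows\System32\expand.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"expand C:\Users\Public\b.cab -F:* C:\Users\Public"},
    {"type": "network", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "filehost001.com", "dest_port": 80},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

C2_HOSTS = {"filehost001.com"}          # upload host named in the analysis
PUBLIC_DIR = r"c:\users\public"         # %Public% on a default install
SCRIPT_EXT = (".vbs", ".js", ".bat", ".cmd", ".ps1")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_public(s: str) -> bool:
    return PUBLIC_DIR in s.lower()


def rule_hidden_powershell_from_explorer(e):
    """Stage 1: the LNK's PowerShell command runs hidden, with Explorer as parent."""
    return (e["type"] == "process" and _base(e["image"]) == "powershell.exe"
            and _base(e["parent"]) == "explorer.exe"
            and any(t in e["cmdline"].lower() for t in ("-windowstyle hidden", "-w hidden")))


def rule_runkey_script(e):
    """Stage 2: persistence via a Run-key value that points at a script file."""
    return (e["type"] == "registry" and "\\currentversion\\run\\" in e["key"].lower()
            and e["value"].lower().rstrip('"').endswith(SCRIPT_EXT))


def rule_unzip_in_public(e):
    """Stage 3: a dropped unzip.exe executing out of the Public profile."""
    return e["type"] == "process" and _base(e["image"]) == "unzip.exe" and _in_public(e["image"])


def rule_rundll32_public_dll(e):
    """Stage 4: rundll32.exe loading a DLL from the Public profile."""
    return e["type"] == "process" and _base(e["image"]) == "rundll32.exe" and _in_public(e["cmdline"])


def rule_expand_into_public(e):
    """Stage 5: expand.exe unpacking a CAB into the Public profile."""
    return e["type"] == "process" and _base(e["image"]) == "expand.exe" and _in_public(e["cmdline"])


def rule_known_upload_host(e):
    """Stage 6: connection to the exfiltration host."""
    return e["type"] == "network" and e.get("dest_host", "").lower() in C2_HOSTS


RULES = [rule_hidden_powershell_from_explorer, rule_runkey_script, rule_unzip_in_public,
         rule_rundll32_public_dll, rule_expand_into_public, rule_known_upload_host]


def detect(events):
    """Return (rule name, event index) for every rule an event trips."""
    return [(rule.__name__, i) for i, e in enumerate(events) for rule in RULES if rule(e)]


def chain_score(events):
    """Number of distinct stages seen. Several stages on one host is the signal; a single
    hit such as expand.exe on its own is routine administrative noise."""
    return len({name for name, _ in detect(events)})


if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"{name}: event {idx}")
    print("stages seen:", chain_score(SAMPLE_EVENTS))
```

Scoring by distinct stages rather than raw hits is deliberate: expand.exe and rundll32.exe are legitimate system utilities and Run-key writes happen constantly, so each rule alone would page on noise, while three or more stages within a short window on one host is unusual enough to act on.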
Aside from the LNK file impersonating the National Tax Service, malicious LNK files are being distributed under the various topics listed below, so caution is advised. Note that Windows Explorer never displays the .lnk extension, even when known file extensions are set to be shown, so these files appear to the user as .xlsx, .pdf and .hwp documents.
- File names used in distribution
230827- Participating Organizations in the Conference.xlsx.lnk
202308 Explanatory Materials for Restructuring the Ministry of Unification.pdf.lnk
2023-2-Parking Registration Application – For Students.hwp.lnk
Course Registration Correction Application.hwp.lnk
Recently, the distribution of malicious LNK files to Korean users has been increasing. Because the harm depends on whatever file is ultimately downloaded, users must carefully check email senders and refrain from opening files from unknown sources. Users should also scan their PCs regularly and keep their security products updated to the latest engine.