Malicious LNK File Being Distributed, Impersonating the National Tax Service

AhnLab Security Emergency response Center (ASEC) has discovered that a malicious LNK file impersonating the National Tax Service is being distributed. Distribution via LNK files is a method that has been used in the past, and recently there have been multiple cases targeting Korean users.

The recently identified LNK file is presumed to be distributed via a URL included in emails. The URL identified through AhnLab Smart Defense (ASD) is shown below; from it, a compressed file named “Clarification Documents Submission Guide Concerning General Income Tax” is downloaded. At the time of analysis, the compressed file contained two files: a malicious LNK file and a normal HWP document. Currently, the compressed file downloaded from the URL contains only three normal HWP documents, so the threat actor appears to have distributed the malicious file only for a short time in order to make later analysis and tracking difficult.

  • Download URL
    hxxps://file.gdrive001[.]com/read/?cu=jaebonghouse&so=종합소득세%20신고관련%20해명자료%20제출%20안내.zip
Figure 1. Compressed file containing the malicious LNK file

The malicious LNK file in the compressed file, named “National Tax Service Clarification Documents Submission Guide Concerning General Income Tax Report.lnk”, has about 300 MB of dummy data appended to it and contains a malicious PowerShell command.

Figure 2. PowerShell command within the LNK file

The PowerShell command first extracts the normal HWP document embedded in the LNK file, saves it under the file name “National Tax Service Clarification Documents Submission Guide Concerning General Income Tax Report.hwp”, and opens it. Below is the content of the normal HWP file. It is disguised as a tax-related notice from the National Tax Service, so the user is led to believe that an ordinary HWP document was opened when they executed the malicious LNK file.

Figure 3. Normal HWP file

Afterward, a compressed file that is also embedded in the LNK file is written to the “%Public%\” path. After this file is decompressed, start.vbs is run, and then the LNK file and the decompressed archive are deleted. The files created after decompression are shown below, and the role of each file is listed in Table 1.
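The two traits that make this dropper recognisable before anything runs are a shortcut whose target is PowerShell and a file that is hundreds of megabytes larger than any shortcut structure can explain. The parser below is an added example written for this article, not AhnLab's tooling: it walks the MS-SHLLINK layout (fixed header, optional LinkTargetIDList and LinkInfo, StringData, ExtraData), returns the target path and command-line arguments, and measures the overlay, the bytes left after the last ExtraData block, which is where an embedded decoy HWP, ZIP and padding would live. The sample shortcut it builds is constructed for the demo; its argument string is a placeholder, not the real command from Figure 2, and the 2 MiB overlay stands in for the ~300 MB of dummy data.

```python
import io
import struct

# Added example for this article, not AhnLab's tooling: a minimal MS-SHLLINK
# parser for triaging shortcut droppers. The sample LNK built by
# build_sample_lnk() is constructed for the demo and is not the real file.

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
DOC_EXTENSIONS = (".hwp", ".pdf", ".xlsx", ".docx", ".txt")


def parse_lnk(data):
    """Return target path, StringData fields and overlay size of a .lnk blob."""
    f = io.BytesIO(data)
    header = f.read(HEADER_SIZE)
    if len(header) < HEADER_SIZE or header[:4] != b"L\x00\x00\x00" or header[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", header, 20)[0]
    target = None
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip the PIDL; the path is taken from LinkInfo
        (id_list_size,) = struct.unpack("<H", f.read(2))
        f.seek(id_list_size, io.SEEK_CUR)
    if flags & HAS_LINK_INFO:
        start = f.tell()
        li_size, _hdr, li_flags, _vol_off, lbp_off = struct.unpack("<5I", f.read(20))
        f.seek(start)
        link_info = f.read(li_size)
        if li_flags & 0x1:                      # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            target = link_info[lbp_off:link_info.index(b"\x00", lbp_off)].decode("cp1252")
    unicode_ = bool(flags & IS_UNICODE)
    strings = {}
    for flag, name in STRING_FIELDS:            # StringData: CountCharacters, then the characters
        if flags & flag:
            (count,) = struct.unpack("<H", f.read(2))
            raw = f.read(count * 2 if unicode_ else count)
            strings[name] = raw.decode("utf-16-le" if unicode_ else "cp1252")
    while True:                                 # ExtraData: size-prefixed blocks, ended by size < 4
        raw = f.read(4)
        if len(raw) < 4 or struct.unpack("<I", raw)[0] < 4:
            break
        f.seek(struct.unpack("<I", raw)[0] - 4, io.SEEK_CUR)
    return {"target": target, "strings": strings, "overlay_bytes": len(data) - f.tell()}


def triage_lnk(filename, data, overlay_threshold=1024 * 1024):
    """Flag the traits this dropper shows: PowerShell launch, large overlay, double extension."""
    info = parse_lnk(data)
    findings = []
    launch = ((info["target"] or "") + " " + info["strings"].get("arguments", "")).lower()
    if "powershell" in launch:
        findings.append("launches PowerShell")
    if info["overlay_bytes"] > overlay_threshold:
        findings.append("%d bytes of overlay after the LNK structure" % info["overlay_bytes"])
    stem = filename.lower()
    if stem.endswith(".lnk") and stem[:-4].endswith(DOC_EXTENSIONS):
        findings.append("double extension disguises the shortcut as a document")
    info["findings"] = findings
    return info


def build_sample_lnk(target, arguments, overlay=b""):
    """Construct a minimal LNK for the demo (header + LinkInfo + arguments + overlay)."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    path = target.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"   # DRIVE_FIXED, empty label
    lbp_off = 28 + len(volume_id)
    link_info = struct.pack("<7I", lbp_off + len(path) + 1, 28, 0x1, 28, lbp_off, 0,
                            lbp_off + len(path)) + volume_id + path + b"\x00"
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data + b"\x00\x00\x00\x00" + overlay


# Constructed sample: placeholder argument string, not the real command.
SAMPLE_TARGET = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ARGUMENTS = '-w hidden -ep bypass -c "<constructed placeholder for the dropper one-liner>"'
SAMPLE_NAME = "Clarification Documents Submission Guide.hwp.lnk"


def demo():
    sample = build_sample_lnk(SAMPLE_TARGET, SAMPLE_ARGUMENTS, overlay=bytes(2 * 1024 * 1024))
    return triage_lnk(SAMPLE_NAME, sample)


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print("-", finding)
```

The overlay measurement is the useful part: on a real sample, `overlay_bytes` is also the region to carve (the PowerShell one-liner typically reads the LNK itself and copies the embedded HWP and ZIP out of it by offset), so the same parser gives the starting point for recovering the decoy and the second-stage archive without executing anything.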

Figure 4. Files created after decompression
File name      Feature
start.vbs      Executes 74116308.bat
74116308.bat   Registers start.vbs to the Run key
               Executes 02619992.bat (download feature)
               Executes 86856980.bat (information exfiltration)
               Downloads a CAB file through 20191362.bat
02619992.bat   Downloads a ZIP file through 20191362.bat
               Decompresses the ZIP file through unzip.exe, then executes rundll32.exe
86856980.bat   Collects user information
               Executes 53844252.bat
20191362.bat   Downloads a file
53844252.bat   Uploads the user's information
unzip.exe      Decompresses the ZIP file
Table 1. Features of the scripts

At the final stage of their malicious behavior, the scripts exfiltrate the user's information and download additional malicious files. The exfiltrated information is listed below, and the data is sent to “hxxp://”.

  • Exfiltrated information
    List of files in the downloads folder
    List of files in the documents folder
    List of files in the desktop folder
    IP information
    List of running processes
    System information
Figure 5. Exfiltrating user information

Two additional files are downloaded: a ZIP file and a CAB file. The ZIP file is decompressed through unzip.exe, and the password “a” is required to decompress it. The extracted file is then loaded through rundll32.exe.

  • Download URL
Figure 6. Downloading the ZIP file

The CAB file is decompressed using the expand command, and the file temprun.bat created by the extraction is then executed.

  • Download URL
Figure 7. Downloading the CAB file

Both URLs are currently inaccessible, so the additionally downloaded files could not be obtained. AhnLab Smart Defense confirmed that Quasar RAT and Amadey were ultimately executed. Depending on the file uploaded by the threat actor, various malicious files can be downloaded.

Aside from the LNK file impersonating the National Tax Service, malicious LNK files are being distributed under the various topics listed below, so caution is advised.

  • File names used in distribution
    230827- Participating Organizations in the Conference.xlsx.lnk
    202308 Explanatory Materials for Restructuring the Ministry of Unification.pdf.lnk
    2023-2-Parking Registration Application – For Students.hwp.lnk
    Course Registration Correction Application.hwp.lnk

Recently, the distribution of malicious LNK files to Korean users has been increasing. Since additional harm can be caused depending on the file that is downloaded, users must carefully check the senders of emails and refrain from opening files from unknown sources. Users should also regularly scan their PCs and keep their security products updated to the latest engine.

[File Detection]
Downloader/LNK.Generic (2023.09.13.02)
Infostealer/BAT.Generic.S2319 (2023.09.11.02)
Downloader/BAT.Generic.SC192403 (2023.09.13.03)
Downloader/BAT.Generic.SC192404 (2023.09.13.03)
Downloader/BAT.Generic.SC192405 (2023.09.13.03)
Trojan/BAT.Runner.SC192407 (2023.09.13.03)

[Behavior Detection]


