LNK Files Distributed Through Breached Legitimate Websites (Detected by EDR)

AhnLab Security Emergency response Center (ASEC) has identified malware being distributed through breached legitimate websites under various file names that prompt users to run it. This post introduces how AhnLab EDR analyzes and detects this distribution method, which uses LNK files as the medium and has been employed frequently in recent times.

Pomerium Project Related Inquiry Data.txt.lnk
Data Regarding Application for Changes Before the 2023 Iris Agreement.txt.lnk
Suyeon Oh Statement Data.txt.lnk
On Inquiry Confirmation.txt.lnk
Deep Brain AI Interview Guide.txt.lnk
Recruitment Related Information.txt.lnk

Table 1. Distributed file names

The malware is distributed as compressed files bearing the file names listed in Table 1, which prompt users to download and execute them. This threat actor is known for breaching legitimate websites and using them as distribution platforms. The attacker uses non-PE files because, unlike PE files, they are relatively easy to modify. Because the files are downloaded from websites that are otherwise operating normally, users need products like EDR that provide behavior-based logging and detection.

AhnLab EDR records file infiltration and exfiltration. The screen above shows the infiltration/exfiltration detection feature, which allows users to view the infiltration path and file information at a glance.

The downloaded file is shown in Figure 2. When the file is decompressed, a .txt.lnk file disguised with the .txt file extension is created. The LNK file, which uses a Notepad icon, contains a script and a CAB file.

Figure 3 shows the content of the LNK file. The left part shows the execution command line of the LNK file and the right part shows the HTML script embedded in that file. The LNK file runs the embedded HTML script through mshta, a default Windows process. The HTML script in turn runs an obfuscated VBS script.

Figure 4 shows the execution of the content described in Figure 3. You can see the mshta command line executed through the LNK file as well as the decrypted execution command line of the VBS script within the HTML run through mshta. The main actions of these command lines are reading the LNK file through the PowerShell process, dropping the CAB file embedded within the LNK file, and decompressing and executing it through the expand process.

Figure 5 shows the detection of the dropped CAB file being decompressed with the expand process. The screen displays the command line that abuses the expand process for decompression, as well as the path where the malicious file is created.

Figure 6 shows the malicious features of the script decompressed from the CAB file. Its major features include executing another script decompressed from the CAB file, collecting system information, registering itself in the autorun registry, and sending data. Figure 7 shows the detection of these execution details through AhnLab’s EDR product. Additionally, the script includes features such as attempting to download additional files and decoding and executing the downloaded file through certutil.
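As an added illustration that is not part of the ASEC post or AhnLab's product logic, the following Python walks EDR-style process-creation events and flags the chain described above: an mshta launch on a .lnk, a PowerShell child that reads the LNK, expand run on a CAB, and certutil -decode. The event lines, pids and paths are constructed samples, and a benign mshta launch is included to show it is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events, not ASEC's data: pid, parent pid,
# image name and command line, mimicking Figures 3 to 6 plus one benign mshta run.
SAMPLE_EVENTS = r"""pid=1201 ppid=880 image=explorer.exe cmd=C:\Windows\explorer.exe
pid=1302 ppid=1201 image=mshta.exe cmd=mshta.exe "C:\Users\u\Downloads\Recruitment Related Information.txt.lnk"
pid=1410 ppid=1302 image=powershell.exe cmd=powershell -c [IO.File]::ReadAllBytes('C:\Users\u\Downloads\Recruitment Related Information.txt.lnk')
pid=1522 ppid=1410 image=expand.exe cmd=expand C:\Users\u\AppData\Local\Temp\a.cab -F:* C:\Users\u\AppData\Local\Temp
pid=1630 ppid=1522 image=cmd.exe cmd=cmd /c certutil -decode C:\Users\u\AppData\Local\Temp\r_enc.bin C:\Users\u\AppData\Local\Temp\out.exe
pid=2000 ppid=1201 image=mshta.exe cmd=mshta.exe "C:\Program Files\Vendor\help.hta"
"""
EVENT_RE = re.compile(r"pid=(\d+) ppid=(\d+) image=(\S+) cmd=(.*)")

# Stages of the chain the post describes; each test receives (image, command line).
STAGES = [
    ("lnk_via_mshta", lambda img, cmd: img == "mshta.exe" and ".lnk" in cmd.lower()),
    ("powershell_reads_lnk", lambda img, cmd: img == "powershell.exe" and ".lnk" in cmd.lower()),
    ("cab_expand", lambda img, cmd: img == "expand.exe" and ".cab" in cmd.lower()),
    ("certutil_decode", lambda img, cmd: "certutil" in cmd.lower() and "-decode" in cmd.lower()),
]

def parse_events(text):
    """Return {pid: (ppid, image, cmd)} from the event lines."""
    procs = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3).lower(), m.group(4))
    return procs

def find_chains(procs, min_stages=2):
    """For every mshta launched on a .lnk, walk its descendants and record which
    stages appear. Returns {root_pid: [stages]} for roots reaching min_stages."""
    children = defaultdict(list)
    for pid, (ppid, _, _) in procs.items():
        children[ppid].append(pid)
    chains = {}
    for pid, (_, image, cmd) in procs.items():
        if not STAGES[0][1](image, cmd):
            continue  # only mshta-on-LNK launches start a chain
        seen, stack = [], [pid]
        while stack:
            cur = stack.pop()
            _, img, line = procs[cur]
            seen += [n for n, test in STAGES if test(img, line) and n not in seen]
            stack.extend(children[cur])
        if len(seen) >= min_stages:
            chains[pid] = seen
    return chains
```

Calling `find_chains(parse_events(SAMPLE_EVENTS))` returns only the chain rooted at pid 1302 with all four stages; the benign mshta launch (pid 2000) produces nothing.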

In this post, we covered a method of malware distribution that breaches legitimate websites and uses various file names to prompt users to run the files. Figure 8 shows the overall diagram of this distribution process, so you can see the details covered above and the attack flow at a glance.

Using various file names to prompt users to execute files is currently a commonly used method. Because the distribution platforms are legitimate websites that have been breached, users find it difficult to realize they are downloading malware. To detect such distribution methods, behavior detection must be enabled in V3, an endpoint anti-malware product. If your system is infected, you must take measures after checking the details through EDR.

Because legitimate websites are breached and used for distribution, the URLs of these distribution sites are not released with the IOC information. Related information will be posted separately on AhnLab TIP (Threat Intelligence Platform) ASEC Notes (this report supports Korean only for now) to provide information for relevant organizations.


[Behavior Detection]
Execution/MDP.Powershell.M2514
Injection/EDR.Behavior.M3695
Fileless/EDR.Powershell.M11335

[File Detection]
Downloader/BAT.Agent.SC194060
Infostealer/BAT.Agent.SC194061

