Warning Against Distribution of Malware Impersonating a Public Organization (LNK)

AhnLab Security Emergency response Center (ASEC) observed the distribution of malicious shortcut (*.lnk) files impersonating a public organization. The threat actor seems to be distributing a malicious script (HTML) file disguised as a security email by attaching it to emails. These attacks usually target individuals in the field of Korean reunification and national security. Notably, the files were disguised with topics of honorarium payment to make them seem like legitimate documents. The malware’s operation method and C2 format are similar to those in previously published posts [1] [2], allowing us to assume that the same threat actor is behind this incident.

This type of malware breaches user information and downloads additional malware. A brief summary of its operation process is shown below.

When the HTML file attachment is executed, a window disguised as a security email is displayed as shown below. It is presumed that a password would have been included in the email to make it seem like an actual security mail. However, clicking the OK button without filling in the input field also displays the content.

Inside, there is text impersonating a public organization and an attachment with a relevant title.

Each compressed file contains a legitimate Hangul Word Processor (HWP) document with an honorarium template alongside a malicious shortcut (LNK) file.

Below are the confirmed filenames of the malicious LNK.

Filename
Oct 2023 Professor ** Lee Ministry of Unification Brown Bag Lunch China Issue Related Lecture Request (Draft).hwp.lnk
Oct 25 2023 (Ministry of Unification-Office of Unification Policy) Proposal for the 1.5 Track Specialist Conference Regarding Yoon Suk Yeol Government’s North Korean policies.hwp.lnk
Oct 25 2023 (Ministry of Unification-Office of Unification Policy) Proposal for the 1.5 Track Specialist Conference (Undisclosed) Regarding Yoon Suk Yeol Government’s North Korean policies.hwp.lnk
Nov 2023 Professor ** Choi Ministry of Unification Brown Bag Lunch China-US Issue Related Lecture Request (Draft).hwp.lnk

Table 1. Filenames of malicious LNK

Because a legitimate HWP document is opened when the LNK file is run, it can be difficult for users to notice the malicious behavior.

When the file ‘Oct 2023 Professor ** Lee Ministry of Unification Brown Bag Lunch China Issue Related Lecture Request (Draft).hwp.lnk’ in Table 1 is executed, a legitimate HWP document and a malicious VBS script file are created in the TEMP folder before being executed.

The VBS code is obfuscated; when deobfuscated, it contains code that modifies the registry and connects to an external URL to execute an additional script.

  • Accessed URL: hxxp://iso****.co[.]kr/adm/img/up/down0/list.php?query=1
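The chain described above (a shortcut carrying a document extension in front of .lnk, which drops a decoy HWP and a VBS into TEMP) leaves static traces a defender can triage without executing anything. The following Python is an added example, not ASEC's code or tooling; it flags shortcut files by the LNK header magic, a decoy double extension, an abnormal file size, and embedded script-host strings in ASCII or UTF-16LE. The size threshold and marker list are assumptions chosen for illustration, and the sample bytes are constructed here rather than taken from a real sample.

```python
# Added example: static triage of shortcut (.lnk) files for the decoy pattern
# described in the report. Detection only; nothing here runs the file.

# A shell link starts with HeaderSize 0x0000004C followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046} as a little-endian GUID.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Document extensions used as the "real-looking" part of a double extension.
DECOY_EXTS = (".hwp", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt")

# Script-host indicators looked for inside the shortcut body (assumed list).
SCRIPT_MARKERS = ["wscript", "cscript", "powershell", "mshta", "cmd.exe", ".vbs"]

# Hypothetical cutoff: an ordinary shortcut is a few KB; one that embeds a
# decoy document plus a script is far larger.
SIZE_THRESHOLD = 100 * 1024


def triage_lnk(filename: str, data: bytes) -> dict:
    """Return triage findings for one shortcut file given its name and bytes."""
    low_name = filename.lower()
    findings = {
        "is_lnk": data.startswith(LNK_MAGIC),
        # e.g. "...(Draft).hwp.lnk": a document extension right before .lnk
        "double_extension": low_name.endswith(".lnk")
        and any(low_name[:-4].endswith(ext) for ext in DECOY_EXTS),
        "oversized": len(data) > SIZE_THRESHOLD,
        "script_markers": [],
    }
    haystack = data.lower()  # bytes.lower() only touches ASCII letters
    for marker in SCRIPT_MARKERS:
        ascii_form = marker.encode()
        wide_form = marker.encode("utf-16-le")  # how LNK string fields are stored
        if ascii_form in haystack or wide_form in haystack:
            findings["script_markers"].append(marker)
    findings["suspicious"] = findings["is_lnk"] and (
        findings["double_extension"]
        or findings["oversized"]
        or bool(findings["script_markers"])
    )
    return findings


def scan_entries(entries) -> list:
    """Run triage over (name, bytes) pairs, e.g. members of an extracted archive."""
    return [name for name, data in entries if triage_lnk(name, data)["suspicious"]]


def build_sample(embed_script: bool, size: int) -> bytes:
    """Construct a stand-in .lnk byte string for demonstration (not a real sample)."""
    body = bytearray(LNK_MAGIC)
    body += b"\x00" * (0x4C - len(body))  # remainder of the 76-byte header, zeroed
    if embed_script:
        body += "wscript.exe".encode("utf-16-le")  # script-host string, wide form
    body += b"A" * max(0, size - len(body))  # padding to the requested size
    return bytes(body)


# Constructed name following the report's pattern (masking kept as "**").
SAMPLE_MALICIOUS_NAME = (
    "Nov 2023 Professor ** Choi Ministry of Unification Brown Bag Lunch "
    "China-US Issue Related Lecture Request (Draft).hwp.lnk"
)

if __name__ == "__main__":
    entries = [
        (SAMPLE_MALICIOUS_NAME, build_sample(True, 200 * 1024)),
        ("Report shortcut.lnk", build_sample(False, 1024)),
    ]
    for name, data in entries:
        print(name, "->", triage_lnk(name, data))
    print("suspicious:", scan_entries(entries))
```

The double-extension check is the cheapest signal and catches every filename in Table 1; the size and marker checks give the decision some weight when a shortcut's name is innocuous. Any single hit is only a triage lead, so the function returns the individual findings rather than collapsing them early.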

Out of the LNK files in Table 1, the file ‘Nov 2023 Professor ** Choi Ministry of Unification Brown Bag Lunch China-US Issue Related Lecture Request (Draft).hwp.lnk’ downloads the TutRAT malware from hxxp://m****[.]com/pg/adm/tdr/upi/down0/r_enc.bin and executes it in a fileless manner. The threat actor uses this to decode Base64-encoded data, saving the results as %temp%\client.ps1 and %temp%\version103.vbs respectively.

Afterward, it sets the server IP to the threat actor’s address and executes the ‘Main’ method to receive commands from the threat actor. This allows malicious behaviors such as keylogging, stealing browser account information, and taking screenshots.

  • C&C: 165.154.230[.]24:8020

The features of each created file are as follows.

Filename        Feature
client.ps1      Downloads and executes additional malware from hxxp://ky****ek[.]com/js/sub/aos/dull/down1/r_enc.bin
version103.vbs  Downloads and executes additional script code from hxxp://ky****ek[.]com/js/sub/aos/dull/down1/list.php?query=1

Table 2. Names and features of the created files

Upon accessing the URL hxxp://ky****ek[.]com/js/sub/aos/dull/down1/list.php?query=1 identified in version103.vbs, an additional HWP document is downloaded, and similar to the one identified before, it collects user information and transmits it to hxxp://ky****ek[.]com/js/sub/aos/dull/down1/show.php.

This type was also found to be distributed with the filenames below, thus caution is required from individuals working in the relevant fields.

Filename
Foreign_News_Channel_Written Interview Questionnaire_Professor ** Byeon (NK-Russia_Summit Related).hwp
Nov 2023_Dr ** Park_Ministry of Unification_Brown Bag Lunch_China Issue Related_Lecture Request.hwp
Oct 2023_Professor ** Cho_Ministry of Unification_Brown Bag Lunch_Korea-Japan Issue Related_Lecture Request.hwp
Oct 2023_Ambassador ** Ahn_Ministry of Unification_Brown Bag Lunch_US Issue Related_Lecture Request.hwp

Table 3. Filenames of additionally identified decoy documents

[File Detection]
Dropper/LNK.Agent (2023.09.07.02)
LNK/Runner.S1 (2019.04.25.00)
Trojan/LNK.PowerShell (2023.11.01.00)
Trojan/VBS.Obfuscated (2023.11.01.00)
Dropper/Script.Generic (2023.11.01.02)
Downloader/VBS.Agent (2023.11.09.00)

MD5

0040aa9762c2534ac44d9a6ae7024d15
209ac4185dfc1e4d72c035ecb7f98eac
40b7c3bced2975d70359a07c4f110f18
5e5a87d0034e80e6b86a64387779dc2e
64dee04b6e6404c14d10971adf35c3a7

URL

http[:]//38[.]180[.]68[.]238/0906/down/train0[.]php?query=1
http[:]//iso3488[.]co[.]kr/adm/img/up/down0/list[.]php?query=1
http[:]//kyungdaek[.]com/js/sub/aos/dull/down1/list[.]php?query=1
http[:]//kyungdaek[.]com/js/sub/aos/dull/down1/r_enc[.]bin
http[:]//kyungdaek[.]com/js/sub/aos/dull/down1/show[.]php
