May 2024 Major Issues on APT Attacks in South Korea


Overview

AhnLab uses its own infrastructure to monitor Advanced Persistent Threat (APT) attacks against South Korea. This report covers the types and statistics of APT attacks in Korea during May 2024, as well as the features of each type.


Figure 1. The May 2024 statistics on APT attacks in South Korea

APT attacks against Korean targets were categorized by type, and most of them were found to be spear phishing attacks. In May 2024, spear phishing attacks using LNK files accounted for most of the attack types.

Trends on APT Attacks in Korea

The cases and features for each APT attack type identified in May 2024 are as follows.

1. Spear Phishing

Spear phishing is a phishing attack aimed at specific individuals or groups. Unlike ordinary phishing, the threat actor conducts reconnaissance before launching the attack to collect information about the targets. Because the phishing emails are crafted using this collected information, the recipients are highly likely to believe they come from a trusted source. In some cases the sender address is faked through email spoofing. Most spear phishing attacks also include malicious attachments or links in the email and lure the user into opening them.

Types distributed using this technique are as follows.

1.1 Attacks Using LNK Files

Type A

In this type, a CAB file containing multiple compressed malicious scripts is used to exfiltrate information and download additional malware. The distributed LNK file contains a malicious PowerShell command that extracts the CAB file and the decoy document data embedded in the LNK file and writes them to the user's PC. The CAB file is then decompressed and the scripts it contains (bat, ps1, vbs, etc.) are executed. These scripts can perform malicious actions such as exfiltrating information about the user's PC and downloading additional files.

The confirmed file names are as follows.

File Name

240517_Main-1st_** Digital_Korean Peninsula Security Strategy-No. 15(182×257)_240517_164317.lnk

Corrected VAT report guidelines (Regulations on the handling of VAT).hwp.lnk

** Hospital(April 2024 Regular Payroll).htm.lnk

Table 1. Confirmed file names
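The Type A chain above relies on two things an analyst can check without running the shortcut: the command line stored in the LNK's StringData, and the CAB and decoy data appended after the shortcut structure. The following triage helper is an added example written for this report, not AhnLab's code and not derived from any of the listed samples. It parses the fixed Shell Link layout (header, optional IDList and LinkInfo, StringData, ExtraData blocks) as defined in MS-SHLLINK, recovers the command-line arguments, and reports any CAB magic (MSCF) and overlay bytes past the structured part of the file. The sample LNK, its placeholder PowerShell command line and the fake CAB bytes are all constructed in the code.

```python
"""Triage helper for LNK-based droppers (Type A): constructed example, not real sample data."""
import struct

# Shell Link CLSID {00021401-0000-0000-C000-000000000046}, stored little-endian in the header.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
CAB_MAGIC = b"MSCF"


def _read_string(data: bytes, pos: int, unicode: bool):
    """Read one StringData item: a 2-byte character count followed by the characters."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if unicode:
        end = pos + count * 2
        return data[pos:end].decode("utf-16-le"), end
    end = pos + count
    return data[pos:end].decode("latin-1"), end


def parse_lnk(data: bytes) -> dict:
    """Walk the Shell Link layout and report where the structure ends and what follows it."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (4 bytes) covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            strings[name], pos = _read_string(data, pos, unicode)
    # ExtraData: size-prefixed blocks; a size below 4 is the TerminalBlock.
    while pos + 4 <= len(data):
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        if pos + size > len(data):
            break  # malformed block: treat everything from here on as overlay
        pos += size
    return {
        "flags": flags,
        "strings": strings,
        "structured_end": pos,
        "overlay_size": len(data) - pos,
        "cab_offset": data.find(CAB_MAGIC),
    }


def triage(data: bytes) -> dict:
    """Apply the indicators that characterise this dropper type and summarise them."""
    info = parse_lnk(data)
    args = info["strings"].get("arguments", "").lower()
    runs_powershell = "powershell" in args or "pwsh" in args
    findings = []
    if runs_powershell:
        findings.append("command line invokes PowerShell")
    if info["cab_offset"] >= 0:
        findings.append(f"CAB archive (MSCF) embedded at offset {info['cab_offset']}")
    if info["overlay_size"] > 0:
        findings.append(f"{info['overlay_size']} bytes of overlay after the shortcut structure")
    info["findings"] = findings
    # A CAB inside a shortcut has no legitimate use; PowerShell plus overlay is the Type A shape.
    info["suspicious"] = info["cab_offset"] >= 0 or (runs_powershell and info["overlay_size"] > 0)
    return info


def build_sample_lnk(arguments: str, overlay: bytes) -> bytes:
    """Constructed minimal LNK: header + COMMAND_LINE_ARGUMENTS + TerminalBlock + overlay."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))   # attributes, timestamps and the rest left zero
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    terminal_block = b"\x00\x00\x00\x00"
    return header + string_data + terminal_block + overlay


# Constructed sample: placeholder PowerShell command line, fake decoy bytes and a fake CAB appended.
SAMPLE_ARGS = '/c powershell.exe -WindowStyle Hidden -Command "<constructed placeholder>"'
DECOY_PREFIX = b"<constructed decoy document bytes>"
FAKE_CAB = CAB_MAGIC + b"\x00" * 32 + b"<constructed fake cabinet body>"
SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGS, DECOY_PREFIX + FAKE_CAB)

if __name__ == "__main__":
    for line in triage(SAMPLE_LNK)["findings"]:
        print(line)
```

Running the script against the constructed sample reports the PowerShell command line, the CAB offset and the overlay size; a shortcut with no overlay and no CAB produces no findings. The `cab_offset` is the position at which the embedded archive can be carved out for static analysis of the scripts it contains, and the recovered `arguments` string is what an EDR rule on parent-child process creation (explorer.exe launching PowerShell from a .lnk) would see.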

 

The decoy files made to deceive the user into thinking they have executed a normal file are as follows.


Figure 2. A confirmed decoy file

MD5

0628ff49a663b654931a641b4a6c4e1c
0932a039dd9e9039ee3d5de4b8074023
0993cf18121be84f5b1511318df80f44
09c14cecc077d7b29dec50eaf6b848c4
1222c91f7dd0d10954dfa43b592b731f

URL

http[:]//159[.]100[.]29[.]122[:]9990/
http[:]//167[.]88[.]174[.]135[:]5135/
http[:]//167[.]88[.]174[.]221[:]7777/
http[:]//167[.]88[.]174[.]221[:]9977/
http[:]//216[.]107[.]137[.]73[:]6516/