Threat Trend Report on APT Attacks (South Korea) – April 2024 Major Issues on APT Attacks Against South Korea
Overview
AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in South Korea. This report discusses the categorization and statistics of APT attacks against Korean targets in April 2024 as well as the features of each type.

Figure 1. Statistics on APT attacks against Korean targets in April 2024
APT attacks in Korea were categorized by penetration type, and most were found to be spear phishing. Among the penetration types in April 2024, spear phishing attacks using LNK files were the most prominent.
Trends of APT Attacks in Korea
The cases and features of APT attacks in Korea identified in April 2024 are as follows.
1) Spear Phishing
Spear phishing is a type of phishing attack launched against specific individuals or groups. Unlike normal phishing attacks, the threat actor conducts reconnaissance before launching the attack to collect information and learn about the target. Because the threat actor uses the collected information to craft the phishing email, the recipient is highly likely to believe that the email is safe and valid. There are also cases where the sender address is manipulated through email spoofing. Most spear phishing attacks include malicious attachments or links that are intended to lure the user into opening them.
Below are the types distributed using said technique.
1.1 Attacks Using LNK Files
Type A
Files of this type ultimately execute RAT malware. They are generally distributed in compressed archives alongside legitimate files. The LNK files found in distribution contained malicious PowerShell commands. Besides downloading malware through the Dropbox API or Google Drive, recently identified LNK files create an additional script file and an obfuscated RAT payload in the TEMP or PUBLIC folder upon execution. The RAT malware executed in the end can perform various malicious behaviors, such as keylogging and taking screenshots, according to commands from the threat actor. XenoRAT and RoKRAT were among the RAT types found in this case.
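As an added example (not code from the report or from AhnLab), the following Python parses the Shell Link (LNK) header and StringData fields and flags the traits described above: a target of powershell.exe, hidden-execution switches, and a large run of bytes appended after the documented structures, where an embedded script or RAT payload would have to sit. The overlay heuristic and its 1024-byte threshold are assumptions, as is the constructed test shortcut produced by build_sample_lnk.

```python
import struct
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08   # LinkFlags (MS-SHLLINK 2.1.1)
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")             # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH), ("working_dir", HAS_WORKDIR),
                 ("arguments", HAS_ARGS), ("icon_location", HAS_ICON))     # StringData order in the file
HIDDEN_RUN_SWITCHES = ("-windowstyle hidden", "-w hidden", "-noprofile", "-nop ", "-executionpolicy bypass",
                       "-ep bypass", "-encodedcommand", "-enc ")

def parse_lnk(data: bytes) -> dict:
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_IDLIST:                  # IDListSize (2 bytes) precedes the item list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                # LinkInfoSize is the first LinkInfo field
        off += struct.unpack_from("<I", data, off)[0]
    info, width = {}, 2 if flags & IS_UNICODE else 1
    for field, bit in STRING_FIELDS:        # each string: CountCharacters, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2:off + 2 + count * width]
            info[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    size = 4
    while size >= 4 and off + 4 <= len(data):   # ExtraData blocks; the TerminalBlock has size < 4
        size = struct.unpack_from("<I", data, off)[0]
        off += max(size, 4)
    info["overlay_bytes"] = len(data) - off  # data after the documented structures (embedded payload?)
    return info

def triage_lnk(data: bytes) -> dict:
    """Flag shortcuts that launch PowerShell with hidden-execution switches or carry a large overlay."""
    info = parse_lnk(data)
    cmd = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    findings = ["target is PowerShell, not a document"] if "powershell" in cmd else []
    hits = [s for s in HIDDEN_RUN_SWITCHES if s in cmd]
    if hits:
        findings.append("hidden-execution switches: " + ", ".join(hits))
    if info["overlay_bytes"] > 1024:        # threshold is an assumption; tune per environment
        findings.append(f"{info['overlay_bytes']} bytes appended after the link structures")
    return {"verdict": "suspicious" if findings else "benign", "findings": findings}

def build_sample_lnk(relative_path: str, arguments: str, overlay: bytes = b"") -> bytes:
    """Constructed test shortcut (not a sample from the report): header + RELATIVE_PATH + ARGUMENTS + TerminalBlock."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_RELPATH | HAS_ARGS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + strings + struct.pack("<I", 0) + overlay
```

To triage a real file, pass its bytes to `triage_lnk`; `build_sample_lnk` only exists to produce a constructed shortcut for testing the parser offline.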
The confirmed file names are as follows.
| File Name |
|---|
| 국가** 아카데미 수료증.lnk (National ** Academy Completion Certificate.lnk) |
| 통일부 특강 (2024.2.14) 강의용 최종.lnk (Ministry of Unification Special Lecture (Feb. 14, 2024) Final Lecture Material.lnk) |
| 설비목록.lnk (Equipment List.lnk) |
| Gate access roster 2024.lnk |
| 국가** 아카데미 8기 통합과정 수료증(최종본).lnk (8th National ** Academy General Course Completion Certificate (Final Version).lnk) |
| *우회 소식지(2024.3월호).lnk (* Society Newsletter (March 2024 Issue).lnk) |
| 상임이사회 회의록.lnk (Minutes of Meeting for Board of Executive Directors.lnk) |
| 2023경기*지회 회원명부.lnk (2023 Gyeonggi * Regional Assembly Membership Roster.lnk) |
| 북한동향.lnk (North Korean Trends.lnk) |
| 월간 북한.lnk (Monthly North Korea.lnk) |
| 동북공정(미국의회조사국(CRS Report).lnk (Northeast Project (US Congress Research Service (CRS Report).lnk) |
Table 1. Confirmed file names
Below are the decoy files that were used to deceive the user into thinking they executed a legitimate file.

Figure 2. Confirmed decoy file