Threat Trend Report on APT Attacks (South Korea) – March 2024 Major Issues on APT Attacks

Overview

AhnLab has been using its infrastructure to monitor advanced persistent threat (APT) attacks against Korean targets. This report covers the categories of APT attacks targeting Korea that were detected during March 2024, along with the features of each type.


Figure 1. March 2024 statistics on APT attacks against Korea

APT attacks confirmed to be against Korean targets were categorized by infiltration type, with most being classified as spear phishing. Out of the infiltration types in March 2024, LNK distribution using spear phishing was the most prominent. DOC and HWP (Hangul Word Processor) distributions also increased.

APT Attack Trends in South Korea

The cases for each infiltration type of APT attacks against Korea identified in March 2024 and the features of each type are as follows.

1) Spear Phishing

Spear phishing is a type of phishing attack that targets specific individuals or groups. Unlike ordinary phishing, the threat actor conducts reconnaissance before launching the attack to collect information about the target. Because the threat actor uses this collected information to craft the phishing emails, the recipients are highly likely to trust them. There are also cases where the sender's email address is forged using email spoofing. Most spear phishing emails carry a malicious attachment or link and lure the recipient into opening it.

The types distributed using this technique are as follows.

1.1 Attacks Using LNK

Type A

This type uses a CAB file containing multiple compressed malicious scripts that exfiltrate information and download additional malware. The distributed LNK file contains malicious PowerShell commands that extract the CAB file and the decoy document data embedded inside the LNK file and write them to the user's PC. Afterward, the CAB file is decompressed and the numerous scripts within it (bat, ps1, vbs, etc.) are executed. These scripts can perform malicious behaviors including exfiltrating information about the user's PC and downloading additional files.

The confirmed file names are as follows:

File Name

가상자산업감독규정_제정안.docx.lnk (Virtual Asset Business Supervision Guidelines_Establishment Proposal.docx.lnk)

첨부1_성명_개인정보수집이용동의서.docx.lnk (Attachment1_Name_Personal Information Use Agreement.docx.lnk)

Table 1. Confirmed file names
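A static triage check for the Type A shortcut described above, added here as an example and not taken from AhnLab's report: it verifies the ShellLink header, looks for PowerShell switches in the shortcut's UTF-16LE string fields, flags document-style double extensions like those in Table 1, and searches past the header for an embedded CAB header ("MSCF"), reading its cbCabinet and cFiles fields. The LNK bytes, the PowerShell argument string and the CFHEADER are all constructed inline for the demonstration (not real malware); the size threshold and marker list are assumptions a defender would tune.

```python
import struct

LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # ShellLink CLSID
CAB_MAGIC = b"MSCF"
SIZE_THRESHOLD = 64 * 1024   # assumed: real shortcuts are tiny; one carrying a CAB and a decoy is not
PS_MARKERS = (b"powershell", b"-windowstyle hidden", b"-w hidden", b"-encodedcommand", b"-nop")
DECOY_EXTS = (".docx", ".doc", ".hwp", ".pdf", ".xlsx")

def has_decoy_double_extension(name):
    """Flag names such as 'report.docx.lnk' that pose as documents (see Table 1)."""
    stem, _, ext = name.lower().rpartition(".")
    return ext == "lnk" and stem.endswith(DECOY_EXTS)

def find_embedded_cab(data):
    """Return (offset, cbCabinet, cFiles) of the first CFHEADER after the 76-byte LNK header, else None."""
    off = data.find(CAB_MAGIC, 76)
    if off < 0 or off + 36 > len(data):          # CFHEADER is 36 bytes
        return None
    cb_cabinet = struct.unpack_from("<I", data, off + 8)[0]    # cbCabinet: total archive size
    c_files = struct.unpack_from("<H", data, off + 28)[0]      # cFiles: number of packed files
    return off, cb_cabinet, c_files

def triage_lnk(data):
    is_lnk = data[:4] == LNK_MAGIC and data[4:20] == LNK_CLSID
    low = data.lower()
    # LNK string fields are UTF-16LE; match each marker in both ASCII and UTF-16LE form.
    hits = [m.decode() for m in PS_MARKERS if m in low or m.decode().encode("utf-16-le") in low]
    cab = find_embedded_cab(data)
    return {
        "is_lnk": is_lnk, "size": len(data), "powershell_markers": hits, "embedded_cab": cab,
        "suspicious": is_lnk and (cab is not None or (bool(hits) and len(data) > SIZE_THRESHOLD)),
    }

def _build_sample(args, payload=b""):
    """Constructed sample: a 76-byte ShellLinkHeader, UTF-16LE arguments, then an optional payload."""
    header = LNK_MAGIC + LNK_CLSID + b"\x00" * (76 - 20)
    return header + args.encode("utf-16-le") + b"\x00" * 8 + payload

# Constructed CFHEADER only (no real archive body): cbCabinet=0x1234, cFolders=1, cFiles=2.
FAKE_CAB = CAB_MAGIC + struct.pack("<IIIIIBBHHHHH", 0, 0x1234, 0, 0x2C, 0, 3, 1, 1, 2, 0, 0, 0)
SAMPLE_LNK = _build_sample("powershell -nop -w hidden -c", FAKE_CAB + b"\x00" * 64)
BENIGN_LNK = _build_sample(r"C:\Windows\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob))
```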

The following decoy files were used to deceive users into thinking a legitimate document had been opened.


Figure 2. A confirmed decoy file


Figure 3. A confirmed decoy file
