Threat Trend Report on APT Attacks (South Korea) – February 2024 Major Issues on APT Attacks

Overview

AhnLab monitors Advanced Persistent Threat (APT) attacks targeting South Korean entities using its own infrastructure. This report covers the classification and statistics of APT attacks in South Korea detected during February 2024 and introduces the features of each type.


Figure 1. Statistics on APT attacks in South Korea in February 2024

APT attacks confirmed to have occurred in South Korea are classified by penetration type; the types identified are spear phishing and supply chain attacks. In February 2024, LNK files distributed via spear phishing were the predominant penetration type.

APT Attack Trends in South Korea

The cases and features of APT attacks in South Korea detected in February 2024, categorized by penetration type, are as follows.

1) Spear Phishing

Spear phishing is a type of phishing attack that targets specific individuals or groups. Unlike typical phishing attacks, threat actors who perform spear phishing gather and assess information about their target before executing their attack. Threat actors create phishing emails by utilizing the collected information, making it more likely for recipients to perceive the emails as trustworthy. Additionally, there are cases of email spoofing where the sender’s address is forged. In most spear phishing cases, malicious attachments or links are included in the emails and recipients are lured into opening them.

The attack types distributed using this technique are as follows.

1.1 Attacks Using LNK

Type A

This type uses multiple malicious scripts, delivered in a compressed CAB file, to leak information and download additional malware. The circulating LNK file contains a malicious PowerShell command that extracts the CAB file and the decoy document data embedded inside the LNK file and saves them to the user's PC. It then decompresses the CAB file and executes the script files (bat, ps1, vbs, etc.) it contains. The executed scripts can perform malicious behaviors such as leaking user PC information and downloading additional files.

The confirmed file name is as follows:

File name

제20회 북한자유주간 일정및 참가자 명단.hwp.lnk (20th North Korea freedom week schedule and participant list.hwp.lnk)

Table 1. Confirmed file name

The decoy file designed to make it appear as if the user executed a legitimate file is as follows:


Figure 2. Confirmed decoy files

Type B

This type uses the Dropbox API or Google Drive to download RAT malware. It is mainly distributed in compressed archives together with legitimate files, and the confirmed LNK files contain malicious PowerShell commands. When executed, the LNK file's PowerShell command either connects to Google Drive and downloads the malware uploaded by the attacker or uses the Dropbox API to download AES-encrypted malware. The downloaded malware, mainly RATs, performs various malicious behaviors on the attacker's commands, such as keylogging and screen capture. Confirmed RAT families include XenoRAT, RokRAT, and tutRAT. Additional malicious script code has also been confirmed to be downloaded and used for activities such as leaking information.

The confirmed file names are as follows:

File name

(붙임2)202404 국회입법조사처태영호 위원실 정책간담회 회의 일정 계획(안).hwp.lnk ((Appendix 2) 202404 National Assembly Legislative Research Service Tae Young-ho Committee Office Policy Meeting Schedule Plan (Draft).hwp.lnk)

202404_주중한국대사관 한중 북중·안보현안 1.5트랙 비공개 정책간담회 대면회의 계획(안).hwp.lnk (202404_Korean Embassy in China, South Korea-China and North Korea-China Security Issues 1.5 Track Closed-door Policy Meeting In-person Meeting Plan (Draft).hwp.lnk)

IMG_20240214_0001.pdf.lnk

2024_조찬세미나_한국품질재단_강연수락서_박** 교수님.xlsx.lnk (2024_Morning Seminar_Korea Quality Foundation_Acceptance of Lecture_of Professor Park**.xlsx.lnk)

(안보칼럼) 반국가세력에 안보기관이 무기력해서는 안된다.lnk ((Security Column) Security agencies must not be powerless against anti-national forces.lnk)

대한민국은 아직도 건국전쟁과 민주주의전쟁중(초안2024028).lnk (South Korea is still in the midst of the founding war and the democracy war (Draft 2024028).lnk)

이**.lnk (Lee**.lnk)

원고 윤정부 대공수사권 인식202401.lnk (Manuscript Yun Government’s Perception of National Security Investigation Rights 202401.lnk)

**연구소_제30기_**국가전략연수과정_강의의뢰서_한**원장님.hwp.lnk (**Research Institute_30th Session_** National Strategy Training Course_Lecture Request Letter_Director Han**.hwp.lnk)

Table 2. Confirmed file names

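Seen from the defender's side, both LNK types above share a structure that can be triaged statically. The script below is an added example, not AhnLab's code or tooling: it parses the Shell Link format (MS-SHLLINK) to recover what the shortcut launches, then flags the traits described for Type A (the CAB payload and decoy carried inside the LNK, which show up as an overlay after the ExtraData terminal block, spotted here by the CAB `MSCF` signature) and for Type B (a PowerShell launch whose arguments reach out to a remote host). The 64 KB size threshold, the double-extension list, the cp949 assumption for non-Unicode strings, the `example.invalid` URL and the three sample shortcuts built by `build_sample_lnk` are all constructed for the demonstration; no sample from the report is embedded.

```python
"""Added example (not AhnLab's code): static triage of a Windows shortcut (.lnk).

Parses the Shell Link header and string data (MS-SHLLINK), recovers the target and
command-line arguments, walks the ExtraData blocks, and treats anything after the
terminal block as an overlay. Flags the traits of the LNK droppers in this report:
a PowerShell launch, download-related arguments, an embedded CAB/document overlay,
an oversized file, and a double extension in the file name.
"""
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Signatures a dropper may append after the shortcut structure: CAB archive, OLE compound file (HWP/DOC)
OVERLAY_MAGICS = {b"MSCF": "cab", b"\xd0\xcf\x11\xe0": "ole-compound"}
SIZE_THRESHOLD = 64 * 1024  # assumed threshold: ordinary shortcuts are a few KB
DOWNLOAD_RE = re.compile(r"https?://|dropbox|drive\.google|invoke-webrequest|downloadstring|webclient", re.I)


def _read_string(data, off, unicode):
    """StringData item: 2-byte character count, then the characters (no terminator)."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    if unicode:
        return data[off:off + count * 2].decode("utf-16-le", errors="replace"), off + count * 2
    # ANSI strings use the creating system's code page; cp949 is assumed here (Korean samples)
    return data[off:off + count].decode("cp949", errors="replace"), off + count


def parse_lnk(data):
    """Return link flags, string data and the overlay that follows the ExtraData terminal block."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link header")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            strings[key], off = _read_string(data, off, unicode)
    # ExtraData: blocks prefixed by a 4-byte BlockSize; a size below 4 is the terminal block
    while off + 4 <= len(data):
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:
            off += 4
            break
        off += size
    return {"flags": flags, "strings": strings, "overlay": data[off:]}


def triage_lnk(data, filename=""):
    """Score one shortcut; returns the recovered launch line and a list of findings."""
    parsed = parse_lnk(data)
    s = parsed["strings"]
    launch = f"{s.get('relative_path', '')} {s.get('arguments', '')}".strip()
    overlay = parsed["overlay"]
    findings = []
    if re.search(r"powershell|pwsh", launch, re.I):
        findings.append("powershell-launch")
    if DOWNLOAD_RE.search(s.get("arguments", "")):
        findings.append("remote-download-in-arguments")
    if len(data) > SIZE_THRESHOLD:
        findings.append(f"oversized:{len(data)}")
    if overlay:
        kind = next((n for m, n in OVERLAY_MAGICS.items() if m in overlay), "unknown")
        findings.append(f"overlay:{kind}:{len(overlay)}")
    if re.search(r"\.(hwp|hwpx|pdf|xlsx|docx?|txt)\.lnk$", filename, re.I):
        findings.append("double-extension")
    return {"launch": launch, "overlay_size": len(overlay), "findings": findings,
            "suspicious": bool(findings)}


def build_sample_lnk(relative_path, arguments, overlay=b""):
    """Construct a minimal shortcut (test data built here, not a real sample): header,
    RELATIVE_PATH and COMMAND_LINE_ARGUMENTS as UTF-16LE, a terminal ExtraData block,
    then the overlay bytes appended the way the Type A dropper carries its payload."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, etc. left zero

    def item(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + item(relative_path) + item(arguments) + struct.pack("<I", 0) + overlay


if __name__ == "__main__":
    ps = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    type_a = build_sample_lnk(ps, "-WindowStyle Hidden -Command CONSTRUCTED_PLACEHOLDER",
                              b"MSCF" + b"\x00" * 80000)  # fake embedded CAB
    type_b = build_sample_lnk(ps, '-Command "Invoke-WebRequest https://example.invalid/stage2"')
    for name, blob in (("schedule.hwp.lnk", type_a), ("IMG_0001.pdf.lnk", type_b),
                       ("notes.lnk", build_sample_lnk(r"..\notes.txt", ""))):
        print(name, triage_lnk(blob, name)["findings"])
```

To run it over a real file, pass the bytes and the base name: `triage_lnk(open(path, "rb").read(), os.path.basename(path))`. The overlay offset (`len(data) - result["overlay_size"]`) is also the carving point for the embedded CAB or decoy, and because the IDList and LinkInfo are skipped by the sizes stored in the file, a truncated shortcut yields an empty overlay rather than an exception.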
MD5

192b2be1f422c19f548b73bc0dc1a142
1936e98ac430aea0afc800179f3de502
1e66ac680d0edfe18d97b89e46c7e82e
219d2c849db1f2a17463e52a09574ca0
29efd64dd3c7fe1e2b022b7ad73a1ba5

URL

http[:]//159[.]100[.]29[.]112[:]7878/
http[:]//159[.]100[.]29[.]122[:]5885/
http[:]//210[.]16[.]120[.]210/rdpclip[.]dat
http[:]//95[.]164[.]68[.]22[:]2042/
http[:]//95[.]164[.]86[.]148[:]7777/

IP

84[.]38[.]129[.]21