Threat Trend Report on APT Attacks (South Korea) – January 2024
Major Issues on APT Attacks
Overview
AhnLab monitors Advanced Persistent Threat (APT) attacks targeting South Korean entities using its own infrastructure. This report covers the classification and statistics of APT attacks in South Korea detected during January 2024 and introduces their features by type.

Figure 1. Statistics of APT attacks in South Korea in January 2024
APT attacks confirmed to have occurred in South Korea are classified by penetration type, with spear phishing and supply chain attacks having been identified. In January 2024, LNK distribution using spear phishing was predominant among the penetration types.
Threat Trend on APT Attacks in South Korea
The cases and features of APT attacks in South Korea detected in January 2024 have been categorized by penetration type and are as follows.
1) Spear Phishing
Spear phishing is a type of phishing attack that targets specific individuals or groups. Unlike typical phishing attacks, threat actors who perform spear phishing gather and assess information about their target before executing their attack. Threat actors create phishing emails by utilizing the collected information, making it more likely for recipients to perceive the emails as trustworthy. Additionally, there are cases of email spoofing where the sender’s address is forged. In most spear phishing cases, malicious attachments or links are included in the emails and recipients are lured into opening them.
The types that are distributed using this technique are as follows.
1.1 Attacks Utilizing LNK
Type A
This type involves generating a CAB file containing multiple malicious scripts that exfiltrate information and download additional malware. The distributed LNK file contains malicious PowerShell commands that extract the CAB file and the decoy document data embedded in the LNK file onto the user’s PC. The CAB file is then decompressed, and the multiple script files (bat, ps1, vbs, etc.) contained within it are executed. These scripts can perform malicious activities such as exfiltrating user information and downloading additional files.
The confirmed file name is as follows:

| File Name |
|---|
| Teaching English.lnk |

Table 1. Confirmed file name
Type B
This type involves downloading RAT malware using the Dropbox API or Google Drive. It is mainly distributed in the form of compressed files along with legitimate files. The distributed LNK files contain malicious PowerShell commands. Upon executing the LNK files, the PowerShell commands access Google Drive to download malware uploaded by the threat actor, or download AES-encrypted malware using the Dropbox API. Typically, RAT-type malware is downloaded, enabling various malicious activities such as keylogging and screen capturing based on the threat actor’s commands. Confirmed RAT types include XenoRAT, RokRAT, and tutRAT. Cases have also been identified where further malicious scripts are downloaded to perform activities such as information exfiltration.
The confirmed file names are as follows:

| File Name |
|---|
| (동북아 1과)「2024년 국가안보의 중대 도전 및 정책적 함의」.docx.lnk |
| 세종연구소 제30기 세종국가전략연수과정 강의의뢰서 박** 박사님.hwp.lnk |
| 트레이딩 스파르타코스 강의안-100불남(2차)___________________.pdf.lnk |
| 제73차 통일전략포럼 안내장.lnk |

Table 2. Confirmed file names
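As an added triage example (not code from AhnLab or this report), the following Python script checks a shortcut file for the indicators that the Type A and Type B LNK samples share: a PowerShell command line carried in the shortcut's arguments and, for Type A, a CAB archive and decoy document appended inside the file. The LNK header constants come from the MS-SHLLINK specification; the sample shortcut, its command line and the pattern list are constructed for this example.

```python
import re
import struct

# Header constants from MS-SHLLINK (real values); the sample shortcut below is constructed.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_ARGUMENTS = 0x20
FLAG_IS_UNICODE = 0x80

# Signatures of the payloads the report describes being carried inside the LNK file
EMBEDDED_SIGNATURES = {
    b"MSCF": "CAB archive",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound file (doc/hwp)",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container (docx/hwpx)",
}
# Command-line fragments a benign desktop shortcut has no reason to carry
SUSPICIOUS_PATTERNS = [
    r"powershell", r"-w(?:indowstyle)?\s+hidden", r"-e(?:nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}",
    r"expand(?:\.exe)?\s", r"\.cab\b", r"\.bat\b", r"\.vbs\b", r"\.ps1\b",
]

def triage_lnk(data: bytes) -> dict:
    """Flag structural and content indicators of a weaponised shortcut."""
    result = {"is_lnk": False, "has_arguments": False, "suspicious": [], "embedded": []}
    if len(data) < LNK_HEADER_SIZE or data[:20] != struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID:
        return result
    result["is_lnk"] = True
    result["has_arguments"] = bool(struct.unpack_from("<I", data, 0x14)[0] & FLAG_HAS_ARGUMENTS)
    # ASCII plus both UTF-16LE alignments: the arguments string can start at an odd offset
    text = "\n".join([data.decode("latin-1"), data.decode("utf-16-le", errors="ignore"),
                      data[1:].decode("utf-16-le", errors="ignore")])
    result["suspicious"] = [p for p in SUSPICIOUS_PATTERNS if re.search(p, text, re.IGNORECASE)]
    for sig, label in EMBEDDED_SIGNATURES.items():
        pos = data.find(sig, LNK_HEADER_SIZE)  # an appended payload sits past the header
        while pos != -1:
            result["embedded"].append((pos, label))
            pos = data.find(sig, pos + 1)
    result["embedded"].sort()
    return result

def build_sample() -> bytes:
    # Constructed Type A stand-in: HasArguments set, hidden PowerShell command line at an
    # odd offset, then an appended CAB archive and a decoy PDF (no real malware involved).
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<I", FLAG_HAS_ARGUMENTS | FLAG_IS_UNICODE)
    cmd = "powershell.exe -windowstyle hidden -command expand decoy.cab -F:* %TEMP%"
    body = b"\x00" * 3 + cmd.encode("utf-16-le")
    return (header.ljust(LNK_HEADER_SIZE, b"\x00") + body + b"\x00" * 16
            + b"MSCF" + b"\x00" * 32 + b"%PDF-1.4 decoy")
```

Run `triage_lnk(open(path, "rb").read())` on a quarantined sample; a shortcut that is far larger than a few kilobytes, carries PowerShell in its arguments, or has a CAB or document signature past the header matches the behaviour described for these types.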