June 2024 Major Issues on APT Attacks in South Korea

Overview

 

AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in South Korea. This report discusses the categorization and statistics of APT attacks against Korean targets in June 2024 as well as the features of each type.

 


Figure 1. Statistics on APT attacks against Korean targets in June 2024

 

APT attacks in Korea were categorized by penetration type, and most were found to be spear phishing. Among the penetration types in June 2024, spear phishing attacks using LNK files were the most prominent.

 

Trends on APT Attacks in Korea

 

The cases and features of APT attacks in Korea identified in June 2024 are as follows.

 

1. Spear Phishing

Spear phishing is a type of phishing attack launched against specific individuals or groups. Unlike normal phishing attacks, the threat actor conducts reconnaissance before launching the attack to collect information and learn about the target. Because the threat actor uses the collected information to craft the phishing email, the recipient is highly likely to believe that the email is safe and valid. There are also cases where the sender address is manipulated through email spoofing. Most spear phishing attacks include malicious attachments or links that are intended to lure the user into opening them.

The types distributed using this technique are as follows.

 

1.1 Attacks Using LNK Files

 

Type A

 

For this type, a CAB file containing multiple compressed malicious scripts is created to leak information and download additional malware strains. The distributed LNK file contains a malicious PowerShell command that carves the CAB file and the decoy document data embedded in the LNK file itself and writes them to the user's PC. Afterward, the CAB file is decompressed and the multiple scripts it contains (bat, ps1, vbs, etc.) are executed. The executed script files can perform malicious behaviors such as exfiltrating user PC information and downloading additional files.
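Because the CAB and the decoy are stored inside the LNK after the shell-link structure ends, a defender can triage such shortcuts by parsing the structure, reading the command-line arguments, and checking whether any bytes (and which file signatures) follow the terminal ExtraData block. The parser below is an added example written for this report, not AhnLab code; it follows the MS-SHLLINK layout, assumes latin-1 for non-Unicode string data, and runs against a constructed fixture that only mimics the layout (a fake OLE decoy and a bare "MSCF" marker, no real CAB).

```python
import struct

# Shell Link (.lnk) layout per MS-SHLLINK: 0x4C-byte header, CLSID at offset 4, LinkFlags at 0x14.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
# Signatures that have no business inside a shortcut: CAB, OLE (.hwp/.doc), ZIP (.hwpx/.docx).
EMBEDDED_MAGICS = {b"MSCF": "CAB", b"\xd0\xcf\x11\xe0": "OLE", b"PK\x03\x04": "ZIP"}
SUSPICIOUS_ARG_TERMS = ("powershell", "-windowstyle hidden", "-w hidden", "-enc", "expand")

def parse_lnk(data):
    """Return (command-line arguments, offset at which the shell-link structure ends)."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole LinkInfo block
        off += struct.unpack_from("<I", data, off)[0]
    args = ""
    for flag in STRING_FLAGS:                    # StringData: CountCharacters + characters
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off + 2: off + 2 + count * width]
            off += 2 + count * width
            if flag == HAS_ARGUMENTS:
                args = raw.decode("utf-16le" if width == 2 else "latin-1", "replace")
    size = 4                                     # ExtraData blocks; a BlockSize < 4 is the terminator
    while size >= 4 and off + 4 <= len(data):
        size = struct.unpack_from("<I", data, off)[0]
        off += max(size, 4)
    return args, off

def triage_lnk(data):
    """Flag payload-carrying shortcuts: suspicious arguments plus file signatures appended past the link."""
    args, end = parse_lnk(data)
    trailing = data[end:]
    embedded = sorted((trailing.find(m) + end, name) for m, name in EMBEDDED_MAGICS.items() if m in trailing)
    return {"args": args, "trailing_bytes": len(trailing), "embedded": embedded,  # (absolute offset, type)
            "suspicious_args": any(t in args.lower() for t in SUSPICIOUS_ARG_TERMS)}

def build_sample_lnk():
    """Constructed fixture (not a real sample): Unicode PowerShell-style args, then a decoy OLE header and CAB marker."""
    args = '-WindowStyle Hidden -Command "<extract-and-run placeholder>"'.encode("utf-16le")
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE) + b"\x00" * (0x4C - 24)
    body = header + struct.pack("<H", len(args) // 2) + args + b"\x00" * 4   # terminal ExtraData block
    return body + b"\xd0\xcf\x11\xe0" + b"\x00" * 32 + b"MSCF" + b"\x00" * 32
```

A non-zero `trailing_bytes` with a CAB or document signature in it is the concrete indicator this variant leaves behind, independent of the file name used in the lure.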

 

The confirmed file names are as follows.

 

 

File names

(Attachment 1) Business Application Template (Modified).lnk

(Attachment 2) 2024 North Korean Civil Human Rights Organization Strategic Activity Support Project_Budget Allocation and Execution Criteria Table.lnk

2024 North Korean Civil Human Rights Organization Strategic Activity Support Project Application Form.hwpx.lnk

xxx Token Distribution Amount and Lockup Schedule.lnk

Corrected VAT report guidelines (Regulations on the handling of VAT).hwp.lnk

Attachment 1 VAT Tax Base and Tax Amount (Tax Refund Amount) Report Receipt.hwp.lnk

Table 1. Confirmed file names

 

Below are the decoy files that were used to deceive the user into thinking they executed a legitimate file.

 


Figure 2. Confirmed decoy file

 


Figure 3. Confirmed decoy file

 
