Threat Trend Report on APT Attacks – July 2024 Major Issues on APT Attacks in South Korea


This report covers the classification and statistics of APT attacks against South Korean targets confirmed during July 2024 and introduces the characteristics of each type. Below is a summary of some of the information.

[Table of Contents]

  • Overview
  • Trends of APT Attacks in Korea
    • Spear Phishing
      • Attacks Using LNK Files
      • Attacks Using HWP Files
      • Attacks Using JSE Files
      • Attacks Using DOC Files
      • Attacks Using CHM Files
  • AhnLab Response Overview
  • Conclusion
  • IoC (Indicators of Compromise)
    • Key File Names
    • File Hashes (MD5s)
    • Relevant Domains, URLs, and IP Addresses

 

[Overview]

 

AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in South Korea. This report covers the types and statistics of APT attacks in Korea during July 2024 as well as the features of each type.

 


Figure 1. July 2024 statistics on APT attacks in Korea

APT attacks against Korean targets are categorized by the method of intrusion; in July 2024, spear phishing was the most frequently identified type.

 

[Trends of APT Attacks in Korea]

The cases and features of each APT attack type identified in July 2024 are as follows.

 

Spear Phishing

Spear phishing is a type of phishing attack aimed at specific individuals or groups. Unlike ordinary phishing attacks, the threat actor conducts reconnaissance before launching the attack to collect information on and learn about the targets. Because the threat actor crafts the phishing emails using the collected information, the recipients are highly likely to believe that the emails come from a trusted source. There are also cases where the sender's address is manipulated through email spoofing. Most spear phishing attacks include malicious attachments or links intended to lure the user into opening them.

Types distributed using this technique are as follows.

  • Attacks Using LNK Files
    • Type A

      For this type, a CAB file containing multiple compressed malicious scripts is created to leak information and download additional malware strains. The distributed LNK file contains a malicious PowerShell command which extracts the CAB file and decoy document data embedded within the LNK file itself and writes them to the user's PC. Afterward, the CAB file is decompressed and the multiple scripts (bat, ps1, vbs, etc.) contained within it are executed. The executed script files can perform malicious behaviors such as exfiltrating user PC information and downloading additional files.
      The confirmed file name is as follows.

File Name

#1. Project Info Update Request.xlsx.lnk

Table 1. Confirmed file name

Below is the decoy file that was used to deceive the user into thinking they executed a legitimate file.

 

 


Figure 2. Confirmed decoy file
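As an added illustration of the Type A pattern described above (example code written for this page, not from AhnLab's report or tooling), the following triage script checks an LNK file for the three traits the report describes: a PowerShell command line stored in the shortcut, a command line that reads .lnk files (the shortcut carving its own bytes), and a CAB archive embedded after the shortcut structure. The 64 KB size threshold and the sample bytes it runs on are constructed assumptions.

```python
"""Triage heuristics for LNK files carrying an embedded CAB payload (added example)."""
import re
import struct

LNK_HEADER_SIZE = 0x4C                       # ShellLinkHeader is always 76 bytes
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
CAB_MAGIC = b"MSCF"                          # Microsoft Cabinet signature
CAB_HEADER_SIZE = 36                         # fixed CFHEADER size
SIZE_THRESHOLD = 64 * 1024                   # assumption: ordinary shortcuts are a few KB

def is_lnk(data: bytes) -> bool:
    """Validate the HeaderSize field and the ShellLink CLSID."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    return struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID

def utf16_strings(data: bytes, min_len: int = 12):
    """Yield printable UTF-16LE runs; LNK stores its command-line arguments that way."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")

def triage_lnk(data: bytes) -> dict:
    """Collect the indicators that together match the report's Type A pattern."""
    f = {"is_lnk": is_lnk(data), "oversized": len(data) > SIZE_THRESHOLD,
         "powershell": False, "self_reference": False, "cab_offset": -1, "cab_intact": False}
    for s in utf16_strings(data):
        low = s.lower()
        if "powershell" in low:
            f["powershell"] = True
            # A shortcut whose own command line reads *.lnk files is carving itself
            f["self_reference"] |= ".lnk" in low
    off = data.find(CAB_MAGIC, LNK_HEADER_SIZE)
    if off != -1 and off + 12 <= len(data):
        f["cab_offset"] = off
        cb_cabinet = struct.unpack_from("<I", data, off + 8)[0]      # declared CAB size
        f["cab_intact"] = CAB_HEADER_SIZE <= cb_cabinet <= len(data) - off
    f["suspicious"] = f["is_lnk"] and f["powershell"] and f["cab_offset"] != -1
    return f

def build_sample() -> bytes:
    """Constructed bytes mimicking the Type A layout; not a real malicious file."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    args = 'powershell -w hidden -c "$l=gci *.lnk; <carve decoy and CAB from $l>"'
    body = b"\x00" * 70_000                                     # stand-in for CAB contents
    cab = (CAB_MAGIC + b"\x00" * 4 + struct.pack("<I", CAB_HEADER_SIZE + len(body))
           + b"\x00" * 24 + body)
    return header + args.encode("utf-16-le") + b"XLSX-DECOY" + cab
```

Run `triage_lnk(build_sample())` to see every flag set; on a real sample the `cab_offset` gives the position at which to carve the CAB for further analysis.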

 

    • Type B

      This type executes RAT malware. The samples are generally distributed as compressed files alongside legitimate files, and the LNK files found in distribution contained malicious PowerShell commands. Besides downloading malware via the Dropbox API or Google Drive, the recently identified LNK files also create additional script files and an obfuscated RAT in the TEMP or PUBLIC folder upon execution. The RAT ultimately executed can perform various malicious behaviors, such as keylogging and taking screenshots, based on commands from the threat actor. XenoRAT and RoKRAT were among the RAT types found in this case.
       

 
