Threat Trend Report on APT Attacks – August 2024 Major Issues on APT Attacks in South Korea

This report covers the classification and statistics of domestic APT attacks confirmed during August 2024 and introduces the features of each type. Below is a summary of some of the information.

 
[Table of Contents]

  • Overview
  • Trends of APT Attacks in Korea
    • Spear Phishing
      • Attacks Using LNK Files
      • Attacks Using HWP Files
      • Attacks Using JSE Files
      • Attacks Using CHM Files
      • Attacks Using MSC Files
      • Attacks Using EXE Files
      • Attacks Suspected of Using Scripts
  • AhnLab Response Overview
  • Conclusion
  • IoC (Indicators of Compromise)
    • Key File Names
    • File Hashes (MD5s)
    • Relevant Domains, URLs, and IP Addresses

 

[Overview]

 

AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in South Korea. This report will cover the types and statistics of APT attacks in Korea during August 2024 as well as features for each type.


Figure 1. August 2024 statistics on APT attacks in Korea

APT attacks against Korean targets have been categorized by type, and most of them were found to be spear phishing attacks. In August 2024, spear phishing attacks using HWP and MSC files accounted for most of the attacks.

 

[Trends of APT Attacks in Korea]

 

The cases and features of each APT attack type identified in August 2024 are as follows.

 

1)   Spear Phishing

 

Spear phishing is a type of phishing attack against specific individuals or groups. Unlike ordinary phishing attacks, the threat actor conducts reconnaissance before launching the attack to collect information on and learn about the targets. Because the threat actor crafts the phishing emails using the collected information, the recipients are highly likely to believe that they come from a trusted source. There are also cases where the sender’s address is manipulated through email spoofing. Most spear phishing attacks include malicious attachments or links intended to lure the user into opening them.

Types distributed using this technique are as follows.

 

1.1    Attacks Using LNK Files

 

Type A

 

This type ultimately executes RAT malware. The LNK files are generally distributed in compressed archives alongside legitimate files, and the LNK files found in distribution contained malicious PowerShell commands. Besides downloading malware via the Dropbox API or Google Drive, recently identified LNK files create an additional script file and an obfuscated RAT payload in the TEMP or PUBLIC folder upon execution. The RAT that is ultimately executed can perform various malicious behaviors, such as keylogging and taking screenshots, according to commands from the threat actor. XenoRAT and RoKRAT were among the RAT types found in this case.

 

The confirmed file name is as follows.

 

File Name

Western Disturbance in the Shinmi Year.lnk

Table 1. Confirmed file name
 

Type Unknown

 

While this type was distributed via spear phishing, it does not fall under any of the types described above.

The confirmed file names are as follows.

 

File Name

S**** Chemical.Inc_Estimate_240811_1-1400.docx.lnk

[D****] Dismissal Certificate Complimentary Document.docx.lnk

2024_2 Gwanak Union Lecture Plan 0810.lnk

Balu Travel_20240813.docx.lnk

***** Kang Requests.docx.lnk

Balance Sheet Related Document.docx.lnk

Public Waste-to-Energy Related Complimentary Document.docx.lnk

Liberation Day Souvenir (**** Choi) .pdf.lnk

Table 2. Confirmed file names
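The LNK samples in Tables 1 and 2 combine a deceptive double extension (.docx.lnk, .pdf.lnk) with a PowerShell command stored in the shortcut's arguments. As an added example (not AhnLab's code or tooling), the following Python parses the StringData fields of a .lnk file according to the MS-SHLLINK layout and applies triage heuristics for the traits described above: a double-extension file name, a script-host target such as powershell.exe, a hidden window, and references to the TEMP or PUBLIC folders. The heuristics, the `build_lnk` helper and the placeholder command inside the constructed sample are assumptions of this example, not indicators from the report.

```python
import re
import struct

# ShellLinkHeader constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 76
LNK_MAGIC = b"L\x00\x00\x00"                                     # HeaderSize == 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")    # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in exactly this order when their flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, ...) of a .lnk file."""
    if data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no NUL terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


# Triage heuristics: assumptions of this example, not AhnLab's detection logic.
DOUBLE_EXT = re.compile(r"\.(docx?|pdf|hwp|xlsx?|pptx?|txt)\s*\.lnk$", re.I)
SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32)(\.exe)?\b", re.I)
ARG_SIGNALS = [
    (re.compile(r"-(w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(nop|noprofile)\b", re.I), "profile disabled"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"%(temp|public)%|\$env:(temp|public)\b", re.I), "references TEMP/PUBLIC"),
    (re.compile(r"https?://|dropbox|drive\.google", re.I), "remote download"),
]


def assess_lnk(file_name: str, data: bytes) -> dict:
    """Parse one .lnk and return its fields plus a list of triage findings."""
    fields = parse_lnk(data)
    findings = []
    if DOUBLE_EXT.search(file_name):
        findings.append("deceptive double extension")
    target = " ".join(v for k, v in fields.items() if k in ("relative_path", "working_dir"))
    if SCRIPT_HOST.search(target):
        findings.append("script host target")
    for pattern, label in ARG_SIGNALS:
        if pattern.search(fields.get("arguments", "")):
            findings.append(label)
    return {"fields": fields, "findings": findings}


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Build a minimal Unicode .lnk in memory (constructed test input, not a real sample)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments else 0)
    header = LNK_MAGIC + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(LNK_HEADER_SIZE - len(header))    # remaining header fields zeroed

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(relative_path)
    if arguments:
        body += string_data(arguments)
    return header + body


if __name__ == "__main__":
    # Constructed sample: double-extension name, PowerShell target, placeholder command.
    sample = build_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'-w hidden -nop -c "$env:PUBLIC\PLACEHOLDER_stage.ps1"',
    )
    print(assess_lnk("Balance Sheet Related Document.docx.lnk", sample))
```

The parser only walks the structures that precede StringData (the header, the optional IDList and LinkInfo), which is enough to recover the target and arguments that matter for triage; real samples may carry additional ExtraData blocks after the strings, which this code does not need to read.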

1.2    Attacks Using HWP Files

 

Type B

 

This type downloads and runs additional malicious scripts through a batch file (*.BAT) embedded in the HWP file. When the HWP file is opened, the malicious batch file within the document is created in the TEMP folder. The threat actor inserts an element into the document that prompts the user to click it, which executes the batch file. When run, the batch file accesses an external URL to download and execute additional files. It also registers the malware in the Task Scheduler or a Run key to maintain persistence. Depending on the downloaded script code, it can perform various malicious behaviors such as executing command lines.
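The chain described above (document viewer writes a .bat into TEMP, the batch file runs under the viewer, then persistence is set through a scheduled task or a Run key) can be detected from endpoint telemetry by correlating process ancestry. As an added example that is not AhnLab's code, the following Python reconstructs the process tree from Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) and raises an alert for each stage of the chain. The event lines are constructed for this example, the image name `Hwp.exe` is assumed to be the word processor, and every path and task name marked PLACEHOLDER is invented.

```python
import json
import re

# Constructed Sysmon-style events (JSON lines). None of these values come from the report.
CONSTRUCTED_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "{P-EXPL}", "ParentProcessGuid": "{P-ROOT}", "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"EventID": 1, "ProcessGuid": "{P-HWP}", "ParentProcessGuid": "{P-EXPL}", "Image": "C:\\Hnc\\Hwp.exe", "CommandLine": "Hwp.exe \"C:\\Users\\u\\Downloads\\Lecture Request.hwp\""}
{"EventID": 11, "ProcessGuid": "{P-HWP}", "Image": "C:\\Hnc\\Hwp.exe", "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Temp\\PLACEHOLDER.bat"}
{"EventID": 1, "ProcessGuid": "{P-CMD}", "ParentProcessGuid": "{P-HWP}", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \"C:\\Users\\u\\AppData\\Local\\Temp\\PLACEHOLDER.bat\""}
{"EventID": 1, "ProcessGuid": "{P-SCH}", "ParentProcessGuid": "{P-CMD}", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /tn PLACEHOLDER /tr C:\\Users\\u\\AppData\\Local\\Temp\\PLACEHOLDER.bat /sc minute"}
{"EventID": 13, "ProcessGuid": "{P-CMD}", "Image": "C:\\Windows\\System32\\cmd.exe", "TargetObject": "HKU\\S-1-5-21-0\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\PLACEHOLDER", "Details": "C:\\Users\\u\\AppData\\Local\\Temp\\PLACEHOLDER.bat"}
{"EventID": 1, "ProcessGuid": "{P-NOTE}", "ParentProcessGuid": "{P-EXPL}", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"EventID": 13, "ProcessGuid": "{P-INST}", "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "Details": "C:\\Program Files\\Vendor\\agent.exe"}
"""

DOC_VIEWERS = {"hwp.exe"}   # assumed image name of the document viewer that opens .hwp files
DROPPED_SCRIPT = re.compile(r"\\(Temp|Public)\\[^\\\"]+\.(bat|cmd|vbs|js|jse|ps1)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)


def load_events(text: str) -> list:
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_hwp_chain(events: list) -> list:
    """Return (rule, detail) alerts for the HWP -> TEMP batch -> persistence chain."""
    parent, image = {}, {}
    for e in events:                       # first pass: build the process tree
        if e["EventID"] == 1:
            parent[e["ProcessGuid"]] = e.get("ParentProcessGuid")
        image[e["ProcessGuid"]] = base(e.get("Image", ""))

    def under_doc_viewer(guid: str) -> bool:
        seen = set()
        while guid and guid not in seen:   # walk ancestry, guard against cycles
            seen.add(guid)
            if image.get(guid) in DOC_VIEWERS:
                return True
            guid = parent.get(guid)
        return False

    alerts = []
    for e in events:                       # second pass: apply the stage rules
        guid = e["ProcessGuid"]
        if e["EventID"] == 11 and image.get(guid) in DOC_VIEWERS and DROPPED_SCRIPT.search(e["TargetFilename"]):
            alerts.append(("script dropped by document viewer", e["TargetFilename"]))
        elif e["EventID"] == 1 and under_doc_viewer(guid):
            cmd = e.get("CommandLine", "")
            if SCHTASKS_CREATE.search(cmd):
                alerts.append(("scheduled task created under document viewer", image[guid]))
            elif DROPPED_SCRIPT.search(cmd):
                alerts.append(("dropped script launched under document viewer", image[guid]))
        elif e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"]) and under_doc_viewer(guid):
            alerts.append(("Run key persistence under document viewer", e["TargetObject"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect_hwp_chain(load_events(CONSTRUCTED_EVENTS)):
        print(f"{rule}: {detail}")
```

Each rule is anchored on the document viewer being an ancestor, so a vendor installer writing its own Run value (the last event) produces no alert while the same registry write by a process descended from Hwp.exe does.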

The confirmed file names are as follows.

 

File Name

[Ministry of Unification Human Rights and Humanitarian Affairs Office] 1.5 Track on Relocating North Korean Defectors and Human Rights Issue (1).hwp

0910-24 Read-Ahead(pw; F15azx@!).hwp

Grieco Kavanagh Passive Supporters.hwp

Lecture Overview (pw13579).hwp

Lecture Request.hwp

Attachment 1.Compensation Request Form.hwp

Rules for Writing Manuscripts.hwp

Table 3. Confirmed file names

Below is the decoy file that was used to deceive the user into thinking they had executed a legitimate file.


Figure 2. Confirmed decoy file

 

MD5

085bebd949c45ec39dbe2a2b09d063d6
100e0fdae087054dbc1d8fc364b07e2e
11f1d61cf041bede4911767b580e56dd
1549ede872ca017eea0f053ec08c0f34
17f0dfbaaa9998aa0cffde716ececd4e

URL

http[:]//103[.]251[.]107[.]3/down[.]php?file=2[.]bin
http[:]//103[.]251[.]107[.]3/down[.]php?file=32[.]bin
http[:]//103[.]251[.]107[.]3/down[.]php?file=62[.]bin
http[:]//112[.]217[.]201[.]68[:]54350/
http[:]//159[.]100[.]13[.]216[:]5566/

FQDN

a98f3ce[.]shop
bossmakemoney[.]rest
checker[.]jetos[.]com
flashcore[.]shop
googlesharepoint[.]com
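The indicators above are published defanged (`[.]`, `[:]`) so they cannot be clicked by accident; to use them in a detection pipeline they must be refanged and normalized first. As an added example that is not AhnLab's code, the following Python loads the report's MD5, URL and FQDN lists, refangs them, additionally derives the IP addresses embedded in the URL indicators (a generalization beyond the three lists printed above), and then sweeps a set of constructed proxy, DNS, firewall and antivirus log lines for matches. The log lines and the log field names are invented for this example.

```python
import re

# Indicators exactly as published in the report (defanged).
REPORT_IOCS = """
MD5
085bebd949c45ec39dbe2a2b09d063d6
100e0fdae087054dbc1d8fc364b07e2e
11f1d61cf041bede4911767b580e56dd
1549ede872ca017eea0f053ec08c0f34
17f0dfbaaa9998aa0cffde716ececd4e
URL
http[:]//103[.]251[.]107[.]3/down[.]php?file=2[.]bin
http[:]//103[.]251[.]107[.]3/down[.]php?file=32[.]bin
http[:]//103[.]251[.]107[.]3/down[.]php?file=62[.]bin
http[:]//112[.]217[.]201[.]68[:]54350/
http[:]//159[.]100[.]13[.]216[:]5566/
FQDN
a98f3ce[.]shop
bossmakemoney[.]rest
checker[.]jetos[.]com
flashcore[.]shop
googlesharepoint[.]com
"""

# Constructed log lines (not from the report): proxy, DNS, firewall and AV records.
CONSTRUCTED_LOGS = """
2024-08-20T09:12:01Z proxy src=10.0.0.15 method=GET url=http://103.251.107.3/down.php?file=32.bin status=200
2024-08-20T09:13:44Z proxy src=10.0.0.15 method=GET url=https://www.example.com/ status=200
2024-08-20T09:14:02Z dns src=10.0.0.22 query=checker.jetos.com type=A
2024-08-20T09:15:30Z dns src=10.0.0.22 query=mail.example.com type=A
2024-08-20T09:16:12Z fw src=10.0.0.31 dst=159.100.13.216 dport=5566 action=allow
2024-08-20T09:20:11Z av host=WS-07 path=C:\\Users\\u\\AppData\\Local\\Temp\\x.bat md5=11F1D61CF041BEDE4911767B580E56DD
2024-08-20T09:21:05Z av host=WS-08 path=C:\\Windows\\notepad.exe md5=0123456789abcdef0123456789abcdef
"""

HASH_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
URL_IP_HOST = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})", re.I)


def refang(value: str) -> str:
    """Turn a defanged indicator back into its usable form."""
    value = re.sub(r"\[([.:])\]", r"\1", value)          # [.] -> .   [:] -> :
    return re.sub(r"^hxxp", "http", value, flags=re.I)    # hxxp:// -> http://


def load_iocs(text: str) -> dict:
    """Parse the report's section-headed list into normalized sets, deriving IPs from URLs."""
    iocs = {"MD5": set(), "URL": set(), "FQDN": set(), "IP": set()}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line in iocs:                     # "MD5", "URL", "FQDN" act as section headers
            section = line
            continue
        if section:
            iocs[section].add(refang(line).lower())
    for url in iocs["URL"]:
        m = URL_IP_HOST.match(url)
        if m:
            iocs["IP"].add(m.group(1))
    return iocs


def match_logs(lines: list, iocs: dict) -> list:
    """Return (type, indicator, line) for every log line containing a known indicator."""
    hits = []
    for line in lines:
        for h in HASH_RE.findall(line):
            if h.lower() in iocs["MD5"]:
                hits.append(("MD5", h.lower(), line))
        for u in URL_RE.findall(line):
            if u.lower() in iocs["URL"]:
                hits.append(("URL", u.lower(), line))
        for d in HOST_RE.findall(line):
            if d.lower() in iocs["FQDN"]:
                hits.append(("FQDN", d.lower(), line))
        for ip in IP_RE.findall(line):
            if ip in iocs["IP"]:
                hits.append(("IP", ip, line))
    return hits


if __name__ == "__main__":
    for kind, ioc, line in match_logs(CONSTRUCTED_LOGS.splitlines(), load_iocs(REPORT_IOCS)):
        print(f"[{kind}] {ioc} <- {line.strip()}")
```

Matching is done on exact, lower-cased values after refanging, so the same URL with a different query string or a different file under the same host would only be caught through the derived IP entry; that is deliberate, since URL indicators in this report vary only in the `file=` parameter while the hosting IP stays the same.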