November 2024 Threat Trend Report on APT Attacks (South Korea)

Overview

AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in Korea. This report will cover the types and statistics of APT attacks in Korea during November 2024 as well as features of each type.

Figure 1. November 2024 statistics on APT attacks in Korea

APT attacks against Korean targets have been categorized by penetration type, and most were found to be spear phishing. In November 2024, spear phishing attacks using files with the LNK extension were found in large numbers.

Trends of APT Attacks in Korea

The cases and features for each APT attack type identified in November 2024 are as follows.

1. Spear Phishing

Spear phishing is a type of phishing attack aimed at specific individuals or groups. Unlike ordinary phishing attacks, the threat actor conducts reconnaissance before launching the attack to collect information on and learn about the targets. Because the threat actor crafts the phishing emails using the collected information, the recipients are highly likely to believe that the emails come from a trusted source. There are also cases where the sender’s address is manipulated through email spoofing. Most spear phishing attacks include malicious attachments or links that are intended to lure the user into opening them.

The types distributed using this technique are as follows.

1.1 Attacks Using LNK Files

Type A

This type involves creating a compressed CAB file that contains multiple malicious scripts for exfiltrating information and downloading additional malware. The distributed LNK file contains a malicious PowerShell command that extracts the CAB file and a decoy document embedded inside the LNK file and writes them to the user’s PC. The CAB file is then decompressed, and the multiple script files (bat, ps1, vbs, etc.) inside it are executed. These scripts can perform malicious behaviors such as exfiltrating information from the user’s PC and downloading additional files.

The confirmed file names are as follows.

File Name

#1. Bit*Korea_Agreement.docx.lnk
1. Du*mu(Up*t)_Agreement.docx.lnk
Information on value-added tax revision report (Value-added tax processing regulations).hwp.lnk

Table 1. Identified file names

Below are decoy files that were used to deceive the user into thinking they executed a legitimate file.

Figure 2. Confirmed decoy file


Figure 3. Confirmed decoy file

Type B

This type ultimately executes RAT malware. The LNK files are generally distributed in compressed archives alongside legitimate files, and the LNK files found in distribution contained malicious PowerShell commands. Besides downloading malware through the Dropbox API or Google Drive, the recently identified LNK files also create additional script files and an obfuscated RAT in the TEMP or PUBLIC folder upon execution. The RAT executed in the end can perform various malicious behaviors, such as keylogging and taking screenshots, according to commands from the threat actor. XenoRAT and RoKRAT were among the RAT types found in this case.

The confirmed file names are as follows.

File Name

(Yeongju-si, Gyeongsangbuk-do) Drone Special Free Zones Plan.lnk
August 15 Unification Doctrine.lnk
To the soldiers of the Korean People’s Army deployed to the Russian battlefield (Kim*gil).lnk
New weapon system-2024-Dec.lnk
Changes in policy to support North Korean defectors_20241114_Submitted (1).lnk
Trump Trade Policy, Silicon Valley (Jung*shin).lnk

Table 2. Identified file names

Below are decoy files that were used to deceive the user into thinking they executed a legitimate file.

Figure 4. Confirmed decoy file


Figure 5. Confirmed decoy file
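
As an added triage heuristic (not part of the AhnLab report or its tooling), the script below checks an LNK file for the traits described in Type A and Type B above: a PowerShell command stored in the shortcut, and a CAB archive or decoy document appended beyond the shortcut header. The sample bytes are constructed, and the 64 KB size threshold and the magic-byte list are assumptions of this example.

```python
import struct

# Fixed values from the Shell Link (.LNK) binary format: the 76-byte header
# starts with HeaderSize (0x4C) followed by the LinkCLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Magic bytes of payloads the report describes being carried inside LNK files:
# a CAB archive of scripts and a decoy document (DOCX is a ZIP; HWP 5.x uses
# the OLE compound file format). Assumed list for this example.
EMBEDDED_MAGICS = {
    "cab": b"MSCF",
    "docx": b"PK\x03\x04",
    "hwp": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}


def has_powershell(data: bytes) -> bool:
    """LNK stores its argument string as UTF-16LE; plain ASCII is checked as well."""
    low = data.lower()
    return any(n in low for n in (b"powershell", "powershell".encode("utf-16-le")))


def triage_lnk(data: bytes, size_limit: int = 64 * 1024) -> dict:
    """Heuristic triage of one LNK file's bytes (not a full Shell Link parser)."""
    f = {"is_lnk": False, "oversized": False, "powershell": False, "embedded": []}
    if len(data) < LNK_HEADER_SIZE:
        return f
    f["is_lnk"] = struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID
    if not f["is_lnk"]:
        return f
    f["oversized"] = len(data) > size_limit  # a genuine shortcut is rarely more than a few KB
    f["powershell"] = has_powershell(data)
    for name, magic in EMBEDDED_MAGICS.items():
        off = data.find(magic, LNK_HEADER_SIZE)  # look only past the shortcut header
        if off != -1:
            f["embedded"].append((name, off))
    return f


def is_suspicious(f: dict) -> bool:
    """PowerShell in a shortcut that also carries a CAB or document matches the Type A pattern."""
    return f["is_lnk"] and f["powershell"] and bool(f["embedded"])


def build_sample() -> bytes:
    """Constructed test input (not a real sample): stub LNK header, a UTF-16LE argument
    string naming PowerShell, padding, then appended CAB and DOCX headers."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID).ljust(LNK_HEADER_SIZE, b"\x00")
    args = "PowerShell.exe (arguments omitted in this constructed sample)".encode("utf-16-le")
    return header + args + b"\x00" * 256 + b"MSCF" + b"\x00" * 32 + b"PK\x03\x04" + b"\x00" * 16


if __name__ == "__main__":
    print(triage_lnk(build_sample()))
```

Run it over a quarantined shortcut's bytes; a hit on both checks is a reason to pull the file for analysis, while a non-LNK or a shortcut without an appended payload simply returns its findings without flagging.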
