January 2025 Threat Trend Report on APT Attacks (South Korea)

Overview

AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification and statistics of APT attacks in South Korea that have been identified over the course of a month in January 2025, as well as the features of each attack type.

Figure 1. January 2025 statistics of APT attacks in Korea

APT attacks against Korean targets have been categorized by penetration type, and most were found to be spear phishing. In January 2025, the highest proportion of attacks involved the distribution of LNK files using spear phishing.

Trends of APT Attacks in Korea

The cases and features for each APT attack type identified in January 2025 are as follows.

1. Spear Phishing

Spear phishing is a type of phishing attack against specific individuals or groups. Unlike ordinary phishing attacks, the threat actor conducts reconnaissance before launching the attacks to collect information on and learn about the attack targets. Because the threat actor crafts phishing emails using the collected information, the recipients of the emails are highly likely to believe that they are from a trusted source. There are also cases where the sender’s address is manipulated through email spoofing. Most spear phishing attacks include malicious attachments or links that are intended to lure the user to open them.

Types distributed using this technique are as follows.

1.1 Attacks Using LNK Files

Type A

This type creates a compressed CAB file containing multiple malicious scripts that exfiltrate information and download additional malware. The distributed LNK file contains a malicious PowerShell command that extracts the CAB file and a decoy document embedded in the LNK file and writes them to the user’s PC. The CAB file is then decompressed, and the script files it contains (bat, ps1, vbs, etc.) are executed. These scripts can perform malicious behaviors such as exfiltrating information from the user’s PC and downloading additional files.

The confirmed file names are as follows.

File Name

Request for cooperation on the 2025 special feature article.docx.lnk
Virtual Asset Provider+Examination Plan+Inspection Planning Democratic Party Political Council+Presentation Material_FN2.hwp.lnk
Personal information collection agreement.docx.lnk
Submission Request for Errors and Correction (Enforcement Decree of the National Tax Collection Act).hwp.lnk

Table 1. Confirmed file names
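Because the Type A lure carries its CAB archive and decoy document inside the LNK file itself, the file can be triaged offline by parsing the shell-link structure, reading the PowerShell argument string, and checking whether bytes (a CAB archive starts with the MSCF magic) are appended after the last ExtraData block. The following is an added example, not AhnLab's code or tooling; it assumes a minimal MS-SHLLINK parser, a constructed test file rather than a real sample, and a hypothetical argument-length threshold.

```python
import struct

CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID
IDLIST, LINKINFO, NAME, RELPATH, WORKDIR, ARGS, ICON, UNICODE = (1 << i for i in range(8))
STRING_FIELDS = (("name", NAME), ("relpath", RELPATH), ("workdir", WORKDIR),
                 ("args", ARGS), ("icon", ICON))

def parse_lnk(data):
    """Minimal MS-SHLLINK parse: (StringData dict, bytes appended after the last ExtraData block)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                  # end of the fixed-size ShellLinkHeader
    if flags & IDLIST:                          # LinkTargetIDList: 2-byte size + list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & LINKINFO:                        # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings, width = {}, 2 if flags & UNICODE else 1
    for key, bit in STRING_FIELDS:              # StringData: 2-byte char count + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            strings[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    while pos + 4 <= len(data):                 # ExtraData blocks; a size < 4 terminates
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4 if size < 4 else size
        if size < 4:
            break
    return strings, data[pos:]                  # anything past the terminal block is appended payload

def triage_lnk(filename, data):
    """Score the Type A traits: double extension, PowerShell in the arguments, appended CAB (MSCF)."""
    strings, tail = parse_lnk(data)
    args = strings.get("args", "")
    return {
        "double_extension": filename.lower().endswith(".lnk") and filename.count(".") >= 2,
        "powershell_args": "powershell" in args.lower(),
        "long_args": len(args) > 260,            # hypothetical threshold chosen for this example
        "embedded_cab": b"MSCF" in tail,
        "appended_bytes": len(tail),
    }

def build_sample(args, tail=b""):
    """Constructed test file, not a real sample: header + ARGS string + terminal block + tail."""
    header = b"\x4c\x00\x00\x00" + CLSID + struct.pack("<I", ARGS | UNICODE) + b"\x00" * (0x4C - 24)
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + tail

SAMPLE_NAME = "Personal information collection agreement.docx.lnk"   # file name from Table 1
SAMPLE_LNK = build_sample("/c powershell -w hidden -c " + "$x=1;" * 80,
                          tail=b"decoy-doc-bytes" + b"MSCF" + b"\x00" * 16)
```

Run `triage_lnk(SAMPLE_NAME, SAMPLE_LNK)` to see every trait flagged; a plain shortcut built with `build_sample("notepad.exe readme.txt")` flags none of them.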

The decoy files, displayed so that the user believes a normal document was opened, are as follows:

Figure 2. Confirmed decoy file

Figure 3. Confirmed decoy file

Type B

This type involves downloading a CAB file containing a malicious Python script. When the LNK file is executed, an obfuscated batch file (*.bat) is created in the TEMP folder and executed through PowerShell. The created BAT file accesses an external URL to download the CAB file, which is then decompressed in the ProgramData folder. The CAB file contains a legitimate pythonw.exe and a malicious Python script (*.config). The Python script is also obfuscated and is registered in the Task Scheduler for execution. Ultimately, an additional malicious file is downloaded from the external URL and executed, allowing various malicious behaviors to be performed.

The confirmed file names are as follows:

File Name

The Truth and Lies of North Korea.lnk
Focus on Inter-Korean Issues (Revised).lnk

Table 2. Confirmed file names
