Malicious LNK Disguised as Notices
AhnLab SEcurity intelligence Center (ASEC) recently discovered a malicious LNK file being distributed to Korean users for the purpose of stealing user information. This type of malware collects various valuable data for threat actors, such as data related to virtual assets, browsers, public certificates, and email files, and it also performs keylogging.
The confirmed malicious LNK files are distributed under the following file names, disguised as notices.
| File name |
|---|
| Local Tax Bill.pdf.lnk |
| Public Disclosure of Sex Offender Information.pdf.lnk |
Table 1. Distributed file names
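Both lures rely on a double extension: Windows Explorer hides known extensions by default, so `Local Tax Bill.pdf.lnk` is shown as `Local Tax Bill.pdf` with a shortcut arrow. The following check, added here as an example and not ASEC's code, flags file names whose real (last) extension is executable or script-like while the name the user sees ends in a document extension. The two extension sets are small illustrative lists, an assumption of this example.

```python
"""Flag double-extension lures such as "<notice>.pdf.lnk".

Added example for this write-up; not ASEC's code. The two extension sets below
are illustrative subsets (an assumption), not an exhaustive list.
"""
import os

# Extensions Windows launches directly on double-click (assumed subset).
EXECUTABLE_EXTS = {".lnk", ".hta", ".vbs", ".vbe", ".js", ".jse", ".ps1",
                   ".exe", ".scr", ".cmd", ".bat", ".pif"}
# Extensions a user expects to open in a viewer or editor (assumed subset).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".hwp", ".txt", ".jpg", ".png", ".zip"}


def split_extensions(name: str) -> list[str]:
    """Return every trailing extension of a file name, lowercased, left to right.

    "Local Tax Bill.pdf.lnk" -> [".pdf", ".lnk"]
    """
    exts = []
    base = os.path.basename(name)
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            break
        exts.insert(0, ext.lower())
    return exts


def displayed_name(name: str) -> str:
    """The name Explorer shows with 'Hide extensions for known file types' enabled."""
    base = os.path.basename(name)
    stem, ext = os.path.splitext(base)
    return stem if ext else base


def is_disguised_executable(name: str) -> bool:
    """True when the real extension is executable but the visible name ends in a
    document extension, i.e. the double-extension trick used by these lures."""
    exts = split_extensions(name)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS


def triage(names) -> dict[str, str]:
    """Map each file name to a verdict so a batch (e.g. an attachment list) can be reviewed."""
    return {n: ("disguised" if is_disguised_executable(n) else "ok") for n in names}


if __name__ == "__main__":
    # The two names from Table 1 plus two ordinary files for contrast.
    samples = ["Local Tax Bill.pdf.lnk",
               "Public Disclosure of Sex Offender Information.pdf.lnk",
               "report.pdf", "setup.exe"]
    for name, verdict in triage(samples).items():
        print(f"{verdict:9} shown as '{displayed_name(name)}'  real name '{name}'")
```

The check is deliberately conservative: a single executable extension (`setup.exe`) is not flagged, because the point is the mismatch between what the user sees and what actually runs.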
When the user executes the LNK file, an additional HTA file is downloaded from the threat actor’s server and executed from the temp folder. The HTA file contains a compressed file (ZIP) and a bait document (PDF). The bait documents are shown below.
Figure 1. Bait documents disguised as notices (local tax bill and public disclosure of sex offender information)
The compressed file (ZIP) contains a total of four files (1.log, 2.log, 1.ps1, 1.vbs). Among these, the files that actually perform the malicious behavior are 1.log and 2.log, which are Base64-encoded PowerShell scripts.
Figure 2. Part of the decoded PowerShell script (left: 1.log, right: 2.log)
1.log performs information collection and executes commands from the threat actor, while 2.log performs keylogging. The functions of each file are as follows.
| File | Function Name | Feature |
|---|---|---|
| 1.log | UploadFile | Upload a file to the attacker’s server |
| 1.log | Unprotect-Data | Decrypt encrypted browser data with the Data Protection API (DPAPI) and collect it |
| 1.log | GetExWFile | Collect the data files of multiple cryptocurrency wallet browser extensions |
| 1.log | GetBrowserData | Collect login data, bookmarks, and extension data files from browsers (Edge, Chrome, Naver Whale, Firefox) |
| 1.log | Init | Collect system information and Government Public Key Infrastructure (GPKI) and NPKI certificates |
| 1.log | DownloadFile | Download a file |
| 1.log | CreateFileList | Collect the paths of files matching target extensions and target file names |
| 1.log | RegisterTask | Maintain persistence via Run key registration |
| 1.log | Send | Compress the collected data and upload it via the UploadFile function |
| 1.log | Get-ShortcutTargetPath | Obtain the target path of a shortcut (LNK) file |
| 1.log | RecentFiles | Collect the paths of recently accessed documents and files (stored as LNK files in the Recent folder; uses Get-ShortcutTargetPath) |
| 1.log | Work | Communicate with the threat actor’s server periodically and receive additional commands (run commands, upload/download files) |
| 2.log | Keylog | Keylog and collect clipboard data |
Table 2. Functions of each file
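The execution chain above (LNK, then an HTA run from the temp folder, then the VBS that launches the Base64-encoded PowerShell in 1.log, then Run key persistence via RegisterTask) leaves a recognizable trail in process-creation and registry telemetry. The script below, added here as an example and not ASEC's code, runs a few hunting rules over constructed sample events. The events are not real logs: they use a simplified `key=value` line format loosely modelled on Sysmon process and registry events, and every field name, path and user name in them is an assumption.

```python
"""Hunt for the LNK -> HTA -> VBS -> Base64 PowerShell -> Run-key chain in endpoint telemetry.

Added example for this write-up, not ASEC's code. SAMPLE_EVENTS are constructed
(not real logs) in a simplified key=value format; field names, paths and the
user name are assumptions. The PowerShell command line is abbreviated with "...".
"""
import re
from collections import Counter

# Constructed sample telemetry: the chain described in the report plus one benign event.
SAMPLE_EVENTS = [
    'type=process parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\mshta.exe '
    'cmdline="mshta.exe C:\\Users\\user\\AppData\\Local\\Temp\\notice.hta"',
    'type=process parent=C:\\Windows\\System32\\mshta.exe image=C:\\Windows\\System32\\wscript.exe '
    'cmdline="wscript.exe C:\\Users\\user\\AppData\\Local\\Temp\\1.vbs"',
    'type=process parent=C:\\Windows\\System32\\wscript.exe '
    'image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell.exe -w hidden -c ...FromBase64String((Get-Content '
    'C:\\Users\\user\\AppData\\Local\\Temp\\1.log))..."',
    'type=registry image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater '
    'value="wscript.exe C:\\Users\\user\\AppData\\Local\\Temp\\1.vbs"',
    'type=process parent=C:\\Windows\\explorer.exe '
    'image="C:\\Program Files\\Notepad++\\notepad++.exe" cmdline="notepad++.exe notes.txt"',
]

# key=value pairs; a value is double-quoted when it contains spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def parse_event(line: str) -> dict:
    """Parse one telemetry line into a field dictionary."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of the report's stages that this single event matches."""
    hits = []
    if event.get("type") == "process":
        image = basename(event.get("image", ""))
        parent = basename(event.get("parent", ""))
        cmdline = event.get("cmdline", "")
        if parent == "explorer.exe" and image == "mshta.exe":
            hits.append("mshta-from-explorer")      # LNK double-click handing off to an HTA
        if image in SCRIPT_HOSTS and TEMP_RE.search(cmdline):
            hits.append("script-host-in-temp")      # HTA / VBS / PowerShell staged in %TEMP%
        if (image == "powershell.exe" and "frombase64string" in cmdline.lower()
                and re.search(r"\.log\b", cmdline, re.IGNORECASE)):
            hits.append("ps-base64-from-log")       # 1.log / 2.log decoded at run time
    elif event.get("type") == "registry":
        key = event.get("key", "").lower()
        value = event.get("value", "")
        if "\\currentversion\\run\\" in key and (
                TEMP_RE.search(value) or basename(value.split(" ", 1)[0]) in SCRIPT_HOSTS):
            hits.append("run-key-persistence")      # RegisterTask behaviour
    return hits


def hunt(lines) -> list[tuple[int, str]]:
    """Return (event index, stage) pairs for every rule match across the telemetry."""
    return [(i, stage) for i, line in enumerate(lines)
            for stage in evaluate(parse_event(line))]


def chain_verdict(lines) -> dict:
    """Collapse matches into distinct stages; three or more distinct stages on one
    host is treated as the full chain rather than a single noisy event."""
    stages = Counter(stage for _, stage in hunt(lines))
    return {"stages": sorted(stages), "verdict": "chain" if len(stages) >= 3 else "isolated"}


if __name__ == "__main__":
    for idx, stage in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {stage}")
    print(chain_verdict(SAMPLE_EVENTS))
```

Each rule on its own is noisy (administrators do run scripts from the temp folder), which is why `chain_verdict` only escalates when several distinct stages co-occur; in a real deployment the events would additionally be grouped by host and by a short time window.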
Additionally, some of the 1.vbs scripts responsible for executing 1.log were found to contain comments in Korean left by the threat actor.
Figure 3. Part of the 1.vbs script (after obfuscation)
The URL used to distribute ‘Local Tax Notice.pdf.lnk’ was disguised as a Korean portal site. As shown in Table 2, the malware also includes functions that collect Naver Whale browser data as well as administrative electronic signature certificates (GPKI) and public certificates (NPKI), which supports the conclusion that the attack targets Korean users.
- Distribution URL of Local Tax Notice.pdf.lnk: hxxps://nid-naveroup.servepics[.]com/docs/revenue.zip