AhnLab EDR Tracks and Responds against Link File (*.lnk) Distributing RokRAT

AhnLab Security Emergency Response Center (ASEC) has shared information regarding the RedEyes threat group (also known as APT37, ScarCruft), who distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month.

RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)

The LNK file contains a PowerShell command. It creates and executes script files along with normal files in the temp path, so the malicious behavior takes place without the knowledge of the user, who sees only the normal PDF file.

If a malicious LNK file is injected into a user’s system and executed, then AhnLab EDR detects the suspicious execution of a PowerShell command in the following way:

Figure. Suspicious PowerShell.exe execution being detected (normal pdf file executed)

Clicking on cmd.exe in the figure shown above displays the execution history of the .bat file and the command it contains, as shown below.

Figure. .bat execution history and its command
Figure. PowerShell detection screen executed due to bat file

If the suspicious execution of a PowerShell.exe command via a batch (.bat) file is detected, the user can identify the system and the individual who logged in to execute the command by checking the host information in the top right corner.

As shown in the figure below, it is possible to confirm the download URL used to install additional malware if the PC in question is investigated further.

Figure. Malware download URL
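The chain described above (cmd.exe running a .bat file from the temp path, which in turn launches PowerShell) can be expressed as a check over process-creation events. This is an added example, not AhnLab EDR's logic or code from the original post; the event field names, host and user values, file name and URL are constructed assumptions.

```python
import re

# A .bat path under a Temp/tmp directory, and any URL, inside a command line.
TEMP_BAT = re.compile(r'[^\s"]*\\te?mp\\[^\s"]*\.bat\b', re.I)
URL = re.compile(r'https?://[^\s\'"]+', re.I)

# Constructed process-creation events; field names and all values are assumptions.
EVENTS = [
    {"host": "PC-01", "user": "alice", "pid": 100, "ppid": 4,
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"host": "PC-01", "user": "alice", "pid": 210, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe <constructed command carried by the shortcut>"},
    {"host": "PC-01", "user": "alice", "pid": 220, "ppid": 210,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\sample.bat"},
    {"host": "PC-01", "user": "alice", "pid": 230, "ppid": 220,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe <constructed> https://example.invalid/content"},
    {"host": "PC-02", "user": "bob", "pid": 300, "ppid": 50,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Date"},
]

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_bat_spawned_powershell(events):
    """Flag PowerShell whose ancestry includes cmd.exe running a .bat from temp."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) != "powershell.exe":
            continue
        seen, parent = set(), by_key.get((e["host"], e["ppid"]))
        while parent and parent["pid"] not in seen:  # stop on PID-reuse loops
            seen.add(parent["pid"])
            bat = TEMP_BAT.search(parent["cmd"])
            if image_name(parent["image"]) == "cmd.exe" and bat:
                # Record who and where, plus any URL the PowerShell command names.
                findings.append({"host": e["host"], "user": e["user"],
                                 "pid": e["pid"], "bat": bat.group(0),
                                 "urls": URL.findall(e["cmd"])})
                break
            parent = by_key.get((parent["host"], parent["ppid"]))
    return findings

if __name__ == "__main__":
    for finding in find_bat_spawned_powershell(EVENTS):
        print(finding)
```

Each finding carries the host and user for triage and the URL seen in the PowerShell command line, matching the investigation steps in the walkthrough above.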

If suspicious logs are confirmed, managers can respond through EDR’s features that allow them to terminate processes and quarantine the network of the system in question.

Figure. EDR’s process termination feature
Figure. Response to suspicious system (network blocking, malware scanning, etc.)

RokRAT has been distributed continuously for some time, and as the case above shows, it also executes a normal file, which makes it difficult for users to notice the infection. EDR products capable of detecting and responding to suspicious behavior are required to handle malware as it continues to evolve.

[File Detection]
Dropper/LNK.Agent (2023.04.08.00)
Downloader/BAT.Agent (2023.04.08.00)

[IOC]

More details about AhnLab EDR, which actively tracks threats and provides endpoint visibility through behavior-based detection and analysis, can be found on the AhnLab page.

The post AhnLab EDR Tracks and Responds against Link File (*.lnk) Distributing RokRAT appeared first on ASEC BLOG.
