Recently, AhnLab Security Emergency response Center (ASEC) has identified a malicious LNK file being distributed to financial and blockchain corporation personnel through email and other ways.
The malicious LNK file is distributed via URLs and AhnLab Smart Defense (ASD) has confirmed the following URLs.
-
Download URLs
hxxps://file.lgclouds001[.]com/read/?[이메일 계정]&zw=블록체인%20기업%20솔루션%20편람%20제작.zip (hxxps://file.lgclouds001[.]com/read/?[email-account]&zw=blockchain%20corporate%20solution%20handbook%20production.zip)
hxxps://file.ssdrive001[.]com/read/?[이메일 계정]&zw=블록체인%20기업%20솔루션%20편람%20제작.zip (hxxps://file.ssdrive001[.]com/read/?[email-account]&zw=blockchain20corporate%20solution%20solution%20production.zip)
The file being downloaded is a compressed file named “Blockchain Corporate Solution Handbook Production.zip”. The threat actor alternately uploaded a malicious file and a legitimate file at the URLs, causing confusion in analysis.
Downloading a malicious file
Downloading a legitimate file
When the malicious file is downloaded, the compressed file contains a malicious LNK file instead of a DOCX file. The malicious LNK file’s icon is shown below. Since LNK files do not have file extensions attached behind the file name, it is difficult to distinguish them from ordinary .docx document files if one does not pay attention to the shortcut arrow image included in the icon.
LNK file icon
The LNK file has an abnormally large size of about 300MB and contains obfuscated PowerShell commands. The unobfuscated PowerShell script is as follows.
Unobfuscated PowerShell script
This PowerShell script performs an xor calculation on the binary included within itself (LNK) and creates the following files.
- {Current path}\1._Form.docx (legitimate file)
- %public%\qDLgNa.cab (malicious file)
Afterward, it executes the legitimate document file (1._Form.docx) and prompts users to enter information for the production of corporate promotional materials as shown in the image below, deceiving them into thinking that the document has been opened correctly.
Legitimate document file (1._Form.docx)
Among the created files, the .cab file contains additional malicious scripts (vbs and bat) which are decompressed into the “%public%\documents\” folder and made to run start.vbs. Then, the LNK file deletes itself as well as the .cab file to remove traces.
CAB file containing multiple malicious BAT scripts (qDLgNa.cab)
The start.vbs file only performs the role of executing the batch file 66022014.bat.
start.vbs
Afterward, many features divided into each .bat files are run. A simplified diagram of the relationship between the .bat files is as follows.
Diagram showing the relationship between the BAT scripts
The 66022014.bat file performs the following behaviors.
1. Register autorun: Registers itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run path to maintain persistence
2. Executes 07915735.bat (downloads additional files)
3. Executes 73505966.bat (collects system info)
4. Downloads additional files: hxxp://accwebcloud[.]com/list.php?f=%COMPUTERNAME%.txt&r={Key} – Currently the C2 is unavailable for access
5. Decompresses files then runs temprun.bat
66022014.bat
The 07915735.bat file performs the following behaviors.
1. Downloads additional files: hxxps:// file.lgclouds001[.]com/read/get.php?ra={string}&r={key} – Currently the C2 is unavailable for access
2. Decompresses files: Password “a”
3. Launches the included 1.bat file
07915735.bat
The 73505966.bat file performs the following behaviors.
1. Collects system information
– List of files in the %username%\downloads path
– List of files in the %username%\documents path
– List of files in the %username%\desktop path
– List of currently running processes
– Computer information
2. Uses the 05210957.bat file to send the information to the C2: hxxp://accwebcloud[.]com/upload.php
73505966.bat
The 88730413.bat file that operates when downloading additional files contains a PowerShell script, designed to send the strings after encrypting it with the following method: a part of the URL string received as an argument is encrypted with the current system time (key) and the key value is added to the URL by being attached after “r=”.
The reason why the malicious URL request keeps changing is thought to be an attempt to make detection difficult.
PowerShell script contained within 88730413.bat
The threat actor seems to ultimately execute the temprun.bat file, but because the URL is currently unavailable for access, subsequent behaviors cannot be tracked. When the connection to URLs is available, a variety of malware files could be downloaded depending on what the threat actor uploaded, such as Quasar RAT and Amadey.
Recently, malicious LNK files using various topics have been distributed to South Korean users, so particular caution is advised. Users must carefully check the senders of emails and refrain from opening files from unknown sources. They should also perform routine PC checks and always keep their security products updated to the latest version.
[File Detection]
Dropper/LNK.Generic (2023.11.09.01)
Trojan/BAT.RUNNER.SC194022 (2023.11.03.00)
Trojan/BAT.Agent.SC194303 (2023.11.10.03)
Downloader/BAT.Agent.SC194304 (2023.11.10.03)
Downloader/BAT.Agent.SC194305 (2023.11.10.03)
Infostealer/BAT.Agent.SC194301 (2023.11.10.03)
Infostealer/BAT.Agent.SC194302 (2023.11.10.03)
[IOC]
MD5
a95bd06ea44ca87c6ace0ad00fccdebb (1. Form.docx.lnk)
df243512be8f0eafd7ba7ad77f05e8f3 (start.vbs)
a6e811d205a9189ea0f82ac33a307cec (88730413.bat)
79b0289faf6f82118f2e8cdfa3f6be53 (73505966.bat)
f8ebdb67fa4e7ba5f2723f6de6c389c8 (98543203.bat)
49caa5d4cbb8655ec8f349f0d4238344 (66022014.bat)
feb594bbb8c0c853ab3c23049f374441 (07915735.bat)
51dbeea3d0d003115365a01481c9115b (05210957.bat)
URL & C2
hxxps://file.ssdrive001[.]com/read/
hxxps://file.lgclouds001[.]com/read/
hxxps://file.lgclouds001[.]com/read/get.php
hxxp://accwebcloud[.]com/list.php
hxxp://accwebcloud[.]com/upload.php
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Distribution of Malicious LNK File Disguised as Producing Corporate Promotional Materials appeared first on ASEC BLOG.
Article Link: https://asec.ahnlab.com/en/59057/