AhnLab Security Emergency response Center (ASEC) has discovered circumstances of a malicious LNK file impersonating the National Tax Service being distributed. Distribution using LNK files is a method that has been used in the past, and recently, there have been multiple cases of distribution to Korean users.
The recently identified LNK file is presumed to be distributed via a URL included in emails. The URL identified through AhnLab Smart Defense (ASD) is as follows, and from it, a compressed file named “Clarification Documents Submission Guide Concerning General Income Tax Report.zip” is downloaded. At the time of analysis, the compressed file contained two files: a malicious LNK file and a normal HWP document. Currently, only three normal HWP documents exist in the compressed file downloaded from the URL, thus it seems like the threat actor only distributed the malicious file for a short amount of time to render future analysis and tracking difficult.
-
Download URL
hxxps://file.gdrive001[.]com/read/?cu=jaebonghouse&so=종합소득세%20신고관련%20해명자료%20제출%20안내.zip (hxxps://file.gdrive001[.]com/read/?cu=jaebonghouse&so=ClarificationDocuments%20SubmissionGuide%20Concerning%GeneralIncomeTax%20Report.zip
Figure 1. Compressed file containing the malicious LNK file
The malicious LNK file named “National Tax Service Clarification Documents Submission Guide Concerning General Income Tax Report.lnk” within the compressed file has about 300 MB of dummy data attached and contains a malicious PowerShell command.
Figure 2. PowerShell command within the LNK file
The PowerShell command is responsible for first creating and opening the normal HWP document within the LNK file under the file name “National Tax Service Clarification Documents Submission Guide Concerning General Income Tax Report.hwp”. Below is the content of the normal HWP file. It is disguised as a tax-related notice from the National Tax Service, and the user is led to believe that a normal HWP document is opened when they execute the malicious LNK file.
Figure 3. Normal HWP file
Afterward, a compressed file within the same LNK file is created in the path “%Public%\02641.zip”. After decompressing the file that has been created, start.vbs is run, then the LNK file and the decompressed file are deleted. The files created after decompression are shown below, and the features of each file are available in Table 1.
Figure 4. Files created after decompression
| File name | Feature |
|---|---|
| start.vbs | Executes 74116308.bat |
| 74116308.bat | Registers to the RunKey (start.vbs) Executes 02619992.bat (Download feature) Executes 86856980.bat (Information breach) Downloads a CAB file through 20191362.bat |
| 02619992.bat | Downloads a ZIP file through 20191362.bat Decompresses the ZIP file through unzip.exe, then executes rundll32.exe |
| 86856980.bat | Collects user information Executes 53844252.bat |
| 20191362.bat | Downloads file |
| 53844252.bat | Uploads the user’s information |
| unzip.exe | Decompresses the ZIP file |
At the final stage of their malicious behaviors, the scripts breach the user’s information and download additional malicious files. The breached user information is as follows, and the data is sent to “hxxp://filehost001.com/upload.php”.
-
Breached Information
List of files in the downloads folder
List of files in the documents folder
List of files in the desktop folder
IP information
List of running processes
System information
Figure 5. Breaching user information
A total of two files are downloaded additionally, which are a ZIP file and a CAB file. First, the ZIP file is decompressed through unzip.exe, and a password (a) is required to decompress the file. Then, the created file is loaded through rundll32.exe.
-
Download URL
hxxps://file.gdrive001[.]com/read/get.php?cu=ln3&so=xu6502
Figure 6. Downloading the ZIP file
The CAB file is decompressed using the expand command and executes the file temprun.bat which is created afterward.
-
Download URL
hxxp://filehost001[.]com/list.php?f=%COMPUTERNAME%.txt
Figure 7. Downloading the CAB file
Both URLs are currently inaccessible, so additional downloaded files could not be confirmed. AhnLab Smart Defense confirmed that Qasar RAT and Amadey were ultimately executed. Depending on the file uploaded by the threat actor, various malicious files can be downloaded.
Aside from the LNK file impersonating the National Tax Service, malicious LNK files are being distributed using various topics below, so caution is advised.
-
File names used in distribution
230827- Participating Organizations in the Conference.xlsx.lnk
202308 Explanatory Materials for Restructuring the Ministry of Unification.pdf.lnk
2023-2-Parking Registration Application – For Students.hwp.lnk
Course Registration Correction Application.hwp.lnk
securityMail.html.lnk
Recently, the distribution of malicious LNK files to Korean users has been increasing. As additional harm can be caused depending on the file that is downloaded, users must carefully check the senders of emails and refrain from opening files from unknown sources. Users should also regularly scan their PCs and update their security products to the latest engine.
[File Detection]
Downloader/LNK.Generic (2023.09.13.02)
Infostealer/BAT.Generic.S2319 (2023.09.11.02)
Downloader/BAT.Generic.SC192403 (2023.09.13.03)
Downloader/BAT.Generic.SC192404 (2023.09.13.03)
Downloader/BAT.Generic.SC192405 (2023.09.13.03)
Trojan/BAT.Runner.SC192407 (2023.09.13.03)
[Behavior Detection]
Fileless/EDR.Powershell.M11335
[IOC]
560e5977e5e5ce077adc9478cd93c2ac
7725d117d0bd0a7a5fb8ef101b019415
2d0747533d4d3f138481c4c4cda9ea1e
9c3eef28b4418c40a7071ddcba17f0e8
20f0e8362782c7451993e579336f2f3e
b5f698fb96835d155fbcc1ccd4f4b520
ca11ba5e641156ff72400e7f5e103aee
hxxps://file.gdrive001[.]com/read/?cu=jaebonghouse&so=종합소득세%20신고관련%20해명자료%20제출%20안내.zip
hxxps://file.gdrive001[.]com/read/get.php?cu=ln3&so=xu6502
hxxp://filehost001[.]com/list.php?f=%COMPUTERNAME%.txt
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Malicious LNK File Being Distributed, Impersonating the National Tax Service appeared first on ASEC BLOG.
Article Link: Malicious LNK File Being Distributed, Impersonating the National Tax Service - ASEC BLOG