Malicious LNK File Disguised as a Normal HWP Document

Malware Analysis
1

The ASEC analysis team discovered the distribution of a malicious LNK file disguised as a normal HWP document, Along with a text file impersonating the National Tax Service. A normal HWP document with related contents is opened simultaneously, making it difficult for users to realize the file is rogue. The malicious script file executed in the end is the same type as the script covered in ‘Malicious Word Files Disguised as Product Introduction‘ and is deemed to be created by the same threat actor.

The recently discovered LNK file is usually distributed with the following file names related to tax investigations.

  • Tax Investigation Summon.hwp.lnk
  • Application for Transactions Confirmation (for issuing buyer-issued tax invoice)(Enforcement Ordinance of the Value-Added Tax Act).hwp.lnk
  • Statement for Source of Funds (Enforcement Ordinance of the Value-Added Tax Act).hwp.lnk
  • Other Form No.00 Faithful Reporting Confirmation.hwp.lnk
  • Income Tax Law No20(5) Bill of Major Expenses.hwp.lnk
  • Statement for Reception of Receipt.hwp.lnk

We deduce that the LNK file is distributed in a compressed file format along with a normal text file. The threat actor includes contents impersonating a member of the National Tax Service to induce users to execute the malicious LNK file that is also included in the compressed file.

Inside the compressed file

The following image shows the contents of the ‘Guidelines for Reporting Documents.txt’ file included in the above compressed file.

Normal text file

The malicious LNK file is disguised with an HWP document icon as shown in the image below, and upon opening this file, malicious behaviors are performed through Powershell.

LNK file disguised with a HWP icon
LNK properties and embedded Powershell command

The Powershell command executed by the LNK file generates the normal HWP document within the LNK file under the file name ‘Other Form No.00 Faithful Reporting Confirmation.hwp’ and opens this document, leading users to think they have opened a normal document file.

Normal HWP document

Afterward, it creates the 21358.cab and 24360.vbs files in the %Public% directory then executes 24360.vbs. The following image shows the major obfuscated strings within the aforementioned script code.

Code inside 24360.vbs

When the above script is run, the files compressed inside 21358.cab are copied inside the %public%\documents directory. Among these, the start.vbs file is then run. Afterward, it deletes the 21358.cab and 24360.vbs files.

Files inside 21358.cab

The code within start.vbs also has the main strings obfuscated, and the code executed in the end is responsible for running the fully.bat file, as shown below.

Set nnbhpbt = CreateObject("WScript.Shell") 
ngqjeia = Left(WScript.ScriptFullName, InstrRev(WScript.ScriptFullName, "\" ) - 1) 
nnbhpbt.Run ngqjeia & "\fully.bat", 0 
Set nnbhpbt = Nothing

This bat file registers the start.vbs file as svchostno2 in HKCU\Software\Microsoft\Windows\CurrentVersion\Run so it can be executed automatically.
Subsequently, it executes the no1.bat and no4.bat files and uses download.vbs to download an additional file from hxxps://filecompact.com/list.php?q=%COMPUTERNAME%.txt. The downloaded file is saved as setup.cab, decompressed, then deleted.

Internal code of fully.bat

The no1.bat file executed above runs start01.vbs and start02.vbs, and the no4.bat file includes a code that leaks user PC information.
The targeted pieces of information are as follows.

  • dir  C:\Users\%username%\downloads\ /s Results
  • dir C:\Users\%username%\documents\ /s Results
  • dir C:\Users\%username%\desktop\ /s Results
  • dir “C:\Program Files\” /s Results
  • nslookup myip.opendns.com resolver1.opendns.com Results
  • tasklist Results
  • systeminfo Results

Each collected piece of information is saved as cuserdown.txt, cuserdocu.txt, tskit.txt. etc. inside the %public%\documents folder. These files are then transmitted to hxxps://filecompact.com/upload.php using upload.vbs.

List of files created inside %public%\documents

The start01.vbs file executed by no1.bat also includes obfuscated strings and downloads an additional file from hxxps://naver.filetodownload.com/v2/read/get.php?mi=ln3&te=10294765.txt which is saved as %public%\740997.zip.

Code inside start01.vbs

Like the start01.vbs file, start02.vbs which is executed by no1.bat unzips the downloaded 740997.zip file into the %public% directory before using the ‘cmd.exe /c rundll32.exe “File Name” “,Run” command to execute the decompressed file. At the time of analysis, no additional files were downloaded from the URL, but various malware may be downloaded as intended by the threat actor.

Besides the HWP document covered above, multiple malicious LNK files disguised as normal HWP documents with tax and statement-related contents are being detected, therefore, users are advised to be particularly cautious.

Normal HWP documents opened through additionally identified malicious LNK files

[File Detection]

  • Dropper/LNK.Agent (2023.01.18.02)
  • Trojan/BAT.Agent (2023.01.19.00)
  • Trojan/VBS.Agent (2023.01.19.00)
  • Downloader/VBS.Generic (2023.01.19.00)
  • Trojan/VBS.Obfuscated (2023.01.19.00)
  • Trojan/VBS.Runner (2023.01.19.02)
  • Trojan/VBS.Uploader (2023.01.19.00)

[IOC Info]

  • 85cc9cfe13f71967aca7b961a3cdf0be (LNK)
  • 1bfe8d93ca1b2711fcf9958aa907abac (LNK)
  • 5d479cbb619c98df370a1bb6c4190dff (LNK)
  • c34cf6d8ef370906b12b42a0b83a3869 (LNK)
  • ee8e160336bddbcc5f94f5f93565bfe8 (LNK)
  • 8c0528c92510f100fe81b9e0ed0d3698 (LNK)
  • d2470fe8a0c3b73acedadc284b380d00 (LNK)
  • 5773b236d2263979c4af83efb661ad37 (LNK)
  • 6ac02caaad3490df88ebc59e5e2ea6fa
  • ceca17155cc484711a7df2d6c85de4ba
  • 743f963dca043db8769cdfb6015af3af
  • e60022a1e871de0f093edaa81a2ed762
  • c11f2d5d9651f82007b6de56bac05652
  • a05493d7f163c534e2a923789225ab82
  • 9f4993fe2163df12812ec2ad42860334
  • 306cd4d12bf80fd6f581d438f7e31c3c
  • hxxps://filecompact[.]com/list.php?q=%COMPUTERNAME%.txt
  • hxxps://filecompact[.]com/upload.php
  • hxxps://naver.filetodownload[.]com/v2/read/get.php?mi=ln3&te=10294765.txt
  • hxxps://the-fast-file[.]com/list.php?q=%COMPUTERNAME%.txt
  • hxxps://the-fast-file[.]com/upload.php
  • hxxps://naver.filedowns[.]net/v2/read/get.php?kioz=ln3&uwac=10294765.txt
  • hxxps://fastfilestore[.]com/files/list.php?q=%COMPUTERNAME%.txt
  • hxxps://fastfilestore[.]com/files/upload.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Malicious LNK File Disguised as a Normal HWP Document appeared first on ASEC BLOG.

Article Link: Malicious LNK File Disguised as a Normal HWP Document - ASEC BLOG