Distribution of Malicious LNK File Disguised as Producing Corporate Promotional Materials

by Prapattimynk, Monday, 20 November 2023 (3 months ago)
Distribution of Malicious LNK File Disguised as Producing Corporate Promotional Materials


Recently, AhnLab Security Emergency response Center (ASEC) has identified a malicious LNK file being distributed to financial and blockchain corporation personnel through email and other ways.

The malicious LNK file is distributed via URLs and AhnLab Smart Defense (ASD) has confirmed the following URLs.

  • Download URLs
    hxxps://file.lgclouds001[.]com/read/?[이메일 계정]&zw=블록체인%20기업%20솔루션%20편람%20제작.zip (hxxps://file.lgclouds001[.]com/read/?[email-account]&zw=blockchain%20corporate%20solution%20handbook%20production.zip)

    hxxps://file.ssdrive001[.]com/read/?[이메일 계정]&zw=블록체인%20기업%20솔루션%20편람%20제작.zip (hxxps://file.ssdrive001[.]com/read/?[email-account]&zw=blockchain20corporate%20solution%20solution%20production.zip)

The file being downloaded is a compressed file named “Blockchain Corporate Solution Handbook Production.zip”. The threat actor alternately uploaded a malicious file and a legitimate file at the URLs, causing confusion in analysis.

Downloading a malicious file
Downloading a legitimate file

When the malicious file is downloaded, the compressed file contains a malicious LNK file instead of a DOCX file. The malicious LNK file’s icon is shown below. Since LNK files do not have file extensions attached behind the file name, it is difficult to distinguish them from ordinary .docx document files if one does not pay attention to the shortcut arrow image included in the icon.

LNK file icon

The LNK file has an abnormally large size of about 300MB and contains obfuscated PowerShell commands. The unobfuscated PowerShell script is as follows.

Unobfuscated PowerShell script

This PowerShell script performs an xor calculation on the binary included within itself (LNK) and creates the following files.

  • {Current path}1._Form.docx (legitimate file)
  • %public%qDLgNa.cab (malicious file)

Afterward, it executes the legitimate document file (1._Form.docx) and prompts users to enter information for the production of corporate promotional materials as shown in the image below, deceiving them into thinking that the document has been opened correctly.

Legitimate document file (1._Form.docx)

Among the created files, the .cab file contains additional malicious scripts (vbs and bat) which are decompressed into the “%public%documents” folder and made to run start.vbs. Then, the LNK file deletes itself as well as the .cab file to remove traces.

CAB file containing multiple malicious BAT scripts (qDLgNa.cab)

The start.vbs file only performs the role of executing the batch file 66022014.bat.

start.vbs

Afterward, many features divided into each .bat files are run. A simplified diagram of the relationship between the .bat files is as follows.

Diagram showing the relationship between the BAT scripts

The 66022014.bat file performs the following behaviors.

1. Register autorun: Registers itself to the HKCUSoftwareMicrosoftWindowsCurrentVersionRun path to maintain persistence
2. Executes 07915735.bat (downloads additional files)
3. Executes 73505966.bat (collects system info)
4. Downloads additional files: hxxp://accwebcloud[.]com/list.php?f=%COMPUTERNAME%.txt&r={Key} – Currently the C2 is unavailable for access
5. Decompresses files then runs temprun.bat

66022014.bat

The 07915735.bat file performs the following behaviors.

1. Downloads additional files: hxxps:// file.lgclouds001[.]com/read/get.php?ra={string}&r={key} – Currently the C2 is unavailable for access
2. Decompresses files: Password “a”
3. Launches the included 1.bat file

07915735.bat

The 73505966.bat file performs the following behaviors.

1. Collects system information
    – List of files in the %username%downloads path
    – List of files in the %username%documents path
    – List of files in the %username%desktop path
    – List of currently running processes
    – Computer information
2. Uses the 05210957.bat file to send the information to the C2: hxxp://accwebcloud[.]com/upload.php

73505966.bat

The 88730413.bat file that operates when downloading additional files contains a PowerShell script, designed to send the strings after encrypting it with the following method: a part of the URL string received as an argument is encrypted with the current system time (key) and the key value is added to the URL by being attached after “r=”.

The reason why the malicious URL request keeps changing is thought to be an attempt to make detection difficult.

PowerShell script contained within 88730413.bat

The threat actor seems to ultimately execute the temprun.bat file, but because the URL is currently unavailable for access, subsequent behaviors cannot be tracked. When the connection to URLs is available, a variety of malware files could be downloaded depending on what the threat actor uploaded, such as Quasar RAT and Amadey.

Recently, malicious LNK files using various topics have been distributed to South Korean users, so particular caution is advised. Users must carefully check the senders of emails and refrain from opening files from unknown sources. They should also perform routine PC checks and always keep their security products updated to the latest version.

[File Detection]

Dropper/LNK.Generic (2023.11.09.01)
Trojan/BAT.RUNNER.SC194022 (2023.11.03.00)
Trojan/BAT.Agent.SC194303 (2023.11.10.03)
Downloader/BAT.Agent.SC194304 (2023.11.10.03)
Downloader/BAT.Agent.SC194305 (2023.11.10.03)
Infostealer/BAT.Agent.SC194301 (2023.11.10.03)
Infostealer/BAT.Agent.SC194302 (2023.11.10.03)

[IOC]

MD5
a95bd06ea44ca87c6ace0ad00fccdebb (1. Form.docx.lnk)
df243512be8f0eafd7ba7ad77f05e8f3 (start.vbs)
a6e811d205a9189ea0f82ac33a307cec (88730413.bat)
79b0289faf6f82118f2e8cdfa3f6be53 (73505966.bat)
f8ebdb67fa4e7ba5f2723f6de6c389c8 (98543203.bat)
49caa5d4cbb8655ec8f349f0d4238344 (66022014.bat)
feb594bbb8c0c853ab3c23049f374441 (07915735.bat)
51dbeea3d0d003115365a01481c9115b (05210957.bat)

URL & C2
hxxps://file.ssdrive001[.]com/read/
hxxps://file.lgclouds001[.]com/read/
hxxps://file.lgclouds001[.]com/read/get.php
hxxp://accwebcloud[.]com/list.php
hxxp://accwebcloud[.]com/upload.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Comments

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.