Malicious LNK File Being Distributed, Impersonating the National Tax Service

by Prapattimynk, Thursday, 21 September 2023 (5 months ago)


AhnLab Security Emergency response Center (ASEC) has discovered a malicious LNK file impersonating the National Tax Service being distributed. Distribution using LNK files is a method that has been used in the past, and recently there have been multiple cases of distribution to Korean users.

The recently identified LNK file is presumed to be distributed via a URL included in emails. The URL identified through AhnLab Smart Defense (ASD) is as follows, and from it, a compressed file named “Clarification Documents Submission Guide Concerning General Income Tax Report.zip” is downloaded. At the time of analysis, the compressed file contained two files: a malicious LNK file and a normal HWP document. Currently, only three normal HWP documents exist in the compressed file downloaded from the URL, thus it seems like the threat actor only distributed the malicious file for a short amount of time to render future analysis and tracking difficult.

  • Download URL
    hxxps://file.gdrive001[.]com/read/?cu=jaebonghouse&so=종합소득세%20신고관련%20해명자료%20제출%20안내.zip (the Korean file name in the `so` parameter translates to “Clarification Documents Submission Guide Concerning General Income Tax Report.zip”)
Figure 1. Compressed file containing the malicious LNK file

The malicious LNK file named “National Tax Service Clarification Documents Submission Guide Concerning General Income Tax Report.lnk” within the compressed file has about 300 MB of dummy data attached and contains a malicious PowerShell command.

Figure 2. PowerShell command within the LNK file
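As an added illustration that is not part of the original ASEC analysis, the following Python parses the MS-SHLLINK structures of a .lnk file to recover the target and argument strings and to measure the data left after the TerminalBlock, which is the kind of triage a defender would run on a sample like the one described above. The sample LNK bytes, the placeholder PowerShell argument string and the 1 KB padding threshold are constructed assumptions, as is the assumption that dummy data is appended after the shell-link structures.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}, little-endian
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRINGS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),  # StringData flag bits,
           (0x20, "arguments"), (0x40, "icon"))                              # in on-disk order

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields plus the byte count left over after the TerminalBlock."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: uint16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for bit, name in STRINGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    while pos + 4 <= len(data):                  # ExtraData blocks end at a TerminalBlock (< 4)
        block = struct.unpack_from("<I", data, pos)[0]
        pos += max(block, 4)
        if block < 4:
            break
    fields["trailing_bytes"] = max(0, len(data) - pos)
    return fields

def triage(data: bytes, pad_threshold: int = 1024) -> list:
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    findings = []
    if "powershell" in target:                   # trait 1: the shortcut launches PowerShell
        findings.append("powershell invoked from LNK")
    if info["trailing_bytes"] > pad_threshold:   # trait 2: padding appended after the structures
        findings.append(f"{info['trailing_bytes']} bytes appended after shell-link structures")
    return findings

def build_sample_lnk(args: str, padding: int) -> bytes:
    """Constructed sample (not the real file): header, RelativePath, Arguments, TerminalBlock, padding."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE) + bytes(0x4C - 24)
    def utf16(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    powershell = r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return header + utf16(powershell) + utf16(args) + b"\0\0\0\0" + b"\0" * padding
```

Running `triage(build_sample_lnk("-WindowStyle Hidden -Command <placeholder>", 4096))` reports both traits; real samples may also carry LinkTargetIDList, LinkInfo and ExtraData blocks, which the parser skips by their declared sizes.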

The PowerShell command is responsible for first creating and opening the normal HWP document within the LNK file under the file name “National Tax Service Clarification Documents Submission Guide Concerning General Income Tax Report.hwp”. Below is the content of the normal HWP file. It is disguised as a tax-related notice from the National Tax Service, and the user is led to believe that a normal HWP document is opened when they execute the malicious LNK file.

Figure 3. Normal HWP file

Afterward, a compressed file within the same LNK file is created in the path “%Public%2641.zip”. After decompressing the file that has been created, start.vbs is run, then the LNK file and the decompressed file are deleted. The files created after decompression are shown below, and the features of each file are available in Table 1.

Figure 4. Files created after decompression
File name     | Feature
--------------|--------------------------------------------------------------------------
start.vbs     | Executes 74116308.bat
74116308.bat  | Registers start.vbs to the Run key
              | Executes 02619992.bat (download feature)
              | Executes 86856980.bat (information breach)
              | Downloads a CAB file through 20191362.bat
02619992.bat  | Downloads a ZIP file through 20191362.bat
              | Decompresses the ZIP file through unzip.exe, then executes rundll32.exe
86856980.bat  | Collects user information
              | Executes 53844252.bat
20191362.bat  | Downloads files
53844252.bat  | Uploads the user’s information
unzip.exe     | Decompresses the ZIP file
Table 1. Features of the scripts

At the final stage of their malicious behaviors, the scripts breach the user’s information and download additional malicious files. The breached user information is as follows, and the data is sent to “hxxp://filehost001.com/upload.php”.

  • Breached Information
    List of files in the downloads folder
    List of files in the documents folder
    List of files in the desktop folder
    IP information
    List of running processes
    System information
Figure 5. Breaching user information

A total of two files are downloaded additionally, which are a ZIP file and a CAB file. First, the ZIP file is decompressed through unzip.exe, and a password (a) is required to decompress the file. Then, the created file is loaded through rundll32.exe.

  • Download URL
    hxxps://file.gdrive001[.]com/read/get.php?cu=ln3&so=xu6502
Figure 6. Downloading the ZIP file

The CAB file is decompressed using the expand command and executes the file temprun.bat which is created afterward.

  • Download URL
    hxxp://filehost001[.]com/list.php?f=%COMPUTERNAME%.txt
Figure 7. Downloading the CAB file

Both URLs are currently inaccessible, so the additional downloaded files could not be confirmed. AhnLab Smart Defense confirmed that Quasar RAT and Amadey were ultimately executed. Depending on the file uploaded by the threat actor, various malicious files can be downloaded.

Aside from the LNK file impersonating the National Tax Service, malicious LNK files are being distributed under the various topics listed below, so caution is advised.

  • File names used in distribution
    230827- Participating Organizations in the Conference.xlsx.lnk
    202308 Explanatory Materials for Restructuring the Ministry of Unification.pdf.lnk
    2023-2-Parking Registration Application – For Students.hwp.lnk
    Course Registration Correction Application.hwp.lnk
    securityMail.html.lnk

Recently, the distribution of malicious LNK files to Korean users has been increasing. As additional harm can be caused depending on the file that is downloaded, users must carefully check the senders of emails and refrain from opening files from unknown sources. Users should also regularly scan their PCs and update their security products to the latest engine.

[File Detection]
Downloader/LNK.Generic (2023.09.13.02)
Infostealer/BAT.Generic.S2319 (2023.09.11.02)
Downloader/BAT.Generic.SC192403 (2023.09.13.03)
Downloader/BAT.Generic.SC192404 (2023.09.13.03)
Downloader/BAT.Generic.SC192405 (2023.09.13.03)
Trojan/BAT.Runner.SC192407 (2023.09.13.03)

[Behavior Detection]
Fileless/EDR.Powershell.M11335

[IOC]

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
