Malicious LNK File Disguised as a Normal HWP Document – ASEC BLOG

An ASEC analysis uncovers a malicious LNK file disguised as a normal HWP document, distributed together with a text file impersonating the National Tax Service. The attack chain uses PowerShell to run payloads, chains several VBScript and batch components, and exfiltrates collected data to remote servers. Hashtags: #LNK #HWP #NationalTaxService #PowerShell #VBScript #CAB #filecompact #naverFileTodownload

Keypoints

  • The threat uses a malicious LNK file carrying an HWP icon, distributed in a compressed file together with a text file impersonating the National Tax Service.
  • Filenames in the distribution are tax-themed double-extension names such as “Tax Investigation Summon.hwp.lnk”.
  • Opening the LNK runs PowerShell, which creates and opens a normal-looking HWP document so the victim sees only an ordinary file.
  • Subsequent components (21358.cab, 24360.vbs, start.vbs, and several bat/VBS files) obfuscate their main strings, gain persistence through a Run key, and download and execute further payloads.
  • The malware collects system information and user data and uploads it to a remote server (filecompact.com) via upload.vbs.
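The lure in this report is a shortcut that looks like an HWP document but launches PowerShell. The following is an added example (written for this page, not ASEC's code or the malware's) of triaging such a file offline: a minimal MS-SHLLINK parser that walks the header, optional IDList/LinkInfo, the StringData fields and the ExtraData blocks, then applies heuristics that match the behaviours described above (document name ending in .lnk, a script-host target, a borrowed HWP icon, a minimised launch window). The check for bytes appended after the last structure is a general LNK-triage heuristic, not something the report states; the two sample shortcuts, the Hwp.exe icon path and the decoy-carving PowerShell arguments are constructed for the example.

```python
import struct
from dataclasses import dataclass

# ShellLink header constants (MS-SHLLINK 2.1): HeaderSize is always 0x4C and the
# LinkCLSID 00021401-0000-0000-C000-000000000046 is stored little-endian.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised and unfocused

SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
SUSPICIOUS_ARGS = ("-windowstyle hidden", "-w hidden", "-ep bypass", "-executionpolicy bypass",
                   "-enc", "iex", "invoke-expression", "frombase64string", "readallbytes")
DOC_EXTS = (".hwp", ".hwpx", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt")


@dataclass
class LnkInfo:
    flags: int
    show_command: int
    overlay_size: int = 0
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> LnkInfo:
    """Walk header -> IDList -> LinkInfo -> StringData -> ExtraData, then measure what is left."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    if data[4:20] != LNK_CLSID:
        raise ValueError("LinkCLSID mismatch")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = LnkInfo(flags=flags, show_command=struct.unpack_from("<I", data, 60)[0])
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, attr in STRING_FIELDS:                # CountCharacters + string, in this fixed order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            setattr(info, attr, data[pos:pos + 2 * count].decode("utf-16-le"))
            pos += 2 * count
        else:                                      # ANSI strings use the system code page; cp949 assumed
            setattr(info, attr, data[pos:pos + count].decode("cp949", errors="replace"))
            pos += count
    while pos + 4 <= len(data):                    # ExtraData blocks end with a BlockSize < 4
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4 if size < 4 else size
        if size < 4:
            break
    info.overlay_size = max(0, len(data) - pos)    # anything after the last structure is appended data
    return info


def score_lnk(filename: str, info: LnkInfo) -> list:
    """Heuristics for a document-themed shortcut that really launches a script host."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(DOC_EXTS):
        findings.append("double extension: document-looking name with .lnk suffix")
    target = (info.relative_path + " " + info.arguments).lower()
    host = next((h for h in SCRIPT_HOSTS if h in target), None)
    if host:
        findings.append(f"target launches script host: {host}")
    hits = [a for a in SUSPICIOUS_ARGS if a in target]
    if hits:
        findings.append("suspicious arguments: " + ", ".join(hits))
    if host and "hwp" in info.icon_location.lower():
        findings.append("icon borrowed from the HWP application while the target is a script host")
    if info.show_command == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window minimised on launch)")
    if info.overlay_size:
        findings.append(f"{info.overlay_size} bytes appended after the LNK structure")
    return findings


def build_lnk(relative_path, arguments, icon_location, show_command=1, overlay=b"") -> bytes:
    """Build a minimal LNK (no IDList/LinkInfo) so the parser can be exercised offline."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    s = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")
    return header + s(relative_path) + s(arguments) + s(icon_location) + struct.pack("<I", 0) + overlay


# Constructed samples (not from the report): a lookalike of the "Tax Investigation Summon.hwp.lnk"
# lure that runs hidden PowerShell and carries a decoy appended to the file, plus a benign shortcut.
DECOY_OVERLAY = b"HWP Document File" + b"\x00" * 64
MALICIOUS_ARGS = '''-windowstyle hidden -ep bypass -c "$b=[IO.File]::ReadAllBytes((Get-ChildItem *.hwp.lnk).FullName);[IO.File]::WriteAllBytes('decoy.hwp',$b[1024..2047])"'''
MALICIOUS_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          MALICIOUS_ARGS, r"C:\Program Files (x86)\Hnc\Hwp.exe",  # assumed icon path
                          show_command=SW_SHOWMINNOACTIVE, overlay=DECOY_OVERLAY)
BENIGN_LNK = build_lnk(r"..\..\Windows\notepad.exe", "", r"%SystemRoot%\System32\notepad.exe")

if __name__ == "__main__":
    for name, blob in (("Tax Investigation Summon.hwp.lnk", MALICIOUS_LNK), ("readme.lnk", BENIGN_LNK)):
        print(name, score_lnk(name, parse_lnk(blob)))
```

Real shortcuts usually carry an IDList and LinkInfo, which the parser skips by size, so `relative_path` may be empty and the target must then be read from the IDList; the `arguments` field is still where a hidden PowerShell command line lives, which is why the heuristics concatenate both.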

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The lure is a compressed file whose contents impersonate a government agency, luring the user into executing the LNK file packed alongside them. ‘The threat actor includes contents impersonating a member of the National Tax Service to induce users to execute the malicious LNK file that is also included in the compressed file.’
  • [T1059.001] PowerShell – The malicious LNK file, when opened, performs malicious behaviors through PowerShell. ‘upon opening this file, malicious behaviors are performed through Powershell.’
  • [T1027] Obfuscated Files and Information – start.vbs has its main strings obfuscated; the code that is ultimately executed runs fully.bat. ‘The code within start.vbs also has the main strings obfuscated…’
  • [T1547.001] Registry Run Keys/Startup Folder – The bat file registers start.vbs under the value name svchostno2 in HKCU\Software\Microsoft\Windows\CurrentVersion\Run so it runs automatically at logon. ‘…Run so it can be executed automatically.’
  • [T1105] Ingress Tool Transfer – download.vbs downloads an additional file from a remote URL, saved as setup.cab, then decompressed and deleted. ‘download.vbs to download an additional file from hxxps://filecompact.com/list.php?q=%COMPUTERNAME%.txt. The downloaded file is saved as setup.cab, decompressed, then deleted.’
  • [T1041] Exfiltration – The collected data is transmitted to a remote server via upload.vbs. ‘files… transmitted to hxxps://filecompact.com/upload.php using upload.vbs.’
  • [T1082] System Information Discovery – The malware collects system information with commands such as systeminfo, nslookup and tasklist and saves the output to files for exfiltration. ‘The targeted pieces of information are as follows…’ followed by the list of commands.
  • [T1083] File and Directory Discovery – The malware enumerates user directories (e.g., dir C:\Users\%username%\downloads /s, with the listing saved to a text file such as cuserdown.txt) to locate data before exfiltration.
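The techniques above leave a small set of host-observable traces: a Run value that hands control to a VBScript, hidden PowerShell spawned by explorer.exe when the shortcut is double-clicked, a burst of discovery commands whose output is redirected to files, and name resolution for the IOC domains. The following added example (written for this page, not part of the ASEC report) runs those four checks over constructed Sysmon-style JSON events; the field names follow Sysmon event IDs 1, 13 and 22, while the SID, paths, file names other than start.vbs and cuserdown.txt, and the benign events are made up for the sample.

```python
import json
import re

# Domains from the IOC list on this page
IOC_DOMAINS = {"filecompact.com", "the-fast-file.com",
               "naver.filetodownload.com", "naver.filedowns.net"}
DISCOVERY_CMDS = ("systeminfo", "nslookup", "tasklist", "dir ")
RUN_KEY = re.compile(r"\\currentversion\\run\\([^\\]+)$", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b|\.vbs\b", re.IGNORECASE)

# Constructed Sysmon-style JSON lines (values are made up to mirror the report's behaviours;
# a benign notepad launch, a benign Run value and a benign DNS query are mixed in).
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -windowstyle hidden -ep bypass -c $b=[IO.File]::ReadAllBytes((Get-ChildItem *.hwp.lnk).FullName)"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\cmd.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchostno2", "Details": "wscript.exe C:\\Users\\user\\AppData\\Local\\Temp\\start.vbs"}
{"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "cmd.exe /c systeminfo > C:\\Users\\user\\AppData\\Local\\Temp\\sysinfo.txt"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "cmd.exe /c tasklist > C:\\Users\\user\\AppData\\Local\\Temp\\task.txt"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "cmd.exe /c dir C:\\Users\\user\\downloads /s > C:\\Users\\user\\AppData\\Local\\Temp\\cuserdown.txt"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\wscript.exe", "QueryName": "filecompact.com"}
{"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "www.example.com"}
'''


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return one alert per suspicious event, plus one alert when discovery commands cluster."""
    alerts, discovery = [], set()
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        if eid == 13:  # registry value set: Run entries that hand control to a VBScript
            m = RUN_KEY.search(ev.get("TargetObject", ""))
            if m and SCRIPT_HOST.search(ev.get("Details", "")):
                alerts.append(f"T1547.001 Run value '{m.group(1)}' starts a VBScript: {ev['Details']}")
        elif eid == 1:  # process creation
            cmd = ev.get("CommandLine", "").lower()
            parent = ev.get("ParentImage", "").lower()
            if (image.endswith("powershell.exe") and parent.endswith("explorer.exe")
                    and any(k in cmd for k in ("hidden", "-ep bypass", "-enc"))):
                alerts.append("T1059.001 hidden PowerShell launched from explorer.exe (LNK-style): "
                              + ev["CommandLine"])
            if image.endswith("cmd.exe") and ">" in cmd:  # output redirected to a file for later upload
                discovery.update(d.strip() for d in DISCOVERY_CMDS if d in cmd)
        elif eid == 22:  # DNS query
            q = ev.get("QueryName", "").lower()
            if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
                alerts.append(f"T1105/T1041 DNS query for IOC domain {q} from {image}")
    if len(discovery) >= 3:  # several distinct discovery commands written to disk = collection stage
        alerts.append("T1082/T1083 discovery burst written to files: " + ", ".join(sorted(discovery)))
    return alerts


if __name__ == "__main__":
    for a in detect(load_events(SAMPLE_LOG)):
        print(a)
```

The Run-key rule keys on what the value executes rather than on the name svchostno2, since the name is trivially changed; the discovery rule deliberately waits for three distinct commands with redirected output, because a single `tasklist > file` is common in administration scripts.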

Indicators of Compromise

  • [LNK] Hashes – 85cc9cfe13f71967aca7b961a3cdf0be, 1bfe8d93ca1b2711fcf9958aa907abac, and 14 more hashes
  • [File Name] setup.cab – name under which the downloaded archive is saved; the collection output files cuserdown.txt and cuserdocu.txt are also listed
  • [Domain] filecompact.com – used for command and control and data exfiltration (e.g., list.php, upload.php)
  • [Domain] the-fast-file.com – another domain observed in the IOCs
  • [Domain] naver.filetodownload.com – used for initial download of additional payloads
  • [Domain] naver.filedowns.net – additional download/exfiltration domain observed

Read more: https://asec.ahnlab.com/en/46865/