ASEC detected a malicious LNK file distributed to financial and blockchain personnel via email and other distribution methods, masquerading as Blockchain Corporate Solution Handbook Production.zip. The LNK leads to a multi-stage chain of payloads, including obfuscated PowerShell, batch/VBS scripts, and potential downloads of Quasar RAT or Amadey, with self-deletion to erase traces. #QuasarRAT #Amadey
Keypoints
- The malicious LNK file is distributed through URLs and targets financial and blockchain company personnel.
- The downloaded archive contains a malicious LNK instead of a DOCX and uses a large 300MB file to house the payload.
- The LNK delivers obfuscated PowerShell commands inside the dropper, enabling payload execution.
- A VBScript (start.vbs) simply delegates execution to a BAT (66022014.bat), forming a multi-stage dropper chain.
- Persistence is achieved by registering a Run key entry (HKCU) to auto-start the dropper.
- The dropper collects system information, lists files, and exfiltrates data to a C2, while URL-based downloads shift to evade detection.
- When the C2 is reachable, additional malware such as Quasar RAT and Amadey may be downloaded and deployed.
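A triage check for the archive pattern described in the keypoints (a shortcut named like a document, padded to an abnormal size, invoking PowerShell) is shown below as an added example; it is not code from the ASEC report. The sample archive and file names inside it are constructed, the header bytes are the standard ShellLink magic, and the 1 MiB size threshold is an assumption to tune per environment.

```python
import io
import zipfile

# ShellLink header: HeaderSize 0x4C followed by the CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
DOC_EXTENSIONS = (".docx", ".doc", ".xlsx", ".pdf", ".hwp")  # extensions a .lnk may impersonate
SIZE_THRESHOLD = 1 * 1024 * 1024   # 1 MiB; assumption (legitimate shortcuts are a few KB)
HEAD_BYTES = 64 * 1024             # only the head is read; the oversized tail is padding

def _mentions_powershell(head: bytes) -> bool:
    # Shortcut arguments are UTF-16LE when the IsUnicode flag is set, so check both encodings.
    low = head.lower()
    return b"powershell" in low or "powershell".encode("utf-16-le") in low

def triage_archive(data: bytes) -> list[dict]:
    """Return one finding per .lnk entry in a ZIP, with the reasons it looks suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if not name.endswith(".lnk"):
                continue
            with zf.open(info) as fh:
                head = fh.read(HEAD_BYTES)
            reasons = []
            if name[:-4].endswith(DOC_EXTENSIONS):
                reasons.append("document extension before .lnk (masquerading)")
            if info.file_size > SIZE_THRESHOLD:
                reasons.append(f"oversized shortcut: {info.file_size} bytes")
            if head.startswith(LNK_MAGIC) and _mentions_powershell(head):
                reasons.append("shortcut invokes powershell")
            findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample (not the campaign file): a padded .docx.lnk plus a benign text file."""
    lnk = LNK_MAGIC + b"\x00" * 56 + "powershell.exe".encode("utf-16-le")  # 76-byte header + args
    lnk += b"\x00" * (2 * 1024 * 1024 - len(lnk))  # pad to 2 MiB, mimicking the oversized LNK
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Handbook/1. Form.docx.lnk", lnk)
        zf.writestr("Handbook/readme.txt", "benign text")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding["name"], finding["size"], finding["reasons"])
```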
MITRE Techniques
- [T1059.001] PowerShell – The LNK file contains obfuscated PowerShell commands used to perform actions after decoding. Quote: “The LNK file has an abnormally large size of about 300MB and contains obfuscated PowerShell commands.”
- [T1059.005] Windows Script – The start.vbs file only performs the role of executing the batch file 66022014.bat. Quote: “The start.vbs file only performs the role of executing the batch file 66022014.bat.”
- [T1547.001] Run Keys/Startup Folder – The dropper registers itself to the HKCU Run path to maintain persistence. Quote: “Register autorun: Registers itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run path to maintain persistence”
- [T1105] Ingress Tool Transfer – The dropper downloads additional files from remote URLs. Quote: “Downloads additional files: hxxp://accwebcloud[.]com/list.php?f=%COMPUTERNAME%.txt&r={Key} – Currently the C2 is unavailable for access”
- [T1041] Exfiltration Over C2 Channel – Collected data is sent to the C2 (upload.php). Quote: “uses the information to the C2: hxxp://accwebcloud[.]com/upload.php”
- [T1082] System Information Discovery – 73505966.bat collects system information (computer info) and lists files in Downloads/Documents/Desktop. Quote: “73505966.bat file performs the following behaviors. 1. Collects system information … 2. Uses the 05210957.bat file to send the information to the C2: hxxp://accwebcloud[.]com/upload.php”
- [T1083] File and Directory Discovery – 73505966.bat enumerates files in %username%\downloads, %username%\documents, and %username%\desktop. Quote: “List of files in the %username%\downloads path … List of files in the %username%\documents path … List of files in the %username%\desktop path”
- [T1070.004] File Deletion – The LNK file deletes itself and the CAB to remove traces. Quote: “the LNK file deletes itself as well as the .cab file to remove traces.”
- [T1036] Masquerading – The LNK file’s icon mimics a DOCX document, creating confusion for users. Quote: “the LNK file’s icon is shown below… difficult to distinguish them from ordinary .docx document files if one does not pay attention to the shortcut arrow image.”
Indicators of Compromise
- [MD5] context – a95bd06ea44ca87c6ace0ad00fccdebb (1. Form.docx.lnk), df243512be8f0eafd7ba7ad77f05e8f3 (start.vbs), a6e811d205a9189ea0f82ac33a307cec (88730413.bat), 79b0289faf6f82118f2e8cdfa3f6be53 (73505966.bat)
- [URL] context – hxxps://file.ssdrive001[.]com/read/, hxxps://file.lgclouds001[.]com/read/, hxxps://file.lgclouds001[.]com/read/get.php, hxxp://accwebcloud[.]com/list.php, hxxp://accwebcloud[.]com/upload.php
- [File name] context – 1._Form.docx, %public%\qDLgNa.cab, temprun.bat, 66022014.bat
- [Domain] context – accwebcloud[.]com, file.lgclouds001[.]com, file.ssdrive001[.]com
- [C2] context – hxxp://accwebcloud[.]com/upload.php, hxxps://file.lgclouds001[.]com/read/get.php
Read more: https://asec.ahnlab.com/en/59057/