Distribution of Malicious LNK Files Targeting Korean Financial Companies

ASEC has identified malicious LNK files being distributed to Korean financial companies. Delivery is by email: the message carries a malicious URL that leads to a ZIP download containing a legitimate PDF alongside a malicious LNK. Opening the LNK launches an obfuscated PowerShell command that collects user data, sends it to a remote server, and downloads additional malicious payloads.

Key Points

  • Malicious LNK files are being distributed to Korean financial companies.
  • Distribution occurs through emails with malicious URLs.
  • Downloaded ZIP contains both a legitimate PDF and a malicious LNK file.
  • The LNK file executes an obfuscated PowerShell command.
  • Stolen data includes user information and files, sent to a remote server.
  • The scripts are heavily obfuscated to hinder analysis and detection; persistence is established through a Run key.
  • Users are advised not to open or execute files from unknown sources.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Link – The distribution occurs through emails with malicious URLs. Quote: “The recently observed LNK files are believed to be distributed through emails containing a malicious URL.”
  • [T1071.001] Web Protocols – Uses HTTP/S for communication with the command and control server.
  • [T1059.001] PowerShell – The LNK file executes a malicious PowerShell command. Quote: “The malicious LNK file may easily be mistaken for an Excel file by an average user. However, the LNK file contains a malicious PowerShell command…”
  • [T1027] Obfuscated/Compressed/Encoded Files or Information – The PowerShell command is obfuscated; strings are fragmented to evade detection. Quote: “The PowerShell command is obfuscated, with a higher level of complexity… special characters are used in variable names, and all strings are fragmented to evade analysis and detection.”
  • [T1547.001] Registry Run Keys/Startup Folder – Establishes persistence by registering start.vbs under a Run key.
  • [T1003] Credential Dumping – Collects user information from the system.
  • [T1486] Data Encrypted for Impact – Potentially encrypts user data to extort victims.
  • [T1070.004] File Deletion – Deletes the LNK and CAB files to erase traces of execution. Quote: “The LNK file and the CAB file are then deleted to erase traces of execution.”
  • [T1041] Exfiltration Over C2 Channel – Stolen information is sent to a remote server. Quote: “Stolen information includes… and is sent to ‘http://shutss.com/upload.php’.”
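The chain described above (an LNK that spawns obfuscated PowerShell, a Run key pointing at start.vbs, and requests to upload.php / list.php) gives a defender three concrete things to look for in endpoint telemetry. The following rule set is an added example, not part of the ASEC report or this summary: it runs over constructed Sysmon-style process, registry and network events, and the obfuscation markers it keys on (string fragmentation with '+' joins, special characters in variable names, a hidden window) are the ones the report's T1027 entry names.

```python
import re

# Constructed Sysmon-style events modelled on the chain described above (LNK-spawned
# PowerShell, Run-key persistence via start.vbs, upload to upload.php); none are from the report.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -w hidden -c \"$a=('ht'+'tp://sh'+'utss.com/up'+'load.php');"
            "${+}=('C:\\Us'+'ers\\Public\\tr'+'ansfer.cab')\""},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -NoProfile -File C:\\Scripts\\inventory.ps1"},  # benign admin script
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "data": r"wscript.exe C:\Users\Public\start.vbs"},
    {"type": "network", "method": "POST", "url": "http://shutss.com/upload.php"},
    {"type": "network", "method": "GET", "url": "https://example.invalid/index.html"},
]

FRAGMENT_JOIN = re.compile(r"['\"]\s*\+\s*['\"]")        # 'ab'+'cd' string splicing
ODD_VARIABLE = re.compile(r"\$\{[^A-Za-z0-9_}][^}]*\}")    # ${+}-style variable names
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
EXFIL_PATH = re.compile(r"/(upload|list)\.php", re.I)

def check_process(ev):
    # Flag PowerShell whose command line shows the fragmentation/odd-name obfuscation markers.
    if ev["image"].lower() != "powershell.exe":
        return None
    joins = len(FRAGMENT_JOIN.findall(ev["cmd"]))
    odd = ODD_VARIABLE.search(ev["cmd"]) is not None
    hidden = HIDDEN_WINDOW.search(ev["cmd"]) is not None
    if joins >= 3 or odd or (hidden and joins):
        return f"obfuscated PowerShell from {ev['parent']} (joins={joins}, odd_var={odd}, hidden={hidden})"
    return None

def check_registry(ev):
    # Run-key value whose data launches a script file (start.vbs in the report).
    if RUN_KEY.search(ev["key"]) and ev["data"].lower().endswith(".vbs"):
        return f"Run key persistence via script: {ev['data']}"
    return None

def check_network(ev):
    # POST to upload.php or a list.php?f= fetch mirrors the staging/exfiltration URLs.
    if EXFIL_PATH.search(ev["url"]) and (ev["method"] == "POST" or "?f=" in ev["url"]):
        return f"possible staging/exfil request: {ev['method']} {ev['url']}"
    return None

def scan(events):
    """Return one finding string per event that matches a rule."""
    checks = {"process": check_process, "registry": check_registry, "network": check_network}
    return [hit for ev in events if (hit := checks[ev["type"]](ev))]
```

Correlating the three hits on one host within a short window is what separates this chain from a stray admin script; the benign inventory.ps1 event is included to show the process rule alone does not fire on ordinary PowerShell use.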

Indicators of Compromise

  • [MD5] e3eeeebb117b7c3128d87b6e027bd85d
  • [URL] http://shutss.com/list.php?f=%COMPUTERNAME%.txt
  • [URL] http://shutss.com/upload.php
  • [URL] https://cumasufitness.com/wp-includes/js/inc/?aEFrmRUBjZHtF=cfv0wxmIIUr%2BJAwMxATk9fG%2B8bF2B4KmBd7fe3KYw594YW%2B4GMISiUDCi6d3o8rjLWkvIZyD%2BDGFejKC5K%2BM2jACfRH%2Baq6HxTGuHd0ZXc8yANAvFQ3Zduafgo1P2JU%2FBSN1e3uNA6w%3D
  • [URL] https://thevintagegarage.com/plugins/content/src/inc/get.php?ra=iew&zw=lk0100
  • [Domain] shutss.com, cumasufitness.com, thevintagegarage.com
  • [File name] 금융당국 요청에 따른 프로젝트 정보 확인 요청의 건.zip, transfer.cab, 1.bat
  • [File name] start.vbs, 37667862.bat, 57089304.bat, 39054408.bat, 69299856.bat, unzip.exe (utility files mentioned in the script chain)

Read more: https://www.hendryadrian.com/distribution-of-malicious-lnk-files-targeting-korean-financial-companies/