AhnLab’s ASEC reports a malicious LNK file that impersonates the National Tax Service and is being distributed to Korean users via a URL in emails. The PowerShell command embedded in the LNK drops a multi-stage downloader built from VBScript and batch files, which collects and exfiltrates host data and ultimately executes Qasar RAT and Amadey. #QasarRAT #Amadey
Keypoints
- The malicious LNK is distributed through an email-linked URL that downloads a ZIP containing the LNK and a harmless HWP document.
- The LNK file carries about 300 MB of dummy data and embeds a malicious PowerShell command.
- The PowerShell command creates and opens a normal HWP document disguised as a National Tax Service notice.
- A multi-stage dropper (start.vbs, several .bat files, and unzip.exe) downloads additional payloads, decompresses them, and loads the resulting file via rundll32.exe.
- The dropper exfiltrates breached user information (e.g., file lists, IP, system info) to hxxp://filehost001.com/upload.php.
- Qasar RAT and Amadey were ultimately executed, indicating that the final payload depends on whichever file the actor chooses to host.
- The report notes increasing distribution of malicious LNKs to Korean users and provides several IOC indicators.
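The chain above hinges on two traits a defender can check statically before anything runs: the shortcut carries a PowerShell launch command in its StringData, and it is far larger than any real shortcut because payload bytes are appended after the shell-link structure. The following Python is an added example for this summary, not code from the ASEC report or from AhnLab: it parses the MS-SHLLINK layout (header, optional IDList/LinkInfo, StringData, ExtraData) and flags launcher markers, a hidden ShowCommand, an oversized file, and bytes trailing the TerminalBlock. The marker list, the 1 MiB size threshold and both sample shortcuts are constructed here and are assumptions, not values from the report.

```python
"""Static triage of Windows shortcut (.lnk) files following the MS-SHLLINK layout.
Added example for this summary, not code from the ASEC report. The sample
shortcuts are constructed below; the marker list and size threshold are the
author's own tuning assumptions."""
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight

# Tuning assumptions: substrings typical of a PowerShell stager launch, and a size
# above which a shortcut is almost certainly carrying an embedded payload.
LAUNCHER_MARKERS = ("-windowstyle hidden", "-w hidden", "-ep bypass", "-executionpolicy bypass",
                    "-nop", "-enc", "frombase64string", "iex", "invoke-expression", "downloadstring")
SIZE_THRESHOLD = 1024 * 1024


def parse_lnk(data: bytes) -> dict:
    """Walk the shell-link structure and report its strings plus the number of
    bytes that follow the ExtraData TerminalBlock (where appended payloads live)."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag, name in STRING_DATA_ORDER:       # CountCharacters (2 bytes) + chars, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    while pos + 4 <= len(data):                # ExtraData blocks; BlockSize < 4 is the TerminalBlock
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            pos += 4
            break
        pos += block_size
    return {"flags": flags, "show_command": show_command, "strings": strings,
            "trailing_bytes": max(0, len(data) - pos)}


def triage_lnk(data: bytes) -> dict:
    """Apply the static checks the delivery chain motivates and return a verdict."""
    info = parse_lnk(data)
    args = info["strings"].get("arguments", "")
    findings = []
    hits = [m for m in LAUNCHER_MARKERS if m in args.lower()]
    if hits:
        findings.append("launcher markers in arguments: " + ", ".join(hits))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand = SW_SHOWMINNOACTIVE (window kept hidden)")
    if len(data) >= SIZE_THRESHOLD:
        findings.append(f"shortcut is {len(data)} bytes; genuine shortcuts are a few KiB")
    if info["trailing_bytes"]:
        findings.append(f"{info['trailing_bytes']} bytes appended after the TerminalBlock")
    return {"target": info["strings"].get("relative_path", ""), "arguments": args,
            "trailing_bytes": info["trailing_bytes"], "findings": findings,
            "suspicious": bool(hits) or info["trailing_bytes"] > 0 or len(data) >= SIZE_THRESHOLD}


def build_lnk(arguments: str, show_command: int = 1, appended: bytes = b"") -> bytes:
    """Construct a minimal well-formed shortcut (no IDList/LinkInfo) for testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<II", flags, 0x20)              # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
              + b"\x00" * 24                                 # Creation/Access/Write times
              + struct.pack("<IIIH", 0, 0, show_command, 0)  # FileSize, IconIndex, ShowCommand, HotKey
              + b"\x00" * 10)                                # Reserved1..Reserved3

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe") + string_data(arguments)
    return header + body + struct.pack("<I", 0) + appended  # TerminalBlock, then any appended bytes


# Constructed samples: a routine admin shortcut, and one shaped like the chain above
# (hidden window, policy bypass, payload bytes appended past the structure).
BENIGN_LNK = build_lnk(r"-File C:\Scripts\weekly-report.ps1")
MALICIOUS_LNK = build_lnk('-windowstyle hidden -ep bypass -c "<constructed stager placeholder>"',
                          show_command=SW_SHOWMINNOACTIVE, appended=b"\x00" * 4096)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("constructed-malicious", MALICIOUS_LNK)):
        verdict = triage_lnk(blob)
        print(label, "->", "suspicious" if verdict["suspicious"] else "clean", verdict["findings"])
```

Bytes after the TerminalBlock are the most robust of the four signals: a well-formed shortcut ends exactly there, so any surplus is foreign data regardless of whether the launch command is obfuscated. Run the script over a mail gateway's extracted attachments and quarantine anything with trailing bytes or a size in the megabytes before it reaches a user.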
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Access via a URL in email to download ZIP and LNK. “The recently identified LNK file is presumed to be distributed via a URL included in emails.”
- [T1059.001] PowerShell – The LNK contains a malicious PowerShell command used to initiate the dropper. “PowerShell command is responsible for first creating and opening the normal HWP document within the LNK file.”
- [T1059.005] VBScript – The dropper uses VBScript (start.vbs) to drive execution. “start.vbs … Executes 74116308.bat”
- [T1218.011] Rundll32 – Final stage uses rundll32.exe to load the payload. “the created file is loaded through rundll32.exe.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via RunKey registration. “Registers to the RunKey (start.vbs)”
- [T1105] Ingress Tool Transfer – The dropper downloads additional components from remote URLs. “Downloads a ZIP file through 20191362.bat”
- [T1560.001] Decompress archives – The dropper decompresses ZIP using unzip.exe. “Decompresses the ZIP file through unzip.exe”
- [T1041] Exfiltration Over C2 Channel – Data is sent to a remote server. “Breached information … hxxp://filehost001.com/upload.php”
- [T1005] Data from Local System – The malware collects local system information before exfiltration. “List of files in the downloads folder … System information”
Indicators of Compromise
- [Hash] data used for detection – 560e5977e5e5ce077adc9478cd93c2ac, 7725d117d0bd0a7a5fb8ef101b019415, and 5 more hashes
- [URL] context – hxxps://file.gdrive001[.]com/read/?cu=jaebonghouse&so=종합소득세%20신고관련%20해명자료%20제출%20안내.zip, hxxps://file.gdrive001[.]com/read/get.php?cu=ln3&so=xu6502, and 1 more URL
- [Domain] context – filehost001.com, file.gdrive001[.]com, and 1 more domain
- [File name] context – National Tax Service Clarification Documents Submission Guide Concerning General Income Tax Report.lnk, National Tax Service Clarification Documents Submission Guide Concerning General Income Tax Report.hwp, and 2 more file names
Read more: https://asec.ahnlab.com/en/57176/