Warning Against Distribution of Malware Impersonating a Public Organization (LNK) – ASEC BLOG

ASEC reports a campaign distributing malicious LNK shortcuts impersonating a public organization, delivered via email disguised as a security notice. The payload drops a legitimate decoy Hangul Word Processor document and a malicious VBS script, then retrieves TutRAT for remote control actions such as keylogging, browser credential theft, and screenshots. #TutRAT #MinistryOfUnification

Key points

  • Malicious LNK/HTML attachments impersonate a public organization and are delivered via phishing emails.
  • Decoy Hangul Word Processor documents are used alongside malicious shortcuts to lure users.
  • Executing the HTML attachment drops a legitimate HWP document and a malicious VBS script into the TEMP folder before running them.
  • The VBS code is obfuscated; once decoded, it modifies the registry and connects to a remote URL to fetch a further script.
  • One LNK variant downloads TutRAT from a remote server, decodes the Base64-encoded data into client.ps1 and version103.vbs under %temp%, and runs them for fileless execution.
  • TutRAT components enable keylogging, browser credential theft, and screenshot capture via C2 communications.
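
As an added example (not code from the ASEC report), the triage routine below parses the STRING_DATA fields of a shortcut per the MS-SHLLINK layout and flags the two traits of this lure that a defender can check without executing anything: a document double extension such as .hwp.lnk, and a shortcut whose target is a script host run with a hidden window or inline Base64 decoding. The sample shortcut bytes are constructed by build_sample_lnk, and the keyword lists are assumptions, not values from the report.

```python
import struct
# Shell Link (MS-SHLLINK) header constants
LNK_MAGIC = b"\x4c\x00\x00\x00"
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# STRING_DATA fields in on-disk order, with the LinkFlags bit that enables each
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "cmd.exe")  # assumed list
DOC_EXTENSIONS = ("hwp", "doc", "docx", "pdf", "xls", "xlsx", "txt")  # assumed list

def parse_lnk_strings(data: bytes) -> dict:
    """Skip header, LinkTargetIDList and LinkInfo, then return the STRING_DATA fields."""
    if data[:4] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # ShellLinkHeader is a fixed 0x4C bytes
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += 2 + count * width
    return fields

def triage_lnk(filename: str, data: bytes) -> list:
    """Flag the traits of this lure: a document double extension and a script-host target."""
    findings = []
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[2] == "lnk" and parts[1] in DOC_EXTENSIONS:
        findings.append(f"double extension .{parts[1]}.lnk disguises a shortcut as a document")
    fields = parse_lnk_strings(data)
    target = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    if any(host in target for host in SCRIPT_HOSTS):
        findings.append("shortcut launches a script host instead of a document viewer")
    if "hidden" in target or "frombase64string" in target:
        findings.append("hidden window or inline Base64 decoding in shortcut arguments")
    return findings

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed fixture: minimal Unicode Shell Link carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    header = LNK_MAGIC + b"\x00" * 16 + struct.pack("<I", IS_UNICODE | 0x08 | 0x20) + b"\x00" * 52
    return header + b"".join(struct.pack("<H", len(t)) + t.encode("utf-16-le") for t in (relative_path, arguments))
```

On a real sample, the target executable usually sits in the LinkTargetIDList rather than RELATIVE_PATH, so production tooling should also walk the ID list; the STRING_DATA check above is the cheap first pass.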

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Attaches malicious LNK/HTML attachments impersonating a public organization in emails to deliver malware. ‘observed the distribution of malicious shortcut (*.lnk) files impersonating a public organization… by attaching it to emails.’
  • [T1023] Shortcut Modification – The LNK file triggers the creation of a legitimate HWP document and a malicious VBS in TEMP before execution. ‘When the file … is executed, a legitimate HWP document and a malicious VBS script file are created in the TEMP folder before being executed.’
  • [T1059.005] VBScript – The VBS code is obfuscated and, when deobfuscated, changes the registry and connects to an external URL to execute an additional script. ‘The VBS code is obfuscated, and when deobfuscated, there is a code that makes changes to the registry and connects to an external URL to execute an additional script.’
  • [T1112] Modify Registry – The VBS component makes changes to the registry as part of its routine. ‘changes to the registry.’
  • [T1105] Ingress Tool Transfer – Downloads TutRAT from a remote server and executes fileless malware (client.ps1 and version103.vbs). ‘downloads the TutRAT malware from hxxp://m****[.]com/pg/adm/tdr/upi/down0/r_enc.bin and executes the fileless malware. The threat actor uses this to decode the data encoded in Base64, saving it as %temp%\client.ps1 and %temp%\version103.vbs respectively.’
  • [T1059.001] PowerShell – PowerShell-based components execute the decoded payload (client.ps1) and run commands received from the C2. ‘PowerShell code executed via the malicious LNK file’; ‘“Main” method to receive commands from the threat actor.’
  • [T1113] Screen Capture – Implements screenshot-taking as part of its activities. ‘taking screenshots.’
  • [T1555.003] Credentials from Web Browsers – Steals browser account information as part of data collection. ‘stealing browser account information.’
  • [T1056.001] Keylogging – Records keystrokes to capture user input. ‘keylogging, …’
  • [T1071.001] Web Protocols – C2 communication over web protocols to receive commands. ‘C&C: 165.154.230[.]24:8020’

Indicators of Compromise

  • [URL] http://list.php?query=1, http://show.php?query=1
  • [Domain] iso****.co[.]kr, ky****ek[.]com
  • [IP] 165.154.230[.]24:8020
  • [File name] Oct 2023 Professor ** Lee Ministry of Unification Brown Bag Lunch China Issue Related Lecture Request (Draft).hwp.lnk, Nov 2023 Professor ** Choi Ministry of Unification Brown Bag Lunch China-US Issue Related Lecture Request (Draft).hwp.lnk

Read more: https://asec.ahnlab.com/en/59042/