The ASEC analysis team discovered the distribution of a malicious LNK file disguised as a normal HWP document, Along with a text file impersonating the National Tax Service. A normal HWP document with related contents is opened simultaneously, making it difficult for users to realize the file is rogue. The malicious script file executed in the end is the same type as the script covered in ‘Malicious Word Files Disguised as Product Introduction‘ and is deemed to be created by the same threat actor.
The recently discovered LNK file is usually distributed with the following file names related to tax investigations.
Tax Investigation Summon.hwp.lnk
Application for Transactions Confirmation (for issuing buyer-issued tax invoice)(Enforcement Ordinance of the Value-Added Tax Act).hwp.lnk
Statement for Source of Funds (Enforcement Ordinance of the Value-Added Tax Act).hwp.lnk
Other Form No.00 Faithful Reporting Confirmation.hwp.lnk
Income Tax Law No20(5) Bill of Major Expenses.hwp.lnk
Statement for Reception of Receipt.hwp.lnk
We deduce that the LNK file is distributed in a compressed file format along with a normal text file. The threat actor includes contents impersonating a member of the National Tax Service to induce users to execute the malicious LNK file that is also included in the compressed file.
The following image shows the contents of the ‘Guidelines for Reporting Documents.txt’ file included in the above compressed file.
The malicious LNK file is disguised with an HWP document icon as shown in the image below, and upon opening this file, malicious behaviors are performed through Powershell.
The Powershell command executed by the LNK file generates the normal HWP document within the LNK file under the file name ‘Other Form No.00 Faithful Reporting Confirmation.hwp’ and opens this document, leading users to think they have opened a normal document file.
Afterward, it creates the 21358.cab and 24360.vbs files in the %Public% directory then executes 24360.vbs. The following image shows the major obfuscated strings within the aforementioned script code.
When the above script is run, the files compressed inside 21358.cab are copied inside the %public%documents directory. Among these, the start.vbs file is then run. Afterward, it deletes the 21358.cab and 24360.vbs files.
The code within start.vbs also has the main strings obfuscated, and the code executed in the end is responsible for running the fully.bat file, as shown below.
ngqjeia = Left(WScript.ScriptFullName, InstrRev(WScript.ScriptFullName, «» ) – 1)
nnbhpbt.Run ngqjeia & «fully.bat», 0
Set nnbhpbt = Nothing
This bat file registers the start.vbs file as svchostno2 in HKCUSoftwareMicrosoftWindowsCurrentVersionRun so it can be executed automatically.
Subsequently, it executes the no1.bat and no4.bat files and uses download.vbs to download an additional file from hxxps://filecompact.com/list.php?q=%COMPUTERNAME%.txt. The downloaded file is saved as setup.cab, decompressed, then deleted.
The no1.bat file executed above runs start01.vbs and start02.vbs, and the no4.bat file includes a code that leaks user PC information.
The targeted pieces of information are as follows.
dir C:Users%username%downloads /s Results
dir C:Users%username%documents /s Results
dir C:Users%username%desktop /s Results
dir “C:Program Files” /s Results
nslookup myip.opendns.com resolver1.opendns.com Results
tasklist Results
systeminfo Results
Each collected piece of information is saved as cuserdown.txt, cuserdocu.txt, tskit.txt. etc. inside the %public%documents folder. These files are then transmitted to hxxps://filecompact.com/upload.php using upload.vbs.
The start01.vbs file executed by no1.bat also includes obfuscated strings and downloads an additional file from hxxps://naver.filetodownload.com/v2/read/get.php?mi=ln3&te=10294765.txt which is saved as %public%740997.zip.
Like the start01.vbs file, start02.vbs which is executed by no1.bat unzips the downloaded 740997.zip file into the %public% directory before using the ‘cmd.exe /c rundll32.exe “File Name” “,Run” command to execute the decompressed file. At the time of analysis, no additional files were downloaded from the URL, but various malware may be downloaded as intended by the threat actor.
Besides the HWP document covered above, multiple malicious LNK files disguised as normal HWP documents with tax and statement-related contents are being detected, therefore, users are advised to be particularly cautious.
[File Detection]
Dropper/LNK.Agent (2023.01.18.02)
Trojan/BAT.Agent (2023.01.19.00)
Trojan/VBS.Agent (2023.01.19.00)
Downloader/VBS.Generic (2023.01.19.00)
Trojan/VBS.Obfuscated (2023.01.19.00)
Trojan/VBS.Runner (2023.01.19.02)
Trojan/VBS.Uploader (2023.01.19.00)
[IOC Info]
85cc9cfe13f71967aca7b961a3cdf0be (LNK)
1bfe8d93ca1b2711fcf9958aa907abac (LNK)
5d479cbb619c98df370a1bb6c4190dff (LNK)
c34cf6d8ef370906b12b42a0b83a3869 (LNK)
ee8e160336bddbcc5f94f5f93565bfe8 (LNK)
8c0528c92510f100fe81b9e0ed0d3698 (LNK)
d2470fe8a0c3b73acedadc284b380d00 (LNK)
5773b236d2263979c4af83efb661ad37 (LNK)
6ac02caaad3490df88ebc59e5e2ea6fa
ceca17155cc484711a7df2d6c85de4ba
743f963dca043db8769cdfb6015af3af
e60022a1e871de0f093edaa81a2ed762
c11f2d5d9651f82007b6de56bac05652
a05493d7f163c534e2a923789225ab82
9f4993fe2163df12812ec2ad42860334
306cd4d12bf80fd6f581d438f7e31c3c
hxxps://filecompact[.]com/list.php?q=%COMPUTERNAME%.txt
hxxps://filecompact[.]com/upload.php
hxxps://naver.filetodownload[.]com/v2/read/get.php?mi=ln3&te=10294765.txt
hxxps://the-fast-file[.]com/list.php?q=%COMPUTERNAME%.txt
hxxps://the-fast-file[.]com/upload.php
hxxps://naver.filedowns[.]net/v2/read/get.php?kioz=ln3&uwac=10294765.txt
hxxps://fastfilestore[.]com/files/list.php?q=%COMPUTERNAME%.txt
hxxps://fastfilestore[.]com/files/upload.php
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Malicious LNK File Disguised as a Normal HWP Document appeared first on ASEC BLOG.
Article Link: Malicious LNK File Disguised as a Normal HWP Document – ASEC BLOG
1 post – 1 participant