LNK File Disguised as Certificate Distributing RokRAT Malware
AhnLab SEcurity intelligence Center (ASEC) has confirmed the continuous distribution of shortcut files (*.LNK) of abnormal sizes that disseminate backdoor-type malware. The recently confirmed shortcut files (*.LNK) are found to be targeting South Korean users, particularly those related to North Korea. The confirmed LNK file names are as follows:
National Information Academy 8th Integrated Course Certificate (Final).lnk
Gate access roster 2024.lnk
Northeast Project (US Congressional Research Service (CRS Report).lnk
Facility list.lnk
Figure 1. Confirmed properties of the LNK files
The confirmed LNK files contain a command that launches PowerShell via CMD, and they are of the same type as those described in “RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)” [1], posted last year. A notable characteristic of this type is that the LNK file itself carries a legitimate decoy document, script code, and malicious PE data.
Figure 2. PDF file and script code contained within an LNK file
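As an added example (not code from the ASEC post), the following Python triage script walks a shortcut file's structure in the order the format defines it, recovers the command-line arguments, checks them for PowerShell, and reports any bytes appended after the structure together with PDF or PE magic found in them, which is how the decoy document and PE data described above would show up. The LNK sample is a constructed fixture built inside the block, and the 100 KB size threshold is an assumption.

```python
import struct

# LinkFlags bits in MS-SHLLINK 2.1.1 order (bit 0 .. bit 7)
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,
 HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
PAYLOAD_MAGIC = {b"%PDF": "PDF", b"MZ": "PE", b"PK\x03\x04": "ZIP/OOXML"}

def parse_lnk(data):
    """Walk the ShellLink structure; return (command-line arguments, offset where the structure ends)."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = 0x4C
    if flags & HAS_ID_LIST:                     # LinkTargetIDList: uint16 size, then the ID list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    strings = {}
    for bit in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON):
        if flags & bit:                         # StringData: uint16 character count, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            strings[bit] = data[pos + 2:pos + 2 + count * width].decode(codec)
            pos += 2 + count * width
    block = 4
    while block >= 4 and pos + 4 <= len(data):  # ExtraData blocks; a size below 4 is the terminal block
        block = struct.unpack_from("<I", data, pos)[0]
        pos += max(block, 4)
    return strings.get(HAS_ARGS, ""), pos

def triage_lnk(data, size_limit=100 * 1024):
    """Report the traits the post describes: a PowerShell command line and data appended after the structure."""
    args, end = parse_lnk(data)
    trailing = data[end:]
    return {
        "args": args,
        "launches_powershell": "powershell" in args.lower(),  # target (cmd.exe) sits in the undecoded ID list
        "oversized": len(data) > size_limit,    # assumed threshold; ordinary shortcuts are a few KB
        "trailing_bytes": len(trailing),
        "embedded": sorted(label for magic, label in PAYLOAD_MAGIC.items() if magic in trailing),
    }

def build_lnk(args, appended=b""):
    """Constructed test fixture only: a minimal Unicode shortcut carrying just COMMAND_LINE_ARGUMENTS."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ARGS | IS_UNICODE) + bytes(0x4C - 24)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le") + bytes(4) + appended

if __name__ == "__main__":
    print(triage_lnk(build_lnk('/c powershell -c "<constructed placeholder>"', b"%PDF-1.7 decoy" + bytes(200) + b"MZ stub")))
```

On a real sample, read the file in binary mode and pass the bytes to `triage_lnk`; a non-zero `trailing_bytes` value with document or PE magic is the indicator worth escalating.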
The simplified operation process of the malware is as …
IoC