Malicious LNK File Being Distributed, Impersonating the National Tax Service
AhnLab Security Emergency response Center (ASEC) has found that a malicious LNK file impersonating the National Tax Service is being distributed. Distribution through LNK files is a method that has been used in the past, and recently there have been multiple cases of distribution to Korean users.
The recently identified LNK file is presumed to be distributed via a URL included in emails. The URL identified through AhnLab Smart Defense (ASD) is as follows, and from it, a compressed file named “Clarification Documents Submission Guide Concerning General Income Tax Report.zip” is downloaded. At the time of analysis, the compressed file contained two files: a malicious LNK file and a normal HWP document. Currently, only three normal HWP documents exist in the compressed file downloaded from the URL, thus it seems like the threat actor only distributed the malicious file for a short amount of time to render future analysis and tracking …
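For triage of archives like the one described above, the following added example (not from the ASEC report) lists ZIP members that are Windows shell links, matching on the MS-SHLLINK header as well as the `.lnk` extension so a renamed shortcut is still caught. The function names and sample file names are constructed for illustration.

```python
import io
import struct
import zipfile

# Shell Link header per MS-SHLLINK: HeaderSize 0x0000004C, then
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")


def find_lnk_members(zip_bytes):
    """Return (name, matched_by_extension, matched_by_header) for shell-link members."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = False
            # Encrypted members cannot be read without a password;
            # for those, only the extension check applies.
            if not info.flag_bits & 0x1:
                with zf.open(info) as fh:
                    by_magic = fh.read(len(LNK_MAGIC)) == LNK_MAGIC
            if by_ext or by_magic:
                hits.append((info.filename, by_ext, by_magic))
    return hits


def build_sample_zip():
    """Constructed sample: a decoy document, a shortcut, and a renamed shortcut."""
    lnk_header = LNK_MAGIC + b"\x00" * 56  # 76-byte header, remaining fields zeroed
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("guide.hwp", b"constructed decoy document bytes")
        zf.writestr("guide.hwp.lnk", lnk_header)
        zf.writestr("notes.txt", lnk_header)  # detectable by header only
    return buf.getvalue()


if __name__ == "__main__":
    for name, by_ext, by_magic in find_lnk_members(build_sample_zip()):
        print(f"{name}: extension={by_ext} header={by_magic}")
```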
IoC