Warning Against Distribution of Malware Impersonating a Public Organization (LNK)

2023-11-14, Ahnlab
https://asec.ahnlab.com/en/59042/
#Kimsuky #LNK

Contents

AhnLab Security Emergency response Center (ASEC) observed the distribution of malicious shortcut (*.lnk) files impersonating a public organization. The threat actor appears to distribute a malicious script (HTML) file disguised as a security email by attaching it to emails. These attacks usually target individuals in the field of Korean reunification and national security. Notably, the lures used the topic of honorarium payments to make the files look like legitimate documents. The malware's operation method and C2 format are similar to those described in previously published posts [1][2], which suggests that the same threat actor is behind this incident.
This type of malware exfiltrates user information and downloads additional malware. A brief summary of its operation process is shown below.
When the HTML file attachment is executed, a window disguised as a security email is displayed as shown below. It is presumed that a password would have been included in the email …

IoC
