Full Report
Overview

AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in Korea. This report will cover the types and statistics of APT attacks in Korea during December 2024 as well as features of each type.

Figure 1. December 2024 statistics of APT attacks in Korea

APT attacks […]
Analysis Summary
# Threat Actor: Undisclosed APT Group (Focused on South Korea)
## Attribution & Identity
Attribution to a specific, named, state-sponsored group is not provided in the summary. The activity is broadly categorized as Advanced Persistent Threat (APT) attacks monitored by AhnLab Smart Defense (ASD).
## Activity Summary
The activity summarized covers APT attacks observed against targets in South Korea during **December 2024**. The dominant initial access vector was **spear phishing**. Two distinct variants of LNK file usage within spear phishing campaigns were identified:
1. **Type A:** Utilized LNK files to execute PowerShell commands that extract and decompress a CAB file containing malicious scripts (bat, ps1, vbs) used for information exfiltration and downloading secondary malware.
2. **Type B:** Utilized LNK files to execute PowerShell commands that download and deploy Remote Access Trojan (RAT) malware, often using cloud services like Dropbox API or Google Drive for retrieval.
## Tactics, Techniques & Procedures
- **Spear Phishing:** Used to deliver malicious content after conducting initial reconnaissance on targets.
- **Email Spoofing:** Mentioned as a technique used alongside spear phishing to enhance trustworthiness.
- **LNK File Delivery:** Primary initial access method.
  - Malicious payload hidden within compressed formats (CAB files) delivered via LNK files.
  - Malicious LNK files contain PowerShell commands.
- **Script Execution:** Execution of multiple scripts (bat, ps1, vbs) via PowerShell.
- **Information Exfiltration** (Type A).
- **Downloader Functionality** (Type A and Type B).
- **Remote Access Trojan (RAT) Deployment** (Type B).
- **Use of Cloud Storage APIs:** Utilizing Dropbox API or Google Drive to fetch malware payloads (Type B).
*Note: Specific MITRE ATT&CK IDs are not provided in the source material.*
## Targeting
- **Sectors:** Not explicitly listed by sector, but the victims are implied to be located in South Korea and related to governmental/business entities, as evidenced by decoy file names (e.g., tax documents, contracts, trading details).
- **Geography:** South Korea.
- **Victims:** Specific organizations are not named, but file names suggest targets involved with finance/taxation (e.g., Bithumb Korea, tax regulations) and potentially diplomatic/educational matters (e.g., research journals, seminar invitations).
## Tools & Infrastructure
- **Malware Families Used:**
- RAT malware (specifically noted: **XenoRAT** and **RoKRAT**).
- Various unspecified malicious scripts (bat, ps1, vbs).
- **Infrastructure (C2, domains, IPs - defanged):**
- `http[:]//118[.]193[.]69[.]53`
- `http[:]//118[.]194[.]249[.]90`
- `http[:]//206[.]206[.]127[.]152:8328`
## Implications
The primary threat involves highly targeted spear phishing campaigns actively utilizing system shortcuts (.LNK) to bypass typical application control measures. The deployment of sophisticated RATs like XenoRAT and RoKRAT indicates a high capability group seeking persistent access, data theft, and espionage against Korean targets. The use of legitimate cloud services for malware staging suggests an attempt to blend in with normal network traffic.
## Mitigations
- **Enhanced Email Filtering:** Implement strong filters to block suspicious LNK files, especially those attempting to download content.
- **Application Control/Whitelisting:** Restrict the execution of scripts (PowerShell, VBS) originating from untrusted locations or executed in non-standard ways (e.g., triggered indirectly by LNK files).
- **User Education:** Aggressively train personnel on identifying spear phishing, especially emails containing seemingly benign shortcuts or referencing sensitive internal topics.
- **Network Monitoring:** Monitor network traffic for connections to the identified IPs/URLs, paying special attention to downloads initiated by processes spawned from user interactions with office documents or shortcuts.
- **Sandbox Execution:** Automatically detonate and analyze potentially malicious LNK files in a controlled environment to determine script behavior and final payload before delivery.
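As an added example (not from the AhnLab report), the following Python script shows how the Network Monitoring and Application Control mitigations above can be operationalised: it refangs the three C2 URLs listed in the report, matches proxy-log destinations against them, and flags Sysmon-style process events in which Explorer (the process that handles a double-clicked .lnk) spawns PowerShell with a command line referencing a CAB archive or a web download, consistent with the Type A chain. The proxy-log format, the event field names and the sample data are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Defanged C2 URLs as listed in the report above.
DEFANGED_IOCS = [
    "http[:]//118[.]193[.]69[.]53",
    "http[:]//118[.]194[.]249[.]90",
    "http[:]//206[.]206[.]127[.]152:8328",
]

def refang(ioc: str) -> str:
    """Undo the [:] and [.] defanging so the value can be matched against logs."""
    return ioc.replace("[:]", ":").replace("[.]", ".")

# host or host:port of each indicator, e.g. '206.206.127.152:8328'
IOC_HOSTS = {urlsplit(refang(u)).netloc for u in DEFANGED_IOCS}

def scan_proxy_log(lines):
    """Return (line_no, netloc) for requests to an IoC host; assumes 'ts client METHOD url' records (assumed format)."""
    hits = []
    for no, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) >= 4 and urlsplit(parts[3]).netloc in IOC_HOSTS:
            hits.append((no, urlsplit(parts[3]).netloc))
    return hits

# Heuristic for the LNK -> PowerShell -> CAB chain: Explorer (which handles a
# double-clicked .lnk) spawning PowerShell whose command line references a
# CAB archive, the expand utility or a web download. Tune for your estate.
SUSPICIOUS_CMD = re.compile(r"\.cab\b|\bexpand(\.exe)?\b|downloadfile|invoke-webrequest", re.I)

def flag_process_events(events):
    """events: Sysmon-style dicts with parent_image, image, command_line (assumed field names)."""
    flagged = []
    for ev in events:
        parent = ev.get("parent_image", "").lower().rsplit("\\", 1)[-1]
        image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        if (parent == "explorer.exe" and image == "powershell.exe"
                and SUSPICIOUS_CMD.search(ev.get("command_line", ""))):
            flagged.append(ev)
    return flagged

# Constructed sample data (not from the report) for a quick local run.
SAMPLE_LOG = [
    "2024-12-03T10:21:07 10.0.0.5 GET http://www.example.com/",
    "2024-12-03T10:21:09 10.0.0.5 GET http://118.193.69.53/update.php",
    "2024-12-03T10:21:12 10.0.0.7 POST http://206.206.127.152:8328/beacon",
]
SAMPLE_EVENT = {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "command_line": r"powershell.exe -Command expand C:\Users\u\Downloads\doc.cab -F:* C:\Users\u\AppData\Local\Temp"}
```

Running `scan_proxy_log(SAMPLE_LOG)` returns the two IoC hits and `flag_process_events([SAMPLE_EVENT])` returns the Explorer-spawned PowerShell event; feed real proxy and Sysmon exports in the same shape to apply it to your own telemetry.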