Full Report

Overview

AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and features of the APT attacks in South Korea that were identified in March 2025, as well as the attack types.

Figure 1. Statistics of APT attacks in South Korea […]
Analysis Summary
# Threat Actor: Unnamed APT Group (Monitoring Focus: South Korea)
## Attribution & Identity
The report details APT attacks actively monitored in South Korea by AhnLab during March 2025. Specific attribution beyond being an APT group operating against South Korea is not provided. The relevant tags suggest potential overlap or familiarity with previously tracked malware/tools like AppleSeed, BeaverTail, NukeSped, and PebbleDash, though this does not confirm a direct link to the current group.
## Activity Summary
The observed APT activity in South Korea during March 2025 was predominantly characterized by **Spear Phishing** attacks. The most frequent infiltration vector involved the distribution of malicious **LNK files**.
Two primary spear-phishing methodologies (Type A and Type B) were identified:
1. **Type A:** LNK files trigger the decompression of a CAB file containing malicious scripts (bat, ps1, vbs) used to exfiltrate user PC information and download additional malware.
2. **Type B:** LNK files execute an obfuscated batch file via PowerShell, which downloads a CAB file. This CAB file contains Python files (one malicious, one legitimate helper) and results in the registration of a malicious Python script via Task Scheduler for persistent execution and downloading of further payloads.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear Phishing, utilizing emails with malicious attachments.
- **Execution:** Chains in which LNK files execute PowerShell commands or drop intermediate batch files.
- **Defense Evasion/Persistence:** Use of obfuscated scripts (BAT, PowerShell, Python). Type B specifically utilizes the Task Scheduler to achieve persistence.
- **Staging/Delivery:** Use of CAB archives to bundle multiple malicious components.
- **Obfuscation:** Scripts (Python, BAT) are noted as being obfuscated.
- **Weaponization:** Specific use of LNK shortcut files that rely on how Windows handles shortcuts, often disguised with names of common South Korean document types (.hwp).
**MITRE ATT&CK IDs (Inferred from TTPs):**
* T1566.001 (Spearphishing Attachment)
* T1204.002 (User Execution: Malicious File)
* T1059.001 (Command and Scripting Interpreter: PowerShell)
* T1547.001 (Registry Run Keys / Startup Folder - *Inferred from Task Scheduler usage*)
## Targeting
- Sectors: General discussion of APT activity in South Korea; specific sectors are not detailed beyond the nature of the decoy documents.
- Geography: South Korea.
- Victims: No specific victim organizations were named in the report overview. The decoy document names suggest targeting entities dealing with tax administration, finance, or official reporting (e.g., "ftrsm_total strategy.xlsx," "Reports on foreign financial accounts").
## Tools & Infrastructure
- **Malware Families/Scripts:** LNK, CAB, PowerShell scripts (.ps1), VBScript files (.vbs), Batch files (.bat), Python scripts. Tags mention "AppleSeed," "BeaverTail," "NukeSped," and "PebbleDash," which may be associated tools or capabilities used by this or related threat actors.
- **Infrastructure (C2 Examples):**
## Implications
The identified threat actors are highly proficient in using standard operating system features (PowerShell, Task Scheduler) combined with archive and shortcut files (CAB, LNK) for initial access and complex infection chains. The use of decoy documents mimicking local South Korean templates (HWP, tax forms) underscores strong reconnaissance and localization efforts, indicating focused, persistent adversary operations within the region.
## Mitigations
- **Email Security:** Implement robust email filtering to block suspicious LNK file attachments and executable content embedded in archives.
- **Application Control:** Restrict the execution of scripts (PowerShell, VBScript) from non-standard locations (e.g., TEMP, ProgramData) using Application Whitelisting or Constrained Language Mode for PowerShell.
- **Shortcut File Awareness:** Educate users on the security risks associated with LNK files, especially when received via email.
- **Task Scheduler Monitoring:** Implement strict monitoring and alert rules for the creation of new scheduled tasks by non-administrative processes or scripts, which is a key persistence mechanism used here.
- **Network Monitoring:** Block or inspect traffic heading to the identified C2 infrastructure ranges and URLs.
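As an added example (not code from the AhnLab report), the following Python applies the Task Scheduler monitoring recommendation above to Windows Security Event 4698 (scheduled task created) records, flagging tasks whose action runs a script interpreter from a user-writable directory, the pattern of the Type B chain. The task names, user names and paths in the sample records are constructed for illustration.

```python
"""Flag suspicious scheduled-task creations in Windows Security Event 4698 records.
Heuristic mirrors the Type B chain: the task action runs a script interpreter
(python, powershell, cmd, wscript) and references a user-writable directory."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # Task Scheduler XML namespace
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

def assess_task(task_name: str, task_xml: str) -> dict:
    """Score one 4698 TaskContent blob; suspicious only when both heuristics fire."""
    interpreter = writable = False
    for exec_node in ET.fromstring(task_xml).findall(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        interpreter |= PureWindowsPath(command).name.lower() in INTERPRETERS
        writable |= any(m in f"{command} {args}".lower() for m in USER_WRITABLE)
    return {"task": task_name, "interpreter": interpreter,
            "user_writable": writable, "suspicious": interpreter and writable}

def scan_events(events: list[dict]) -> list[str]:
    """Return the names of tasks in 4698 records that trip both heuristics."""
    return [r["task"] for r in (assess_task(e["TaskName"], e["TaskContent"]) for e in events)
            if r["suspicious"]]

def _task_xml(command: str, args: str) -> str:
    # Minimal Task Scheduler XML in the shape of the 4698 TaskContent field.
    return (f'<Task xmlns="{NS["t"]}"><Actions><Exec><Command>{command}</Command>'
            f'<Arguments>{args}</Arguments></Exec></Actions></Task>')

# Constructed sample records (not real telemetry); field names mirror Event 4698.
SAMPLE_EVENTS = [
    {"TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "SubjectUserName": "SYSTEM",
     "TaskContent": _task_xml("%windir%\\system32\\defrag.exe", "-c -h -o -$")},
    {"TaskName": "\\Ops\\NightlyReport", "SubjectUserName": "svc_ops",  # interpreter, but system path
     "TaskContent": _task_xml("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                              "-File C:\\Scripts\\report.ps1")},
    # Type B pattern: Python interpreter and script both staged under user-writable paths.
    {"TaskName": "\\Updater\\PyUpdate", "SubjectUserName": "victim",
     "TaskContent": _task_xml("C:\\Users\\victim\\AppData\\Local\\Programs\\Python\\pythonw.exe",
                              "C:\\ProgramData\\upd\\sync.py")},
]

if __name__ == "__main__":
    for name in scan_events(SAMPLE_EVENTS):
        print("ALERT suspicious scheduled task:", name)
```

In production the records would come from the Security log (4698 must be enabled via "Audit Other Object Access Events") rather than the inline samples.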