Full Report
Overview

AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and features of the APT attacks in South Korea that were identified during May 2025.

Figure 1. Statistics of APT attacks in South Korea in May 2025 […]
Analysis Summary
# Threat Actor: Unnamed APT Actor(s) Active in South Korea
## Attribution & Identity
Attribution is not explicitly provided in the summary beyond identifying the actors as Advanced Persistent Threat (APT) groups that AhnLab observed operating in South Korea. The two distinct attack types (Type A and Type B) may indicate different or collaborating threat groups, or an evolving methodology within a single group.
## Activity Summary
The report covers APT attacks active in South Korea during May 2025. The primary infiltration vector observed was spear phishing. The activities detailed focus on two distinct spear-phishing methodologies using malicious LNK files to deploy secondary payloads via CAB archives.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear Phishing, utilizing meticulously crafted messages based on reconnaissance.
- **Execution/Defense Evasion:**
  - Use of `.lnk` files to initiate malicious processes.
  - **Type A:** Malicious PowerShell commands embedded in LNK files extract and execute scripts (`.bat`, `.ps1`, `.vbs`) from a compressed CAB file.
  - **Type B:** LNK file execution creates and runs an obfuscated batch file via PowerShell.
- **Persistence/Discovery:** In Type B, a malicious Python script is registered in the Task Scheduler for execution.
- **Command and Control:** Downloading additional malware/components via external URLs.
- **Payload Delivery:** Use of CAB archive files to store and deliver secondary payloads, including a legitimate `pythonw.exe` alongside malicious Python scripts.
- **Defense Evasion (Decoys):** Use of decoy documents (e.g., compliance reports, tax forms) to mask malicious LNK file activity.
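As an added example (not code from the AhnLab report), the following Python sketch turns the two execution chains above into detection rules and runs them over constructed Sysmon-style process-creation events. The event field names, file paths, and the assumption that an LNK opened from Explorer yields an `explorer.exe -> powershell.exe` parent/child pair are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (sample data, not from the AhnLab report).
# Field names and paths are assumptions for illustration.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -Command "expand C:\Users\kim\AppData\Local\Temp\report.cab '
                r'-F:* C:\Users\kim\AppData\Local\Temp; & C:\Users\kim\AppData\Local\Temp\run.bat"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 10 /tn "SysUpdate" '
                r'/tr "C:\Users\kim\AppData\Local\Temp\pythonw.exe C:\Users\kim\AppData\Local\Temp\init.py"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Get-ChildItem C:\Users\kim\Documents"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Python312\pythonw.exe C:\Scripts\backup.py"'},
]

SCRIPT_EXT = re.compile(r"\.(bat|ps1|vbs)\b", re.I)          # second-stage script types named in the report
CAB_REF = re.compile(r"\.cab\b", re.I)                       # CAB archive used as the payload container
PY_SCRIPT = re.compile(r"\.py\b", re.I)
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Desktop)\\", re.I)  # where a dropped CAB or pythonw.exe lands
TASK_ACTION = re.compile(r'/tr\s+"?([^"]+)', re.I)           # the /tr (action) argument of schtasks /create

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: Dict[str, str]) -> List[str]:
    """Return labels of the report's TTPs that one event matches (empty list if none)."""
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    hits: List[str] = []
    # Both types start with an LNK opened in Explorer, so the first stage is explorer.exe -> powershell.exe.
    if parent == "explorer.exe" and image == "powershell.exe":
        if CAB_REF.search(cmd) and SCRIPT_EXT.search(cmd):
            hits.append("type-a: PowerShell extracting scripts from a CAB")
        elif SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
            hits.append("type-b: PowerShell launching a script from a user-writable path")
    # Type B persistence: a scheduled task whose action is a dropped pythonw.exe running a .py file.
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        m = TASK_ACTION.search(cmd)
        action = m.group(1) if m else ""
        if "pythonw.exe" in action.lower() and PY_SCRIPT.search(action) and USER_WRITABLE.search(action):
            hits.append("type-b: scheduled task running pythonw.exe from a user-writable path")
    return hits

def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matched TTP labels, omitting events that match nothing."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}
```

The fourth sample event, a scheduled task pointing at a `pythonw.exe` under `Program Files`, is deliberately left unflagged: the signal is an interpreter copied into a user-writable directory, not the use of Python itself.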
## Targeting
- **Sectors:** The nature of the decoy documents (financial reports, tax acts, compliance, virtual assets) strongly suggests targeting entities involved in **Finance, Government/Regulatory Compliance, and potentially Asset Management** within South Korea.
- **Geography:** South Korea.
- **Victims:** Specific victim organizations are not named; the targets were individuals or groups chosen to be receptive to the tailored lures.
## Tools & Infrastructure
- **Malware Families Used:**
  - Malicious scripts: PowerShell (`.ps1`), Batch (`.bat`), VBScript (`.vbs`), and obfuscated Python scripts.
  - Delivery mechanism: CAB files used to package scripts and legitimate executables.
- **Infrastructure (C2, domains, IPs):**
  - **IPs (Defanged):**
    - 103[.]149[.]98[.]230
    - 103[.]149[.]98[.]239
    - 174[.]138[.]186[.]157
    - 213[.]145[.]86[.]223
    - 64[.]20[.]59[.]148
  - **URLs (Defanged):**
    - http[:]//103[.]149[.]98[.]230/pprb/0220_pprb_man_1/an/d[.]php?newpa=myapp
    - http[:]//103[.]149[.]98[.]230/pprb/0220_pprb_man_1/an/d[.]php?newpa=myappfest
    - http[:]//103[.]149[.]98[.]230/pprb/0329_pprb/pm/d[.]php?newpa=myapp
    - http[:]//103[.]149[.]98[.]230/pprb/0329_pprb/pm/d[.]php?newpa=myappfest
    - http[:]//103[.]149[.]98[.]239/pprb/0520_pprb/d[.]php?newpa=myapp
  - **FQDNs (Defanged):**
    - mugem[.]n-e[.]kr
    - nauji[.]n-e[.]kr
    - teacafe[.]n-e[.]kr
    - tongsoju[.]n-e[.]kr
## Implications
This activity highlights a deliberate use of file-type confusion (LNK files disguised as `.hwp` and `.pdf` documents) combined with built-in operating system utilities (PowerShell, Task Scheduler) and a legitimate Python interpreter in spear-phishing campaigns. The reliance on CAB files to stage the later stages of the execution chain suggests an attempt to bypass endpoint detection that focuses only on direct executable launches. The actors are actively targeting South Korean entities with high-value lures related to regulatory and financial matters.
## Mitigations
- **Application Control:** Implement strict controls on LNK file execution or leverage security tools that analyze the behavior of LNK files rather than just their extensions.
- **Script Execution Prevention:** Harden PowerShell configurations (e.g., Constrained Language Mode) and restrict the ability of standard users to execute obfuscated scripts or install scheduled tasks without authorization.
- **Email Filtering:** Enhance advanced heuristic scanning for spear-phishing attachments, especially those wrapping multiple stages within archives (like CAB files).
- **IOC Blocking:** Block all listed IP addresses, URLs, and FQDNs at network egress and ingress points.
- **User Training:** Conduct specific training regarding lures related to compliance, finance, and tax documents, emphasizing the danger of LNK files masquerading as common documents.