Full Report
Overview: AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in Korea. This report covers the types and statistics of APT attacks in Korea during November 2024, as well as the features of each type. Figure 1. November 2024 statistics on APT attacks in Korea […] The post "November 2024 Threat Trend Report on APT Attacks (South Korea)" first appeared on ASEC.
Analysis Summary
# Threat Actor: Unspecified APT Group Conducting Attacks in South Korea
## Attribution & Identity
The threat actor is an Advanced Persistent Threat (APT) group that was active against targets in South Korea during November 2024. No specific attribution (name or known group association) is provided in the summary, only that they are characterized as an APT.
## Activity Summary
The key activity detailed is the execution of **spear phishing campaigns** targeting entities in South Korea during November 2024. These attacks relied heavily on LNK (Windows shortcut) files delivered via email to compromise systems, using social engineering tactics based on pre-attack reconnaissance.
## Tactics, Techniques & Procedures
The actor employs sophisticated spear-phishing methods utilizing LNK files:
* **Initial Access via Spear Phishing:** Using reconnaissance to craft highly convincing emails.
* **LNK File Exploitation (Type A):**
  * Distributing CAB files containing malicious scripts.
  * Using malicious PowerShell commands embedded within the LNK link to extract and execute scripts (bat, ps1, vbs) inside the LNK file.
  * Purpose: Information exfiltration and downloading secondary malware.
* **LNK File Exploitation (Type B):**
  * Using malicious PowerShell commands embedded within the LNK link.
  * Downloading malware via cloud services (Dropbox API, Google Drive).
  * Creating dropped script files and obfuscated Remote Access Trojans (RATs) in temporary directories (`TEMP`, `PUBLIC`).
  * Purpose: Establishing persistence and control, enabling keylogging and screen capturing.
* **Decoy Usage:** Employing decoy documents (e.g., agreement files, policy documents) to mask the malicious nature of the execution.
## Targeting
* **Sectors:** Not explicitly listed beyond the general "APT attacks against Korean targets," suggesting a broad range but likely involving sectors of interest to espionage/data theft.
* **Geography:** South Korea.
* **Victims:** Specific organizations are not named, but examples of decoy file names suggest potential targeting related to government, military, or regulatory bodies (e.g., "Yeongju-si," "Value-added tax processing regulations," "Korean People’s Army").
## Tools & Infrastructure
* **Malware families used (both Remote Access Trojans):**
  * XenoRAT
  * RoKRAT
* **Infrastructure (C2 URLs and IPs, defanged):**
  * `http[:]//118[.]193[.]69[.]53/mail[.]google[.]commailu0ui=2&ik=3a0f035e61&view=lg&permmsgid=msg`
  * `http[:]//154[.]90[.]62[.]248/wHk4tMu9XpWA/b[.]ps1`
  * `http[:]//154[.]90[.]62[.]248/wHk4tMu9XpWA/get-command[.]php`
  * `http[:]//158[.]247[.]201[.]113/apache[.]com/sdgrjlbmcs/anti[.]php`
  * `http[:]//158[.]247[.]201[.]113/apache[.]com/sdgrjlbmcs/daummail[.]php`
  * IP: `95[.]164[.]68[.]22`
## Implications
This threat actor group demonstrates strong tradecraft focused on **initial access via LNK files**, indicating an adaptation to common email gateway defenses by using complex, multi-stage execution methods involving PowerShell and compressed files to deliver RATs. Continued vigilance against LNK/script-based spear phishing is critical for organizations in South Korea.
## Mitigations
Defense recommendations should focus on blocking or strictly controlling LNK file execution and multi-stage payloads:
* Implement strict controls or blocks on the execution of downloaded LNK files.
* Monitor for PowerShell activities that attempt to extract and execute contents of compressed files (like CAB files).
* Implement defenses against script execution from temporary directories (`TEMP`, `PUBLIC`).
* Monitor for network traffic communicating with the listed C2 infrastructure.
* Enhance email filtering to detect suspicious attachments, in particular LNK files disguised as common document types (HWP, DOCX).
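The following is an added example, written for this summary and not part of the ASEC report, that turns the mitigations above and the Infrastructure list into a small host/network log detector. It refangs the defanged indicators exactly as listed, then runs three checks over constructed sample events: PowerShell expanding a CAB file, any process executing a bat/ps1/vbs script from `TEMP` or `PUBLIC`, and a network connection to one of the listed C2 hosts. The `kind|key=value|...` event format, the regular expressions, and the sample log lines are all assumptions made for the example.

```python
import ntpath
import re
from urllib.parse import urlsplit

# Indicators copied from the Infrastructure list above, kept defanged as published.
DEFANGED_IOCS = [
    "http[:]//118[.]193[.]69[.]53/mail[.]google[.]commailu0ui=2&ik=3a0f035e61&view=lg&permmsgid=msg",
    "http[:]//154[.]90[.]62[.]248/wHk4tMu9XpWA/b[.]ps1",
    "http[:]//154[.]90[.]62[.]248/wHk4tMu9XpWA/get-command[.]php",
    "http[:]//158[.]247[.]201[.]113/apache[.]com/sdgrjlbmcs/anti[.]php",
    "http[:]//158[.]247[.]201[.]113/apache[.]com/sdgrjlbmcs/daummail[.]php",
    "95[.]164[.]68[.]22",
]


def refang(indicator):
    """Undo the [.] / [:] / hxxp defanging conventions so the value is matchable."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def c2_hosts(iocs=DEFANGED_IOCS):
    """Collect the set of C2 hosts from the listed URLs and bare IPs."""
    hosts = set()
    for ioc in iocs:
        clean = refang(ioc)
        hosts.add(urlsplit(clean).hostname if "://" in clean else clean)
    return hosts


# Detection patterns (assumptions about how the described tradecraft appears in a command line).
CAB_EXTRACT = re.compile(r"(?i)\.cab\b|\b(?:expand|extrac32)(?:\.exe)?\b")
SCRIPT_FROM_TEMP = re.compile(
    r"(?i)(?:%temp%|%public%|\\users\\public\\|\\appdata\\local\\temp\\)[^\s\"']*\.(?:ps1|bat|vbs)\b"
)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def parse_event(line):
    """Parse a constructed 'kind|key=value|...' event into (kind, fields)."""
    kind, *rest = line.rstrip("\n").split("|")
    fields = {}
    for item in rest:
        key, _, value = item.partition("=")
        fields[key] = value
    return kind, fields


def scan(lines, hosts=None):
    """Return [(rule_name, line_number)] for every event that trips a rule."""
    hosts = c2_hosts() if hosts is None else hosts
    hits = []
    for n, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        kind, f = parse_event(line)
        if kind == "proc":
            image = ntpath.basename(f.get("image", "")).lower()
            cmd = f.get("cmd", "")
            # PowerShell unpacking a CAB (the Type A chain described above).
            if image in POWERSHELL_IMAGES and CAB_EXTRACT.search(cmd):
                hits.append(("powershell-cab-extract", n))
            # Any process running a script out of TEMP/PUBLIC (Type A and Type B drops).
            if SCRIPT_FROM_TEMP.search(cmd):
                hits.append(("script-from-temp-or-public", n))
        elif kind == "net" and f.get("dst") in hosts:
            hits.append(("c2-connection", n))
    return hits


# Constructed sample events: one benign explorer start, a suspicious chain, and benign noise.
SAMPLE_LOG = [
    r"proc|image=C:\Windows\explorer.exe|parent=C:\Windows\System32\userinit.exe|cmd=explorer.exe",
    r"proc|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|parent=C:\Windows\explorer.exe|cmd=powershell -windowstyle hidden expand C:\Users\u\Downloads\agreement.cab -F:* C:\Users\Public",
    r"proc|image=C:\Windows\System32\cmd.exe|parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=cmd /c C:\Users\Public\run.bat",
    r"proc|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|parent=C:\Windows\explorer.exe|cmd=powershell -ep bypass -f %TEMP%\update.ps1",
    r"net|image=powershell.exe|dst=154.90.62.248|dport=80",
    r"net|image=chrome.exe|dst=142.250.76.14|dport=443",
    r"proc|image=C:\Windows\System32\notepad.exe|parent=C:\Windows\explorer.exe|cmd=notepad.exe C:\Users\u\notes.txt",
]

if __name__ == "__main__":
    for rule, line_no in scan(SAMPLE_LOG):
        print(f"line {line_no}: {rule}")
```

The rules are deliberately narrow: the CAB check only fires for a PowerShell image, so a user manually running `expand` from a console is not flagged, while the TEMP/PUBLIC script check applies to every process because the second-stage script is often launched by `cmd.exe` or `wscript.exe` rather than PowerShell itself. Feeding real EDR or Sysmon process-creation and network events into `scan` needs only a different `parse_event`.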