Full Report
Overview
AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in Korea. This report covers the types and statistics of APT attacks in Korea during October 2024 as well as the features of each type. Figure 1. October 2024 statistics on APT attacks in […]
The post October 2024 Threat Trend Report on APT Attacks (South Korea) appeared first on ASEC.
Analysis Summary
# Threat Actor: Unspecified APT Actor (Observed via Korean Targets)
## Attribution & Identity
The article describes threat activity observed against targets in South Korea during October 2024, categorized generally as Advanced Persistent Threat (APT) attacks. No specific threat actor name or definitive attribution is provided in the summary paragraphs, only that the activity constitutes APT attacks.
## Activity Summary
The primary activity detailed involves extensive **spear phishing** campaigns targeting entities in Korea during October 2024. These attacks utilized malicious attachments, often employing specific file types to initiate infection chains.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear Phishing (Email).
- **Execution/Delivery Method (Type A):** Use of compressed CAB files containing malicious scripts (bat, ps1, vbs) triggered via malicious LNK files. The LNK file contained commands to extract the CAB and decoy documents.
- **Execution/Delivery Method (Type B):** Use of LNK files containing malicious PowerShell commands to retrieve staged malware.
- **Defense Evasion/Persistence:** Malware staged in common user directories such as `TEMP` or `PUBLIC`.
- **Command & Control (C2):** Malware utilizes C2 infrastructure hosted on vulnerable servers or cloud storage (DropBox API, Google Drive).
- **Payloads:** Execution of Remote Access Trojan (RAT) malware, specifically **XenoRAT** and **RoKRAT**.
- **Collection/Action on Objectives:** Keylogging and screen capturing capabilities observed via RAT payloads.
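As an added example (not part of the original report and not ASEC's own tooling), the following Python script turns the Type A and Type B chains above into detection logic and runs it over constructed Sysmon-style process-creation events. It assumes the CAB archive is unpacked with expand.exe, which the report does not state, and that the PowerShell launched from the LNK carries an encoded command; the event field names, paths and sample events are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Staging directories the report names (TEMP, PUBLIC), as they appear in
# Windows command lines, either as an expanded path or as an env variable.
STAGING_DIRS = re.compile(r"(?i)(\\users\\public\b|\\appdata\\local\\temp\b|%temp%|%public%)")
SCRIPT_EXT = re.compile(r"(?i)\.(bat|ps1|vbs)\b")          # script types from the report
CAB_EXT = re.compile(r"(?i)\.cab\b")
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s")
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


@dataclass
class ProcEvent:
    """Minimal process-creation event (constructed field set, Sysmon-like)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of the detection rules an event triggers."""
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line
    findings = []
    # Type A, step 1: a CAB archive expanded into TEMP or PUBLIC.
    # Assumption: extraction via expand.exe; the report does not name the utility.
    if img == "expand.exe" and CAB_EXT.search(cl) and STAGING_DIRS.search(cl):
        findings.append("cab_expand_into_staging_dir")
    # Type A, step 2: a bat/ps1/vbs script run out of TEMP or PUBLIC.
    if img in INTERPRETERS and SCRIPT_EXT.search(cl) and STAGING_DIRS.search(cl):
        findings.append("script_run_from_staging_dir")
    # Type B: PowerShell started by explorer.exe (an LNK double-click) with an
    # encoded command, matching the obfuscation the report mentions.
    if img in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe" and ENCODED_FLAG.search(cl):
        findings.append("encoded_powershell_from_explorer")
    return findings


def scan(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Index and findings for every event that triggers at least one rule."""
    results = []
    for i, ev in enumerate(events):
        f = classify(ev)
        if f:
            results.append((i, f))
    return results


# Constructed sample events: three modelled on the reported chains, two benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\expand.exe",
              r"expand C:\Users\alice\AppData\Local\Temp\attach.cab -F:* C:\Users\Public"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\Public\update.vbs"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc QQBCAEMA"),   # QQBCAEMA is just "ABC"
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Tools\backup.ps1"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", findings)
```

The benign fourth event runs an unencoded script from outside the staging directories and triggers nothing, which is the control a detection engineer wants before deploying rules keyed on PowerShell from explorer.exe.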
## Targeting
- **Sectors:** Not explicitly listed, but the context suggests organizations within **South Korea** are the primary target domain.
- **Geography:** **South Korea** (Korea).
- **Victims:** Not specifically named organizations.
## Tools & Infrastructure
- **Malware families used:** XenoRAT, RoKRAT (RATs), unspecified malicious scripts (bat, ps1, vbs).
- **Infrastructure (C2, domains, IPs):**
  - `http[:]//206[.]206[.]127[.]152[:]6105/`
  - `http[:]//206[.]206[.]127[.]152[:]7032/`
  - `http[:]//cdn[.]glitch[.]global/0072eaa8-5487-460c-9a1e-184c9e9cd32a/upb[.]hta`
  - `http[:]//cdn[.]glitch[.]global/17443dac-272c-421c-80ac-53a3695ede0e/main64[.]log`
  - `http[:]//cdn[.]glitch[.]global/17443dac-272c-421c-80ac-53a3695ede0e/net64[.]log`
## Implications
This activity indicates persistent, targeted intrusion attempts against Korean entities utilizing social engineering (spear phishing) combined with file-based execution chains (LNK/CAB) designed to deploy sophisticated remote access tools (RATs). The use of PowerShell obfuscation and staging in common directories suggests an attempt to bypass basic endpoint detection.
## Mitigations
- Apply strict email filtering and robust anti-phishing awareness training, focusing on identifying suspicious spear phishing attempts, particularly those involving LNK or HWP attachments.
- Implement security policies to restrict the execution of PowerShell scripts originating from unexpected file types or unusual paths.
- Monitor for suspicious activity related to the extraction and execution of scripts from compressed archives within user profiles (TEMP, PUBLIC).
- Monitor C2 traffic patterns, specifically connections to the identified IP ranges and domain hosting infrastructure.
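As an added example (not from the report), this Python block refangs the indicators listed above and matches them against constructed firewall/proxy log lines in a key=value format assumed here. IP-based indicators get a lower-confidence host-only hit when the port differs, while the cdn.glitch.global entries are matched on the full URL path only, because that host is a shared CDN and a host-level match would flag unrelated traffic.

```python
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Defanged indicators, copied from the report's infrastructure list.
DEFANGED_IOCS = [
    "http[:]//206[.]206[.]127[.]152[:]6105/",
    "http[:]//206[.]206[.]127[.]152[:]7032/",
    "http[:]//cdn[.]glitch[.]global/0072eaa8-5487-460c-9a1e-184c9e9cd32a/upb[.]hta",
    "http[:]//cdn[.]glitch[.]global/17443dac-272c-421c-80ac-53a3695ede0e/main64[.]log",
    "http[:]//cdn[.]glitch[.]global/17443dac-272c-421c-80ac-53a3695ede0e/net64[.]log",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions so the value parses as a URL."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def default_port(scheme: str) -> int:
    return 443 if scheme == "https" else 80


def parse_ioc(ioc: str) -> Dict:
    u = urlsplit(refang(ioc))
    path = u.path if u.path not in ("", "/") else None   # "/" alone means host:port only
    try:
        ipaddress.ip_address(u.hostname)
        is_ip = True
    except ValueError:
        is_ip = False
    return {"raw": ioc, "host": u.hostname, "port": u.port or default_port(u.scheme),
            "path": path, "is_ip": is_ip}


IOCS = [parse_ioc(i) for i in DEFANGED_IOCS]


def parse_kv(line: str) -> Dict[str, str]:
    """Parse the constructed 'key=value key=value' log format."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def match_line(line: str, iocs: List[Dict] = IOCS) -> List[Tuple[str, str]]:
    """Exact hits on host+port (IP IOCs) or host+path (URL IOCs); host-only fallback for IPs."""
    f = parse_kv(line)
    url = f.get("url", "-")
    if url != "-":                       # proxy line: take host/port/path from the URL
        u = urlsplit(url)
        host, port, path = u.hostname, u.port or default_port(u.scheme), u.path
    else:                                # flow line: only destination IP and port known
        host, port, path = f.get("dst"), int(f.get("dport", 0)), None
    exact = [ioc["raw"] for ioc in iocs if ioc["host"] == host and (
        (ioc["path"] is None and ioc["port"] == port) or
        (ioc["path"] is not None and ioc["path"] == path))]
    if exact:
        return [("exact", raw) for raw in exact]
    if any(ioc["host"] == host and ioc["is_ip"] for ioc in iocs):
        return [("host_only", host)]
    return []


def scan_log(lines: List[str]) -> List[Tuple[int, List[Tuple[str, str]]]]:
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed log lines; 203.0.113.20 is a documentation-range placeholder for the CDN edge.
SAMPLE_LOG = [
    "ts=2024-10-14T09:12:03Z src=10.0.0.5 dst=206.206.127.152 dport=6105 url=-",
    "ts=2024-10-14T09:15:41Z src=10.0.0.7 dst=203.0.113.20 dport=80 "
    "url=http://cdn.glitch.global/17443dac-272c-421c-80ac-53a3695ede0e/main64.log",
    "ts=2024-10-14T09:16:02Z src=10.0.0.9 dst=203.0.113.20 dport=80 "
    "url=http://cdn.glitch.global/other-project/app.js",
    "ts=2024-10-14T09:20:17Z src=10.0.0.5 dst=206.206.127.152 dport=443 url=-",
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG):
        print(idx, hits)
```

The third sample line reaches cdn.glitch.global on an unrelated path and produces no hit, which is the behaviour you want from a shared-hosting indicator; the fourth reaches the listed IP on a port the report does not mention and is surfaced as host-only for an analyst to triage.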