North Korea's APT37 threat group is offering fresh proof of how adversaries have pivoted to using LNK, or shortcut, files to distribute malicious payloads after Microsoft started blocking macros by default last year to stop malware delivery via Office documents.
Check Point Research, which has been tracking APT37 for years, this week reported seeing the threat actor using LNK files to deliver a remote access trojan (RAT) dubbed RokRAT on systems belonging to entities associated with South Korean domestic and foreign affairs.
Disguised As Legitimate Documents
The LNK files have been landing on target systems disguised as legitimate documents. In one attack that Check Point analyzed, the attacker disguised the malicious LNK file as a PDF and included it in a ZIP archive together with three legitimate, but stolen, documents pertaining to the Libyan oil and gas industry. In an April 2023 attack, the threat actor used an ISO image to plant two malicious LNKs that purported to contain content on South Korean diplomacy and policy decisions related to North Korea.
Check Point researchers found that in both cases, when a user clicked on the LNK file, it triggered the execution of a PowerShell script that extracted a document from the LNK, dropped it on disk and opened it. The document was a decoy that tricked victims into thinking they had opened a legitimate PDF or a South Korean Hangul Word Processor (HWP) file.
However, in the background, the PowerShell script also extracted a BAT script from the LNK that, in turn, executes another PowerShell script for downloading a payload from OneDrive, resulting in RokRAT being installed on the system.
Sergey Shykevich, threat intelligence group manager at Check Point, says this kind of multi-stage malware delivery process can make analysis harder for defenders. With the LNK file masquerading as a PDF file, for instance, after the victim clicks on the LNK file it loads a PowerShell script that loads two files.
The first is a legitimate PDF that tricks the victim into thinking everything is fine. The other is a "malicious script that runs a new PowerShell from a specific OneDrive and which runs a payload which loads RokRAT," he says. "Multi-staging makes it harder to track the whole infection chain and — if a malware is detected in the network — to understand the initial infection vector."
Switching Up Initial Infection Tactics
APT37, also known as ScarCruft and Reaper, has been active since at least 2012. The group has been associated with numerous campaigns over the years, including one dubbed Operation Daybreak, aimed at South Korean diplomatic targets, that exploited a zero-day bug, and another involving a backdoor called GoldBackdoor that targeted South Korean journalists.
APT37's shift to using LNK files for malware delivery is part of a trend that, in a sense, began in earnest when Microsoft decided to disable macros by default on files downloaded from the Internet last year. Prior to Microsoft first announcing its decision, in February 2022, some 31% of all threats involved macros in Office documents, according to one study. That number dropped dramatically after Microsoft's decision went into effect in the second half of 2022, after it had briefly appeared that the company would not go through with the plan.
Shell Link, or LNK, files are Windows files that provide a shortcut to other files, folders, and drives on the system. By clicking on an LNK file, a user can open the associated file or app without having to navigate to it manually. LNK files provide a convenient way for a user to access frequently used files and software, and they are generally considered safe.
LNK Files, Attractive to Cyberattackers
But there are features of LNK files that make them ideal for attackers, Shykevich says. "The effectiveness of LNK is mostly because the attacker can make the LNK file look like almost any other type of file," he says. As examples he points to PDF and Doc files. "It also allows the attacker to easily run different kinds of scripts [such as] BAT scripts in APT37's case," Shykevich notes. The biggest challenge for the user is paying enough attention to such files and checking whether they really are LNK files.
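To make the two points above concrete, the shortcut format itself and the way a single LNK can carry its own decoy document and script, here is an added example (not code from this article or from Check Point) that parses the MS-SHLLINK header and StringData of an .lnk file, measures any bytes appended after the terminal ExtraData block, and flags the masquerade pattern: a target that launches PowerShell, an icon borrowed from a document viewer, and an embedded overlay. The sample shortcut it builds is constructed for the demonstration, and the indicator strings are illustrative assumptions rather than Check Point's detection logic.

```python
import struct

HEADER_SIZE = 0x4C                       # fixed ShellLinkHeader size (MS-SHLLINK)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS), ("icon", HAS_ICON)]

def parse_lnk(data: bytes) -> dict:
    """Read LinkFlags, skip IDList/LinkInfo, decode StringData, measure any overlay."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, pos = struct.unpack_from("<I", data, 20)[0], HEADER_SIZE
    if flags & HAS_IDLIST:                   # IDListSize (u16) + ItemIDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                 # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for key, bit in STRING_FIELDS:           # CountCharacters (u16) + characters
        if flags & bit:
            n, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
            width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "latin-1")  # ANSI codepage assumed
            fields[key], pos = data[pos:pos + width * n].decode(enc), pos + width * n
    while pos + 4 <= len(data):              # ExtraData blocks carry a BlockSize (u32);
        size = struct.unpack_from("<I", data, pos)[0]   # a size below 4 is the terminal block
        pos += 4 if size < 4 else size
        if size < 4:
            break
    fields["overlay_bytes"] = max(0, len(data) - pos)  # data appended after the LNK proper
    return fields

def suspicious_indicators(fields: dict) -> list:
    """Heuristics for the masquerade/loader pattern; illustrative, not a complete detector."""
    cmd = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    hits = []
    if "powershell" in cmd or "cmd.exe" in cmd:
        hits.append("target runs a script interpreter")
    if any(s in fields.get("icon", "").lower() for s in (".pdf", "acrord", "hwp")):
        hits.append("icon borrowed from a document viewer")
    if fields["overlay_bytes"] > 0:
        hits.append(f"{fields['overlay_bytes']} bytes appended after the terminal block")
    return hits

def build_sample_lnk(target: str, args: str, icon: str, overlay: bytes = b"") -> bytes:
    """Constructed test sample: header + Unicode StringData + terminal block + optional overlay."""
    s = lambda x: struct.pack("<H", len(x)) + x.encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE) + bytes(52)
    return header + s(target) + s(args) + s(icon) + bytes(4) + overlay
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo, which the parser skips by their declared sizes before reading StringData, so the same routine applies to files collected from disk.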
Over the past year, attackers have used LNK files to deliver malware such as Emotet, IcedID, and Qakbot, McAfee and others have noted. The attacks have involved threat actors using spam, phishing emails, and malicious URLs to deliver the LNKs to users. Growing attacker adoption of the tactic has also spawned a bevy of commercial link generation tools for creating malicious LNK files. Some examples of these tools include Quantum Lnk Builder, which started shipping last year at rates ranging from around $200 per month to around $1,600 for lifetime access, MLNK Builder, available for $125 per build, and Macropack.