North Korean APT Gets Around Macro-Blocking With LNK Switch-Up

Published: 23/11/2024   Category: security




APT37 is among a growing list of threat actors that have switched to Windows shortcut files after Microsoft blocked macros last year.



North Korea's APT37 threat group is providing fresh evidence of how adversaries have pivoted to LNK (Windows shortcut) files to distribute malicious payloads since Microsoft began blocking macros by default last year to stop malware delivery via Office documents.
Check Point Research, which has been tracking APT37 for years, this week reported seeing the threat actor using LNK files to deliver a remote access trojan (RAT) dubbed RokRAT on systems belonging to entities associated with South Korean domestic and foreign affairs.
The LNK files have been landing on target systems disguised as legitimate documents. In one attack that Check Point analyzed, the attacker disguised the malicious LNK file as a PDF and packaged it in a ZIP archive together with three legitimate, but stolen, documents pertaining to the Libyan oil and gas industry. In an April 2023 attack, the threat actor used an ISO image to deliver two malicious LNKs that purported to contain content on South Korean diplomacy and on policy decisions concerning North Korea.
Check Point researchers found that in both instances, when a user clicked on the LNK file, it triggered the execution of a PowerShell script that extracted a document embedded in the LNK, dropped it on disk, and opened it. The document was a decoy that tricked victims into thinking they had opened a legitimate PDF or a South Korean Hangul Word Processor (HWP) file.
In the background, however, the same PowerShell script also extracted a BAT script from the LNK. That BAT script in turn executed another PowerShell script that downloaded a payload from OneDrive, which resulted in RokRAT being installed on the system.
Sergey Shykevich, threat intelligence group manager at Check Point, says this kind of multi-stage malware delivery process can make analysis harder for defenders. With the LNK file masquerading as a PDF file, for instance, after the victim clicks on the LNK file it loads a PowerShell that loads two files.
The first is a legitimate PDF that tricks the victim into thinking everything is fine. The other is a malicious script that runs a new PowerShell from a specific OneDrive and which runs a payload which loads RokRAT, he says. Multi-staging makes it more difficult to track the whole infection chain and, if a malware is detected in the network, to understand the initial infection vector.
APT37, also known as ScarCruft and Reaper, has been active since at least 2012. The group has been associated with numerous campaigns over the years, including one dubbed Operation Daybreak, which targeted South Korean diplomatic entities and exploited a zero-day bug, and another involving a backdoor called GoldBackdoor that targeted South Korean journalists.
APT37's switch to LNK files for malware delivery is part of a trend that, in a sense, began in earnest when Microsoft decided to disable macros by default in files downloaded from the Internet last year. Before Microsoft first announced that decision in February 2022, some 31% of all threats involved macros in Office documents, according to one study. That number dropped dramatically after Microsoft's decision went into effect in the second half of 2022, after it had seemed for a moment that the company would not go through with the plan.
Shell Link files, or LNK files, are Windows files that provide a shortcut to other files, folders, and applications on the system. By clicking on an LNK file, a user can open the associated file or app without having to navigate to it manually. LNK files provide a convenient way for a user to reach frequently used files and software, and they are generally considered safe.
But there are features of LNK files that make them ideal for attackers, Shykevich says. The effectiveness of LNK is mostly because the attacker can make the LNK file look like almost any other type of file, he says. As examples he points to PDF and Doc files. It also allows the attacker to easily run different types of scripts, such as BAT scripts in APT37's case, Shykevich notes. The biggest challenge for the user is paying enough attention to such files and making sure whether they actually are LNK files.
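Both the infection chain described above (a shortcut posing as a PDF that launches PowerShell, with the decoy document and BAT script carried inside the LNK itself) and the Shell Link traits Shykevich describes can be checked directly from the file structure. The following is an added example written for this page, not Check Point's tooling and not code from the article: a Python parser for the Shell Link (MS-SHLLINK) format that validates the header, skips the LinkTargetIDList and LinkInfo structures, reads the StringData fields, and treats any bytes after the ExtraData terminal block as an overlay, then scores a file on the indicators the article mentions (document-style double extension, hidden-window script host arguments, a minimized ShowCommand, and an appended payload). The sample shortcut, its file name, command line and overlay bytes are constructed for illustration and are not a real APT37 artifact.

```python
"""Parse a Windows Shell Link (.lnk) and flag the traits the APT37 chain relies on.

Added example, not Check Point's code. Layout per MS-SHLLINK: ShellLinkHeader,
optional LinkTargetIDList / LinkInfo, StringData, ExtraData, then (abnormally)
an overlay, which is where this campaign hid the decoy document and BAT script.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-...-46
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that keeps the launched console window out of sight
DOC_EXTENSIONS = (".pdf", ".hwp", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")
SUSPICIOUS_ARGS = re.compile(
    r"powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|"
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b|bypass",
    re.IGNORECASE)


def _read_string(data, pos, unicode):
    """StringData entry: 2-byte character count, then the characters (UTF-16LE if IsUnicode)."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return data[pos:pos + count].decode("latin-1"), pos + count


def parse_lnk(data):
    """Return the parsed StringData fields, ShowCommand and any trailing overlay bytes."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    (flags,) = struct.unpack_from("<I", data, 20)
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    unicode = bool(flags & IS_UNICODE)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # 2-byte IDListSize, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], pos = _read_string(data, pos, unicode)
    # ExtraData: blocks prefixed by a 4-byte BlockSize; a value below 4 is the TerminalBlock.
    while pos + 4 <= len(data):
        (block_size,) = struct.unpack_from("<I", data, pos)
        pos += 4
        if block_size < 4:
            break
        pos += block_size - 4
    fields["overlay"] = data[pos:]               # nothing legitimate belongs past the terminal block
    return fields


def assess_lnk(filename, data):
    """Return a list of indicator strings; an empty list means nothing suspicious was found."""
    info = parse_lnk(data)
    indicators = []
    lower = filename.lower()
    stem = lower[:-4] if lower.endswith(".lnk") else lower
    if stem.endswith(DOC_EXTENSIONS):
        indicators.append(f"document-style double extension: {filename}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        indicators.append("ShowCommand=SW_SHOWMINNOACTIVE (launched window kept minimized)")
    args = info.get("arguments", "")
    if SUSPICIOUS_ARGS.search(args):
        indicators.append(f"script host / hidden-window arguments: {args[:80]}")
    if info["overlay"]:
        kind = "PDF" if info["overlay"].startswith(b"%PDF") else "unknown"
        indicators.append(f"{len(info['overlay'])} overlay bytes after terminal block ({kind} header)")
    return indicators


def _string_data(text):
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, arguments="", show_command=1, overlay=b""):
    """Assemble a minimal Unicode .lnk: header, one-item IDList, StringData, terminal block, overlay."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | IS_UNICODE
    if arguments:
        flags |= HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = b"\x06\x00" + b"\x04\x00\x1f\x50" + b"\x00\x00"  # IDListSize, one ItemID, TerminalID
    body = _string_data(relative_path) + (_string_data(arguments) if arguments else b"")
    return header + id_list + body + b"\x00\x00\x00\x00" + overlay


# Constructed samples modelled on the chain described in the article; NOT real APT37 files.
MALICIOUS_NAME = "Libya oil report.pdf.lnk"
MALICIOUS_LNK = build_lnk(
    "..\\..\\..\\Windows\\System32\\cmd.exe",
    "/c powershell -WindowStyle Hidden -NoProfile -Command Start-Sleep",
    show_command=SW_SHOWMINNOACTIVE,
    overlay=b"%PDF-1.4\n% constructed decoy bytes\n@echo off\r\nrem constructed stub\r\n")
BENIGN_LNK = build_lnk("..\\Documents\\notes.txt")

if __name__ == "__main__":
    for name, blob in ((MALICIOUS_NAME, MALICIOUS_LNK), ("notes.lnk", BENIGN_LNK)):
        print(name, "->", assess_lnk(name, blob) or "clean")
```

The overlay check is the one that matters most for this campaign: a shortcut that needs only a few hundred bytes to point at cmd.exe but weighs tens of kilobytes or more is carrying something, and the PowerShell in its arguments is what reads that something back out at a fixed offset. Real samples also set an icon location that borrows a document viewer's icon, which the parser exposes as `icon_location` for whatever additional rule you want to write.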
Over the past year, attackers have used LNK files to deliver malware such as Emotet, IcedID, and Qakbot, McAfee and others have noted. These attacks have involved threat actors using spam, phishing emails, and malicious URLs to deliver the LNKs to users. Growing attacker adoption of the tactic has also spawned a bevy of commercial link generation tools for creating malicious LNK files. Examples include Quantum Lnk Builder, which started shipping last year at rates ranging from around $200 per month to around $1,600 for lifetime access; MLNK Builder, available for $125 per build; and Macropack.
