Distribution of malicious LNK files impersonating the National Tax Service
2023-09-14 • Ahnlab • Spreading of malicious LNK impersonating the National Tax Service
AhnLab ASEC observed malicious LNK files distributed to South Korean users under a National Tax Service tax-explanation theme. The ZIP, suspected to have been delivered by email and downloaded from file.gdrive001.com, contained a large dummy-padded LNK that ran PowerShell, opened a decoy HWP document, unpacked scripts under the Public folder, and registered start.vbs under a Run key for persistence. The script chain collected user information, uploaded it to filehost001.com, and attempted to download ZIP and CAB payloads for execution with rundll32 and batch scripts. ASEC said its infrastructure ultimately identified Quasar RAT and Amadey as the final malware, while noting that the attacker appeared to keep the malicious download available only briefly to hinder analysis.
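As an added defender-side example (not code from the AhnLab/ASEC report), the following Python script walks the header, link-target, link-info and string-data sections of a Windows shortcut as laid out in MS-SHLLINK and flags the traits described above: an abnormally large file, bytes appended after the shortcut's terminal block (dummy padding), and a target or argument string that invokes a script host such as PowerShell. The sample shortcut it builds is constructed here for illustration, and the size threshold and marker list are assumptions a team would tune to its own baseline.

```python
"""Triage of Windows shortcut (.lnk) files for dummy padding and script-host launch.

Added example: parses the ShellLinkHeader, LinkTargetIDList, LinkInfo and
StringData sections as laid out in MS-SHLLINK, then reports traits matching the
shortcut described in the ASEC write-up. The sample shortcut, the size threshold
and the marker list are constructed assumptions, not data from the report.
"""
import struct

LNK_HEADER_SIZE = 0x4C
# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Assumed tuning values: benign shortcuts are usually well under 64 KiB and
# carry nothing after the ExtraData terminal block.
SIZE_THRESHOLD = 64 * 1024
TRAILING_THRESHOLD = 1024
SCRIPT_HOST_MARKERS = ("powershell", "-nop", "-enc", "hidden", "bypass",
                       "downloadstring", "iex", "invoke-expression",
                       "mshta", "rundll32", "wscript", "cscript")


def parse_lnk(data: bytes) -> dict:
    """Walk the shortcut structures; return the string fields and the trailing byte count."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: HeaderSize must be 0x4C")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            strings[name] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            # ANSI strings use the system code page; cp1252 is an assumption (cp949 on Korean hosts).
            strings[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    # ExtraData: blocks prefixed by a 4-byte size; a size below 4 is the TerminalBlock.
    while pos + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            pos += 4
            break
        pos += block_size
    return {"flags": flags, "structure_end": pos,
            "trailing_bytes": max(len(data) - pos, 0), **strings}


def triage_lnk(data: bytes) -> dict:
    """Return the launch strings plus analyst findings; two or more findings mark it suspicious."""
    info = parse_lnk(data)
    findings = []
    if len(data) > SIZE_THRESHOLD:
        findings.append(f"oversized shortcut: {len(data)} bytes")
    if info["trailing_bytes"] > TRAILING_THRESHOLD:
        findings.append(f"{info['trailing_bytes']} bytes after the terminal block "
                        "(dummy padding or embedded payload)")
    haystack = " ".join(info.get(k, "") for k in ("relative_path", "arguments", "icon_location")).lower()
    hits = [m for m in SCRIPT_HOST_MARKERS if m in haystack]
    if hits:
        findings.append("script-host indicators in target/arguments: " + ", ".join(hits))
    return {"size": len(data),
            "relative_path": info.get("relative_path", ""),
            "arguments": info.get("arguments", ""),
            "trailing_bytes": info["trailing_bytes"],
            "findings": findings,
            "suspicious": len(findings) >= 2}


def build_sample_lnk(relative_path: str, arguments: str, padding: int) -> bytes:
    """Construct a minimal Unicode shortcut (RelativePath + Arguments) for offline testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE)
    header += bytes.fromhex("0114020000000000C000000000000046")  # LinkCLSID 00021401-0000-0000-C000-000000000046
    header += struct.pack("<II", flags, 0x20)                     # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                                        # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 7, 0, 0, 0, 0)        # FileSize, IconIndex, ShowCommand, HotKey, Reserved1-3
    assert len(header) == LNK_HEADER_SIZE

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return (header + string_data(relative_path) + string_data(arguments)
            + struct.pack("<I", 0) + b"\x00" * padding)          # TerminalBlock, then dummy padding


# Constructed sample mirroring the shape described in the report: a shortcut that
# launches PowerShell hidden and carries roughly 200 KiB of dummy padding.
SAMPLE_RELATIVE_PATH = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ARGUMENTS = '-nop -w hidden -c "Write-Host constructed-sample"'
SAMPLE_PADDING = 200 * 1024

if __name__ == "__main__":
    result = triage_lnk(build_sample_lnk(SAMPLE_RELATIVE_PATH, SAMPLE_ARGUMENTS, SAMPLE_PADDING))
    for line in result["findings"]:
        print("-", line)
    print("suspicious:", result["suspicious"])
```

The parser deliberately stops at the ExtraData terminal block rather than trusting the file length, which is what exposes appended padding; on a real triage run the same `trailing_bytes` figure is worth recording alongside the file hash, since padded shortcuts from one campaign tend to share it.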
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://file.gdrive001.com/read… | 2023-09-14 | 2023-11-24 |
| DOMAIN | file.gdrive001.com | 2023-09-14 | 2023-11-24 |
| HASH | 560e5977e5e5ce077adc9478cd93c2ac | 2023-09-14 | 2023-09-21 |
| HASH | 9c3eef28b4418c40a7071ddcba17f0e8 | 2023-09-14 | 2023-09-21 |
| HASH | 2d0747533d4d3f138481c4c4cda9ea1e | 2023-09-14 | 2023-09-21 |
| HASH | ca11ba5e641156ff72400e7f5e103aee | 2023-09-14 | 2023-09-21 |
| HASH | b5f698fb96835d155fbcc1ccd4f4b520 | 2023-09-14 | 2023-09-21 |
| HASH | 7725d117d0bd0a7a5fb8ef101b019415 | 2023-09-14 | 2023-09-21 |
| HASH | 20f0e8362782c7451993e579336f2f3e | 2023-09-14 | 2023-09-21 |
| URL | http://filehost001.com/upload.p… | 2023-09-14 | 2023-09-21 |
| URL | https://file.gdrive001.com/read… | 2023-09-14 | 2023-09-21 |
| URL | http://filehost001.com/list.php… | 2023-09-14 | 2023-09-21 |
| DOMAIN | filehost001.com | 2023-09-14 | 2023-09-21 |