LNK malware disguised as a document file
2023-11-24 • Secu I
SECUi describes 2023 Kimsuky attacks in South Korea that used ZIP archives containing a decoy document and an LNK file disguised as a document to start reconnaissance malware. The LNK embeds obfuscated PowerShell, a lure document, and script modules; execution extracts BAT/VBS components, registers start.vbs under HKCU Run for persistence, and downloads RC4-encrypted payloads from attacker infrastructure. The BAT chain collects directory listings, public IP lookup data, task lists, and system information, then encrypts and uploads the results to C2. The report also notes tax, document-submission, and university-related Korean lures and C2 domains such as drives001.com, gdrive001.com, and cldservice.net.
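The lure pattern above (an LNK named like a document, launching a script interpreter, carrying embedded data) can be checked structurally. The following is an added example, not code from the SECUi report: it walks the MS-SHLLINK header, StringData and ExtraData, then flags a document-style double extension, a script-interpreter target, and bytes appended after the link structure. The sample file name, the PowerShell relative path and the appended blob are constructed placeholders.

```python
import struct

# ShellLinkHeader (MS-SHLLINK): HeaderSize 0x4C followed by the shell-link CLSID, then LinkFlags.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))

def parse_lnk(data: bytes) -> dict:
    """Walk header, IDList, LinkInfo, StringData and ExtraData; measure what is appended after them."""
    if len(data) < 0x4C or data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 0x4C
    if flags & HAS_IDLIST:                      # IDListSize (u16) + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfoSize (u32) covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    strings, width = {}, 2 if flags & IS_UNICODE else 1
    for flag, name in STRING_FIELDS:            # CountCharacters (u16) + chars, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    size = 4                                    # ExtraData: walk blocks until a BlockSize < 4
    while size >= 4 and pos + 4 <= len(data):
        size = struct.unpack_from("<I", data, pos)[0]
        pos += max(size, 4)
    return {"strings": strings, "appended_bytes": max(len(data) - pos, 0)}

def assess_lnk(filename: str, data: bytes) -> list:
    """Flag the lure pattern: document-looking name, script-interpreter target, appended payload."""
    info, findings = parse_lnk(data), []
    if filename.lower().removesuffix(".lnk").endswith((".hwp", ".doc", ".docx", ".pdf", ".xlsx", ".txt")):
        findings.append("double extension mimics a document")
    launch = " ".join(info["strings"].get(k, "") for k in ("relative_path", "arguments")).lower()
    if any(tool in launch for tool in ("powershell", "cmd.exe", "wscript", "cscript", "mshta")):
        findings.append("target launches a script interpreter")
    if info["appended_bytes"]:
        findings.append(f"{info['appended_bytes']} bytes appended after the link structure")
    return findings

def build_lnk(relative_path: str, arguments: str, payload: bytes = b"") -> bytes:  # constructed, not a real sample
    header = LNK_MAGIC + struct.pack("<I", HAS_RELPATH | HAS_ARGS | IS_UNICODE) + bytes(0x4C - 24)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body + b"\x00\x00\x00\x00" + payload   # terminal ExtraData block, then payload

# Constructed lure: named like a PDF, launches PowerShell, carries a 4100-byte blob after the structure.
SAMPLE = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                   '-w hidden -c "<obfuscated-stub-placeholder>"', b"PK\x03\x04" + bytes(4096))
```

Running `assess_lnk("tax_notice.pdf.lnk", SAMPLE)` returns all three findings, while a plain shortcut to notepad.exe returns none; on a real mailbox or endpoint the same checks apply to the bytes of each .lnk inside an incoming ZIP.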
Indicators of Compromise