Targeted Watering-Hole Attack, and KISA's Cyber Threat Hunting

2022-02-21 KRCERT Targeted Watering-Hole Attack and KISA Cyber Threat Hunting

https://www.dailysecu.com/form/html/k-cti/image/2022/down-01.pdf

Attachments

down-01.pdf (3 MB)

KISA described a targeted watering-hole attack in which a compromised Korean website redirected visitors through malicious scripts and IP filtering before delivering malware via software vulnerability exploitation. The attack chain included initial access, command-and-control, RAT download, data collection, and exfiltration over the C2 channel. Technical artifacts in the excerpt include C:\users\public\iexplore.exe, a temporary LNK-named file, Base64 and RC4 decoding details, and TigerRAT identified as ASDCli.exe. The hunting section maps the activity to stages such as reconnaissance, resource development, exploitation for client execution, signed binary proxy execution, command scripting, automated collection, archive collection, and exfiltration.
