Malicious LNK File Being Distributed, Impersonating the National Tax Service

2023-09-21 AhnLab (ASEC)

https://asec.ahnlab.com/en/57176/


ASEC (AhnLab) analyzed a Korean campaign distributing a malicious LNK file disguised as a National Tax Service income-tax clarification package. The ZIP archive was delivered from a URL on file.gdrive001.com and contained an unusually large LNK file alongside a benign HWP decoy document. When run, the LNK launched PowerShell and dropped batch/VBS scripts that opened the decoy, created files under %Public%, established persistence through a Run registry key, collected a process list and a listing of the user's folders, and uploaded them to filehost001.com. The chain then attempted to fetch additional ZIP and CAB payloads, and AhnLab telemetry ultimately observed Quasar RAT and Amadey executing on affected hosts. The report lists related Korean-language lures and file hashes, showing an active LNK-based delivery pattern aimed at Korean users.
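The following PowerShell hunt is an added example, not code from the ASEC report or from AhnLab: it checks a Windows host for the artifacts the summary above describes (Run-key persistence that points into %Public% or invokes a script interpreter, unusually large .lnk files whose target is an interpreter, and cached DNS entries for the two C2 domains in the IOC table). The 1 MB size threshold, the directories searched, and the interpreter regexes are assumptions chosen for illustration; only the two domains come from this page.

```powershell
# Added hunting script (not from the ASEC report). Run in an elevated PowerShell
# session for HKLM coverage; HKCU and user folders work without elevation.

$LnkSizeThresholdMB = 1        # assumption: real shortcuts are a few KB; payload-carrying LNKs are far larger
$PublicDir  = $env:Public      # %Public%, normally C:\Users\Public
$IocDomains = @('file.gdrive001.com', 'filehost001.com')   # from the IOC table on this page
$findings   = [System.Collections.Generic.List[object]]::new()

# 1. Run / RunOnce values whose command references %Public% or a script interpreter with a script file.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$interpreterRx = '(?i)\b(powershell|pwsh|wscript|cscript|cmd|mshta)(\.exe)?\b.*\.(vbs|bat|cmd|ps1|js)\b'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ... metadata
        $cmd = [string]$p.Value
        $hitsPublic = ($PublicDir -and $cmd -like "*$PublicDir*") -or ($cmd -match '(?i)%Public%')
        if ($hitsPublic -or $cmd -match $interpreterRx) {
            $findings.Add([pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $cmd })
        }
    }
}

# 2. Oversized .lnk files, or .lnk files whose target is a script interpreter, in common landing folders.
$lnkDirs = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP) | Where-Object { Test-Path $_ }
$shell = New-Object -ComObject WScript.Shell
foreach ($lnk in Get-ChildItem -Path $lnkDirs -Filter *.lnk -File -Recurse -ErrorAction SilentlyContinue) {
    $sizeMB = [math]::Round($lnk.Length / 1MB, 2)
    $target = ''
    try {
        $sc = $shell.CreateShortcut($lnk.FullName)
        # Caveat: COM may not return very long argument strings in full; confirm hits with a dedicated LNK parser.
        $target = "$($sc.TargetPath) $($sc.Arguments)".Trim()
    } catch { }
    $usesInterpreter = $target -match '(?i)\b(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\b'
    if ($sizeMB -ge $LnkSizeThresholdMB -or $usesInterpreter) {
        $findings.Add([pscustomobject]@{ Type = 'LNK'; Location = $lnk.FullName; Detail = "size=${sizeMB}MB target=$target" })
    }
}

# 3. DNS client cache entries for the C2 domains (only present while the cached record is still live).
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    foreach ($e in Get-DnsClientCache -ErrorAction SilentlyContinue) {
        foreach ($d in $IocDomains) {
            if ($e.Entry -eq $d -or $e.Entry -like "*.$d") {
                $findings.Add([pscustomobject]@{ Type = 'DNS'; Location = $e.Entry; Detail = "cached record -> $($e.Data)" })
            }
        }
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No matching artifacts found.' }
```

Each finding is a lead, not a verdict: legitimate software occasionally registers Run values under %Public%, so review the command line and the referenced files before acting. Hashes of suspicious files can be compared against the MD5 values in the IOC table below with `Get-FileHash -Algorithm MD5`.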

Indicators of Compromise

Hash values are MD5 (32 hex digits). Truncated URLs are shown as published.

Type     Value                               First Seen   Last Seen
URL      https://file.gdrive001.com/read…    2023-09-14   2023-11-24
DOMAIN   file.gdrive001.com                  2023-09-14   2023-11-24
URL      https://file.gdrive001.com/read…    2023-09-21   2023-09-21
HASH     560e5977e5e5ce077adc9478cd93c2ac    2023-09-14   2023-09-21
HASH     9c3eef28b4418c40a7071ddcba17f0e8    2023-09-14   2023-09-21
HASH     2d0747533d4d3f138481c4c4cda9ea1e    2023-09-14   2023-09-21
HASH     ca11ba5e641156ff72400e7f5e103aee    2023-09-14   2023-09-21
HASH     b5f698fb96835d155fbcc1ccd4f4b520    2023-09-14   2023-09-21
HASH     7725d117d0bd0a7a5fb8ef101b019415    2023-09-14   2023-09-21
HASH     20f0e8362782c7451993e579336f2f3e    2023-09-14   2023-09-21
URL      http://filehost001.com/upload.p…    2023-09-14   2023-09-21
URL      https://file.gdrive001.com/read…    2023-09-14   2023-09-21
URL      http://filehost001.com/list.php…    2023-09-14   2023-09-21
DOMAIN   filehost001.com                     2023-09-14   2023-09-21
