North Korean Threat Group APT37 Adopts LNK Tactic for Malware Delivery
The North Korean cyber threat group APT37 has adapted its malware delivery tactics to use LNK files, commonly known as shortcut files, in response to Microsoft’s blocking of macros by default since 2022. Check Point Research, which has been tracking APT37, reported seeing the group use LNK files to distribute a remote access trojan (RAT) to targets associated with South Korean domestic and foreign affairs. The disguised LNK files have been landing on target systems as apparently legitimate documents.
Multi-Stage Malware Delivery Tactics
When the user clicks on the LNK file, it triggers the execution of a PowerShell script that extracts a decoy document and drops it on disk, making it seem like the victim has opened a legitimate PDF or HWP file. Meanwhile, the PowerShell script extracts a BAT script from the LNK, which then executes another PowerShell script to download a payload from OneDrive, resulting in RokRAT being installed on the system.
The multi-staging technique makes it challenging for defenders to track the entire infection chain and understand the initial infection vector. The victim unknowingly runs legitimate code alongside malicious code in LNK files that mimic more benign files such as PDFs or document files produced by word processors.
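As an added illustration of how a defender can triage shortcuts of the kind described above (example code written for this page, not from Check Point’s report), the following Python walks the documented Shell Link header and StringData fields and flags the signals such a loader leaves behind: a document-style double extension, a script-host target with long arguments, and data appended past the end of the shortcut structure. The sample shortcut is constructed inside the block; the watch-lists and the argument-length threshold are assumptions to tune per environment.

```python
import struct

HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
HEADER_SIZE = 0x4C  # ShellLinkHeader size; the flags above are MS-SHLLINK LinkFlags bits 0-7
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta")   # assumed watch-list
DOC_EXTS = (".pdf", ".hwp", ".doc", ".docx", ".xls", ".xlsx", ".txt")             # assumed watch-list

def parse_lnk(data: bytes) -> dict:
    """Walk header, IDList, LinkInfo and StringData; return the strings plus bytes left after the ExtraData terminator."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                       # LinkTargetIDList: uint16 size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfo: uint32 total size (includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    enc, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("cp1252", 1)
    info = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if flags & bit:                           # StringData: uint16 char count, unterminated string
            n = struct.unpack_from("<H", data, pos)[0]
            info[key] = data[pos + 2:pos + 2 + n * width].decode(enc)
            pos += 2 + n * width
    size = 4
    while pos + 4 <= len(data) and size >= 4:     # ExtraData blocks end with a uint32 size < 4
        size = struct.unpack_from("<I", data, pos)[0]
        pos += max(size, 4)
    info["trailing_bytes"] = max(0, len(data) - pos)  # content smuggled after the structure
    return info

def triage_lnk(filename: str, data: bytes) -> list:
    """Return the reasons a shortcut matches the document-masquerading loader pattern."""
    info = parse_lnk(data)
    stem = filename.lower().removesuffix(".lnk")
    launch = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    checks = [
        (stem.endswith(DOC_EXTS), "double extension masquerading as a document"),
        (any(h in launch for h in SCRIPT_HOSTS), "target launches a script host"),
        (len(info.get("arguments", "")) > 200, "unusually long command-line arguments"),
        (info["trailing_bytes"] > 0, f"{info['trailing_bytes']} bytes appended after the shortcut structure"),
    ]
    return [reason for hit, reason in checks if hit]

def build_sample_lnk(rel_path: str, args: str, icon: str, appended: bytes = b"") -> bytes:  # constructed test sample
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = b"\x4c\x00\x00\x00" + bytes(16) + struct.pack("<I", flags) + bytes(HEADER_SIZE - 24)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args, icon))
    return header + body + struct.pack("<I", 0) + appended   # TerminalBlock, then any appended bytes
```

Real shortcuts also carry an IDList and LinkInfo, which the parser skips by their declared sizes; the appended-bytes check is what catches a shortcut that carries its own decoy document and scripts.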
APT37 Previous Malicious Campaigns
APT37, also known as ScarCruft and Reaper, has been operating since at least 2012. The group has been involved in several campaigns, including Operation Daybreak, an attack on South Korean diplomatic targets that exploited a zero-day bug. The group also used a backdoor known as GoldBackdoor that targeted South Korean journalists.
The Increasing Popularity of LNK Files for Malware
Microsoft’s disabling of macros by default on files downloaded from the Internet last year tackled the high number of threats previously associated with macros in Office documents. This move led to a dramatic reduction in the number of such threats in the second half of 2022. As a result, attackers shifted their tactics toward LNK files, whose features make them well suited to abuse. For example, attackers can make LNK files appear as almost any type of file, such as PDFs or document files from word processors, and LNK files make it easy to run different types of scripts, such as BAT scripts.
Be Aware of LNK Files
As attackers increasingly adopt the tactic, users must remain vigilant of LNK files and ensure they are not deceived by their appearance. Attackers are using spam, phishing emails, and malicious URLs to deliver LNK files to users. A bevy of commercial link generation tools, including Quantum Lnk Builder, MLNK Builder and Macropack, is currently available to create malicious LNK files.
Users undoubtedly face new and more demanding threat environments. At the same time, technology providers, researchers, and industry associations are working tirelessly to ensure businesses, organizations, and individuals remain protected. It is imperative for every user or corporation to strengthen their security posture by adopting necessary safeguards and take extra care when handling files, especially suspicious LNK files.