North Korean APT Gets Around Macro-Blocking With LNK Switch-Up

APT37 is among a growing list of threat actors that have switched to Windows shortcut files after Microsoft blocked macros last year.

North Korea hacking concept of a computer keyboard and a key painted with the North Korean flag
Source: David Carillet via Shutterstock

North Korea's APT37 threat group is providing fresh evidence of how adversaries have pivoted to using LNK, or shortcut files, to distribute malicious payloads after Microsoft began blocking macros by default last year to prevent malware delivery via Office documents.

Check Point Research, which has been tracking APT37 for years, this week reported seeing the threat actor using LNK files to deliver a remote access trojan (RAT) dubbed RokRAT on systems belonging to entities associated with South Korean domestic and foreign affairs.

Disguised As Legitimate Documents

The LNK files have been landing on target systems disguised as legitimate documents. In one attack that Check Point analyzed, the attacker disguised the malicious LNK file as a PDF and included it in a ZIP archive along with three legitimate — but stolen — documents pertaining to the Libyan Oil & Gas Industry. In an April 2023 attack, the threat actor used an ISO to put two malicious LNKs that purported to contain content pertaining to South Korean diplomacy and policy decisions associated with North Korea.

Check Point researchers found that in both instances when a user clicked on the LNK file, it triggered the execution of a PowerShell script that extracted a document from the LNK, dropped it on disk and opened it. The document was a decoy that tricked victims into thinking they had opened a legitimate PDF or a South Korean's Hangul Word Processor (HWP) file.

However, in the background, the PowerShell scripts also extracted a BAT script from the LNK that, in turn, executes another PowerShell script for downloading a payload from OneDrive that resulted in RokRAT being installed on the system.

Sergey Shykevich, threat intelligence group manager at Check Point, says this kind of a multi-stage malware delivery process can make analysis harder for defender. With the LNK file masquerading as a PDF file, for instance, after the victim clicks on the LNK file it loads a PowerShell that loads two files. 

The first is a legitimate PDF that tricks the victim into thinking everything is fine. The other is a "malicious script that runs a new PowerShell from a specific OneDrive and which runs a payload which loads RokRAT," he says. "Multi-staging makes it more difficult to track the whole infection chain and — if a malware is detected in the network — to understand the initial infection vector.

Switching Up Initial Infection Tactics

APT37, also known as ScarCruft and Reaper, has been active since at least 2012. The group has been associated with numerous campaigns over the years including one dubbed Operation Daybreak targeted at South Korean diplomatic targets, that exploited a zero-day bug, and another involving a backdoor called GoldBackdoor that targeted South Korean journalists.

APT37's switch to using LNK files for malware delivery is part of a trend that, in a sense, began in earnest when Microsoft decided to disable macros by default on files downloaded from the Internet last year. Prior to Microsoft first announcing its decision — in February 2022 — some 31% of all threats involved macros in Office documents, according to one study. That number has dropped dramatically after Microsoft's decision went into effect in the second half of 2022 — after it seemed for a moment that the company would not go through with the plan.

Shell Link, or LNK files, are Windows files that provide a short cut to other files, folders, and drivers on the system. By clicking on a LNK file, a user can open the associated file or app without having to navigate to the app manually. LNK files provide a convenient way for a user to access frequently used files and software and are generally considered safe.

LNK File, Attractive to Cyberattackers

But there are features of LNK files that make it ideal for attackers, Shykevich says. "The effectiveness of LNK is mostly because the attacker can make the LNK file look like almost any other type of file," he says. As examples he points to PDF and Doc files. "It also allows the attacker to easily run different types of scripts [such as] BAT scripts in APT37s case," Shykevich notes. The biggest challenge for the user is paying enough attention to such files and making sure that they actually are LNK files.

Over the past year, attackers have used LNK files to deliver malware such as Emotet, IcedID, and Quakbot, McAfee and others have noted. The attacks have involved threat actors using spam, phishing emails, and malicious URLs to deliver the LNKs to users. Growing attacker adoption of the tactic has also spawned a bevy of commercial link generation tools to create malicious LNK files. Some examples of these tools include Quantum Lnk Builder, which started shipping last year at rates ranging from around $200 per month to around $1,600 for lifetime access, MLNK Builder available for $125 per build, and Macropack.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights