Beware of '*.lnk' Files... North Korean Hacking Group Distributes Malware
North Korean Hacking Group ‘APT37’ Distributes Malware
Disguised as Shortcut for Infiltration... Special Caution Required
North Korean hacking groups are distributing malicious code using Windows shortcut files, prompting the need for caution.
According to domestic security company AhnLab on the 23rd, the North Korean hacking group ‘APT37’ has recently been distributing the malicious code RokRAT through Windows shortcut files with the extension ‘*.lnk’.
RokRAT collects user information and can download additional malicious code, so an infection may lead to secondary damage. RokRAT has previously been distributed through Hangul and Word documents.
The lnk filenames confirmed so far include ‘230407jeongboji.lnk’, ‘2023nyeondo 4wol 29il seminar.lnk’, ‘2023nyeondo gaeinpyeongga silsi.hwp.lnk’, ‘buk oegyo gwan seonbalpadang mit haeo gonggwan.lnk’, and ‘bukhan oegyo jeongchaek gyeoljeong gwajeong.lnk’.
The lnk files identified this time contain commands written in PowerShell, a scripting language installed by default on Windows. When opened, they create script files alongside legitimate files in the temporary folder path and execute those scripts to perform malicious actions.
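As an added example (not AhnLab's tooling and not part of the original article), the following Python reads the string fields of a shortcut according to the Shell Link (MS-SHLLINK) layout and flags the two traits reported above: a document extension hidden before ‘.lnk’ and a reference to PowerShell or the temporary folder. The function names, the keyword and extension lists and the constructed sample are assumptions; only the string fields are examined, not the target ID list or link info.

```python
import os
import struct

# CLSID carried by every Shell Link header (MS-SHLLINK)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData fields in on-disk order, keyed by their LinkFlags bit
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
KEYWORDS = ("powershell", "%temp%", "$env:temp")       # assumed watch list
DOC_EXTS = (".hwp", ".doc", ".docx", ".pdf")           # assumed decoy extensions

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file; ValueError if malformed."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    try:
        flags = struct.unpack_from("<I", data, 20)[0]
        pos = 76                                   # end of the fixed header
        if flags & 0x01:                           # HasLinkTargetIDList: 2-byte size + list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & 0x02:                           # HasLinkInfo: 4-byte size counts itself
            pos += struct.unpack_from("<I", data, pos)[0]
        wide = bool(flags & 0x80)                  # IsUnicode: strings are UTF-16LE
        fields = {}
        for bit, key in STRING_FIELDS:
            if flags & bit:
                size = struct.unpack_from("<H", data, pos)[0] * (2 if wide else 1)
                raw = data[pos + 2:pos + 2 + size]
                if len(raw) != size:
                    raise ValueError("truncated StringData")
                # cp1252 for non-Unicode links is an assumption (spec: system code page)
                fields[key] = raw.decode("utf-16-le" if wide else "cp1252", "replace")
                pos += 2 + size
        return fields
    except struct.error as exc:
        raise ValueError("truncated Shell Link") from exc

def triage(filename: str, data: bytes) -> list:
    """Return the reasons a shortcut deserves a closer look (empty list: none found)."""
    reasons = []
    stem = os.path.splitext(filename.lower())[0]
    if os.path.splitext(stem)[1] in DOC_EXTS:
        reasons.append("document extension hidden before .lnk")
    text = " ".join(parse_lnk(data).values()).lower()
    return reasons + [f"shortcut references {kw}" for kw in KEYWORDS if kw in text]

def build_sample(arguments: str) -> bytes:
    """Constructed input: bare header (HasArguments | IsUnicode) plus one string."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0xA0).ljust(76, b"\0")
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Calling `triage(name, open(path, "rb").read())` on each shortcut in a mail attachment or download folder returns an empty list for shortcuts that show neither trait.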
AhnLab urged, “RokRAT malware has been steadily distributed since the past and is spread not only through Word documents but also through various file formats, so users need to exercise special caution.”
Meanwhile, APT37, identified as the distributor, is a group that has attacked domestic North Korea-related organizations and defense sector personnel using the latest security vulnerabilities. It is known by various names such as ‘Geumseong121’, ‘ScarCruft’, ‘RedEyes’, and ‘Group123’.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.