APT37 Attack Case Impersonating a North Korean Human Rights Organization
Contents
GSC-R230501-Rev-5.3
Distribution TLP : WHITE
Threat Analysis Report
APT37 Attack Case Impersonating a North Korean Human Rights Organization
2023. 05. 23
Endpoint Security R&D Lab
Genians Security Center
Authors: Moon Jong-hyun (문종현), Center Director; Yu Hyun (유현), Research Associate; Song Kwan-yong (송관용), Researcher
※ Reproduction or copying of the contents of this report without prior consent from Genians Co., Ltd. is prohibited.
Threat Intelligence Report
- CONTENTS -
01. Overview
a. Detection of APT37 Group Threat Indicators (Threat Hunting)
b. Attack Tactics and Strategy Types (TTPs)
02. Attack Scenario
a. Stage 1: LNK Attack (Spear Phishing)
b. Stage 2: DOC Attack (Spear Phishing)
c. Attack Flow
03. Malware Analysis
a. Analysis of ‘임원이력서-김**.lnk’ (“Executive Resume-Kim**.lnk”; some characters replaced with *)
b. Analysis of the ‘other32.jpg’ File (Steganography)
c. Analysis of '강**.doc' (some characters replaced with *)
04. Similarity Comparison with the 2017 ROKRAT Attack
a. Information-Stealing Code Similarity
b. PDB Path Similarity
c. Form-Data Delimiter Similarity
d. pCloud API Similarity
05. Threat Campaigns
a. Correlation Between Campaign Cases
06. Conclusion and …
IoC