HWP Malware disguised as Korea Development Association (Real Estate Association).
분석가E 2018. 9. 13. 16:52
A Hangul (HWP) malicious document disguised as the "daily trend report" of the "Korea Real Estate Association" has appeared.
It is not much different from the previous sample: the embedded EPS decrypts its shellcode with a 16-byte key and then downloads the malware.
The shellcode downloads manuscrypt from the addresses below.
Download URLs
hxxps://tamil[.]eronow[.]in/wp-content/uploads/2018/04/profile_1[.]gif
hxxps://tamil[.]eronow[.]in/wp-content/uploads/2018/04/profile_2[.]gif
The downloaded manuscrypt is XOR-encoded with the single byte 0xAA.
Manuscrypt uses the following three C2 servers.
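The two decoding steps above (the EPS stage keyed with a 16-byte key, and the downloaded payload XOR-encoded with 0xAA) are the same primitive at different key lengths. The script below is an added example, not code from the original post or from the malware: it implements repeating-key XOR, decodes a payload with the 0xAA key, checks that the result is a PE (MZ/PE headers), brute-forces an unknown single-byte key, and hashes the decoded bytes so they can be compared against the SHA-1 values listed under IOC. The sample payload is constructed (a fake PE header, not the real manuscrypt), and treating the EPS stage as repeating-key XOR is an assumption for illustration; the post only says it decrypts with a 16-byte key.

```python
import hashlib

# Constructed sample: a minimal fake PE image (MZ header, e_lfanew -> "PE\0\0").
# This is NOT the real manuscrypt; it only exercises the decoder and the PE check.
SAMPLE_PLAINTEXT = (
    b"MZ\x90\x00" + b"\x00" * 56        # DOS header up to offset 0x3c
    + (0x80).to_bytes(4, "little")     # e_lfanew = 0x80
    + b"\x00" * 64                     # padding up to 0x80
    + b"PE\x00\x00"                    # PE signature
)

MANUSCRYPT_KEY = b"\xaa"               # single-byte key stated in the post


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (key length 1 covers the 0xAA case,
    length 16 covers the assumed EPS stage)."""
    if not key:
        raise ValueError("empty key")
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def decode_manuscrypt(blob: bytes) -> bytes:
    """Recover the PE from a profile_N.gif-style blob encoded with 0xAA."""
    return xor_repeating(blob, MANUSCRYPT_KEY)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(blob: bytes):
    """If the key is unknown, try all 256 single-byte keys and keep the
    one that yields a structurally valid PE. Returns int or None."""
    for k in range(256):
        if looks_like_pe(xor_repeating(blob, bytes([k]))):
            return k
    return None


def recover_key_known_plaintext(cipher: bytes, known_prefix: bytes, keylen: int) -> bytes:
    """Known-plaintext recovery for a repeating key: key[i] = c[i] ^ p[i].
    Needs at least keylen bytes of known plaintext (e.g. an MZ header)."""
    if len(known_prefix) < keylen or len(cipher) < keylen:
        raise ValueError("need at least keylen bytes of known plaintext and ciphertext")
    return bytes(cipher[i] ^ known_prefix[i] for i in range(keylen))


def sha1_hex(data: bytes) -> str:
    """SHA-1 of a buffer, for matching against the IOC list."""
    return hashlib.sha1(data).hexdigest()


# Constructed encoded blob, as it would sit on the download server.
ENCODED_SAMPLE = xor_repeating(SAMPLE_PLAINTEXT, MANUSCRYPT_KEY)


if __name__ == "__main__":
    decoded = decode_manuscrypt(ENCODED_SAMPLE)
    print("PE after 0xAA decode:", looks_like_pe(decoded))
    print("brute-forced key: 0x%02x" % recover_single_byte_key(ENCODED_SAMPLE))
    print("SHA-1 of decoded:", sha1_hex(decoded))
    # Assumed EPS-style stage: 16-byte repeating XOR, recovered from the MZ header.
    eps_key = bytes(range(0x10, 0x20))
    eps_blob = xor_repeating(SAMPLE_PLAINTEXT, eps_key)
    print("16-byte key recovered:", recover_key_known_plaintext(eps_blob, SAMPLE_PLAINTEXT[:16], 16) == eps_key)
```

To check a real download, read profile_1.gif as bytes, run `decode_manuscrypt`, and compare `sha1_hex` of the original blob with the "Encoded Manuscrypt" SHA-1 values in the IOC section; the decoded buffer should pass `looks_like_pe` if the key is still 0xAA.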
C2
hxxp://aurumgroup[.]co[.]id/wp-includes/rest[.]php
hxxp://www[.]51shousheng[.]com/include/partview[.]php
hxxp://new[.]titanik[.]fr/wp-includes/common[.]php
IOC
MD5 : f392492ef5ea1b399b4c0af38810b0d6
SHA-1 : b59c5b8b9f2c0676c31a88abd9653f1630d8d77d
SHA-256 : a299bdc3fc07def4b0d5a409484f4717884a78749796960a560a9b30fab2435b
Download URL
hxxps://tamil[.]eronow[.]in/wp-content/uploads/2018/04/profile_1[.]gif
Encoded Manuscrypt (SHA-1)
profile_1.gif : 8f8899046cb0e4f948c54d52e4066dbd506d5368
profile_2.gif : 201add03aef92bf9c2724b7c8fd5a90723e1d2ee
Manuscrypt C2
hxxp://aurumgroup[.]co[.]id/wp-includes/rest[.]php
hxxp://www[.]51shousheng[.]com/include/partview[.]php
hxxp://new[.]titanik[.]fr/wp-includes/common[.]php
Appendix
Appendix 1. KODA = Korea Development Association
Appendix 2. Daily trend reports can only be downloaded by member companies, so the lure targets people who would expect to receive one.
Appendix 3. manuscrypt was submitted to VirusTotal (VT) before the HWP file.
[VirusTotal screenshots: Manuscrypt, HWP]