This analysis details a North Korean cyberattack using a malicious HWP document disguised as a cryptocurrency-related external evaluation committee appointment notice. The malware employs PowerShell commands to execute payloads, evade detection, and exfiltrate data to a remote server. #Kimsuky #Lazarus #Konni #SeacuraMalware
Key points
- The malware disguises itself as a document named "Cryptocurrency-related External Evaluation Committee Appointment Notice.hwp" and is delivered as a .lnk shortcut file, for which MD5, SHA-1, and SHA-256 hashes were identified.
- It uses obfuscated PowerShell scripts to search for and execute "rshell.exe" within the PowerShell directory as part of its operation.
- The malware extracts and decodes encrypted data from specific offsets inside the .lnk file using XOR keys and saves the results as executable PE files.
- The payload setup includes functions to locate specific directories such as "C:\Users\Public\Documents" for saving malicious files and to decompress embedded .cab files using the "expand" command.
- Batch scripts involved download additional malicious payloads from hxxps://www.seacura.com and execute them, then conduct cleanup by deleting downloaded archives to evade detection.
- A separate script collects system information and user file listings and uploads the encrypted data to an attacker-controlled server, including the computer name so that each infected machine can be identified.
- All steps are designed to remove traces, evade security tools, and facilitate data theft, reflecting tactics commonly associated with North Korean threat actors.
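The key points above describe a LNK dropper that carries a PowerShell launcher and XOR-encoded PE payloads at fixed offsets. The following triage helper is an added example written for this page, not code from the original write-up or from the malware: it checks that a file is a genuine Shell Link, flags an oversized one that contains a PowerShell marker, recovers a single-byte XOR key from the expected "MZ" stub, and carves the decoded PE. The payload offset, the key and the sample bytes are constructed assumptions; the real dropper's offsets and keys are not given in the summary, and a repeating multi-byte key would need the same decoder with a longer key pattern.

```python
"""Added triage helper (not from the original write-up): flags an oversized
LNK carrying a PowerShell launcher and carves an XOR-encoded PE out of it.
Offsets, XOR key and sample bytes are constructed for the demonstration."""
import struct

LNK_MAGIC = b"\x4c\x00\x00\x00"  # HeaderSize field of a Shell Link is always 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SIZE_THRESHOLD = 0x100  # assumption: real triage would use tens of KiB; kept small for the sample


def is_lnk(data: bytes) -> bool:
    """A genuine Shell Link file starts with HeaderSize 0x4C followed by the LinkCLSID."""
    return data[:4] == LNK_MAGIC and data[4:20] == LNK_CLSID


def has_powershell_marker(data: bytes) -> bool:
    """Command-line strings inside a LNK are UTF-16LE; check ASCII as well for robustness."""
    needle = b"powershell"
    low = data.lower()
    return needle in low or needle.decode().encode("utf-16-le") in low


def xor_decode(buf: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a single-byte key is just a one-byte pattern."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def recover_single_byte_key(data: bytes, offset: int):
    """If the blob at `offset` is a single-byte-XORed PE, the key follows from the 'MZ' stub."""
    key = data[offset] ^ ord("M")
    return key if data[offset + 1] ^ key == ord("Z") else None


def carve_pe(data: bytes, offset: int, length: int, key: bytes):
    """Decode `length` bytes at `offset`; return them only if they look like a PE image."""
    blob = xor_decode(data[offset:offset + length], key)
    if blob[:2] != b"MZ" or len(blob) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return blob


def triage(data: bytes, payload_offset: int, payload_length: int) -> dict:
    """Summarise the indicators a responder would look at first."""
    key = recover_single_byte_key(data, payload_offset) if is_lnk(data) else None
    pe = carve_pe(data, payload_offset, payload_length, bytes([key])) if key is not None else None
    return {
        "is_lnk": is_lnk(data),
        "oversized": len(data) > SIZE_THRESHOLD,
        "powershell_launcher": has_powershell_marker(data),
        "xor_key": key,
        "embedded_pe": pe is not None,
    }


# --- constructed sample: a minimal LNK-shaped blob with a fake XOR-encoded PE at 0x200 ---
def _fake_pe() -> bytes:
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points at the PE signature
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr) + b"\x00" * 60


SAMPLE_KEY = 0x5A       # constructed key, not the real sample's
SAMPLE_OFFSET = 0x200   # constructed offset, not the real sample's
SAMPLE_PE = _fake_pe()
SAMPLE_LNK = LNK_MAGIC + LNK_CLSID + b"\x00" * (0x4C - 20) + "powershell".encode("utf-16-le")
SAMPLE_LNK += b"\x00" * (SAMPLE_OFFSET - len(SAMPLE_LNK))
SAMPLE_LNK += xor_decode(SAMPLE_PE, bytes([SAMPLE_KEY]))

if __name__ == "__main__":
    print(triage(SAMPLE_LNK, SAMPLE_OFFSET, len(SAMPLE_PE)))
```

On a real sample the offset and length come from the decoded PowerShell (the script reads them from the .lnk itself), so the same carve routine is run with those values instead of the constructed ones; a carved blob that fails the MZ/PE checks usually means a multi-byte key or a wrong offset rather than a non-PE payload.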
MITRE Techniques
- [T1059.001] PowerShell: The malware uses PowerShell scripts to execute commands, decrypt embedded data, and automate payload deployment. ("...using PowerShell to operate the malware and display a decoy HWP file")
- [T1105] Ingress Tool Transfer: Downloads additional payloads from a remote URL using batch scripts. ("Download payload from specific URL")
- [T1070.004] File Deletion: Deletes downloaded archives and other files after use to avoid detection. ("Forcibly deletes specific files to remove traces and evade detection")
- [T1036.005] Masquerading: The initial malicious file masquerades as a legitimate .hwp document related to a cryptocurrency evaluation committee notification. ("Disguised as cryptocurrency-related external evaluation committee appointment notice")
- [T1041] Exfiltration Over C2 Channel: Encrypted system and user data files are uploaded to a remote server via HTTP POST requests. ("Uploads all information files to external server using upload script")
- [T1140] Deobfuscate/Decode Files or Information: Uses XOR decryption with specific keys to decode payload data. ("Decrypts data encrypted with XOR keys")
Indicators of Compromise
- [File Hashes] Malicious HWP LNK file hashes: MD5: cbd734874b44e73ce155998db7e6663a, SHA-1: eb4e370782f214d376c6041a06140868ba5f432d, SHA-256: f9f3b762ed1719bf141c38f8c4f21d76cd65c5ac6c62a4b94ce68569ce87178c
- [Domains] Command and control server: www.seacura.com, used as the remote URL for downloading payloads and uploading stolen data
- [File Names] Key malware components and scripts: 가상자산 관련 외부평가위원 위촉 안내.hwp.lnk (Cryptocurrency-related External Evaluation Committee Appointment Notice.hwp.lnk), 36026239.bat, 43183065.bat, 78126406.bat, 82221413.bat, di3726.zip
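To turn the indicators above and the staging behaviour described in the key points (expand of a .cab under C:\Users\Public\Documents, deletion of downloaded archives) into something that runs over telemetry, here is an added detection sketch written for this page, not code from the original write-up. The event shape is an assumed flattened Sysmon-style dictionary (`image`, `command_line`, `hash`, `dest_host`); the sample events are constructed, the .cab name `stage.cab` is a placeholder, and the domain, hashes and file names are the ones listed in this summary.

```python
"""Added detection sketch (not from the original write-up): matches the
summary's IoCs plus two behavioural rules against constructed events."""
import re

IOC_DOMAINS = {"www.seacura.com"}
IOC_FILE_NAMES = {"36026239.bat", "43183065.bat", "78126406.bat", "82221413.bat", "di3726.zip", "rshell.exe"}
IOC_HASHES = {
    "cbd734874b44e73ce155998db7e6663a",
    "eb4e370782f214d376c6041a06140868ba5f432d",
    "f9f3b762ed1719bf141c38f8c4f21d76cd65c5ac6c62a4b94ce68569ce87178c",
}
STAGING_DIR = r"c:\users\public\documents"


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def match_event(ev: dict) -> list:
    """Return the names of every IoC or behavioural rule the event trips, in rule order."""
    hits = []
    if ev.get("hash", "").lower() in IOC_HASHES:
        hits.append("ioc_hash")
    if ev.get("dest_host", "").lower() in IOC_DOMAINS:
        hits.append("ioc_domain")
    image = _basename(ev.get("image", ""))
    cl = ev.get("command_line", "").lower()
    # token match on path components so that "rshell.exe" does not fire on "powershell.exe"
    tokens = set(re.split(r'[\s"\'\\/]+', cl))
    if IOC_FILE_NAMES & tokens:
        hits.append("ioc_filename")
    # staging: the built-in expand utility unpacking a .cab under Public\Documents
    if image == "expand.exe" and ".cab" in cl and STAGING_DIR in cl:
        hits.append("cab_expand_staging")
    # cleanup: cmd deleting an archive from the same staging directory
    if image == "cmd.exe" and re.search(r"\bdel\b", cl) and STAGING_DIR in cl and re.search(r"\.(zip|cab)\b", cl):
        hits.append("staging_cleanup")
    return hits


def scan(events: list) -> dict:
    """Map each event id to the rules it matched."""
    return {ev["id"]: match_event(ev) for ev in events}


# constructed sample telemetry; only the IoC values are taken from the summary
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Windows\explorer.exe", "command_line": "",
     "hash": "f9f3b762ed1719bf141c38f8c4f21d76cd65c5ac6c62a4b94ce68569ce87178c"},
    {"id": "e2", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Users\Public\Documents\43183065.bat"', "dest_host": "www.seacura.com"},
    {"id": "e3", "image": r"C:\Windows\System32\expand.exe",
     "command_line": r"expand.exe C:\Users\Public\Documents\stage.cab -F:* C:\Users\Public\Documents"},
    {"id": "e4", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c del /f /q C:\Users\Public\Documents\di3726.zip"},
    {"id": "e5", "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits or "-")
```

The two behavioural rules are the ones worth keeping after the hashes and batch names rotate: a legitimate expand.exe run rarely targets the Public profile, and a cmd.exe that deletes an archive there shortly after a download is the cleanup step the summary describes.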
Read more: http://wezard4u.tistory.com/429498