NSHC 2014. 11. 17
Malware Analysis Report [Internet Banking Memory Hacking]

Malware used for Internet banking pharming continues to be distributed. This malware tampers with the memory of the ActiveX modules that handle the Internet banking public key certificates of Woori Bank, Korea Exchange Bank and Nonghyup, and adds functions such as a Bitcoin miner on top of the previously reported malware functionality. Systems suspected of infection require the measures in the removal recommendations and disinfection with an anti-virus product.

Information Service about a new vulnerability
Version 1.0 External
2014 Red Alert. All Rights Reserved.
Table of Contents
1. Malware Stub ... 2
2. Technical Details ... 7
3. Opinion of Red Alert ... 12
4. Removal Recommendations ... 12
5. Reference ... 14
Confidentiality Agreements
This document is an analysis report written by the Red Alert team. It may be distributed and shared without the Red Alert team's permission, but modification is prohibited. Analysis reports are available on the Facebook page run by the Red Alert team (https://www.facebook.com/nshc.redalert). Materials other than the analysis reports posted on Facebook are provided through the premium service isac page (https://isac.nshc.net).
1. Malware Stub

Table 1. File Info-1
  Malware Name   E41C30E6F394B76905432BB71DCDE05B.exe
  File Size      732,342 Byte
  MD5            E41C30E6F394B76905432BB71DCDE05B
  Compiled Date  1976.09.27 05:45:12
  Etc            Main Module

Table 2. File Info-2
  Malware Name   A1.zip
  File Size      19,968 Byte
  MD5            90AFFACB3C4F110BA63DF2BE93F2E41A
  Compiled Date  2008.04.14 11:27:28
  Etc            N/A

Table 3. File Info-3
  Malware Name   B1.zip
  File Size      19,456 Byte
  MD5            0B14DFD82A538CF8933435397DBC4925
  Compiled Date  2008.04.14 11:27:38
  Etc            N/A

Table 4. File Info-4
  Malware Name   C1.zip
  File Size      18,944 Byte
  MD5            6DDF2D7E4F60752B9832B574F4198428
  Compiled Date  2008.04.14 11:26:13
  Etc            N/A

Table 5. File Info-5
  Malware Name   D1.zip
  File Size      18,944 Byte
  MD5            743CAC2A53BA132D086853141246D7D7
  Compiled Date  2008.04.14 11:12:51
  Etc            N/A

Table 6. File Info-6
  Malware Name   doit.rar
  File Size      732,342 Byte
  MD5            E41C30E6F394B76905432BB71DCDE05B
  Compiled Date  1976.09.27 05:45:12
  Etc            N/A
Table 7. File Info-7
  Malware Name   09d8ab85.sys
  File Size      22,848 Byte
  MD5            DDC027DCA198D4A4C8F3FDB24805CD30
  Compiled Date  2014.10.26 14:30:24
  Etc            Drivers

Table 8. File Info-8
  Malware Name   75739e03.sys
  File Size      11,264 Byte
  MD5            1A969B91339A754AA81115752828CC4F
  Compiled Date  2014.10.25 00:46:39
  Etc            Drivers

Table 9. File Info-10
  Malware Name   [RndName].dll
  File Size      7,864,320 Byte
  MD5            6141956C29263D7E043F02A39B46F34F
  Compiled Date  2014.10.26 18:00:28
  Etc            %TEMP%

Table 10. File Info-11
  Malware Name   [RndName].dll
  File Size      7,864,320 Byte
  MD5            ADA277C99CC66BD169AFD59A07C28F2B
  Compiled Date  2014.10.26 18:00:28
  Etc            %TEMP%

Table 11. File Info-12
  Malware Name   ahnmove.bat
  File Size      118 Byte
  MD5            DAD9604A9D9B5C7FDE5827E3BC8A5ADC
  Compiled Date  N/A
  Etc            Self-Delete Batch File

Table 12. Analysis Environment
  Index     Description
  OS        Windows XP SP3 KOR
  Browser   Windows Internet Explorer 8
C&C server contacted once the malware has infected a system:
- hxxp://66.**.***.146/

Figure 1. IP Info-1
Figure 2. IP Info-2
When the malware infects a system, it sends information about the infected system to the C2 server to register the system. The parameters are:
- mac = encrypted MAC address
- os = operating system version
- avs = names of the processes found running, out of the following list: avp.exe, ayagent.aye, v3ltray.exe, avgnt.exe, AvastSvc.exe, Mctray.exe, msseces.exe, ekrn.exe, ccsvchst.exe, bdagent.exe, avgwdsvc.exe, dnf.exe, maplestory.exe
- ps = whether dnf.exe is present
- ver = malware version
- pnum = number of currently running processes

Figure 3. Initial connection
2. Technical Details

The malware connects to a specific FTP server and downloads a Bitcoin miner program.
- Address : ftp://98.***.**.68
- Username : xxoo
- Password : 123456
- Path : /test/

Figure 4. FTP Server Info

It then checks whether a Bitcoin-related registry key exists at the path shown in Figure 5.

Figure 5. Registry Check

If the strdatadir key exists, the miner program is downloaded under the name wallet.dat into the directory stored in that key's data and executed.

Figure 6. Download to wallet.dat
The malware detects virtual machines by reading the hard disk name from the registry and searching it for strings that identify a virtual machine.
- HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum

Figure 7. Registry Check

It uses the strstr function to check whether the string is present.

Figure 8. Search to String

The strings taken to identify a virtual machine are:
- Virtual
- Vmware
- vbox

Figure 9. Virtual Machine Detection
The malware looks for anti-virus products widely used in Korea, such as V3Lite, ALYac and Naver Vaccine, and keeps checking for them for as long as it runs. The main logic is either to obtain the PID from the process name and terminate the process, or to end the process by sending a WM_QUIT message to its window.

Figure 10. Terminate AV Process

The targeted anti-virus process names and window names are listed below.

1. Terminate method
  01015330 01015A54 ASCII "AYAgent.aye"
  01015334 01015A44 ASCII "AYUpdSrv.aye"
  01015338 01015A38 ASCII "AYRTSrv.aye"
  0101533C 01015A2C ASCII "V3LSvc.exe"
  01015340 01015A20 ASCII "V3LTray.exe"
  01015344 01015A14 ASCII "Nsvmon.npc"
  01015348 01015A08 ASCII "Nsavsvc.npc"
  0101534C 010159F8 ASCII "NaverAgent.exe"
  01015350 010159EC ASCII "ASDsvc.exe"
  01015354 010159E0 ASCII "V3Lite.exe"

2. WM_QUIT method
  010153B8 01015848 ASCII "Tray Application"
  010153BC 01015840 ASCII "V3 Lite"
  010153C0 01015954 ASCII "AhnLab"

Table 13. Detection Target List
For the V3 and ALYac products, the malware goes further by unloading the related drivers and deleting their services. For V3, it checks whether the driver is present by opening its symbolic link.
- \\.\v3engine

Figure 11. Get Driver Handle

Once the driver is confirmed, the service is stopped and deleted.

Figure 12. Delete Service

For the ALYac driver, the filter library is used to unload the target driver.

Figure 13. Driver Unload
The malware replaces the wshtcpip.dll file in the Windows system folder by disabling WFP (Windows File Protection) and changing the file's permissions with takeown and icacls.

The permissions of the target file are changed with takeown and icacls.

Figure 14. Takeown

Using the ordinal 5 function of SFC_OS.dll, WFP is disabled for the target file for one minute.

Figure 15. Bypass WFP

The file whose WFP has been disabled is backed up by renaming it, and the replacement is done by copying the malicious file from %TEMP% into its place.

Figure 16. Backup
Figure 17. Copy to Malicious File
3. Opinion of Red Alert

Internet banking pharming attacks continue to be carried out using various techniques such as memory tampering and hosts file tampering. In the case of this memory-tampering malware, the system infection method has been updated to a different one; for the memory tampering method itself, refer to the Internet Bank Phishing - ActiveX document reported in January (item 5.2). In addition, since this malware uses the rootkit driver seen in the Gh0st RAT variant reported in October, it is judged to have been produced by the same group.

4. Removal Recommendations

In the Folder Options of Windows Explorer, uncheck the "Hide protected operating system files (Recommended)" checkbox, select the "Show hidden files and folders" radio button, apply the change, and then delete the files at the paths below.
- %TEMP%\A1.zip
- %TEMP%\B1.zip
- %TEMP%\C1.zip
- %TEMP%\D1.zip
- %TEMP%\[RndName]\doit.rar
- %TEMP%\[RndName].dll or safemon.dll
- the DLL in %TEMP% whose name is stored in the name value of HKCR\CLSID\SYS_DLL
- %SYSTEMROOT%\system32\wshtcpip.dll

Use the Windows Registry Editor to delete the registry entries related to the malware.
- HKEY_CLASSES_ROOT\CLSID\HOOK_ID  Value : name
- HKEY_CLASSES_ROOT\CLSID\SYS_DLL  Value : name
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\09d8ab85  (delete all subkeys)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\75739e03  (delete all subkeys)
Delete the drivers using a rootkit detection tool and then reboot.
- File Name #1 : 09d8ab85.sys
- File Name #2 : 75739e03.sys
- Kernel Detective : http://www.at4re.com/news.php

Figure 18. Delete Drivers

Referring to Virus Total [1], run a full system scan with an anti-virus product that is able to disinfect this malware.
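A read-only triage script for the file, registry and driver indicators listed in sections 1 and 4, added here as an example; it is not part of the original report. It assumes an elevated PowerShell session on the suspect host; the System32\drivers location for the .sys files and the Microsoft signature check on wshtcpip.dll are assumptions, since the report does not state where the drivers are dropped.

```powershell
# Read-only triage for the indicators in sections 1 and 4 of this report.
# Assumption: run from an elevated PowerShell session on the suspect host.
$temp = $env:TEMP
$findings = @()

# Files named in section 4. [RndName].dll is unknown by name, so it is
# matched by the size given in Tables 9 and 10 (7,864,320 bytes).
foreach ($n in @("A1.zip", "B1.zip", "C1.zip", "D1.zip", "safemon.dll")) {
    $p = Join-Path $temp $n
    if (Test-Path $p) { $findings += "file: $p" }
}
Get-ChildItem -Path $temp -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Name -eq "doit.rar") -or
                   ($_.Extension -eq ".dll" -and $_.Length -eq 7864320) } |
    ForEach-Object { $findings += "file: $($_.FullName) ($($_.Length) bytes)" }

# Registry keys from section 4; the 'name' value of SYS_DLL points at the
# dropped DLL in %TEMP%, so that file is checked as well.
$regKeys = @("Registry::HKEY_CLASSES_ROOT\CLSID\HOOK_ID",
             "Registry::HKEY_CLASSES_ROOT\CLSID\SYS_DLL",
             "HKLM:\SYSTEM\CurrentControlSet\Services\09d8ab85",
             "HKLM:\SYSTEM\CurrentControlSet\Services\75739e03")
foreach ($k in $regKeys) {
    if (-not (Test-Path $k)) { continue }
    $findings += "registry: $k"
    $name = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).name
    if ($name -and (Test-Path (Join-Path $temp $name))) {
        $findings += "file (from 'name' value of $k): $(Join-Path $temp $name)"
    }
}

# Driver files from Tables 7 and 8. Assumption: the usual System32\drivers
# directory; the report does not state the drop location.
foreach ($d in @("09d8ab85.sys", "75739e03.sys")) {
    $p = Join-Path "$env:SystemRoot\System32\drivers" $d
    if (Test-Path $p) { $findings += "driver: $p" }
}

# wshtcpip.dll is swapped after the WFP bypass (section 2). A genuine copy
# carries a Microsoft signature (embedded or catalog); the dropped DLL does not.
$ws = Join-Path "$env:SystemRoot\System32" "wshtcpip.dll"
$sig = Get-AuthenticodeSignature -FilePath $ws
if ($sig.Status -ne "Valid" -or
    $sig.SignerCertificate.Subject -notmatch "Microsoft") {
    $findings += "wshtcpip.dll: signature status $($sig.Status)"
}

if ($findings.Count -eq 0) { "No indicators from this report were found." }
else { "Indicators found:"; $findings | ForEach-Object { " - $_" } }
```

On Windows XP, where Get-AuthenticodeSignature may not evaluate catalog signatures, `sfc /verifyfile=%SYSTEMROOT%\system32\wshtcpip.dll` is the fallback check for the replaced DLL.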
5. Reference
[1] Virus Total
    https://www.virustotal.com/ko/file/0aa8e8011462b3f2fee08b3788ab18301c3b169543387f33898cdddf4cc5a1dc/analysis/
[2] RedAlert Report - 20140129_Internet_Bank_Phishing_-_ActiveX_Ver_External.pdf
    http://goo.gl/uwylp1
[3] RedAlert Report - 20141029_변종_Gh0st_RAT_Ver_1.0_External.pdf
    http://goo.gl/6t4div