Malware created by the North Korean hacking group APT37 Reaper: (안보칼럼) 반국가세력에 안보기관이 무기력해서는 안된다.zip (2024.02.22) (the lure filename, kept as-is; in English: "(Security column) Security agencies must not be helpless against anti-state forces.zip")
2024-03-04 • Sakai • zip->lnk->bat->shellcode
The post analyzes a malware package attributed to APT37, also known as Reaper, distributed as a ZIP archive with a Korean security-commentary lure. The infection chain runs from ZIP to LNK to BAT to shellcode: PowerShell is launched with its window hidden from the user, the HWP lure document is embedded in the LNK and extracted from it, and additional payload data is written under public and temporary paths before execution. The lure impersonates a national security researcher and reuses a topical article about anti-state forces to make the file credible to Korean targets. Reported network indicators include pCloud API endpoints and several defanged IP addresses and URLs used for command and control or payload retrieval.
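As an added example (not code from the original analysis), the following Python triage script models the detection side of the chain described above. It confirms that a file inside a ZIP carries a genuine Shell Link header, then flags the traits this report associates with the sample: an oversized LNK, hidden-window PowerShell or batch-script arguments, staging under Public or Temp paths, and an embedded OLE/CFB container (the structure used by HWP 5.x documents) following the link data. The size threshold, keyword list and the sample LNK/ZIP built by `build_sample_lnk` and `build_sample_zip` are constructed assumptions, not artefacts from the real sample.

```python
import io
import struct
import zipfile

# MS-SHLLINK: fixed 76-byte header, first field is HeaderSize, then LinkCLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# OLE Compound File Binary signature (HWP 5.x, legacy Office files).
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Assumption: a real shortcut is a few KB; anything larger is carrying a payload.
SIZE_THRESHOLD = 64 * 1024

# Lower-case ASCII keywords; each is also matched in its UTF-16LE form,
# because LNK StringData (arguments, working dir) is stored as UTF-16LE.
SUSPICIOUS_KEYWORDS = [
    b"powershell", b"-windowstyle hidden", b"-w hidden", b"cmd.exe",
    b".bat", b"%public%", b"\\public\\", b"%temp%", b"\\temp\\",
]


def is_lnk(data: bytes) -> bool:
    """True if the blob starts with a structurally valid Shell Link header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def triage_lnk(data: bytes) -> list:
    """Return a list of finding strings for one LNK blob (empty if benign/not LNK)."""
    findings = []
    if not is_lnk(data):
        return findings
    if len(data) > SIZE_THRESHOLD:
        findings.append(f"oversized:{len(data)}")
    low = data.lower()  # bytes.lower() only touches ASCII letters, safe for UTF-16LE
    for kw in SUSPICIOUS_KEYWORDS:
        if kw in low or kw.decode("ascii").encode("utf-16-le") in low:
            findings.append("keyword:" + kw.decode("ascii"))
    # A compound-file signature after the header means a document (e.g. HWP)
    # is riding inside the shortcut, which is how the lure is carried here.
    idx = data.find(CFB_MAGIC, LNK_HEADER_SIZE)
    if idx != -1:
        findings.append(f"embedded_cfb@{idx}")
    return findings


def triage_zip(zip_bytes: bytes) -> dict:
    """Triage every .lnk member of a ZIP archive; maps member name -> findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".lnk"):
                results[name] = triage_lnk(zf.read(name))
    return results


def build_sample_lnk() -> bytes:
    """Constructed stand-in for the malicious shortcut (not the real sample)."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<I", 0)  # LinkFlags, irrelevant for this check
    header = header.ljust(LNK_HEADER_SIZE, b"\x00")
    args = "powershell.exe -WindowStyle Hidden -File %PUBLIC%\\stage.bat"
    body = args.encode("utf-16-le") + b"\x00" * 1024
    body += CFB_MAGIC + b"\x00" * (70 * 1024)  # embedded document + padding
    return header + body


def build_benign_lnk() -> bytes:
    """Constructed ordinary shortcut: valid header, small, harmless arguments."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header = header.ljust(LNK_HEADER_SIZE, b"\x00")
    return header + "C:\\Users\\me\\notes.txt".encode("utf-16-le")


def build_sample_zip() -> bytes:
    """Constructed ZIP mimicking the zip->lnk stage of the chain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lure.lnk", build_sample_lnk())
        zf.writestr("readme.txt", b"decoy")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        print(member, findings)
```

In production the same checks would run on the extracted ZIP members at the mail gateway or in a sandbox; the keyword list is deliberately small and should be tuned against a corpus of known-good shortcuts, since legitimate installers also create LNKs that reference cmd.exe.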
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 5f6682ad9da4590cba106e2f1a8cbe26 | 2024-03-04 | 2024-11-04 |
| HASH | dbd5d662cc53d4b91cf7da9979cdffd… | 2024-03-04 | 2024-11-04 |
| HASH | 7043c7c101532df47c832ce5270745d… | 2024-03-04 | 2024-11-04 |
| URL | http://trust.quovadisglobal.com… | 2024-03-04 | 2024-03-04 |
| URL | https://api.pcloud.com/uploadfi… | 2024-03-04 | 2024-03-04 |
| URL | https://api.pcloud.com/uploadfi… | 2024-03-04 | 2024-03-04 |
| URL | https://api.pcloud.com/listfold… | 2024-03-04 | 2024-03-04 |
| URL | https://api.pcloud.com/uploadfi… | 2024-03-04 | 2024-03-04 |
| URL | https://api.pcloud.com/getfilel… | 2024-03-04 | 2024-03-04 |
| URL | https://api.pcloud.com/getfilel… | 2024-03-04 | 2024-03-04 |
| DOMAIN | mattres-fabrics.com | 2024-03-04 | 2024-03-04 |
| IPv4 | 23.55.161.142 | 2024-03-04 | 2024-03-04 |
| IPv4 | 104.123.41.162 | 2024-03-04 | 2024-03-04 |
| IPv4 | 74.120.8.15 | 2024-03-04 | 2024-03-04 |
| IPv4 | 52.219.169.16 | 2024-03-04 | 2024-03-04 |