{"id":93510,"date":"2018-10-17T23:12:42","date_gmt":"2018-10-18T06:12:42","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=93510"},"modified":"2018-10-15T23:13:20","modified_gmt":"2018-10-16T06:13:20","slug":"unit42-threat-brief-office-documents-can-dangerous-well-continue-use-anyway","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2018\/10\/unit42-threat-brief-office-documents-can-dangerous-well-continue-use-anyway\/?lang=ko","title":{"rendered":"\uc628\ub77c\uc778 \uc704\ud611 \uc815\ubcf4: \uc5b4\uca54 \uc218 \uc5c6\uc774 \uc0ac\uc6a9\ud574\uc57c \ud558\ub294 Office \ubb38\uc11c\ub3c4 \uc704\ud5d8\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4"},"content":{"rendered":"

\uc6b0\ub9ac\ub294 \ub300\ubd80\ubd84 \uc77c\ud558\uba74\uc11c Microsoft Office \ubb38\uc11c\ub97c \uc0ac\uc6a9\ud574\uc57c \ud569\ub2c8\ub2e4. \uc5c5\ubb34\uc6a9 \ubb38\uc11c, \uc804\uc790 \uc601\uc218\uc99d, \uc784\ub300\ucc28 \uacc4\uc57d\uc11c \ub4f1 \ub2e4\uc591\ud55c Office \ubb38\uc11c\uac00 \uc77c\uc0c1\uc0dd\ud65c\uacfc \uc9c1\uc7a5\uc5d0\uc11c \uc0ac\uc6a9\ub418\uae30 \ub54c\ubb38\uc5d0 \uc774\uba54\uc77c\uc5d0 \ucca8\ubd80\ub418\ub294 Office \ubb38\uc11c\ub97c \uc544\ubb34 \uc0dd\uac01 \uc5c6\uc774 \uc5f4\uc5b4\ubcfc \ud655\ub960\ub3c4 \uadf8\ub9cc\ud07c \ub192\uc2b5\ub2c8\ub2e4. \uacf5\uaca9\uc790\ub4e4\uc740 \uc774\ub807\uac8c \ub9ce\uc740 \uc0ac\ub78c\uc774 \uac70\uc758 \ubaa8\ub4e0 Office \ubb38\uc11c\ub97c \uc5f4\uc5b4\ubcfc \uac83\uc784\uc744 \uc54c\uace0 \uc788\uc73c\ubbc0\ub85c \uc774\ub97c \uc545\uc6a9\ud558\uc5ec \uacf5\uaca9\ud558\ub294 \uacbd\uc6b0\uac00 \ub9ce\uc2b5\ub2c8\ub2e4.<\/p>\n

\ubcf8 \uc628\ub77c\uc778 \uc704\ud611 \uc815\ubcf4\uc5d0\uc11c\ub294 \uacf5\uaca9\uc790\ub4e4\uc774 Office \ubb38\uc11c\ub97c \uc545\uc6a9\ud558\uc5ec Windows \uc5d4\ub4dc\ud3ec\uc778\ud2b8\ub97c \uacf5\uaca9\ud558\uace0 \uc190\uc0c1\uc2dc\ud0a4\ub294 \ub2e4\uc12f \uac00\uc9c0 \ubc29\uc2dd\uc5d0 \ub300\ud574 \uc124\uba85\ud569\ub2c8\ub2e4. \uc77c\ubd80\ub294 \uc774\uc804\uc5d0 \uc774\ubbf8 \uc18c\uac1c\ud55c \ub0b4\uc6a9\uc77c \uc218 \uc788\uc73c\uba70, \uc0c8\ub85c\uc6b4 \uac83\ub3c4 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n

 <\/p>\n

\ub9e4\ud06c\ub85c<\/strong><\/p>\n

\ub9e4\ud06c\ub85c\ub294 \uacf5\uaca9\uc790\ub4e4\uc774 Office \ubb38\uc11c\ub97c \ubb34\uae30\ub85c \ud65c\uc6a9\ud558\ub294 \uac00\uc7a5 \uc9c1\uad00\uc801\uc778 \ubc29\ubc95\uc785\ub2c8\ub2e4. Office \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc5d0\ub294 VBA(Visual Basic for Applications) \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\ub294 \ube4c\ud2b8\uc778 \uc2a4\ud06c\ub9bd\ud2b8 \uc5d4\uc9c4\uc774 \uc788\uc2b5\ub2c8\ub2e4. \uc774\ub7ec\ud55c \uc2a4\ud06c\ub9bd\ud2b8\ub294 \uc0ac\uc6a9\uc790\uac00 \uc608\uc804\uc5d0 \ub9e4\ud06c\ub85c\ub97c \ud65c\uc131\ud654\ud55c \uacbd\uc6b0 \uc544\ubb34\ub7f0 \uc791\uc5c5\uc744 \ud558\uc9c0 \uc54a\uc544\ub3c4 \ubb38\uc11c\uac00 \uc5f4\ub9ac\ub294 \uc989\uc2dc \uc791\ub3d9\ud558\uc5ec \uc2dc\uc2a4\ud15c\uc5d0\uc11c \uc545\uc131 \ucf54\ub4dc\ub97c \uc2e4\ud589\ud569\ub2c8\ub2e4. \ub9e4\ud06c\ub85c\uac00 \ud65c\uc131\ud654\ub418\uc5b4 \uc788\uc9c0 \uc54a\uc740 \uacbd\uc6b0 \ud31d\uc5c5 \ucc3d\uc774 \uc5f4\ub824 \ub9e4\ud06c\ub85c\ub97c \ud65c\uc131\ud654\ud560 \uac83\uc778\uc9c0 \ubb3b\uc2b5\ub2c8\ub2e4. \uc774 \ud31d\uc5c5\uc740 Microsoft\uc5d0\uc11c \ub9e4\ud06c\ub85c\uc5d0 \uc758\ud55c \ubcf4\uc548 \uc704\ud611\uc744 \uc644\ud654\ud558\uae30 \uc704\ud574 \ucd94\uac00\ud55c \ubcf4\uc548 \uba54\ucee4\ub2c8\uc998 \uc911 \ud558\ub098\uc785\ub2c8\ub2e4. \ub610\ud55c, Microsoft\ub294 \ub9e4\ud06c\ub85c\uac00 \ub4e4\uc5b4 \uc788\ub294 \ubb38\uc11c\ub97c \uc0c8\ub85c \ub9cc\ub4e4 \uc2dc .docx\uac00 \uc544\ub2cc .docm\uacfc \uac19\uc740 \ud30c\uc77c \ud655\uc7a5\uc790\ub97c \uac15\uc81c\ub85c \uc0ac\uc6a9\ud558\ub3c4\ub85d \ub9cc\ub4e4\uae30\ub3c4 \ud569\ub2c8\ub2e4. \uc774\ub7ec\ud55c \uc870\uce58\uc5d0\ub3c4 \ubd88\uad6c\ud558\uace0, \uc0ac\uc6a9\uc790\ub4e4\uc740 \uc544\ubb34 \uc0dd\uac01 \uc5c6\uc774 \uc774\ub7f0 \ud30c\uc77c\uc744 \uc5f4\uace0 \ucf58\ud150\uce20\ub97c \ud65c\uc131\ud654\ud558\uc5ec \ub9e4\ud06c\ub85c\uac00 \uc77c\ubc18\uc801\uc778 \uacf5\uaca9 \ubca1\ud130\ub85c \uc791\uc6a9\ud558\uac8c \ud569\ub2c8\ub2e4. \uc774\ub85c \uc778\ud574 Emotet<\/a><\/u>\uacfc \uac19\uc740 \ub2e8\uc21c \uad11\uc5ed \uacf5\uaca9\ubfd0 \uc544\ub2c8\ub77c Sofacy campaign<\/a><\/u>\uacfc \uac19\uc740 \ubcf5\uc7a1\ud55c \uacf5\uaca9\uc774 \uac00\ub2a5\ud574\uc9d1\ub2c8\ub2e4.<\/p>\n

\"\"<\/span><\/div><\/p>\n

\uadf8\ub9bc 1. \ucf58\ud150\uce20\uac00 \ud65c\uc131\ud654\ub418\uae30 \uc804\uacfc \ud6c4\uc758 Sofacy \ubb38\uc11c<\/em><\/p>\n

\uc5ec\uae30\uc11c \ubcfc \uc218 \uc788\ub4ef\uc774, \uacf5\uaca9\uc790\ub4e4\uc740 \uc804\uccb4 \ubb38\uc11c\ub97c \ubcf4\ub824\uba74 \ucf58\ud150\uce20\ub97c \ud65c\uc131\ud654\ud574\uc57c \ud55c\ub2e4\ub294 \uc18d\uc784\uc218\uc640 \uac19\uc740 \uc0ac\ud68c\uacf5\ud559\uc801 \uc218\ubc95\uc744 \uc368\uc11c Microsoft\uac00 \ucd94\uac00\ud55c \ubcf4\uc548 \uba54\ucee4\ub2c8\uc998\uc744 \uc0ac\uc6a9\uc790\uac00 \uc9c1\uc811 \ube44\ud65c\uc131\ud654\ud558\uac8c \ub9cc\ub4e6\uc73c\ub85c\uc368 \uacf5\uaca9\uc744 \uc2dc\ub3c4\ud569\ub2c8\ub2e4. Sofacy\uc758 \uacbd\uc6b0, \uacf5\uaca9\uc790\uac00 \uae00\uaf34\uc744 \ud770\uc0c9\uc73c\ub85c \uc124\uc815\ud558\uae30\ub9cc \ud558\uba74 \uc0ac\uc6a9\uc790\uac00 \ub9e4\ud06c\ub85c\ub97c \ud65c\uc131\ud654\ud560 \ud544\uc694\ub3c4 \uc5c6\uc2b5\ub2c8\ub2e4.<\/p>\n

 <\/p>\n

\uc784\ubca0\ub4dc\ub41c Flash \ud30c\uc77c<\/strong><\/p>\n

Office \ubb38\uc11c\uc5d0\ub294 \ub9e4\ud06c\ub85c\uc640 \uac19\uc740 \ube4c\ud2b8\uc778 \uae30\ub2a5 \uc678\uc5d0\ub3c4 Adobe Flash \ud30c\uc77c\uacfc \uac19\uc740 \uc678\ubd80 \uc624\ube0c\uc81d\ud2b8\ub97c \ud3ec\ud568\uc2dc\ud0ac \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774\ub7ec\ud55c \uc624\ube0c\uc81d\ud2b8\ub294 \ud574\ub2f9\ud558\ub294 \uc18c\ud504\ud2b8\uc6e8\uc5b4\ub97c \ud1b5\ud574 \uc804\ub2ec\ub418\uae30 \ub54c\ubb38\uc5d0 Office \ubb38\uc11c \uc548\uc758 Adobe Flash \ucf58\ud150\uce20\ub85c \uc774 \uc18c\ud504\ud2b8\uc6e8\uc5b4\uc758 \ucde8\uc57d\uc810\uc744 \uc774\uc6a9\ud558\uc5ec \uacf5\uaca9\uc744 \uc2e4\ud589\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774\ub7ec\ud55c \uacf5\uaca9 \ubca1\ud130\uc758 \uc608\ub85c\ub294 Excel \ubb38\uc11c\uc5d0 SWF \ud30c\uc77c\uc744 \ud3ec\ud568\uc2dc\ucf1c\uc11c \uc2e4\ud589\ud558\ub294 Adobe Flash \uc81c\ub85c \ub370\uc774(Zero-Day) \uacf5\uaca9\uc778CVE-2018-4878<\/a><\/u>\uc774 \uc788\uc2b5\ub2c8\ub2e4. \uc774\ub7ec\ud55c \uc720\ud615\uc758 \uacf5\uaca9\uc5d0\uc11c\ub294 Flash\uc758 \ucde8\uc57d\uc810\uc744 \uc791\ub3d9\uc2dc\ud0a4\uace0 \uc784\ubca0\ub4dc\ub41c \uc178\ucf54\ub4dc\ub97c \uc2e4\ud589\ud558\ub294 Adobe Flash \ucf58\ud150\uce20\uac00 \uc784\ubca0\ub4dc\ub41c \uc545\uc131 Excel \ud30c\uc77c\uc744 \uc0ac\uc6a9\ud569\ub2c8\ub2e4.<\/p>\n

 <\/p>\n

Microsoft \uc218\uc2dd \ud3b8\uc9d1\uae30<\/strong><\/p>\n

Adobe Flash \ud30c\uc77c\uc744 Office \ubb38\uc11c\uc5d0 \uc784\ubca0\ub4dc\ud558\ub294 \uac83\uacfc \uc720\uc0ac\ud558\uac8c, \uc218\ud559 \uacf5\uc2dd\uc744 \uc27d\uac8c \uc791\uc131\ud560 \uc218 \uc788\ub3c4\ub85d \ub3c4\uc640\uc8fc\ub294 Microsoft \uc218\uc2dd \ud3b8\uc9d1\uae30\uac00 \uad6c\ubb38 \ubd84\uc11d\ud558\ub294 \uacf5\uc2dd\uc744 \ubb38\uc11c\uc5d0 \uc784\ubca0\ub4dc\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n

\"\"<\/span><\/div><\/p>\n

\uadf8\ub9bc 2. \u00a0Microsoft \uc218\uc2dd \ud3b8\uc9d1\uae30<\/em><\/p>\n

\uc774 \uacbd\uc6b0 \uc545\uc131 Office \ubb38\uc11c\ub97c \ud1b5\ud574 \uc218\uc2dd \ud3b8\uc9d1\uae30\uc758 \ucde8\uc57d\uc810\uc744 \uc545\uc6a9\ud558\uac8c \ub429\ub2c8\ub2e4. \uc774\ub7ec\ud55c \uacf5\uaca9\uc740 CVE-2017-11882<\/a><\/u> \ubc0f CVE-2018-0802<\/a><\/u> \uc775\uc2a4\ud50c\ub85c\uc787\uacfc \uac19\uc774 \uac00\uc7a5 \ucd5c\uadfc\uc5d0 \ubc1c\uc0dd\ud55c \uac83\uc73c\ub85c, \uacf5\uaca9\uc790\uac00 \uc218\uc2dd \ud3b8\uc9d1\uae30\uc758 \ubc84\uadf8\ub97c \uc774\uc6a9\ud558\uc5ec Office \ubb38\uc11c\ub97c \uc5ec\ub294 \uc0ac\uc6a9\uc790\ub97c \ud1b5\ud574 \uc6d0\uaca9 \ucf54\ub4dc\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\uac8c \ub429\ub2c8\ub2e4. \uc544\uc9c1 \uacf5\uc2dd\uc801\uc73c\ub85c \ud655\uc778\ub418\uc9c0\ub294 \uc54a\uc558\uc9c0\ub9cc, Unit 42\uc758 \uc5f0\uad6c\uc6d0\ub4e4\uc740 CVE-2018-0807<\/a><\/u>\u00a0\ubc0f CVE-2018-0798<\/a><\/u>\uacfc \uac19\uc774 Microsoft \uc218\uc2dd \ud3b8\uc9d1\uae30\ub97c \uc720\uc0ac\ud558\uac8c \uc545\uc6a9\ud558\ub294 \uc775\uc2a4\ud50c\ub85c\uc787\uc744 \ubc1c\uacac\ud558\uae30\ub3c4 \ud588\uc2b5\ub2c8\ub2e4.<\/p>\n

\ucc38\uace0\ub85c Microsoft \uc218\uc2dd \ud3b8\uc9d1\uae30\ub294 eqnedt32.exe\ub77c\ub294 \ub3c5\ub9bd\uc801\uc778 \ud504\ub85c\uc138\uc2a4\ub85c \uc2e4\ud589\ub418\uae30 \ub54c\ubb38\uc5d0 winword.exe \ub4f1\uc758 Microsoft Office \ud504\ub85c\uc138\uc2a4\uc5d0 \ub300\ud55c EMET \ubc0f Windows Defender Exploit Guard\uc640 \uac19\uc740 \uc804\uc6a9 \ubcf4\ud638 \uc18c\ud504\ud2b8\uc6e8\uc5b4\uac00 \uae30\ubcf8\uc801\uc73c\ub85c \uc801\uc6a9\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.<\/p>\n

 <\/p>\n

OLE \uc624\ube0c\uc81d\ud2b8 \ubc0f HTA \ud578\ub4e4\ub7ec<\/strong><\/p>\n

OLE \uc624\ube0c\uc81d\ud2b8\uc640 HTA \ud578\ub4e4\ub7ec\ub294 Office \ubb38\uc11c\uc5d0\uc11c \ub2e4\ub978 \ubb38\uc11c\ub97c \ucc38\uc870\ud560 \uc2dc\uc5d0 \uc0ac\uc6a9\ud558\ub294 \uba54\ucee4\ub2c8\uc998\uc785\ub2c8\ub2e4. \uc774\ub97c \uc774\uc6a9\ud558\uc5ec \ub2e4\uc74c\uacfc \uac19\uc774 \uc5d4\ub4dc\ud3ec\uc778\ud2b8\ub97c \uc190\uc0c1\uc2dc\ud0ac \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n