The RTM cybergroup specializes in stealing funds from Russian companies

There are several known cybergroups that specialize in stealing money from Russian companies. We have seen attacks that use security loopholes to gain access to the target network. Once they have access, the attackers study the organization's network structure and deploy their own tools to steal funds. Classic examples of this trend are the hacker groups Buhtrap, Cobalt and Corkow.

The RTM group on which this report focuses is part of this trend. It uses custom malware written in Delphi, which we look at in detail in the following sections. The first traces of these tools were found in ESET telemetry at the end of 2015. The group loads various new modules onto infected systems as needed. The attacks target users of remote banking systems in Russia and some neighbouring countries.

1. Objectives

The RTM campaign targets corporate users; this is evident from the processes the attackers try to detect on compromised systems. The focus is on accounting software used together with remote banking systems.

The list of processes of interest to RTM resembles the corresponding list of the Buhtrap group, but the groups use different infection vectors. Where Buhtrap often used fake pages, RTM used drive-by download attacks (attacks on the browser or its components) and spam mailings. According to telemetry data, the threat is aimed at Russia and some nearby countries (Ukraine, Kazakhstan, Czech Republic, Germany). However, because mass distribution mechanisms are used, detections of the malware outside the targeted regions are not surprising.

The total number of malware detections is relatively small. On the other hand, the RTM campaign uses complex programs, which indicates that the attacks are highly targeted.

We found several decoy documents used by RTM, including non-existent contracts, invoices or tax accounting documents. The nature of the lures, combined with the type of software targeted by the attack, indicates that the attackers "enter" the networks of Russian companies through the accounting department. The Buhtrap group operated according to the same scheme in 2014-2015.

During the investigation we were able to interact with several C&C servers. We list the full set of commands in the following sections, but for now we can say that the client transfers keylogger data directly to the attackers' server, from which further commands are then received.

However, the days when one could simply connect to a command and control server and collect all the data of interest are gone. We recreated realistic log files to obtain some relevant commands from the server.

The first of them is a request to the bot to transfer the file 1c_to_kl.txt, a transport file of the 1C: Enterprise 8 program, whose appearance RTM monitors. 1C interacts with remote banking systems by exporting outgoing payment data to a text file. The file is then sent to the remote banking system for automated processing and execution of the payment orders.

The file contains payment details. If the attackers change the information about outgoing payments, the transfer will be sent with false details to the attackers' accounts.

About a month after these files were requested from the command and control server, we observed a new plugin, 1c_2_kl.dll, being loaded onto the compromised system. The module (DLL) is designed to parse the export file automatically by hooking into the accounting software's processes. We describe it in detail in the following sections.

Interestingly, FinCERT of the Bank of Russia issued a warning at the end of 2016 about cybercriminals using 1c_to_kl.txt export files. The developers at 1C are also aware of this scheme; they have already made an official statement and listed precautions.

Other modules were also loaded from the command server, in particular VNC (32- and 64-bit versions). It resembles the VNC module previously used in Dridex Trojan attacks. This module is presumably used to connect remotely to the infected computer and conduct a detailed study of the system. The attackers then try to move around the network, extract user passwords, collect information and ensure the persistence of the malware.

2. Infection vectors

The following figure shows the infection vectors detected during the investigation of the campaign. The group uses a wide range of vectors, but mainly drive-by download attacks and spam. These tools are convenient for targeted attacks, since in the first case the attackers can choose sites visited by potential victims, and in the second they can send emails with attachments directly to the employees of the company of interest.

The malware is distributed through multiple channels, including the RIG and Sundown exploit kits or spam mailings, which indicates links between the attackers and other cybercriminals offering these services.

2.1. How are RTM and Buhtrap related?

The RTM campaign is very similar to Buhtrap. The natural question is: how are they related to each other?

In September 2016 we observed an RTM sample being distributed using the Buhtrap loader. In addition, we found two digital certificates used in both Buhtrap and RTM.

The first, allegedly issued to the company DNISTER-M, was used to digitally sign the second Delphi form (SHA-1: 025C718BA31E43DB1B87DC13F94A61A9338C11CE) and the Buhtrap DLL (SHA-1: 1E2642B454C2FD889F6D41116A83F6F2).

The second, issued to Bit-Tredj, was used to sign Buhtrap loaders (SHA-1: 7C1B6B1713BD923FC243DFEC80002FE9B93EB292 and B74F71560E48488D2153AE2FB51207A0AC206) as well as RTM loaders.

RTM operators use certificates that are shared with other malware families, but they also have a unique certificate. According to ESET telemetry, it was issued to Kit-SD and was used only to sign some RTM malware (SHA-1: 42A4B04446A20993DDAE98B2BE6D5A797376D4B6).

RTM uses the same loader as Buhtrap, and RTM components are loaded from the Buhtrap infrastructure, so the groups share network indicators. Nevertheless, by our estimate, RTM and Buhtrap are different groups, at least because RTM is distributed in different ways (not only via the "foreign" loader).

Despite this, the hacker groups use similar operating principles. They target businesses using accounting software, similarly collect system information, search for smart card readers and deploy a range of malicious tools to spy on victims.

3. Evolution

In this section we look at the various malware versions found during the investigation.

3.1. Versioning

RTM stores configuration data in a registry key; the most interesting part is the botnet-prefix. A list of all the values we saw in the samples we studied is presented in the table below.

It is possible that the values are used to record malware versions. However, we did not notice much difference between versions such as bit2 and bit3, or 0.1.6.4 and 0.1.6.6. Moreover, one of the prefixes has existed from the very beginning and evolved from a regular C&C domain to a .bit domain, as will be shown below.

3.2. Timeline

Using telemetry data, we created a timeline of sample occurrences.

4. Technical analysis

In this section we describe the main functions of the RTM banking Trojan, including persistence mechanisms, its own version of the RC4 algorithm, the network protocol, spying functionality and some other features. In particular, we focus on the samples with SHA-1 AA0FA4584768CE9E16D67D8C529233E99FF1BBF0 and 48BC113EC8BA20B8B80CD5D4DA92051A19D1032B.

4.1. Installation and persistence

4.1.1. Execution

The RTM core is a DLL; the library is written to disk by an .EXE. The executable is usually packed and contains the DLL code. Once launched, it extracts the DLL and runs it using the following command:

rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host

4.1.2. DLL

The core DLL is always written to disk as winlogon.lnk in the %PROGRAMDATA%\Winlogon folder. This file extension is usually associated with a shortcut, but the file is actually a DLL written in Delphi, named core.dll by the developer, as shown in the image below.

Example of the DLL name, sample F4C746696B0F5BB565D445EC49DD912993DE6361

Once launched, the Trojan activates its persistence mechanism. This can be done in two different ways, depending on the victim's privileges on the system. With administrator rights, the Trojan adds a Windows Update entry to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. The command contained in the Windows Update value runs at the start of the user session.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update [REG_SZ] = rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host

The Trojan also tries to add a task to the Windows Task Scheduler. The task launches the winlogon.lnk DLL with the same parameters as above. With regular user rights, the Trojan adds a Windows Update entry with the same data to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key:

rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host
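The persistence traits above (rundll32 loading a file with a non-DLL extension out of ProgramData through the COM export DllGetClassObject) are easy to hunt for in exported Run-key values and scheduled-task actions. The following is an added example, not code from the report or from RTM; the sample entries are constructed, and the location/command tuple layout is an assumption about how the investigator exported the data.

```python
"""Added example: flag rundll32-based persistence of the kind described in
section 4.1 in exported Run-key values or scheduled-task actions."""
import re
from typing import NamedTuple

# Constructed sample: what `reg query ...\Run` or a task's <Command>/<Arguments>
# yield, as (location, command line) tuples (layout is an assumption).
SAMPLE_ENTRIES = [
    ('HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update',
     'rundll32.exe "%PROGRAMDATA%\\Winlogon\\winlogon.lnk",DllGetClassObject host'),
    ('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive',
     '"C:\\Users\\acct\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ('HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\NvBackend',
     'rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL'),
]

# rundll32[.exe] <module>,<export> [args]; the module may be quoted.
_RUNDLL = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<path>[^",]+)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE)


class Finding(NamedTuple):
    location: str
    path: str
    export: str
    reasons: tuple


def check_rundll32_command(cmd: str) -> list:
    """Return why a rundll32 command line resembles RTM persistence;
    an empty list means benign or not a rundll32 invocation."""
    m = _RUNDLL.match(cmd)
    if not m:
        return []
    path, export = m.group('path'), m.group('export')
    reasons = []
    ext = path.rsplit('.', 1)[-1].lower() if '.' in path else ''
    if ext != 'dll':
        reasons.append(f'rundll32 loading a module with extension .{ext}')
    low = path.lower()
    if '%programdata%' in low or '\\programdata\\' in low:
        reasons.append('module stored under ProgramData')
    if export.lower() == 'dllgetclassobject':
        reasons.append('COM export DllGetClassObject used as entry point')
    return reasons


def scan_entries(entries) -> list:
    """Apply the check to every (location, command) pair and keep the hits."""
    findings = []
    for location, cmd in entries:
        reasons = check_rundll32_command(cmd)
        if reasons:
            m = _RUNDLL.match(cmd)
            findings.append(Finding(location, m.group('path'),
                                    m.group('export'), tuple(reasons)))
    return findings


if __name__ == '__main__':
    for f in scan_entries(SAMPLE_ENTRIES):
        print(f.location, '->', f.path, f.export, '|', '; '.join(f.reasons))
```

The same function works on the <Command> and <Arguments> of a task XML joined with a space, so one check covers both persistence paths the report describes. The shell32.dll entry is kept in the sample to show that rundll32 with a genuine DLL and a normal export produces no finding.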

4.2. Modified RC4 algorithm

Despite its known weaknesses, the RC4 algorithm is regularly used by malware authors. However, RTM's creators modified it slightly, probably to make the job of malware analysts harder. The modified version of RC4 is used throughout RTM's malicious tools to encrypt strings, network data, configuration and modules.

4.2.1. Differences

The original RC4 algorithm consists of two stages: S-box initialization (KSA, the Key-Scheduling Algorithm) and pseudo-random sequence generation (PRGA, the Pseudo-Random Generation Algorithm). The first stage initializes the S-box using the key, and in the second stage the plaintext is processed with the S-box for encryption.

The RTM authors added an intermediate step between S-box initialization and encryption. The additional key is variable and is supplied together with the data to be encrypted or decrypted. The function that performs this additional step is shown in the figure below.

4.2.2. Encrypted strings

At first glance, there are several readable strings in the core DLL. The rest are encrypted using the algorithm described above; their layout is shown in the following figure. We found more than 25 different RC4 keys used for string encryption in the analysed samples. The XOR key is different for each string. The value of the field separating the strings is always 0xFFFFFFFF.

At the start of execution, RTM decrypts the strings into a global variable. When it needs to access a string, the Trojan dynamically computes the address of the decrypted string from the base address and an offset.

The strings contain interesting information about the malware's functions. Some example strings are given in Section 6.8.

4.3. Network

How the RTM malware contacts the C&C server varies from version to version. The first variants (October 2015 - April 2016) used traditional domain names together with an RSS feed on livejournal.com to update the list of command servers.

Since April 2016 we have seen a shift to .bit domains in telemetry data. This is confirmed by the domain registration date: the first RTM domain, fde05d0573da.bit, was registered on 13 March 2016.

All the URLs we saw while monitoring the campaign have a common path: /r/z.php. It is quite unusual and helps identify RTM requests in network traffic.

4.3.1. Command and control channel

Legacy samples used this channel to update their list of command and control servers. The hosting is at livejournal.com; at the time of writing the report it was located at the URL hxxp://f72bba81c921(.)livejournal(.)com/data/rss.

LiveJournal is a Russian-American company that provides a blogging platform. The RTM operators created an LJ blog in which they publish a post containing encoded commands; see the screenshot.

The command and control lines are encrypted using the modified RC4 algorithm (Section 4.2). The current version (November 2016) of the channel contains the following command and control server addresses:

  • hxxp://cainmoon(.)net/r/z.php
  • hxxp://rtm(.)dev/0-3/z.php
  • hxxp://vpntap(.)top/r/z.php

4.3.2. .bit domains

In the latest RTM samples, the authors connect to C&C domains using the .bit top-level domain. It is not on the list of top-level domains of ICANN (the Internet Corporation for Assigned Names and Numbers). Instead, it uses the Namecoin system, built on Bitcoin technology. Malware authors do not often use the .bit TLD for their domains, although an example of such use was previously observed in a version of the Necurs botnet.

Unlike Bitcoin, users of the distributed Namecoin database can store data in it. The main application of this feature is the .bit top-level domain. Domains can be registered and are stored in the distributed database. The corresponding database entries contain the IP addresses to which the domain resolves. This TLD is "censorship-resistant" because only the registrant can change the resolution of a .bit domain. This means that it is very difficult to take down a malicious domain that uses this TLD.

The RTM Trojan does not embed the software needed to read the distributed Namecoin database. It uses central DNS servers such as dns.dot-bit.org or OpenNIC servers to resolve .bit domains. Therefore, it is only as resilient as those DNS servers. We noticed that some of the group's domains were no longer detected after being mentioned in a blog post.

Another advantage of the .bit TLD for the attackers is cost. To register a domain, operators need to pay only 0.01 NMC, which corresponds to $0.00185 (as of 5 December 2016). For comparison, a .com domain costs at least $10.

4.3.3. Protocol

To communicate with the command and control server, RTM uses HTTP POST requests with data formatted according to a custom protocol. The path is always /r/z.php; the user agent is Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0). In requests to the server the data is formatted as follows, where the offsets are expressed in bytes:

Bytes 0 to 6 are not encrypted; bytes from offset 6 onwards are encrypted using the modified RC4 algorithm. The structure of the C&C response packet is simpler: the bytes from offset 4 to the end of the packet are encrypted.

The list of action byte values is presented in the table below:

The malware always computes the CRC32 of the decrypted data and compares it with the value carried in the packet. If they differ, the Trojan drops the packet.
The additional data may contain various objects, including a PE file, a file to be searched for in the file system, or new URLs.
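The network indicators of this section (the fixed /r/z.php path, the fixed user-agent on POST requests, .bit domains and the public .bit resolvers) can be matched against proxy and DNS logs. The following is an added example, not code from the report; the log line formats and all sample lines are constructed for the example, and the choice to treat the path or a .bit host as the trigger and the user-agent only as corroboration is the example author's.

```python
"""Added example: match the RTM C&C indicators from section 4.3 against
constructed proxy and DNS log lines."""
import re
from urllib.parse import urlsplit

RTM_UA = 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'
RTM_PATH = '/r/z.php'
# Public .bit resolver named in the report; RTM resolves .bit through such servers.
BIT_RESOLVERS = {'dns.dot-bit.org'}

# Constructed proxy log: "<ts> <client> <method> <url> <status> "<user-agent>""
PROXY_LOG = """\
2016-11-08T09:12:01Z 10.0.0.15 POST http://vpntap.top/r/z.php 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
2016-11-08T09:12:05Z 10.0.0.21 GET http://www.example.com/r/z.php 404 "Mozilla/5.0 (Windows NT 10.0) Firefox/49.0"
2016-11-08T09:12:09Z 10.0.0.15 POST http://fde05d0573da.bit/r/z.php 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
2016-11-08T09:13:00Z 10.0.0.33 GET http://intranet.example.com/index.php 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
"""

# Constructed DNS log: "<ts> <client> query <qname> via <resolver>"
DNS_LOG = """\
2016-11-08T09:12:08Z 10.0.0.15 query fde05d0573da.bit via dns.dot-bit.org
2016-11-08T09:12:30Z 10.0.0.21 query www.example.com via 10.0.0.2
"""

_PROXY = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
_DNS = re.compile(r'^(\S+) (\S+) query (\S+) via (\S+)$')


def score_http(method: str, url: str, ua: str) -> list:
    """Return the RTM traits of one request. The unusual path or a .bit host
    triggers a hit; the stock IE9 user-agent alone is too common to report."""
    parts = urlsplit(url)
    traits = []
    if parts.path == RTM_PATH:
        traits.append('path /r/z.php')
    if parts.hostname and parts.hostname.lower().endswith('.bit'):
        traits.append('.bit domain')
    if not traits:
        return []
    if method == 'POST' and ua == RTM_UA:
        traits.append('POST with RTM user-agent')
    return traits


def scan_proxy_log(text: str) -> list:
    """(client, url, traits) for every request that looks like RTM C&C traffic."""
    hits = []
    for line in text.splitlines():
        m = _PROXY.match(line)
        if not m:
            continue
        _ts, client, method, url, _status, ua = m.groups()
        traits = score_http(method, url, ua)
        if traits:
            hits.append((client, url, traits))
    return hits


def scan_dns_log(text: str) -> list:
    """(client, qname, reasons) for .bit lookups and use of the .bit resolvers."""
    hits = []
    for line in text.splitlines():
        m = _DNS.match(line)
        if not m:
            continue
        _ts, client, qname, resolver = m.groups()
        reasons = []
        if qname.lower().rstrip('.').endswith('.bit'):
            reasons.append('.bit TLD lookup')
        if resolver.lower() in BIT_RESOLVERS:
            reasons.append('query sent to ' + resolver)
        if reasons:
            hits.append((client, qname, reasons))
    return hits


if __name__ == '__main__':
    for hit in scan_proxy_log(PROXY_LOG) + scan_dns_log(DNS_LOG):
        print(hit)
```

Because RTM does not speak Namecoin itself, the DNS side is the cheaper control: an enterprise resolver can simply refuse to forward .bit queries, and any client seen talking to dns.dot-bit.org or an OpenNIC server directly is worth a look regardless of the name queried.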

4.3.4. Panel

We noticed that RTM uses a panel on the C&C servers. A screenshot is shown below:

4.4. Fingerprinting

RTM is a typical banking Trojan. Unsurprisingly, the operators want information about the victim's system. On the one hand, the bot collects general information about the OS. On the other hand, it detects whether the compromised system shows attributes associated with Russian remote banking systems.

4.4.1. General information

When the malware is installed or launched after a reboot, a report is sent to the command and control server containing general information, including:

  • time zone;
  • default system language;
  • the logged-in user's credentials;
  • process integrity level;
  • user name;
  • computer name;
  • OS version;
  • additional installed modules;
  • installed antivirus program;
  • list of smart card readers.

4.4.2. Remote banking systems

The usual target of a banking Trojan is the remote banking system, and RTM is no exception. One of the program's modules is called TBdo and performs various tasks, including scanning disks and the browser history.

By scanning the disk, the Trojan checks whether banking software is installed on the machine. The full list of target programs is in the table below. After detecting a file of interest, the program sends the information to the command server. Further actions depend on the logic implemented on the command and control (C&C) side.

RTM also looks for URL patterns in the browser history and open tabs. In addition, the program uses the FindFirstUrlCacheEntryA and FindNextUrlCacheEntryA functions to enumerate the URL cache, and checks each entry for a match against one of the following patterns:

After detecting open tabs, the Trojan contacts Internet Explorer or Firefox via Dynamic Data Exchange (DDE) to check whether the tab matches a pattern.

The browser history and open tabs are checked in an infinite loop (a loop with no exit condition) with a 1-second pause between checks. Other data monitored in real time is discussed in Section 4.5.

If a pattern is found, the program reports this to the command server using the list of strings from the following table:

4.5. Monitoring

While the Trojan is running, information about the characteristic features of the infected system (including the presence of banking software) is sent to the command and control server. Fingerprinting occurs when RTM first starts its monitoring system, immediately after the initial OS scan.

4.5.1. Remote banking

The TBdo module is also responsible for monitoring banking-related processes. It uses Dynamic Data Exchange to check tabs in Firefox and Internet Explorer during the initial scan. Another module, TShell, is used to monitor windows (Internet Explorer or File Explorer).

The module uses the COM interfaces IShellWindows, IWebBrowser, DWebBrowserEvents2 and IConnectionPointContainer to monitor windows. When the user navigates to a new web page, the malware notices it. It then compares the page URL with the patterns above. After detecting a match, the Trojan takes six consecutive screenshots at 5-second intervals and sends them to the C&C server. The program also checks for certain window titles associated with banking software; the full list is below:

4.5.2. Smart cards

RTM can monitor smart card readers connected to infected computers. In some countries these devices are used to confirm payment orders. If such a device is connected to a computer, it may indicate to the Trojan that the machine is used for banking transactions.

Unlike other banking Trojans, RTM cannot interact with such smart cards. This functionality is probably included in an additional module that we have not yet seen.

4.5.3. Keylogger

An important part of monitoring an infected PC is capturing keystrokes. It seems the RTM developers do not want to miss any information, since they monitor not only regular keys but also the virtual keyboard and the clipboard.

The SetWindowsHookExA function is used for this. The attackers log the pressed keys or the keys of the virtual keyboard, together with the program name and the date. The buffer is then sent to the C&C server.

The SetClipboardViewer function is used to intercept the clipboard. The attackers log the clipboard contents when the data is text. The name and date are also logged before the buffer is sent to the server.

4.5.4. Screenshots

Another RTM function is screenshot capture. The feature is used when the window monitoring system detects a site or banking software of interest. Screenshots are taken using a graphics library and transferred to the command server.

4.6. Uninstallation

The C&C server can stop the malware from running and clean up the computer. The command deletes the files and registry entries created while RTM was running. A DLL is then used to remove the malware and the winlogon file, after which the command shuts down the computer. As shown in the image below, the developers named the DLL used for removal erase.dll.

The server can also send the Trojan a destructive uninstall-lock command. In this case, with administrator rights, RTM erases the MBR boot sector of the hard drive. If this fails, the Trojan tries to move the MBR boot sector to a random sector, so that the computer cannot boot the OS after shutdown. This can lead to a complete reinstallation of the OS, which means destruction of evidence.

Without administrator privileges, the malware writes an .EXE that is embedded in the RTM core DLL. The executable runs the code needed to shut down the computer and registers itself in the HKCU\CurrentVersion\Run registry key. Every time the user starts a session, the computer immediately shuts down.

4.7. Configuration file

By default, RTM has almost no configuration file, but the command and control server can send configuration values that are stored in the registry and used by the program. The list of configuration keys is presented in the table below:

The configuration is stored in the Software\[Pseudo-random string] registry key. Each value corresponds to one of the rows presented in the previous table. Value names and data are encrypted using RTM's RC4 algorithm.

The data has the same structure as network or string data. A four-byte XOR key is placed at the beginning of the encrypted data. For configuration values the XOR key is different and depends on the size of the value. It can be calculated as follows:

xor_key = (len(config_value) << 24) | (len(config_value) << 16)
          | len(config_value) | (len(config_value) << 8)
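The following is an added example, not code from the report or from RTM, that puts the pieces of Sections 4.2 and 4.7 together: standard RC4 (KSA, then PRGA) with a keyed step inserted between them, and the configuration-value container of a 4-byte XOR key prefix followed by ciphertext, with the prefix computed from the value length by the formula above. Two things are assumptions of the example author: the intermediate step implemented here (the report's real step is only shown in a figure not reproduced on this page; any deterministic transform in that position keeps the scheme symmetric) and that the per-value XOR key is the "additional key" fed to that step. The prefix is packed little-endian, which is irrelevant for values shorter than 256 bytes since all four key bytes are then equal.

```python
"""Added example: RC4 with an intermediate keyed step (section 4.2) and the
length-derived XOR-key container used for RTM config values (section 4.7)."""
import struct


def rc4_ksa(key: bytes) -> list:
    """Standard RC4 key scheduling: permute the S-box with the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def intermediate_step(s: list, extra_key: bytes) -> list:
    """ASSUMED stand-in for RTM's step between KSA and PRGA: mix the
    per-message key into the S-box. Encryption and decryption rebuild
    the same S-box, so any deterministic transform keeps RC4 symmetric."""
    return [b ^ extra_key[i % len(extra_key)] for i, b in enumerate(s)]


def rc4_prga(s: list, data: bytes) -> bytes:
    """Standard RC4 keystream generation, XORed over the data."""
    s = s[:]
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def modified_rc4(key: bytes, extra_key: bytes, data: bytes) -> bytes:
    """KSA -> keyed intermediate step -> PRGA. Symmetric: call twice to decrypt."""
    return rc4_prga(intermediate_step(rc4_ksa(key), extra_key), data)


def config_xor_key(length: int) -> int:
    """The formula quoted above, masked to 32 bits."""
    return ((length << 24) | (length << 16) | length | (length << 8)) & 0xFFFFFFFF


def pack_config_value(key: bytes, value: bytes) -> bytes:
    """Store a value as a C&C-pushed config value would be: 4-byte XOR key
    prefix, then ciphertext produced with that prefix as the extra key."""
    xk = struct.pack('<I', config_xor_key(len(value)))
    return xk + modified_rc4(key, xk, value)


def unpack_config_value(key: bytes, blob: bytes) -> bytes:
    """Decrypt a stored value. The prefix must satisfy the length relation;
    that relation is what lets an analyst recognise RTM config blobs in
    the registry before knowing the RC4 key."""
    if len(blob) < 4:
        raise ValueError('blob too short for a 4-byte XOR key prefix')
    xk, body = blob[:4], blob[4:]
    if struct.unpack('<I', xk)[0] != config_xor_key(len(body)):
        raise ValueError('XOR-key prefix does not match the value length')
    return modified_rc4(key, xk, body)


if __name__ == '__main__':
    k = b'example-rc4-key'          # hypothetical key, not an RTM key
    blob = pack_config_value(k, b'bit3')
    print(blob.hex(), unpack_config_value(k, blob))
```

For a registry triage script the useful part is the length check alone: a REG_BINARY value whose first four bytes are all equal to (total length - 4) is a strong hint that it was written by this container, whatever the RC4 key turns out to be.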

4.8. Other functions

Next, let us look at some other functions RTM supports.

4.8.1. Additional modules

The Trojan includes additional modules, which are DLL files. Modules sent from the C&C server can be executed as external programs, mapped into memory and launched in new threads. For storage, modules are saved in .dtt files and encrypted using the RC4 algorithm with the same key used for network communication.

So far we have observed the installation of the VNC module (8966319882494077C21F66A8354E2CBCA0370464), the browser data extraction module (03DE8622BE6B2F75A364A275995C3411626C4D9F) and the 1c_2_kl module (SHA-1 not reproduced legibly in the source text).

To load the VNC module, the C&C server issues a command requesting a connection to the VNC server at a specific IP address on port 44443. The browser data retrieval module runs TBrowserDataCollector, which can read the IE browsing history. It then sends the full list of visited URLs to the C&C server.

The last module discovered is called 1c_2_kl. It can interact with the 1C: Enterprise software package. The module consists of two parts: the main part, a DLL, and two agents (32- and 64-bit) which are injected into every process by registering a WH_CBT hook. Once injected into the 1C process, the module hooks the CreateFile and WriteFile functions. Whenever the hooked CreateFile function is called, the module stores the path of 1c_to_kl.txt in memory. After intercepting the WriteFile call, it invokes the original WriteFile and sends the 1c_to_kl.txt file path to the main DLL module via a crafted WM_COPYDATA Windows message.

The main DLL module opens and parses the file to identify the payment orders. It recognizes the amount and the transaction number contained in the file. This information is sent to the command server. We believe this module is still under development, because it contains an error message and cannot yet modify 1c_to_kl.txt automatically.
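The file the module parses is the plain-text 1C-to-bank exchange file, and the fraud it is built for (Section 1) is a change to the payee account or amount between the moment 1C writes the file and the moment the banking client uploads it. The following is an added example, not the module's code and not 1C's: a parser that extracts the same fields the module reads (document number and amount) plus the accounts, and a diff that flags any payment whose amount or payee account changed between two copies of the file. Field names follow the 1CClientBankExchange text format as the example author understands it; the sample file is constructed, with fictitious account numbers.

```python
"""Added example: parse a 1c_to_kl.txt export (section 4.8.1) and detect
payee/amount substitution between the file 1C wrote and the file uploaded."""
from decimal import Decimal

# Constructed 1CClientBankExchange export with two payment orders.
ORIGINAL_EXPORT = """\
1CClientBankExchange
ВерсияФормата=1.02
Кодировка=Windows
Отправитель=Бухгалтерия предприятия
СекцияДокумент=Платежное поручение
Номер=17
Дата=08.11.2016
Сумма=125000.00
ПлательщикСчет=40702810900000001234
ПолучательСчет=40702810100000005678
Получатель=ООО Поставщик
КонецДокумента
СекцияДокумент=Платежное поручение
Номер=18
Дата=08.11.2016
Сумма=4800.00
ПлательщикСчет=40702810900000001234
ПолучательСчет=40817810200000009999
Получатель=Иванов И.И.
КонецДокумента
КонецФайла
"""

# The same file with document 17 redirected to a mule account (constructed).
TAMPERED_EXPORT = ORIGINAL_EXPORT.replace('40702810100000005678',
                                          '40817810600000004242')


def parse_1c_export(text: str) -> list:
    """One dict per СекцияДокумент block: the number and amount the trojan
    module reads, plus the accounts needed for the tamper check."""
    docs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('СекцияДокумент='):
            current = {'type': line.split('=', 1)[1]}
        elif line == 'КонецДокумента' and current is not None:
            docs.append(current)
            current = None
        elif current is not None and '=' in line:
            k, v = line.split('=', 1)
            current[k] = v
    if current is not None:
        raise ValueError('unterminated СекцияДокумент block')
    return [{'number': d.get('Номер'),
             'amount': Decimal(d['Сумма']) if 'Сумма' in d else None,
             'payer_account': d.get('ПлательщикСчет'),
             'payee_account': d.get('ПолучательСчет'),
             'payee': d.get('Получатель')} for d in docs]


def diff_payments(original: str, uploaded: str) -> list:
    """(number, description) for each payment whose amount or payee account
    differs between the export 1C produced and the file sent to the bank."""
    before = {d['number']: d for d in parse_1c_export(original)}
    after = {d['number']: d for d in parse_1c_export(uploaded)}
    changed = []
    for num in sorted(set(before) | set(after), key=lambda n: (n is None, n)):
        a, b = before.get(num), after.get(num)
        if a is None or b is None:
            changed.append((num, 'document added or removed'))
        elif (a['amount'], a['payee_account']) != (b['amount'], b['payee_account']):
            changed.append((num, f"changed {a['payee_account']}/{a['amount']} "
                                 f"-> {b['payee_account']}/{b['amount']}"))
    return changed


if __name__ == '__main__':
    for num, why in diff_payments(ORIGINAL_EXPORT, TAMPERED_EXPORT):
        print(f'payment {num}: {why}')
```

In practice the "original" copy would be a hash or snapshot taken by the accounting system at export time, so that the comparison happens on a host the trojan's WriteFile hook cannot reach; comparing two files on the same infected machine only helps once the substitution has already been made.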

4.8.2. Privilege escalation

RTM may try to escalate privileges by displaying fake error messages. The malware imitates a registry check (see the image below) or uses the genuine registry editor icon. Note the misspelling of "wait". After a few seconds of supposed scanning, the program displays a fake error message.

The fake message easily fools an average user, despite its grammatical errors. If the user clicks one of the two links, RTM tries to escalate privileges on the system.

After one of the two "recovery" options is selected, the Trojan launches its DLL using the runas verb of the ShellExecute function to request administrator privileges. The user then sees a genuine Windows elevation prompt (see the image below). If the user grants the permissions, the Trojan runs with administrator privileges.

Depending on the default language installed on the system, the Trojan displays the error messages in Russian or English.

4.8.3. Certificate

RTM can add certificates to the Windows certificate store and confirm the addition by automatically clicking the "Yes" button in the csrss.exe dialog box. This behaviour is not new; for example, the Retefe banking Trojan also confirms the installation of a new certificate by itself.

4.8.4. Backconnect

The RTM authors also created a backconnect TCP tunnel. We have not yet seen the feature in use, but it is designed for remote monitoring of infected computers.

4.8.5. Hosts file management

The C&C server can send the Trojan a command to modify the Windows hosts file. The hosts file is used to create custom DNS resolutions.

4.8.6. Find and send a file

The server can request a search for a file on the infected system and its upload. For example, during the investigation we received a request for the file 1c_to_kl.txt. As described earlier, this file is generated by the 1C: Enterprise 8 accounting system.

4.8.7. Update

Finally, the RTM authors can update the software by delivering a new DLL to replace the current version.

5. Conclusion

The analysis of RTM shows that the Russian banking system still attracts cyber attackers. Groups such as Buhtrap, Corkow and Carbanak have successfully stolen money from financial institutions and their customers in Russia. RTM is a new player in this field.

RTM's malicious tools have been in use since at least late 2015, according to ESET telemetry. The program has a full range of spying capabilities, including reading smart cards, intercepting keystrokes and monitoring banking transactions, as well as searching for 1C: Enterprise 8 transport files.

The use of a decentralized, uncensorable top-level domain.

Source: www.habr.com