A karshen watan Mayu, mun gano wani kamfen don rarraba malware ta hanyar isa ga Nesa (RAT) - shirye-shiryen da ke ba maharan damar sarrafa tsarin kamuwa da cuta.
Ƙungiyar da muka bincika ta bambanta da gaskiyar cewa ba ta zaɓi wani takamaiman dangin RAT don kamuwa da cuta ba. An lura da Trojans da yawa a cikin hare-hare a cikin yaƙin neman zaɓe (dukkan su suna da yawa). Tare da wannan fasalin, ƙungiyar ta tunatar da mu game da sarkin bera - dabbar tatsuniya wacce ta ƙunshi rodents tare da wutsiyoyi masu alaƙa.
An samo asali daga rubutun ta KN Rossikov "Mice da linzamin kwamfuta-kamar rodents, mafi mahimmancin tattalin arziki" (1908)
Don girmama wannan halitta, mun sanya sunan kungiyar da muke la'akari da RATKing. A cikin wannan sakon, za mu yi bayani dalla-dalla game da yadda maharan suka kai harin, da irin kayan aikin da suka yi amfani da su, da kuma raba ra'ayoyinmu kan ra'ayi na wannan yakin.
Ci gaban harin
Dukkan hare-hare a cikin wannan kamfen sun faru ne bisa ga algorithm mai zuwa:
Mai amfani ya karɓi imel ɗin phishing tare da hanyar haɗi zuwa Google Drive.
Yin amfani da hanyar haɗin yanar gizon, wanda aka azabtar ya zazzage wani mugun rubutun VBS wanda ya ƙayyadad da ɗakin karatu na DLL don ɗora nauyin kaya na ƙarshe a cikin rajistar Windows kuma ya ƙaddamar da PowerShell don aiwatar da shi.
Laburaren DLL ya yi allurar nauyin biyan kuɗi na ƙarshe - a haƙiƙa, ɗaya daga cikin RATs da maharan ke amfani da su - cikin tsarin tsarin kuma sun yi rajistar rubutun VBS a cikin autorun don samun gindin zama a cikin injin da ya kamu da cutar.
An aiwatar da nauyin biyan kuɗi na ƙarshe a cikin tsarin tsari kuma ya ba maharin ikon sarrafa kwamfutar da ta kamu da cutar.
A tsari za a iya wakilta kamar haka:
Na gaba, za mu mai da hankali kan matakai uku na farko, tunda muna sha'awar tsarin isar da malware. Ba za mu bayyana dalla-dalla tsarin aikin malware ɗin kansa ba. Ana samun su ko'ina - ko dai ana siyar da su akan taruka na musamman, ko ma ana rarraba su azaman ayyukan buɗaɗɗen tushe - don haka ba su keɓanta ga rukunin RATKing ba.
Binciken matakan kai hari
Mataki na 1. Imel na phishing
Harin ya fara ne da wanda aka azabtar ya karɓi wasiƙar mugunta (masu hari sun yi amfani da samfura daban-daban tare da rubutu; hoton da ke ƙasa yana nuna misali ɗaya). Saƙon ya ƙunshi hanyar haɗi zuwa wurin ajiyar halal drive.google.com, wanda ake zaton ya kai ga shafin zazzage daftarin aiki na PDF.
Misalin imel na phishing
Koyaya, a zahiri, ba takaddun PDF ba ne aka ɗora shi kwata-kwata, amma rubutun VBS.
Lokacin da ka danna mahaɗin daga imel ɗin a cikin hoton da ke sama, fayil mai suna Cargo Flight Details.vbs. A wannan yanayin, maharan ba su ma yi ƙoƙari su ɓad da fayil ɗin a matsayin halaltacciyar takarda ba.
A lokaci guda, a matsayin wani ɓangare na wannan kamfen, mun gano wani rubutun mai suna Cargo Trip Detail.pdf.vbs. Zai iya riga ya wuce don halaltaccen PDF saboda Windows yana ɓoye kari na fayil ta tsohuwa. Gaskiya ne, a cikin wannan yanayin, har yanzu ana iya tayar da zato ta gunkinsa, wanda ya dace da rubutun VBS.
A wannan mataki, wanda aka azabtar zai iya gane yaudarar: kawai ku dubi fayilolin da aka sauke na dakika daya. Koyaya, a cikin irin waɗannan kamfen ɗin phishing, maharan galibi suna dogara ga mai amfani mara hankali ko gaugawa.
Mataki na 2. Ayyukan rubutun VBS
Rubutun VBS, wanda mai amfani zai iya buɗewa ba da gangan ba, ya yi rajistar ɗakin karatu na DLL a cikin rajistar Windows. Rubutun ya ruɗe: an rubuta layukan da ke cikinsa a matsayin bytes da wani hali na sabani ya raba.
Misalin rubutun rufaffe
Algorithm na deobfuscation abu ne mai sauƙi: kowane hali na uku an cire shi daga igiyar da ba a rufe ba, bayan haka an yanke sakamakon daga tushe16 zuwa asalin kirtani. Misali, daga darajar 57Q53s63t72s69J70r74e2El53v68m65j6CH6Ct (wanda aka haskaka a hoton da ke sama) sakamakon layin ya kasance WScript.Shell.
Don warware kirtani, mun yi amfani da aikin Python:
def decode_str(data_enc):
return binascii.unhexlify(''.join([data_enc[i:i+2] for i in range(0, len(data_enc), 3)]))
A ƙasa, akan layi na 9 – 10, muna haskaka ƙimar wanda ɓarnawarsa ya haifar da fayil ɗin DLL. Shi ne wanda aka kaddamar a mataki na gaba ta amfani da PowerShell.
Zaure tare da obfused DLL
An aiwatar da kowane aiki a cikin rubutun VBS yayin da aka cire kirtani.
Bayan gudanar da rubutun, an kira aikin wscript.sleep - an yi amfani da shi don aiwatar da kisa da aka jinkirta.
Bayan haka, rubutun yayi aiki tare da rajistar Windows. Ya yi amfani da fasahar WMI don wannan. Tare da taimakonsa, an ƙirƙiri maɓalli na musamman, kuma an rubuta jikin fayil ɗin da za a iya aiwatarwa zuwa sigar sa. An isa wurin yin rajista ta hanyar WMI ta amfani da umarni mai zuwa:
A mataki na uku, DLL mai ƙeta ya ɗora nauyin kaya na ƙarshe, ya shigar da shi cikin tsarin tsarin, kuma ya tabbatar da cewa rubutun VBS ya fara atomatik lokacin da mai amfani ya shiga.
Gudu ta hanyar PowerShell
An kashe DLL ta amfani da umarni mai zuwa a cikin PowerShell:
an karɓi bayanan ƙimar rajista tare da suna rnd_value_name - wannan bayanan fayil din DLL ne da aka rubuta akan dandalin .Net;
ɗora Kwatancen .Net module ɗin da aka samu cikin ƙwaƙwalwar tsari powershell.exe amfani da aikin [System.Threading.Thread]::GetDomain().Load()(cikakken bayanin aikin Load(). akwai a gidan yanar gizon Microsoft);
yayi aikin GUyyvmzVhebFCw]::EhwwK() - an fara aiwatar da ɗakin karatu na DLL da shi - tare da sigogi vbsScriptPath, xorKey, vbsScriptName. Siga xorKey an adana maɓalli don ƙaddamar da ƙimar ƙarshe, da sigogi vbsScriptPath и vbsScriptName an canza su don yin rijistar rubutun VBS a cikin autorun.
Bayanin ɗakin karatu na DLL
A cikin sigar da ba a tattara ba, bootloader yayi kama da haka:
Loader a cikin nau'i mai ɓarna (aikin da aka fara aiwatar da ɗakin karatu na DLL yana ƙarƙashin ja).
Ana kiyaye bootloader ta .Net Reactor kariya. De4dot mai amfani yana yin kyakkyawan aiki na cire wannan mai karewa.
Wannan Loader:
allurar da aka biya a cikin tsarin tsarin (a cikin wannan misalin shi svchost.exe);
Na kara rubutun VBS zuwa autorun.
Allurar biya
Bari mu kalli aikin da rubutun PowerShell ya kira.
Ayyukan da ake kira ta rubutun PowerShell
Wannan aikin ya yi ayyuka masu zuwa:
saitin bayanai guda biyu (array и array2 a cikin screenshot). An matsa su ta asali ta amfani da gzip kuma an rufaffen su tare da XOR algorithm tare da maɓalli xorKey;
kwafi bayanai zuwa wuraren da aka keɓe. Bayanai daga array - zuwa wurin ƙwaƙwalwar ajiya da aka nuna intPtr (payload pointer a cikin hoton allo; data daga array2 - zuwa wurin ƙwaƙwalwar ajiya da aka nuna intPtr2 (shellcode pointer a cikin hoton allo;
ake kira aikin CallWindowProcA(kwatancin Ana samun wannan aikin akan gidan yanar gizon Microsoft) tare da sigogi masu zuwa (sunan sigogin an jera su a ƙasa, a cikin hoton hoton suna cikin tsari iri ɗaya, amma tare da ƙimar aiki):
lpPrevWndFunc - mai nuna bayanai daga array2;
hWnd - mai nuni ga kirtani mai ɗauke da hanyar zuwa fayil ɗin da za a iya aiwatarwa svchost.exe;
Msg - mai nuna bayanai daga array;
wParam, lParam - sigogin saƙo (a wannan yanayin, ba a yi amfani da waɗannan sigogi ba kuma suna da ƙimar 0);
halitta fayil %AppData%MicrosoftWindowsStart MenuProgramsStartup<name>.urlinda <name> - Waɗannan su ne haruffa 4 na farko na siga vbsScriptName (a cikin hoton allo, guntun lambar tare da wannan aikin yana farawa da umarnin File.Copy). Ta wannan hanyar, malware ɗin ya ƙara fayil ɗin URL zuwa jerin fayilolin autorun lokacin da mai amfani ya shiga kuma ta haka ya zama makala ga kwamfutar da ta kamu da cutar. Fayil ɗin URL ya ƙunshi hanyar haɗi zuwa rubutun:
Don fahimtar yadda aka yi allurar, mun ɓoye bayanan bayanan array и array2. Don yin wannan, mun yi amfani da aikin Python mai zuwa:
def decrypt(data, key):
return gzip.decompress(
bytearray([data[i] ^ key[i % len(key)] for i in range(len(data))])[4:])
A sakamakon haka, mun gano cewa:
array Fayil ɗin PE ne - wannan shine ɗaukar nauyi na ƙarshe;
array2 shine lambar shell da ake buƙata don aiwatar da allurar.
Shellcode daga tsararru array2 wuce azaman ƙimar aiki lpPrevWndFunc cikin aiki CallWindowProcA. lpPrevWndFunc - Aikin dawo da kira, samfurin sa yayi kama da haka:
Don haka lokacin da kuke gudanar da aikin CallWindowProcA tare da sigogi hWnd, Msg, wParam, lParam Shellcode daga tsararru ana aiwatar da shi array2 tare da jayayya hWnd и Msg. hWnd mai nuni ne ga kirtani mai ɗauke da hanyar zuwa fayil ɗin da za a iya aiwatarwa svchost.exeda kuma Msg - mai nuni ga kaya na ƙarshe.
Lambar shell ta karɓi adiresoshin ayyuka daga kernel32.dll и ntdll32.dll bisa la'akari da ƙimar zanta daga sunayensu kuma an yi musu allura na ƙarshe a cikin ƙwaƙwalwar ajiya svchost.exeta amfani da dabarar Hollowing Process (zaku iya karanta ƙarin game da shi a cikin wannan labarin). Lokacin yin allurar shellcode:
halitta tsari svchost.exe a cikin yanayin da aka dakatar ta amfani da aikin CreateProcessW;
sa'an nan kuma ɓoye nunin sashin a cikin sararin adireshi na tsari svchost.exe amfani da aikin NtUnmapViewOfSection. Don haka, shirin ya 'yantar da ƙwaƙwalwar ajiyar tsarin asali svchost.exeto sai a ware memory ga abin da ake biya a wannan adireshin;
Ƙwaƙwalwar ajiya da aka keɓe don ɗaukar nauyi a cikin sararin adireshin tsari svchost.exe amfani da aikin VirtualAllocEx;
Fara tsarin allura
ya rubuta abubuwan da ke cikin nauyin biyan kuɗi zuwa sararin adireshin tsari svchost.exe amfani da aikin WriteProcessMemory (kamar yadda a cikin hoton da ke ƙasa);
ya ci gaba da aiki svchost.exe amfani da aikin ResumeThread.
Kammala aikin allura
malware mai saukewa
Sakamakon ayyukan da aka bayyana, an shigar da ɗaya daga cikin nau'ikan malware da yawa na RAT akan tsarin cutar. Teburin da ke ƙasa ya lissafa malware da aka yi amfani da su a harin, wanda za mu iya amincewa da shi ga rukunin maharan guda ɗaya, tun da samfuran sun sami dama ga umarni da sabar sarrafawa iri ɗaya.
Misalai na malware da aka rarraba tare da uwar garken sarrafawa iri ɗaya
Abubuwa biyu abin lura anan.
Na farko, ainihin gaskiyar cewa maharan sun yi amfani da iyalai RAT daban-daban lokaci guda. Wannan ɗabi'a ba ta dace da sanannun ƙungiyoyin Intanet ba, waɗanda galibi ke amfani da kusan saitin kayan aikin da suka saba da su.
Abu na biyu, RATKing ya yi amfani da malware wanda ko dai ana siyar da shi akan taruka na musamman akan farashi mai rahusa, ko ma aikin buɗaɗɗen tushe ne.
An ba da ƙarin cikakken jerin malware da aka yi amfani da su a cikin yaƙin neman zaɓe-tare da faɗakarwa ɗaya mai mahimmanci-a ƙarshen labarin.
Game da kungiyar
Ba za mu iya danganta kamfen ɗin da aka kwatanta ga kowane sanannen maharan. A yanzu, mun yi imanin cewa wata sabuwar kungiya ce ta kai wadannan hare-hare. Kamar yadda muka rubuta a farkon, mun kira shi RATKing.
Don ƙirƙirar rubutun VBS, ƙila ƙungiyar ta yi amfani da kayan aiki mai kama da mai amfani VBS-Crypter daga mai haɓakawa NYAN-x-CAT. Ana nuna wannan ta kamannin rubutun da wannan shirin ke haifarwa tare da rubutun maharan. Musamman, su biyun:
aiwatar da jinkirin kisa ta amfani da aikin Sleep;
amfani da WMI;
yi rajistar jikin fayil ɗin da za a iya aiwatarwa azaman madaidaicin maɓallin rajista;
aiwatar da wannan fayil ta amfani da PowerShell a cikin sararin adireshinsa.
Don tsabta, kwatanta umarnin PowerShell don gudanar da fayil daga wurin yin rajista, wanda rubutun da aka ƙirƙira ke amfani da shi ta amfani da VBS-Crypter:
Lura cewa maharan sun yi amfani da wani kayan aiki daga NYAN-x-CAT a matsayin ɗaya daga cikin abubuwan da aka biya - LimeRAT.
Adireshin sabar C&C suna nuna wani fasali na musamman na RATKing: ƙungiyar ta fi son ayyukan DNS masu ƙarfi (duba jerin C&Cs a cikin tebur na IoC).
IoC
Teburin da ke ƙasa yana ba da cikakken jerin rubutun VBS waɗanda za a iya danganta su ga yakin da aka kwatanta. Duk waɗannan rubutun suna kama da juna kuma suna yin kusan jerin ayyuka iri ɗaya. Dukkansu suna shigar da malware ajin RAT cikin amintaccen tsarin Windows. Dukkansu suna da adiresoshin C&C masu rijista ta amfani da sabis na DNS mai ƙarfi.
Duk da haka, ba za mu iya da'awar cewa duk waɗannan rubutun maharan iri ɗaya ne suka rarraba su ba, ban da samfurori masu adiresoshin C&C iri ɗaya (misali, kimjoy007.dyndns.org).