Attackers use sophisticated malware to attack Russian businesses

Since the end of last year we have been tracking a new malicious campaign distributing a banking Trojan. The attackers concentrate on compromising Russian companies, that is, corporate users. The campaign has been active for at least a year and, besides the banking Trojan, the attackers have brought in a number of other software tools. These include a custom loader packed with NSIS and spyware disguised as the well-known legitimate Yandex Punto software. Once the attackers had compromised the victim's computer, they installed a backdoor and then the banking Trojan.


For their malware the attackers used several digital certificates that were valid at the time, along with special techniques for bypassing AV products. The campaign affected a large number of Russian banks and is of particular interest because the attackers used methods typical of targeted attacks, that is, attacks that do not pursue purely fraudulent goals. Some similarities can be seen between this campaign and a major incident that received wide publicity earlier: the cybercriminal group that used the Anunak/Carbanak banking Trojan.

The attackers installed the malware only on computers whose Windows default language (locale) was Russian. The main vector for distributing the Trojan was a Word document with an exploit for CVE-2012-0158, sent as an e-mail attachment. The screenshots below show what these decoy documents look like. The first document is titled "Invoice No. 522375-FLORL-14-115.doc", the second "kontrakt87.doc", a copy of a contract for mobile telecommunications services from the operator Megafon.

Fig. 1. Phishing document.

Fig. 2. Another variant of the phishing document.

The following facts indicate that the attackers targeted Russian businesses:

  • distribution of malware using decoy documents on a specific subject;
  • the attackers' tactics and the malicious tools they use;
  • references to business applications in some of the executable modules;
  • the domain names used in this campaign.

The custom tools that the attackers install on a compromised system give them remote control over it and let them monitor user activity. To do this they install a backdoor and then try to obtain the Windows account password or create a new account. The attackers also use a keylogger, a Windows clipboard stealer and special software for working with smart cards. The group attempted to compromise other computers on the same local network as the victim's machine.

Our ESET LiveGrid telemetry system, which lets us track malware distribution statistics quickly, gave us interesting geographic statistics on the distribution of the malware used in this campaign.

Fig. 3. Geographic distribution statistics for the malware used in this campaign.

Malware installation

After the user opens the malicious document with the exploit on a vulnerable system, a custom downloader packed with NSIS is downloaded and executed. At the start of its work, the program checks the Windows environment for the presence of debuggers and for execution inside a virtual machine. It also checks the Windows locale and whether the user has visited, in the browser, any of the URLs from its built-in table (shown in the original as an image). For this it uses the FindFirstUrlCacheEntry/FindNextUrlCacheEntry APIs and the registry key Software\Microsoft\Internet Explorer\TypedURLs.


The loader also checks the system for the presence of the following applications.


The list of applications is genuinely interesting and, as you can see, includes more than just banking applications. For example, the executable named "scardsvr.exe" refers to smart-card software (the Microsoft Smart Card service). The banking Trojan itself includes the ability to work with smart cards.

Fig. 4. General diagram of the malware installation process.

If all checks pass, the loader downloads a special file (an archive) from the remote server containing all the malicious executable modules used by the attackers. It is worth noting that the archive downloaded from the remote C&C server can differ depending on the outcome of the checks above: it may or may not be malicious. If it is not malicious, it installs the Windows Live Toolbar for the user. Most likely the attackers used this trick to deceive automated file-analysis systems and the virtual machines in which suspicious files are executed.
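As an added illustration (not code from the article or from the malware), the following Python re-implements the loader's gating logic described in the two paragraphs above, so it is clear why a sandbox or analyst VM receives the decoy Windows Live Toolbar archive. The watchlist patterns, the `.reg` export of TypedURLs and the locale values are constructed for this example; the real URL table is the one shown only as an image in the article.

```python
import re
from dataclasses import dataclass, field

# Hypothetical watchlist standing in for the loader's built-in URL table
# (the real table is only shown as an image in the article).
WATCHLIST = [
    r"^https?://([^/]+\.)?bank-example\.ru/",
    r"^https?://client\.example-ibank\.ru/",
]

# Constructed .reg export of the TypedURLs key the loader reads.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="https://client.example-ibank.ru/login"
"url2"="http://news.example.com/"
"url3"="https://www.bank-example.ru/"
"""

TYPED_URL_RE = re.compile(r'^"url\d+"="(.*)"$', re.M)


def parse_typed_urls(reg_text: str) -> list:
    """Pull the url<N> values out of a .reg export of the TypedURLs key."""
    return TYPED_URL_RE.findall(reg_text)


@dataclass
class HostProfile:
    locale: str                # Windows user locale, e.g. "ru-RU"
    debugger_present: bool     # outcome of the loader's anti-debug check
    in_vm: bool                # outcome of the loader's VM check
    typed_urls: list = field(default_factory=list)   # from TypedURLs
    cache_urls: list = field(default_factory=list)   # from FindFirst/NextUrlCacheEntry


def visited_targets(urls, watchlist=WATCHLIST) -> list:
    """Return the history entries that match the watchlist."""
    pats = [re.compile(p, re.I) for p in watchlist]
    return [u for u in urls if any(p.search(u) for p in pats)]


def choose_payload(profile: HostProfile) -> tuple:
    """Mirror the article's description: any failed check yields the decoy
    (Windows Live Toolbar) archive; only a Russian-locale host that has
    visited a target site gets the malicious 7z archive."""
    if profile.debugger_present or profile.in_vm:
        return "decoy", "analysis environment detected"
    if not profile.locale.lower().startswith("ru"):
        return "decoy", "non-Russian locale"
    hits = visited_targets(profile.typed_urls + profile.cache_urls)
    if not hits:
        return "decoy", "no target URLs in browser history"
    return "malicious", "matched: " + ", ".join(hits)


if __name__ == "__main__":
    urls = parse_typed_urls(SAMPLE_REG)
    for p in (HostProfile("ru-RU", False, True, urls),     # sandbox VM
              HostProfile("en-US", False, False, urls),    # wrong locale
              HostProfile("ru-RU", False, False, urls)):   # real target
        print(p.locale, "vm=%s" % p.in_vm, choose_payload(p))
```

The practical consequence for analysts is the last branch: a detonation VM with a Russian locale but an empty browser history still receives the decoy, so reproducing the malicious download requires seeding TypedURLs and the IE cache with URLs from the loader's table.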

The file fetched by the NSIS downloader is a 7z archive containing the various malware modules. The figure below shows the overall installation process of this malware and its modules.

Fig. 5. General scheme of how the malware operates.

Although the downloaded modules serve different purposes for the attackers, they are all packed the same way and most of them are signed with valid digital certificates. We found four such certificates that the attackers have used since the start of the campaign. After our complaint these certificates were revoked. It is notable that all of the certificates were issued to companies registered in Moscow.

Fig. 6. Digital certificate used to sign the malware.

The following table (shown in the original as an image) lists the digital certificates that the attackers used in this campaign.


Almost all of the malicious modules used by the attackers have the same installation procedure: they are password-protected self-extracting 7zip archives.

Fig. 7. Fragment of the batch .cmd file.

The batch .cmd file is responsible for installing the malware on the system and launching the attackers' various tools. If execution requires administrative rights that the current account lacks, the malicious code uses several methods to obtain them (UAC bypass). The first method uses two executables named l1.exe and cc1.exe, which bypass UAC using the leaked Carberp source code. The other method relies on exploiting CVE-2013-3660. Each malware module that needs privilege escalation carries both 32-bit and 64-bit versions of the exploit.

While tracking this campaign we analyzed several archives fetched by the downloader. Their contents varied, meaning the attackers can tailor the set of malicious modules to different purposes.

Compromising the user

As mentioned above, the attackers use special tools to compromise users' computers. These include programs with the executable file names mimi.exe and xtm.exe. They help the attackers take control of the victim's computer and are designed for the following tasks: obtaining or recovering Windows account passwords, enabling the RDP service, and creating a new account in the OS.

The mimi.exe executable contains a modified version of the well-known open-source tool Mimikatz, which retrieves the passwords of Windows user accounts. The attackers removed the part of Mimikatz responsible for user interaction and altered the executable code so that, when launched, Mimikatz runs the privilege::debug and sekurlsa::logonPasswords commands.

Another executable, xtm.exe, launches special scripts that enable the RDP service on the system, attempt to create a new account in the OS, and change system settings so that several users can connect to the compromised computer over RDP at the same time. These steps are obviously needed to gain full control over the compromised system.

Fig. 8. Commands executed by xtm.exe on the system.
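As an added example (not code from the article, and not the attackers' scripts), the following Python runs simple detection logic for the post-compromise steps attributed above to mimi.exe and xtm.exe over constructed Windows log records. Event IDs 4688 (process creation) and 4720 (user account created) are real Security-log events and event 10 is Sysmon ProcessAccess; the command lines are typical equivalents of the actions described (enable RDP, allow multiple sessions, open the firewall, add an account) and are assumed here because the article shows the real ones only as a screenshot. The normalised "User" field is also an assumption about the collector.

```python
import re
from collections import defaultdict

# Constructed records in a normalised shape: (event_id, fields).
# 4688/4720 are Windows Security log events, 10 is Sysmon ProcessAccess.
# The "User" field is assumed to have been normalised by the log collector.
SAMPLE_EVENTS = [
    (10,   {"User": "ivanov", "SourceImage": r"C:\Users\ivanov\AppData\Local\Temp\mimi.exe",
            "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
    (4688, {"User": "ivanov", "NewProcessName": r"C:\Windows\System32\reg.exe",
            "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'}),
    (4688, {"User": "ivanov", "NewProcessName": r"C:\Windows\System32\reg.exe",
            "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f'}),
    (4688, {"User": "ivanov", "NewProcessName": r"C:\Windows\System32\net.exe",
            "CommandLine": "net user support_88 P@ssw0rd1 /add"}),
    (4720, {"User": "ivanov", "TargetUserName": "support_88"}),
    (4688, {"User": "ivanov", "NewProcessName": r"C:\Windows\System32\netsh.exe",
            "CommandLine": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'}),
    # Benign activity from another user: a read-only query and a routine account creation.
    (4688, {"User": "petrov", "NewProcessName": r"C:\Windows\System32\reg.exe",
            "CommandLine": r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'}),
    (4720, {"User": "petrov", "TargetUserName": "intern_2024"}),
]

RULES = [
    # (rule name, event id, field to inspect, pattern)
    ("lsass_access",          10,   "TargetImage",    re.compile(r"\\lsass\.exe$", re.I)),
    ("rdp_enabled_registry",  4688, "CommandLine",    re.compile(r"fDenyTSConnections\b.*\s/d\s+0\b", re.I)),
    ("rdp_multi_session",     4688, "CommandLine",    re.compile(r"fSingleSessionPerUser\b.*\s/d\s+0\b", re.I)),
    ("rdp_firewall_opened",   4688, "CommandLine",    re.compile(r"netsh\s+advfirewall.*remote desktop.*enable=yes", re.I)),
    ("net_user_add",          4688, "CommandLine",    re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("local_account_created", 4720, "TargetUserName", re.compile(r".+")),
]


def match_rules(events):
    """Yield (rule name, user) for every record that matches a rule."""
    for event_id, fields in events:
        for name, rule_id, field_name, pat in RULES:
            if event_id == rule_id and pat.search(fields.get(field_name, "")):
                yield name, fields.get("User", "?")


def assess(events, threshold=3):
    """Group distinct rule hits per user and flag users whose activity covers
    at least `threshold` steps of the enable-RDP + new-account playbook.
    Single hits (one account creation, one LSASS read) are common noise;
    the combination is what identifies this tooling."""
    by_user = defaultdict(set)
    for name, user in match_rules(events):
        by_user[user].add(name)
    return {u: sorted(n) for u, n in by_user.items() if len(n) >= threshold}


if __name__ == "__main__":
    for user, steps in assess(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {', '.join(steps)}")
```

Because the attackers stripped Mimikatz's command-line handling, a rule on `sekurlsa::logonPasswords` in process command lines would never fire against mimi.exe; the LSASS ProcessAccess rule is the one that still catches it.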

The attackers also use an executable named impack.exe to install special software on the system. This software is called LiteManager, and the attackers use it as a backdoor.

Fig. 9. LiteManager interface.

Once installed on a user's system, LiteManager lets the attackers connect directly to that system and control it remotely. The software has special command-line parameters for hidden installation, for creating dedicated firewall rules and for launching its module. The attackers use all of these parameters.

The last module of the malware package is the banking malware itself (the banker), with the executable file name pn_pack.exe. It specializes in spying on the user and is responsible for interaction with the C&C server. The banker is launched through the legitimate Yandex Punto software: the attackers use Punto to load malicious DLL libraries (DLL side-loading). The malware itself can perform the following functions:

  • record keystrokes and clipboard contents for later transmission to a remote server;
  • enumerate all smart cards present in the system;
  • interact with the remote C&C server.

The malware module responsible for all of these functions is an encrypted DLL library. It is decrypted and loaded into memory while Punto is running. To perform the functions above, the DLL's executable code starts three threads.

The attackers' choice of Punto for their purposes is not surprising: some Russian forums openly provide detailed information on topics such as using flaws in legitimate software to compromise users.

The malicious library uses the RC4 algorithm to encrypt its strings and also its network traffic to the C&C server. It contacts the server every two minutes and transmits all the data collected on the compromised system during that interval.

Fig. 10. Breakdown of the network exchange between the bot and the server.

Below are some of the C&C server commands that the library can receive (listed in the original as an image).


On receiving a command from the C&C server, the malware replies with a status code. It is notable that every banker module we analyzed (the most recent dated January 18th) contains the string "TEST_BOTNET", which is sent in every message to the C&C server.
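As an added example (not code from the article or from the malware), the following Python implements RC4 as the banker module is said to use it for its strings and C&C traffic, encrypts a constructed beacon carrying the TEST_BOTNET string noted above, and shows how that fixed marker doubles as a known-plaintext check for confirming a recovered key. The key, the bot ID and the beacon layout are assumptions for illustration; the article does not publish the real key or wire format.

```python
from typing import Iterable, Optional


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute the 256-byte state under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA keystream XORed with the data; RC4 is symmetric, so the same
    call both encrypts and decrypts."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


MARKER = b"TEST_BOTNET"           # string the article reports in every beacon
ASSUMED_KEY = b"example-rc4-key"  # hypothetical; the real key is not published


def build_beacon(bot_id: str, collected: bytes, key: bytes = ASSUMED_KEY) -> bytes:
    """Constructed wire layout: marker|bot id|collected data, RC4-encrypted.
    The real format is only shown as a diagram in the article."""
    return rc4_crypt(key, MARKER + b"|" + bot_id.encode() + b"|" + collected)


def looks_like_banker_beacon(blob: bytes, key: bytes = ASSUMED_KEY) -> bool:
    """Decrypt and test for the fixed marker at the start of the message."""
    return rc4_crypt(key, blob).startswith(MARKER)


def recover_key(blob: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Known-plaintext check: the first len(MARKER) keystream bytes must equal
    ciphertext XOR marker, so only the right key reproduces the marker.
    Candidate keys would come from strings pulled out of the unpacked DLL."""
    for k in candidates:
        if looks_like_banker_beacon(blob, k):
            return k
    return None


if __name__ == "__main__":
    blob = build_beacon("bot-01", b"keys=hello;clip=world")
    print("ciphertext:", blob.hex())
    print("marker present:", looks_like_banker_beacon(blob))
    print("recovered key:", recover_key(blob, [b"wrong", b"guess", ASSUMED_KEY]))
```

A fixed cleartext marker at a fixed offset is exactly the weakness that makes a stream cipher like RC4 convenient for defenders: with one captured beacon, any candidate key can be confirmed or rejected in microseconds without knowing the rest of the message.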

Conclusion

To compromise corporate users, the attackers first compromise a single employee of the company by sending a phishing message with an exploit. Then, once the malware is installed on that system, they use software tools that let them substantially extend their control over it and carry out further tasks: compromising other computers on the corporate network and spying on their users, including the banking transactions they perform.


source: www.habr.com
