In recent years, mobile Trojans have been steadily displacing Trojans for personal computers, so the appearance of new malware for the good old "machines" and its active use by cybercriminals, while unpleasant, is still an event. Recently, CERT Group-IB's round-the-clock information security incident response centre discovered a new phishing mailing that hides new PC malware combining Keylogger and PasswordStealer functionality. The analysts' attention was drawn to how the spyware reached the user's machine: through a popular voice messenger. Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, explained how the malware works, why it is dangerous, and even tracked down its creator in faraway Iraq.
So, let's take it in order. Under the guise of an attachment, such a letter carries an image; clicking on it takes the user to the site cdn.discordapp.com, and the malicious file is downloaded from there.
The use of Discord, a free voice and text messenger, is quite unusual. Typically other instant messengers or social networks are used for these purposes.
During a more detailed analysis, the malware family was identified. It turned out to be a newcomer to the malware market: 404 Keylogger.
The first advertisement for the sale of the keylogger was posted on hackforums by a user under the nickname "404 Coder" on August 8.
The shop domain was registered quite recently, on September 7, 2019.
As the developers state on the site 404projects[.]xyz, 404 is a tool created to help companies learn about their customers' activities (with their consent), or for those who want to protect their binary from reverse engineering. Looking ahead, let's say at once that 404 definitely does not cope with the latter task.
We decided to reverse one of the files and see what "BEST SMART KEYLOGGER" really is.
Malware ecosystem
Loader 1 (AtillaCrypter)
The source file is protected with EaxObfuscator and performs a two-stage load of AtProtect from the resource section. During analysis of other samples found on VirusTotal, it became clear that this stage was not provided by the developer himself but was added by his client. It was later established that this loader is AtillaCrypter.
Loader 2 (AtProtect)
In fact, this loader is an integral part of the malware and, according to the developer's intention, should take on the task of counteracting analysis.
In practice, however, the protection mechanisms are extremely primitive, and our systems successfully detect this malware.
The main module is loaded using Franchy ShellCode in various versions. However, we do not rule out that other options could be used, for example RunPE.
Configuration file
Persistence in the system
Persistence in the system is provided by the AtProtect loader if the corresponding flag is set.
- The file is copied to the path %AppData%\GFqaak\Zpzwm.exe.
- The file %AppData%\GFqaak\WinDriv.url is created, which launches Zpzwm.exe.
- In the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, an autorun entry WinDriv.url is created.
Interaction with the C&C
AtProtect loader
If the corresponding flag is present, the malware can launch a hidden browser process and follow the specified link to notify the server of a successful infection.
DataStealer
Regardless of the method used, network communication begins with obtaining the victim's external IP using the resource [http]://checkip[.]dyndns[.]org/.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; NET CLR1.0.3705;)
The general message structure is the same. There is a header
|——- 404 Keylogger — {Type} ——-|
where {type} corresponds to the type of data being transmitted.
Next comes information about the system:
_______ + SYSTEM INFO + _______
IP: {External IP}
Owner Name: {Computer name}
OS Name: {OS name}
OS Version: {OS version}
OS Platform: {Platform}
RAM Size: {RAM size}
______________________________
And finally, the transmitted data itself.
SMTP
The subject of the letter has the following form: 404 K | {Message type} | Client name: {Username}.
Interestingly, the developers' own SMTP server is used to deliver letters to the 404 Keylogger client.
This made it possible to identify some of the clients, as well as the email of one of the developers.
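The external-IP lookup with its fixed User-Agent (described above under DataStealer) and this SMTP subject layout both work as detection features. The following Go code is an added example and not part of the original write-up: the "PROXY <host> <user-agent>" and "MAIL <subject>" log line formats it reads are constructed for the example, and the User-Agent check keys on the MSIE 6.0 / Windows NT 5.2 fragment quoted above.

```go
package main

import (
	"regexp"
	"strings"
)

// Indicators quoted in the write-up: the external-IP lookup host, the fixed legacy
// User-Agent, and the SMTP subject layout "404 K | {type} | Client name: {username}".
const (
	checkIPHost = "checkip.dyndns.org"
	legacyUA    = "MSIE 6.0; Windows NT 5.2;"
)

var subjectRe = regexp.MustCompile(`^404 K \| ([^|]+) \| Client name: (.+)$`)

// MatchSubject parses a mail subject and returns the message type and client name
// when it follows the 404 Keylogger layout.
func MatchSubject(subject string) (msgType, client string, ok bool) {
	m := subjectRe.FindStringSubmatch(strings.TrimSpace(subject))
	if m == nil {
		return "", "", false
	}
	return strings.TrimSpace(m[1]), strings.TrimSpace(m[2]), true
}

// IsIPCheckBeacon flags the IP lookup only when it carries the MSIE 6.0 / NT 5.2 User-Agent:
// the host alone is not enough, since legitimate software queries checkip.dyndns.org too.
func IsIPCheckBeacon(host, userAgent string) bool {
	return strings.EqualFold(host, checkIPHost) && strings.Contains(userAgent, legacyUA)
}

// ScanLogs runs both checks over constructed log lines of the form "PROXY <host> <user-agent>"
// or "MAIL <subject>" (a simplified format for this example) and returns the matching lines.
func ScanLogs(lines []string) []string {
	var hits []string
	for _, l := range lines {
		if strings.HasPrefix(l, "PROXY ") {
			f := strings.SplitN(strings.TrimPrefix(l, "PROXY "), " ", 2)
			if len(f) == 2 && IsIPCheckBeacon(f[0], f[1]) {
				hits = append(hits, l)
			}
		} else if strings.HasPrefix(l, "MAIL ") {
			if _, _, ok := MatchSubject(strings.TrimPrefix(l, "MAIL ")); ok {
				hits = append(hits, l)
			}
		}
	}
	return hits
}
```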
FTP
When this method is used, the collected data is saved to a file and immediately read back from it.
The logic behind this action is not entirely clear, but it creates an additional artifact for writing behavioural rules.
%HOMEDRIVE%%HOMEPATH%\Documents\A{Arbitrary number}.txt
Pastebin
At the time of analysis, this method is used only to transfer stolen passwords. Moreover, it is used not as an alternative to the first two but in parallel with them. The condition is that a constant equals "Vavaa". Presumably this is the client's name.
Interaction takes place over https via the pastebin API. The value of api_paste_private equals PASTE_UNLISTED, which prevents such pages from being found by search within pastebin.
Encryption algorithms
Extracting a file from resources
The payload is stored in the resources of the AtProtect loader in the form of Bitmap images. Extraction is performed in several stages:
- An array of bytes is extracted from the image. Each pixel is treated as a sequence of 3 bytes in BGR order. After extraction, the first 4 bytes of the array hold the length of the message, and the following bytes hold the message itself.
- The key is computed. To do this, MD5 is calculated from the value "ZpzwmjMJyfTNiRalKVrcSkxCN" specified as the password. The resulting hash is written twice.
- Decryption is performed using the AES algorithm in ECB mode.
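The three stages above, carried through as an analyst's payload extractor in Go. This is an added example, not code from the original write-up or from the malware: the pixel buffer is supplied as a constructed slice rather than read from a real .bmp, the 4-byte length is assumed to be little-endian (as .NET's BitConverter writes it), and any block padding is left in place since the write-up does not mention it.

```go
package main

import (
	"crypto/aes"
	"crypto/md5"
	"encoding/binary"
	"errors"
)

// Pixel is one bitmap pixel; the write-up says each pixel is read as 3 bytes in B, G, R order.
type Pixel struct{ R, G, B byte }

// Password quoted in the write-up. Key = MD5(password) written twice, i.e. 32 bytes (AES-256).
const resourcePassword = "ZpzwmjMJyfTNiRalKVrcSkxCN"

func deriveKey(password string) []byte {
	h := md5.Sum([]byte(password))
	return append(h[:], h[:]...)
}

// ecbDecrypt runs AES on each 16-byte block independently: no IV, no chaining, so equal
// ciphertext blocks reveal equal plaintext blocks (one reason ECB is a poor choice).
func ecbDecrypt(key, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext length not a multiple of 16")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		blk.Decrypt(pt[i:], ct[i:])
	}
	return pt, nil
}

// ExtractPayload follows the stages described in the write-up: pixels -> bytes, 4-byte
// length prefix (little-endian assumed, as .NET's BitConverter writes it), AES-256-ECB.
// Any PKCS#7 padding is left in place; it does not affect a PE payload.
func ExtractPayload(px []Pixel, password string) ([]byte, error) {
	raw := make([]byte, 0, 3*len(px))
	for _, p := range px {
		raw = append(raw, p.B, p.G, p.R) // BGR order, pixel by pixel
	}
	if len(raw) < 4 || int(binary.LittleEndian.Uint32(raw)) > len(raw)-4 {
		return nil, errors.New("length prefix missing or larger than the pixel data")
	}
	n := int(binary.LittleEndian.Uint32(raw))
	return ecbDecrypt(deriveKey(password), raw[4:4+n])
}
```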
Malicious functionality
Downloader
Implemented in the AtProtect loader.
- By contacting [activelink-repalce], the server status is requested to confirm that it is ready to serve the file. The server should return "A".
- From the link [downloadlink-replace], the payload is downloaded.
- With the help of FranchyShellcode, the payload is injected into the process [inj-replace].
During analysis of the domain 404projects[.]xyz, additional instances of 404 Keylogger were found on VirusTotal, as well as several types of loaders.
Conventionally, they are divided into two types:
- The download is made from the 404projects[.]xyz resource. The data is Base64-encoded and AES-encrypted.
- This option consists of several stages and is most likely used together with the AtProtect loader.
  - At the first stage, data is loaded from pastebin and decoded using the HexToByte function.
  - At the second stage, the loading source is 404projects[.]xyz itself. However, the decompression and decryption functions are similar to those found in the DataStealer. It was probably originally planned to implement the loader functionality in the main module.
  - At this stage, the payload is already in the resource manifest in compressed form. Similar extraction functions were also found in the main module.
Among the analysed files, loaders for njRat, SpyGate and other RATs were found.
Keylogger
Send period: 30 minutes.
All characters are supported. Special characters are escaped. BackSpace and Delete key handling is present. Case-sensitive.
ClipboardLogger
Send period: 30 minutes.
Polling period: 0.1 seconds.
Input escaping is implemented.
ScreenLogger
Send period: 60 minutes.
Screenshots are saved to %HOMEDRIVE%%HOMEPATH%\Documents\404k\404pic.png.
After sending, the 404k folder is deleted.
PasswordStealer
Browsers | Email clients | FTP clients |
---|---|---|
Chrome | Outlook | FileZilla |
Firefox | Thunderbird | |
SeaMonkey | Foxmail | |
IceDragon | | |
Rariya | | |
Cyberfox | | |
Chrome | | |
BraveBrowser | | |
QQBrowser | | |
Iridium Browser | | |
XvastBrowser | | |
Chedot | | |
360 Browser | | |
ComodoDragon | | |
360 Chrome | | |
SuperBird | | |
CentBrowser | | |
GhostBrowser | | |
IronBrowser | | |
Chromium | | |
Vivaldi | | |
Slimjet Browser | | |
Kewaya | | |
CocCoc | | |
Torch | | |
UCBrowser | | |
EpicBrowser | | |
BliskBrowser | | |
Opera | | |
Counteracting dynamic analysis
- Checking whether the process is under analysis
Performed by searching for the processes taskmgr, ProcessHacker, procexp64, procexp, procmon. If at least one is found, the malware exits.
- Checking whether it is running in a virtual environment
Performed by searching for the processes vmtoolsd, VGAuthService, vmacthlp, VBoxService, VBoxTray. If at least one is found, the malware exits.
- Sleeping for 5 seconds
- Displaying various types of dialog boxes
Can be used to bypass some sandboxes.
- UAC bypass
Performed by editing the EnableLUA registry key in the Group Policy settings.
- Applying the "Hidden" attribute to the current file.
- Ability to delete the current file.
Inactive features
During analysis of the loader and the main module, functions responsible for additional functionality were found, but they are not used anywhere. This is probably because the malware is still under development and its functionality will be expanded soon.
AtProtect loader
A function was found that is responsible for loading and injecting an arbitrary module into the msiexec.exe process.
DataStealer
- Persistence in the system
- Decompression and decryption functions
Data encryption during network communication will apparently be implemented soon.
- Terminating antivirus processes
- Self-destruction
- Loading data from the specified resource manifest
- Copying the file to the path %Temp%\tmpG[Current date and time in milliseconds].tmp
Interestingly, identical functionality is present in the AgentTesla malware.
- Worm functionality
The malware obtains a list of removable media. A copy of the malware is created in the root of the media file system under the name Sys.exe. Autorun is implemented using an autorun.inf file.
Developer profile
During analysis of the command centre, it was possible to establish the developer's email and nicknames: Razer, aka Brwa, Brwa65, HiDDen PerSOn, 404 Coder. Next, we found an interesting video on YouTube demonstrating work with the builder.
This made it possible to find the developer's original channel.
It became clear that he has experience writing cryptors. There are also links to pages on social networks, as well as the author's real name. He turned out to be a resident of Iraq.
This is presumably what the 404 Keylogger developer looks like. Photo from his Facebook profile.
The new threat, 404 Keylogger, was reported by the CERT-GIB team, the round-the-clock cyber threat monitoring and response centre (SOC) in Bahrain.
source: www.habr.com