Keylogger with a surprise: analysis of a keylogger and the deanonymization of its developer

In recent years mobile Trojans have been steadily displacing Trojans for personal computers, so the appearance of new malware for the good old "boxes", and its active use by cybercriminals, is, although unpleasant, still an event. Recently the 24/7 information security incident response center CERT Group-IB detected an unusual phishing mailing that concealed a new piece of PC malware combining Keylogger and PasswordStealer functions. What caught the analysts' attention was how the spyware reached the user's machine: through a popular voice messenger. Ilya Pomerantsev, malware analysis specialist at CERT Group-IB, explains how the malware works, why it is dangerous, and how he even found its creator, in faraway Iraq.

So, let's take it in order. Under the guise of an attachment, such an email carried an image; clicking it led to the site cdn.discordapp.com, from which the malicious file was downloaded.

Using Discord, a free voice and text messenger, is rather unusual. Typically other instant messengers or social networks are used for this purpose.

During a detailed analysis the malware family was identified. It turned out to be a newcomer to the malware market: 404 Keylogger.

The first advertisement offering the keylogger for sale was posted on hackforums by a user under the nickname "404 Coder" on August 8.

The shop's domain was registered quite recently, on September 7, 2019.

As the developers state on the site 404projects[.]xyz, 404 is a tool designed to help companies learn about the activities of their customers (with their consent), or for those who want to protect their binary from reverse engineering. Looking ahead, we can say that 404 definitely does not cope with the latter task.

We decided to reverse one of the files and see what the "BEST SMART KEYLOGGER" is.

Malware ecosystem

Loader 1 (AtillaCrypter)

The source file is protected with EaxObfuscator and performs a two-stage load of AtProtect from the resource section. Analysis of other samples found on VirusTotal made it clear that this stage was not supplied by the developer himself but was added by the customer. It was later established that this loader is AtillaCrypter.


Loader 2 (AtProtect)

In fact, this loader is an integral part of the malware and, by the developer's design, is supposed to take on the anti-analysis functions.

In practice, however, the protection mechanisms are extremely primitive, and our systems detect this malware without difficulty.

The main module is loaded using Franchy ShellCode of various versions. However, we do not rule out that other options, for example RunPE, may be used as well.

Configuration file


Persistence in the system

Persistence in the system is provided by the AtProtect loader, if the corresponding flag is set.


  • The file is copied to the path %AppData%\GFqaak\Zpzwm.exe.
  • The file %AppData%\GFqaak\WinDriv.url is created, which launches Zpzwm.exe.
  • In the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run a startup value named WinDriv.url is created.
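The chain above (Run value, then a .url shortcut, then the executable) is the artifact a behavioural rule should key on, because the Run value itself never names the executable. The Go code below is an added example, not code from the malware or from Group-IB's tooling: it parses an Internet Shortcut body in the standard [InternetShortcut] INI format and flags a Run entry whose .url target is a local executable. The article does not print WinDriv.url, so the shortcut body and the paths in main are constructed on the assumption that its URL= line is a file:// path to Zpzwm.exe.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ShortcutTarget parses the body of an Internet Shortcut (.url) file and
// returns the value of the URL= key in its [InternetShortcut] section.
// The format is a plain INI file; only that one section matters here.
func ShortcutTarget(body string) (string, bool) {
	inSection := false
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "["):
			inSection = strings.EqualFold(line, "[InternetShortcut]")
		case inSection && strings.HasPrefix(strings.ToLower(line), "url="):
			return strings.TrimSpace(line[4:]), true
		}
	}
	return "", false
}

// LocalExecutable reports whether a shortcut target is a file:// URL that
// points at an executable on the local disk, and returns that path.
func LocalExecutable(target string) (string, bool) {
	u, err := url.Parse(target)
	if err != nil || !strings.EqualFold(u.Scheme, "file") {
		return "", false
	}
	// file:///C:/Users/x/a.exe parses with Path "/C:/Users/x/a.exe".
	p := strings.TrimPrefix(u.Path, "/")
	switch strings.ToLower(path.Ext(p)) {
	case ".exe", ".scr", ".bat", ".cmd":
		return p, true
	}
	return "", false
}

// Finding describes a Run value that starts a .url file which in turn
// launches a local executable: the persistence chain described above.
type Finding struct {
	RunValue string // name of the Run value
	Shortcut string // path stored in the Run value
	Target   string // executable the shortcut launches
}

// CheckRunValue ties the two checks together. shortcutBody is the content
// of the .url file named in runData (read by the caller; constructed here).
func CheckRunValue(name, runData, shortcutBody string) (Finding, bool) {
	if !strings.EqualFold(path.Ext(strings.Trim(runData, `"`)), ".url") {
		return Finding{}, false
	}
	target, ok := ShortcutTarget(shortcutBody)
	if !ok {
		return Finding{}, false
	}
	exe, ok := LocalExecutable(target)
	if !ok {
		return Finding{}, false
	}
	return Finding{RunValue: name, Shortcut: runData, Target: exe}, true
}

func main() {
	// Constructed sample: what WinDriv.url plausibly contains (assumed;
	// the article does not print the file).
	shortcut := "[InternetShortcut]\r\nURL=file:///C:/Users/victim/AppData/Roaming/GFqaak/Zpzwm.exe\r\n"
	runData := `C:\Users\victim\AppData\Roaming\GFqaak\WinDriv.url`
	if f, ok := CheckRunValue("WinDriv.url", runData, shortcut); ok {
		fmt.Printf("suspicious autorun %q -> %s -> %s\n", f.RunValue, f.Shortcut, f.Target)
	}
}
```

A .url value under Run is already rare enough to be worth an alert on its own; resolving it to the executable lets the rule also match the Zpzwm.exe path and its parent folder under %AppData%.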

Interaction with the C&C

AtProtect loader

If the corresponding flag is present, the malware can launch a hidden iexplore process and follow the specified link to notify the server of a successful infection.

DataStealer

Regardless of the method used, network communication begins with obtaining the victim's external IP via the resource [http]://checkip[.]dyndns[.]org/.

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)

The general structure of the message is the same for every channel. There is a header
|——- 404 Keylogger — {Type} ——-|, where {Type} corresponds to the kind of information being transmitted.
Then comes information about the system:

_______ + VICTIM INFO + _______

IP: {External IP}
Owner Name: {Computer name}
OS Name: {OS name}
OS Version: {OS version}
OS Platform: {Platform}
RAM Size: {RAM size}
______________________________

And finally, the transmitted data itself.

SMTP

The subject of the email looks like this: 404 K | {Message type} | Client Name: {Username}.
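Because the header, the victim block and the subject line are fixed text, a mail gateway or an analyst going through captured traffic can turn each message into structured fields and alert on them. The parser below is an added Go example rather than anything from the article or the malware; the sample subject and body in main are constructed from the format described above (field names as reconstructed here). Dash characters in the header are accepted as either hyphens or em dashes, since they vary between samples and extractions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Report is the structured form of one 404 Keylogger exfiltration message:
// a type header, a system-information block, then the stolen data.
type Report struct {
	Type       string            // from the |——- 404 Keylogger — {Type} ——-| header
	ClientName string            // from the SMTP subject; empty for FTP/Pastebin
	System     map[string]string // IP, Owner Name, OS Name, OS Version, ...
	Payload    string            // everything after the system block
}

var (
	headerRe  = regexp.MustCompile(`\|[—-]+\s*404 Keylogger\s*[—-]+\s*(.+?)\s*[—-]+\|`)
	subjectRe = regexp.MustCompile(`^404 K \| (.+?) \| Client Name: (.+)$`)
	fieldRe   = regexp.MustCompile(`^([A-Za-z ]+):\s*(.*)$`)
)

// ParseSubject extracts the message type and client name from a subject of
// the form "404 K | {Type} | Client Name: {Username}".
func ParseSubject(subject string) (msgType, client string, ok bool) {
	m := subjectRe.FindStringSubmatch(strings.TrimSpace(subject))
	if m == nil {
		return "", "", false
	}
	return m[1], m[2], true
}

// ParseBody recognises the header and the VICTIM INFO block. It returns
// ok=false when the header is absent, so it doubles as a yes/no detector.
func ParseBody(body string) (Report, bool) {
	r := Report{System: map[string]string{}}
	m := headerRe.FindStringSubmatchIndex(body)
	if m == nil {
		return r, false
	}
	r.Type = body[m[2]:m[3]]
	inBlock := false
	var payload []string
	for _, line := range strings.Split(body[m[1]:], "\n") {
		line = strings.TrimRight(line, "\r")
		t := strings.TrimSpace(line)
		switch {
		case strings.Contains(t, "+ VICTIM INFO +"):
			inBlock = true // opening rule of the system block
		case inBlock && t != "" && strings.Trim(t, "_") == "":
			inBlock = false // closing rule of underscores
		case inBlock:
			if f := fieldRe.FindStringSubmatch(t); f != nil {
				r.System[f[1]] = f[2]
			}
		case t != "":
			payload = append(payload, line)
		}
	}
	r.Payload = strings.Join(payload, "\n")
	return r, true
}

func main() {
	// Constructed sample message in the layout described in the article.
	subject := "404 K | Passwords | Client Name: victim"
	body := "|——- 404 Keylogger — Passwords ——-|\n\n" +
		"_______ + VICTIM INFO + _______\n\n" +
		"IP: 203.0.113.5\nOwner Name: DESKTOP-TEST\nOS Name: Windows 10\n" +
		"OS Version: 10.0\nOS Platform: Win32NT\nRAM Size: 8 GB\n" +
		"______________________________\n\n" +
		"URL: https://example.test\nUsername: victim\nPassword: hunter2\n"
	typ, client, _ := ParseSubject(subject)
	r, ok := ParseBody(body)
	r.ClientName = client
	fmt.Printf("match=%v subject type=%s body type=%s client=%s ip=%s\n",
		ok, typ, r.Type, r.ClientName, r.System["IP"])
	fmt.Printf("payload:\n%s\n", r.Payload)
}
```

The same ParseBody works on the FTP temp file and on the Pastebin paste, since the body format does not change with the channel; only the subject parser is SMTP-specific.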

Interestingly, the developers' own SMTP server is used to deliver the emails to the 404 Keylogger customer.

This made it possible to identify some of the customers, as well as the email address of one of the developers.

FTP

With this method, the collected data is saved to a file and immediately read back from it.

The logic behind this action is not entirely clear, but it creates one more artifact for writing behavioural rules.

%HOMEDRIVE%%HOMEPATH%\Documents\A{Arbitrary number}.txt

Pastebin

At the time of analysis this method is used only to transfer stolen passwords. Moreover, it is used not as an alternative to the first two but in parallel with them. The condition is a constant with the value "Vavaa". Presumably this is the customer's name.

Interaction takes place over https through the pastebin API. The api_paste_private value is PASTE_UNLISTED, which prevents such pages from being found through pastebin's search.

Encryption algorithms

Extracting the file from resources

The payload is stored in the resources of the AtProtect loader as Bitmap images. Extraction is performed in several stages:

  • A byte array is extracted from the image. Each pixel is treated as a sequence of 3 bytes in BGR order. After extraction, the first 4 bytes of the array hold the message length and the following bytes hold the message itself.


  • The key is calculated. For this, the MD5 of the value "ZpzwmjMJyfTNiRalKVrcSkxCN", specified as the password, is computed. The resulting hash is written twice, which yields a 32-byte key with only 128 bits of actual entropy.


  • Decryption is performed with the AES algorithm in ECB mode.
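Putting the three stages together gives a stand-alone extractor. The Go program below is an added example, not the loader's own code or Group-IB's tooling: it derives the key as MD5(password) written twice, walks an image row by row emitting B, G, R bytes per pixel, reads the 4-byte length prefix, and decrypts with AES in ECB mode. Two details the article does not state are assumed here: the length prefix is little-endian and the plaintext carries PKCS#7 padding (both are .NET defaults). Since no real resource can be shipped with the page, main builds a constructed image with the same layout through EncryptECB and BuildSample and then extracts it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"encoding/binary"
	"errors"
	"fmt"
	"image"
	"image/color"
)

// DeriveKey: MD5 of the password string, written twice, as the loader does.
func DeriveKey(password string) []byte {
	h := md5.Sum([]byte(password))
	return append(h[:], h[:]...)
}

// BytesFromImage walks the pixels row by row, left to right (assumed order)
// and emits three bytes per pixel in B, G, R order.
func BytesFromImage(img *image.NRGBA) []byte {
	b := img.Bounds()
	out := make([]byte, 0, b.Dx()*b.Dy()*3)
	for y := b.Min.Y; y < b.Max.Y; y++ {
		for x := b.Min.X; x < b.Max.X; x++ {
			c := img.NRGBAAt(x, y)
			out = append(out, c.B, c.G, c.R)
		}
	}
	return out
}

// Payload applies the length prefix: the first 4 bytes (assumed
// little-endian) give the ciphertext length; the rest of the image is slack.
func Payload(stream []byte) ([]byte, error) {
	if len(stream) < 4 {
		return nil, errors.New("stream too short for a length prefix")
	}
	n := int(binary.LittleEndian.Uint32(stream[:4]))
	if n > len(stream)-4 {
		return nil, fmt.Errorf("length prefix %d exceeds %d available bytes", n, len(stream)-4)
	}
	return stream[4 : 4+n], nil
}

// DecryptECB decrypts each 16-byte block independently (no IV, no chaining)
// and strips PKCS#7 padding (assumed); a wrong key normally fails here.
func DecryptECB(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ct) == 0 || len(ct)%bs != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += bs {
		block.Decrypt(pt[i:i+bs], ct[i:i+bs])
	}
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > bs || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key or corrupt resource")
	}
	return pt[:len(pt)-pad], nil
}

// Extract runs the three stages on one resource image.
func Extract(img *image.NRGBA, password string) ([]byte, error) {
	ct, err := Payload(BytesFromImage(img))
	if err != nil {
		return nil, err
	}
	return DecryptECB(DeriveKey(password), ct)
}

// The helpers below only build a constructed sample so the extractor can run
// offline; a real resource would be decoded with image/bmp and converted to
// NRGBA before being handed to Extract.
func EncryptECB(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	bs := block.BlockSize()
	pad := bs - len(pt)%bs
	buf := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(buf))
	for i := 0; i < len(buf); i += bs {
		block.Encrypt(ct[i:i+bs], buf[i:i+bs])
	}
	return ct
}

func ImageFromBytes(stream []byte, width int) *image.NRGBA {
	for len(stream)%3 != 0 {
		stream = append(stream, 0) // pad to whole pixels
	}
	n := len(stream) / 3
	img := image.NewNRGBA(image.Rect(0, 0, width, (n+width-1)/width))
	for i := 0; i < n; i++ {
		img.SetNRGBA(i%width, i/width, color.NRGBA{R: stream[3*i+2], G: stream[3*i+1], B: stream[3*i], A: 255})
	}
	return img
}

func BuildSample(plaintext []byte, password string) *image.NRGBA {
	ct := EncryptECB(DeriveKey(password), plaintext)
	stream := make([]byte, 4, 4+len(ct))
	binary.LittleEndian.PutUint32(stream, uint32(len(ct)))
	return ImageFromBytes(append(stream, ct...), 8)
}

func main() {
	pw := "ZpzwmjMJyfTNiRalKVrcSkxCN" // the password string named in the article
	out, err := Extract(BuildSample([]byte("MZ... constructed payload"), pw), pw)
	fmt.Printf("%q %v\n", out, err)
}
```

With a hard-coded password, a doubled MD5 as the key and ECB mode, the resource encryption is obfuscation rather than protection: anyone holding the loader can recover the payload, and identical 16-byte plaintext blocks produce identical ciphertext blocks, which is itself a usable signature.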

Malicious functionality

Downloader

Implemented in the AtProtect loader.

  • Via the link [activelink-repalce] the server status is requested to confirm that it is ready to serve the file. The server should return "ON".
  • Via the link [downloadlink-replace] the payload is downloaded.
  • Using FranchyShellcode, the payload is injected into the process [inj-replace].

While analyzing the 404projects[.]xyz domain, additional 404 Keylogger instances were found on VirusTotal, as well as several kinds of loaders.

Conventionally, they fall into two types:

  1. The download is performed from the 404projects[.]xyz resource itself.

    The data is Base64-encoded and AES-encrypted.

  2. This variant consists of several stages and is most likely used in combination with the AtProtect loader.

  • In the first stage, data is loaded from pastebin and decoded with the HexToByte function.


  • In the second stage, the download source is 404projects[.]xyz itself. However, the decompression and decryption functions are similar to those found in DataStealer. Probably it was originally planned to implement the loader functionality in the main module.


  • At this stage the payload is already in the resource manifest in compressed form. Similar extraction functions were also found in the main module.

Among the analyzed files, loaders for njRat, SpyGate and other RATs were found.

Keylogger

Send period: 30 minutes.

All characters are supported. Special characters are escaped. The BackSpace and Delete keys are handled. Letter case is preserved.

ClipboardLogger

Send period: 30 minutes.

Polling period: 0.1 seconds.

An escaping function is implemented.


ScreenLogger

Send period: 60 minutes.

Screenshots are saved in %HOMEDRIVE%%HOMEPATH%\Documents\404k\404pic.png.

After sending, the 404k folder is deleted.

PasswordStealer

Browsers: Chrome, Firefox, SeaMonkey, IceDragon, Rariya, Cyberfox, Chrome, BraveBrowser, QQBrowser, Iridium Browser, XvastBrowser, Chedot, 360 Browser, ComodoDragon, 360 Chrome, SuperBird, CentBrowser, GhostBrowser, IronBrowser, Chromium, Vivaldi, Slimjet Browser, Orbitum, CocCoc, Torch, UCBrowser, EpicBrowser, BliskBrowser, Opera

Email clients: Outlook, Thunderbird, Foxmail

FTP clients: FileZilla


Countering dynamic analysis

  • Checking whether the process is being analyzed

    Performed by searching for the processes taskmgr, ProcessHacker, procexp64, procexp and procmon. If at least one is found, the malware exits.

  • Checking whether it is running in a virtual environment

    Performed by searching for the processes vmtoolsd, VGAuthService, vmacthlp, VBoxService and VBoxTray. If at least one is found, the malware exits.

  • Sleeping for 5 seconds
  • Displaying various kinds of dialog boxes

    This can be used to bypass some sandboxes that do not interact with windows.

  • UAC bypass

    Performed by modifying the EnableLUA registry value in the Group Policy settings. Note that writing this value already requires administrative rights and only takes effect after a reboot, so this disables UAC for later stages rather than bypassing it.

  • Setting the "Hidden" attribute on the current file.
  • Ability to delete the current file.

Inactive features

While analyzing the loader and the main module, functions responsible for additional functionality were found, but they are not used anywhere. Most likely this is because the malware is still under development and its functionality will soon be expanded.

AtProtect loader

A function was found that is responsible for loading an arbitrary module and injecting it into the msiexec.exe process.


DataStealer

  • Persistence in the system
  • Decompression and decryption functions

    It appears that encryption of the data during network communication will be implemented soon.

  • Terminating antivirus processes

    The process names checked are (the original four-column table, read column by column):

    zlclient, egui, bdagent, npfmsg, olydbg, anubis, wireshark, avastui, _Avp32, vsmon, mbam, keyscrambler, _Avpc, _Avpm, Akwin32, Outpost, Anti-Trojan, ANTIVIR, Apvxdwin, ATRACK, Autodown, Avconsol, Ave32, Avgctrl, Avkserv, Avnt, Avp, Avp32, Avpcc, Avpdos32, Avpm, Avptc32, Avpupd, Avsched32, AVSYNMGR, Avwin95, Avwupd32, Blackd, Blackice, Cfiadmin, Cfiudit, Cfinet, Cfinet32, Claw95, Claw95cf, Cleaner, Cleaner3, Defwatch, Dvp95,
    Dvp95_0, Ecengine, Esafe, Espwatch, F-Agnt95, Findvir, Fprot, F-Prot, F-Prot95, Fp-Win, Frw, F-Stopw, Iamapp, Iamserv, Ibmasn, Ibmavsp, Icload95, Icloadnt, Icmon, Icsup95, Icsupnt, Iface, Imon98, Jedi, Lockdown2000, Lookout, Luall, Mcafee, Moolive, MPftray, N32, NAVAPSVC, NAVAPW32, NAVLU32, Navnt, NAVRUNR, Navw32, Navwnt, NeoWatch, NISSERV, Nisum, Nmain, Normist, NORTON, Nupgrade, Nvc95, Outpost, Padmin, Pavcl,
    Pavsched, Pavw, PCCIOMON, PCCMAIN, PCwin98, Pcfwallicon, Persfw, POP3TRAP, PVIEW95, Rav7, Rav7win, Rescue, Safeweb, Scan32, Scan95, Scanpm, Scscan, Serv95, Smc, SMCSERVICE, Snort, Sphinx, Sweep95, SYMPROXYSVC, Tbscan, Tca, Tds2-98, Tds2-Nt, TermiNET, Vet95, Vetray, Vscan40, Vsecomr, Vshwin32, Vsstat, Webscanx, WEBTRAP, Wfindv32, Zonealarm, LOCKDOWN2000, Rescue32, LUCOMSERVER, avgcc, avgcc, avgamsvr, avgupsvc, avgw, avgcc32, avgserv,
    avgserv9, avgserv9schedapp, avgemc, ashwebsv, ashdisp, ashmaisv, ashserv, aswUpdSv, symwsc, Norton, Norton Auto-Protect, norton_av, nortonav, ccsetmgr, ccevtmgr, avadmin, avcenter, avgnt, avguard, avnotify, avscan, guardgui, nod32krn, nod32kui, clamscan, clamTray, clamWin, freshclam, oladdin, sigtool, w9xpopen, Wclose, cmgrdian, alogserver, mcshield, vshwin32, avconsol, vsstat, avsynmgr, avcmd, avconfig, licmgr, sched, preupd, MsMpEng, MSASCui, Avira.Systray

    Most of these names belong to products from the Windows 9x era and are no longer running anywhere, which is typical of kill lists copied between malware families; only the last few entries (MsMpEng, MSASCui, Avira.Systray and the Avast, AVG, ESET and ClamWin processes) are relevant on current systems.
  • Self-destruction
  • Loading data from the specified resource manifest


  • Copying the file to the path %Temp%\tmpG{current date and time in milliseconds}.tmp

    Interestingly, identical functionality is present in the AgentTesla malware.

  • Worm functionality

    The malware obtains the list of removable media. A copy of the malware is created in the root of the media's file system under the name Sys.exe. Autorun is implemented through an autorun.inf file.


Developer profile

While analyzing the command center, it was possible to establish the developer's email address and nicknames: Razer, aka Brwa, Brwa65, HiDDen PerSOn, 404 Coder. Next, we found a curious video on YouTube demonstrating work with the builder.

This made it possible to find the developer's original channel.

It became clear that he has experience in writing keyloggers. There were also links to social network accounts, as well as the author's real name. He turned out to be a resident of Iraq.

This is what the developer of 404 Keylogger presumably looks like. Photo from his Facebook profile.


The new threat, 404 Keylogger, was reported by CERT-GIB, Group-IB's round-the-clock cyber threat monitoring and response center (SOC) in Bahrain.

source: www.habr.com
