We continue our series of articles devoted to malware analysis.
Agent Tesla is modern spyware distributed under a malware-as-a-service model under the guise of a legitimate keylogger product. Agent Tesla can extract user credentials from browsers, email clients and FTP clients and send them to the attackers' server, record clipboard contents and capture the screen of the device. At the time of analysis, the developers' official website was unavailable.
Configuration file
The table below lists which functions are relevant to the sample under study:

| Description | Value |
|---|---|
| KeyLogger usage flag | true |
| ScreenLogger usage flag | false |
| KeyLogger log sending interval, in minutes | 20 |
| ScreenLogger log sending interval, in minutes | 20 |
| Backspace key handling flag. False - log only. True - erases the previous key | false |
| CnC type. Options: smtp, webpanel, ftp | SMTP |
| Flag enabling the thread that terminates the processes listed in "%filter_list%" | false |
| UAC disable flag | false |
| Task Manager disable flag | false |
| CMD disable flag | false |
| Run window disable flag | false |
| Registry editor disable flag | false |
| System restore points disable flag | true |
| Control Panel disable flag | false |
| MSCONFIG disable flag | false |
| Flag to disable the context menu in Explorer | false |
| Persistence (pinning) flag | false |
| Path to which the main module is copied when persisting it in the system | %startupfolder%\%infolder%\%inname% |
| Flag to set the "System" and "Hidden" attributes on the main module persisted in the system | false |
| Flag to reboot after persisting in the system | false |
| Flag to move the main module to a temporary folder | false |
| UAC bypass flag | false |
| Date and time format for logging | yyyy-MM-dd HH:mm:ss |
| Flag to use the program filter for the KeyLogger | true |
| Program filter type. 1 - the program name is searched for in the window title; 2 - the program name is searched for in the name of the window's process | 1 |
| Program filter | "facebook" "twitter" "gmail" "instagram" "fim" "skype" "batsa" "haka" "whatsapp" "rikici" |
Persisting the main module in the system
If the corresponding flag is set, the main module is copied to the path specified in the configuration as the persistence path.
Depending on the configuration value, the file is given the "Hidden" and "System" attributes.
Autorun is provided through two registry keys:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%inregname%
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\%insregname%
Since the loader injects into the RegAsm process, setting the persistence flag for the main module leads to an interesting result: instead of copying itself, the malware persists the original RegAsm.exe file in the system when the injection takes place.
Interaction with C&C
Regardless of the method used, network communication begins with obtaining the victim's external IP address from an external resource.
The following describes the network interaction methods implemented in the software.
Web panel
Interaction takes place over HTTP. The malware sends POST requests with the following headers:
- User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
- Connection: Keep-Alive
- Content-Type: application/x-www-form-urlencoded
The server address is set by the %PostURL% value. The encrypted message is sent in the «P» parameter. The encryption scheme is described in the "Encryption algorithms" section (Method 2).
The transmitted message looks like this:
type={0}\nhwid={1}\ntime={2}\npcname={3}\nlogdata={4}\nscreen={5}\nipadd={6}\nwebcam_link={7}\nclient={8}\nlink={9}\nusername={10}\npassword={11}\nscreen_link={12}
The type field indicates the message type:
- hwid - the MD5 hash of the motherboard serial number and the processor ID. Probably used as the user ID.
- time - used to transmit the current time and date.
- pcname - defined as <Username>/<Computer name>.
- logdata - log data.
When passwords are sent, the message looks like:
type={0}\nhwid={1}\ntime={2}\npcname={3}\nlogdata={4}\nscreen={5}\nipadd={6}\nwebcam_link={7}\nscreen_link={8}\n[passwords]
where [passwords] is the description of the stolen data in the format \nclient[]={0}\nlink[]={1}\nusername[]={2}\npassword[]={3}.
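The header profile above is enough for a first-pass network detection. The Go program below is an added example, not code from the article or from Group-IB: it parses a raw HTTP request as reassembled from a capture or exported from a proxy and reports which traits of the web-panel POST it shows (method, the exact User-Agent, Keep-Alive, form content type and a body carrying the «P»/p parameter). The host, path and body in the constructed requests are placeholders, and the parameter is checked in both cases because the page's capitalisation of «P» may not reflect the wire format.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// Header values quoted in the article for the web-panel POST.
const (
	beaconUA          = "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"
	beaconContentType = "application/x-www-form-urlencoded"
)

// beaconIndicators parses one raw HTTP request and lists the traits of the
// article's POST profile it shows. Fewer than all five hits is still worth
// logging, since operators may change any single header between builds.
func beaconIndicators(raw string) ([]string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	var hits []string
	if req.Method == http.MethodPost {
		hits = append(hits, "POST")
	}
	if req.UserAgent() == beaconUA {
		hits = append(hits, "user-agent")
	}
	if strings.EqualFold(req.Header.Get("Connection"), "keep-alive") {
		hits = append(hits, "keep-alive")
	}
	if strings.HasPrefix(req.Header.Get("Content-Type"), beaconContentType) {
		hits = append(hits, "form-urlencoded")
	}
	body, _ := io.ReadAll(req.Body)
	// The page writes the parameter as «P»; check both cases.
	if v, perr := url.ParseQuery(string(body)); perr == nil && (len(v["p"]) > 0 || len(v["P"]) > 0) {
		hits = append(hits, "p-parameter")
	}
	return hits, nil
}

// isBeacon reports a full match of all five traits.
func isBeacon(raw string) bool {
	hits, err := beaconIndicators(raw)
	return err == nil && len(hits) == 5
}

// rawRequest assembles a constructed request for demonstration; the host,
// path and body are placeholders, not values taken from any real sample.
func rawRequest(method, ua, contentType, body string) string {
	return fmt.Sprintf("%s /panel/ HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: %s\r\n"+
		"Connection: Keep-Alive\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n%s",
		method, ua, contentType, len(body), body)
}

func main() {
	fmt.Println(beaconIndicators(rawRequest("POST", beaconUA, beaconContentType, "p=QUJDREVGR0g")))
	fmt.Println(beaconIndicators(rawRequest("GET", "curl/8.0", "text/plain", "")))
}
```

The User-Agent string alone is a strong indicator (a Firefox 4 token combined with a .NET CLR suffix is not a combination a real browser emits), so an IDS rule can key on it and treat the remaining traits as confirmation.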
SMTP
Interaction takes place over SMTP. The transmitted letter is in HTML format. The BODY parameter has the form:
The subject of the letter has the general form <USER NAME>/<COMPUTER NAME> <CONTENT TYPE>. The contents of the letter and its attachments are not encrypted.
FTP
Interaction takes place over FTP. A file named <CONTENT TYPE>_<USER NAME>-<COMPUTER NAME>_<DATE AND TIME>.html is transferred to the specified server. The contents of the file are not encrypted.
Encryption algorithms
This sample uses the following encryption methods:
Method 1
This method is used to encrypt the strings in the main module. The encryption algorithm is AES.
The input is a six-digit number. The following transformation is applied to it:
f(x) = (((x >> 2 - 31059) ^ 6380) - 1363) >> 3
The resulting value is the index into the embedded data array.
Each element of that array is itself an array of DWORDs. Concatenating the DWORDs yields a byte array: the first 32 bytes are the encryption key, the next 16 bytes are the initialisation vector, and the remaining bytes are the encrypted data.
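A string decryptor for Method 1, written in Go as an added example (not the article's or the malware's code). Everything the page leaves open is an assumption and is marked as such in the code: the formula is evaluated as ((x >> 2) - 31059) since the page prints it without parentheses, the DWORDs are treated as little-endian, and the cipher is taken to be AES-256-CBC with PKCS7 padding, the .NET default when AES is used with an IV. The key, IV and plaintext in main are constructed; a real table would be lifted from the binary's data section.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// pkcs7Pad / pkcs7Unpad: PKCS7 padding to the 16-byte AES block (assumed).
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	n := 0
	if len(b) > 0 && len(b)%bs == 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("pkcs7: bad padding (wrong key or IV?)")
	}
	return b[:len(b)-n], nil
}

// stringIndex is the article's f(x). The grouping (x >> 2) - 31059 is an
// assumption: the page prints the formula without parentheses.
func stringIndex(x int32) int32 {
	return ((((x >> 2) - 31059) ^ 6380) - 1363) >> 3
}

// decryptString recovers the string selected by x from the embedded table.
// The DWORDs of the chosen entry (little-endian assumed) concatenate to
// key(32) | IV(16) | ciphertext, as the article describes; AES-256-CBC assumed.
func decryptString(table [][]uint32, x int32) (string, error) {
	i := stringIndex(x)
	if i < 0 || int(i) >= len(table) {
		return "", fmt.Errorf("index %d out of range", i)
	}
	buf := make([]byte, 4*len(table[i]))
	for j, d := range table[i] {
		binary.LittleEndian.PutUint32(buf[4*j:], d)
	}
	if len(buf) < 48+aes.BlockSize || (len(buf)-48)%aes.BlockSize != 0 {
		return "", errors.New("blob: unexpected size")
	}
	block, err := aes.NewCipher(buf[:32])
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(buf)-48)
	cipher.NewCBCDecrypter(block, buf[32:48]).CryptBlocks(pt, buf[48:])
	out, err := pkcs7Unpad(pt, aes.BlockSize)
	return string(out), err
}

// packBlob builds a table entry the same way; used here only to construct a sample.
func packBlob(key, iv []byte, plaintext string) []uint32 {
	block, _ := aes.NewCipher(key)
	ct := pkcs7Pad([]byte(plaintext), aes.BlockSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	raw := append(append(append([]byte{}, key...), iv...), ct...)
	dw := make([]uint32, len(raw)/4)
	for i := range dw {
		dw[i] = binary.LittleEndian.Uint32(raw[4*i:])
	}
	return dw
}

func main() {
	// Constructed key, IV and plaintext; a real table comes from the binary.
	key, iv := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 16)
	table := [][]uint32{nil, nil, nil, nil, nil, packBlob(key, iv, "SetWindowsHookEx")}
	fmt.Println(decryptString(table, 154536)) // f(154536) == 5
}
```

Because each entry carries its own key and IV, there is no single key to recover: a static unpacker only needs the index transform and the layout, which is why the formula is the valuable part of the page.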
Method 2
The 3DES algorithm is used in ECB mode with PKCS7 padding.
The key is specified by the %urlkey% parameter; however, the encryption uses its MD5 hash.
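The following Go program is an added example (not the article's or the malware's code) that decrypts a web-panel body under Method 2 and splits it into the fields of the message format given in the "Web panel" section. The 16-byte MD5 digest is used as a two-key 3DES key (K1, K2, K1), which is how .NET's TripleDES interprets a 16-byte key; Go requires the 24 bytes spelled out. The urlkey and the field values in main are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"errors"
	"fmt"
	"strings"
)

// beaconKey is MD5(%urlkey%). .NET TripleDES treats the 16-byte digest as a
// two-key 3DES key (K1,K2,K1); Go wants all 24 bytes.
func beaconKey(urlkey string) []byte {
	sum := md5.Sum([]byte(urlkey))
	return append(append(make([]byte, 0, 24), sum[:]...), sum[:8]...)
}

// tripleDESECB runs the block cipher over each 8-byte block on its own (ECB).
func tripleDESECB(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil || len(in) == 0 || len(in)%des.BlockSize != 0 {
		return nil, errors.New("3des: bad key or input length")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += des.BlockSize {
		if decrypt {
			block.Decrypt(out[i:i+8], in[i:i+8])
		} else {
			block.Encrypt(out[i:i+8], in[i:i+8])
		}
	}
	return out, nil
}

// decryptBeacon decrypts the value of the «P» parameter and strips PKCS7 padding.
// A padding failure is the usual symptom of a wrong %urlkey%.
func decryptBeacon(urlkey string, ct []byte) ([]byte, error) {
	pt, err := tripleDESECB(beaconKey(urlkey), ct, true)
	if err != nil {
		return nil, err
	}
	n := int(pt[len(pt)-1])
	if n < 1 || n > des.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("pkcs7: bad padding (wrong key?)")
	}
	return pt[:len(pt)-n], nil
}

// encryptBeacon is the inverse, used here only to construct a sample body.
func encryptBeacon(urlkey string, pt []byte) []byte {
	n := des.BlockSize - len(pt)%des.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	out, _ := tripleDESECB(beaconKey(urlkey), padded, false)
	return out
}

// parseBeacon splits the decrypted "name=value\nname=value" body into fields;
// repeated names such as client[] in a passwords message are kept in order.
func parseBeacon(pt []byte) map[string][]string {
	fields := map[string][]string{}
	for _, line := range strings.Split(string(pt), "\n") {
		if kv := strings.SplitN(line, "=", 2); len(kv) == 2 {
			fields[kv[0]] = append(fields[kv[0]], kv[1])
		}
	}
	return fields
}

func main() {
	// Constructed sample; the key and field values are placeholders, not from a real beacon.
	body := "type=log\nhwid=PLACEHOLDER\ntime=2019-07-01 13:35:45\npcname=user/PC-1\nlogdata=..."
	ct := encryptBeacon("urlkey-placeholder", []byte(body))
	pt, err := decryptBeacon("urlkey-placeholder", ct)
	fmt.Println(parseBeacon(pt), err)
}
```

Since the key is derived from a configuration string that ships in every sample of a campaign, the same %urlkey% decrypts every beacon from that build, which makes recovered traffic a good source of incident scope (hwid, pcname, stolen credentials) during response.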
Malicious functions
The sample under study uses the following modules to carry out its malicious activity:
KeyLogger
If the corresponding flag is set, the malware uses the WinAPI function SetWindowsHookEx to install its own handler for keypress events. The handler function begins by obtaining the title of the active window.
If the application filter flag is set, filtering is performed according to the configured type:
- the program name is searched for in the window title
- the program name is checked in the name of the window's process
After that, a record with information about the active window is added to the log in the format:
Then information about the pressed key is recorded:
| Key | Record |
|---|---|
| Backspace | Depends on the Backspace handling flag: False - {BACK}; True - erases the previous key |
| CAPSLOCK | {CAPSLOCK} |
| ESC | {ESC} |
| Page Up | {PageUp} |
| Down | ↓ |
| Delete | {DEL} |
| " | " |
| F5 | {F5} |
| & | & |
| F10 | {F10} |
| TAB | {TAB} |
| < | < |
| > | > |
| Space | ` ` |
| F8 | {F8} |
| F12 | {F12} |
| F9 | {F9} |
| ALT + TAB | {ALT+TAB} |
| END | {END} |
| F4 | {F4} |
| F2 | {F2} |
| CTRL | {CTRL} |
| F6 | {F6} |
| Right | → |
| Up | ↑ |
| F1 | {F1} |
| Left | ← |
| Page Down | {Page Down} |
| Insert | {Insert} |
| Win | {Win} |
| Num Lock | {NumLock} |
| F11 | {F11} |
| F3 | {F3} |
| HOME | {HOME} |
| Enter | {ENTER} |
| ALT + F4 | {ALT+F4} |
| F7 | {F7} |
| Any other key | The character in upper or lower case, depending on the CapsLock state and the Shift keys |
At the configured interval, the collected log is sent to the server. If the transfer fails, the log is saved to the file %TEMP%\log.tmp in the format:
When the timer fires, the file is transferred to the server.
ScreenLogger
At the configured interval, the malware takes a screenshot in JPEG format with the Quality parameter equal to 50 and saves it to the file %APPDATA%\<random string of 10 characters>.jpg. After transfer, the file is deleted.
ClipboardLogger
If the corresponding flag is set, substitutions are made in the intercepted text according to the table below.
After that, the text is written to the log:
PasswordStealer
The malware can extract passwords from the following applications:
| Browsers | Email clients | FTP clients |
|---|---|---|
| Chrome | Outlook | FileZilla |
| Firefox | Thunderbird | WS_FTP |
| IE/Edge | Foxmail | WinSCP |
| Safari | Opera Mail | CoreFTP |
| Opera Browser | IncrediMail | FTP Navigator |
| Yandex | Pocomail | FlashFXP |
| Comodo | Eudora | SmartFTP |
| ChromePlus | TheBat | FTPCommander |
| Chromium | Postbox | |
| Torch | ClawsMail | |
| 7Star | | |
| Amigo | | |
| BraveSoftware | Jabber clients | VPN clients |
| CentBrowser | Psi/Psi+ | OpenVPN |
| Chedot | | |
| CocCoc | | |
| Elements Browser | Download managers | |
| Epic Privacy Browser | Internet Download Manager | |
| Comet | JDownloader | |
| Orbitum | | |
| Sputnik | | |
| uCozMedia | | |
| Vivaldi | | |
| SeaMonkey | | |
| Flock Browser | | |
| UC Browser | | |
| BlackHawk | | |
| CyberFox | | |
| K-Meleon | | |
| IceCat | | |
| IceDragon | | |
| PaleMoon | | |
| WaterFox | | |
| Falcon Browser | | |
Countering dynamic analysis
- Use of the Sleep function. Allows some sandboxes to be bypassed by timeout
- Deleting the Zone.Identifier stream. Allows hiding the fact that the file was downloaded from the Internet
- The %filter_list% parameter specifies a list of processes that the malware terminates at one-second intervals
- Disabling UAC
- Disabling Task Manager
- Disabling CMD
- Disabling the "Run" window
- Disabling Control Panel
- Disabling the RegEdit tool
- Disabling system restore points
- Disabling the context menu in Explorer
- Disabling MSCONFIG
- Bypassing UAC:
Inactive functions of the main module
While analysing the main module, functions responsible for spreading over the network and for tracking the mouse position were discovered.
Worm
Removable-media connection events are monitored in a separate thread. When a device is connected, the malware is copied to the root of its file system under the name scr.exe, after which it searches for files with the .lnk extension. The command of every .lnk is changed to cmd.exe /c start scr.exe&start <original command>& exit.
Every directory in the root of the media is given the "Hidden" attribute, and a .lnk file is created with the name of the hidden directory and the command cmd.exe /c start scr.exe & explorer /root,"%CD%\<DIRECTORY NAME>" & exit.
MouseTracker
The hooking method is similar to the one used for the keyboard. This function is still under development.
File activity

| Path | Description |
|---|---|
| % Temp.tmp | Contains parameters for the UAC bypass attempt |
| %startupfolder%\%infolder%\%insname% | Path for persisting the malware in the system |
| %Temp%\tmpG{current time in milliseconds}.tmp | Path to the backup copy of the main module |
| %Temp%\log.tmp | Log file |
| %AppData%\{random string of 10 characters}.jpeg | Screenshots |
| C:\Users\Public\{random string of 10 characters}.vbs | Path to the vbs file that the loader can use to persist in the system |
| %Temp%\{custom folder name}\{file name} | Path used by the loader to persist itself in the system |
Profiling
Thanks to the hard-coded credentials, we were able to gain access to the command centre.
This allowed us to identify the attackers' final email address:
junaid[.]in***@gmail[.]com.
The domain name of the command centre was registered to the mailbox sg***@gmail[.]com.
Conclusion
During the detailed analysis of the malware used in the attack, we were able to establish its functionality and obtain the most complete list of indicators of compromise relevant to this case. Understanding the malware's network interaction mechanisms made it possible to give recommendations on tuning information-security tools, as well as to write robust IDS rules.
The main danger of AgentTesla as a DataStealer is that it does not need to persist in the system or wait for a control command to carry out its functions. Once on the machine, it immediately starts collecting private information and sending it to the CnC. This aggressive behaviour is in some ways similar to that of ransomware, the only difference being that the latter does not require a network connection. If you encounter this family, then after cleaning the infected system of the malware itself you should definitely change all passwords that could, at least in theory, have been stored in one of the applications listed above.
Looking ahead, we note that the attackers distributing AgentTesla change the initial loader very often. This allows them to go unnoticed by signature scanners and heuristic analysers at the time of the attack. And this family's habit of starting its activity immediately makes system monitors useless. The best way to combat AgentTesla is preliminary analysis in a sandbox.
In the third article of this series we will look at the other loaders used by AgentTesla and study the process of unpacking them automatically. Don't miss it!
Hashes

| SHA1 |
|---|
| A8C2765B3D655BA23886D663D22BDD8EF6E8E894 |
| 8010CC2AF398F9F951555F7D481CE13DF60BBECF |
| 79B445DE923C92BF378B19D12A309C0E9C5851BF |
| 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |

C&C

| URL |
|---|
| sina-c0m[.]icu |
| smtp[.]sina-c0m[.]icu |

RegKey

| Registry |
|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{script name} |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%inregname% |
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\%insregname% |

Mutex
No indicators.
Files

| File activity |
|---|
| % Temp.tmp |
| %startupfolder%\%infolder%\%insname% |
| %Temp%\tmpG{current time in milliseconds}.tmp |
| %Temp%\log.tmp |
| %AppData%\{random string of 10 characters}.jpeg |
| C:\Users\Public\{random string of 10 characters}.vbs |
| %Temp%\{custom folder name}\{file name} |

Sample information

| Field | Value |
|---|---|
| Name | unknown |
| MD5 | F7722DD8660B261EA13B710062B59C43 |
| SHA1 | 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| SHA256 | 41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9 |
| Type | PE (.NET) |
| Size | 327680 |
| Original name | AZZRIDKGGSLTYFUUBCCRRCUMRKTOXFVPDKGAGPUZI_20190701133545943.exe |
| Timestamp | 01.07.2019 |
| Compiler | VB.NET |

| Field | Value |
|---|---|
| Name | IELibrary.dll |
| MD5 | BFB160A89F4A607A60464631ED3ED9FD |
| SHA1 | 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
| SHA256 | D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE |
| Type | PE (.NET DLL) |
| Size | 16896 |
| Original name | IELibrary.dll |
| Timestamp | 11.10.2016 |
| Compiler | Microsoft Linker (48.0*) |
source: www.habr.com