Staying below the surface: exposing AgentTesla. Part 2

We continue our series of articles devoted to malware analysis. In the first part we described how Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, carried out a detailed analysis of a file received by e-mail at one of the European companies and found the AgentTesla spyware in it. In this article Ilya presents the results of a step-by-step analysis of the main AgentTesla module.

Agent Tesla is modular spyware distributed under a malware-as-a-service model under the guise of a legitimate keylogger product. Agent Tesla can extract user credentials from browsers, e-mail clients and FTP clients and send them to the attackers' server, record clipboard data and capture the device screen. At the time of analysis the developers' official site was unavailable.

Configuration

The table below lists which functions are relevant for the sample in question:

Description | Value
KeyLogger usage flag | true
ScreenLogger usage flag | false
KeyLogger log send interval, minutes | 20
ScreenLogger log send interval, minutes | 20
Backspace key handling flag. False: log only. True: erase the previous key | false
CNC type. Options: smtp, webpanel, ftp | SMTP
Flag enabling the thread that terminates the processes listed in "%filter_list%" | false
UAC disable flag | false
Task Manager disable flag | false
CMD disable flag | false
Run window disable flag | false
Registry Editor disable flag | false
System restore points disable flag | true
Control Panel disable flag | false
MSCONFIG disable flag | false
Flag disabling the context menu in Explorer | false
Persistence flag | false
Path the main module is copied to when persisting in the system | %startupfolder%\%insfolder%\%insname%
Flag setting the "System" and "Hidden" attributes on the persisted main module | false
Flag to reboot after persisting in the system | false
Flag to move the main module to a temporary folder | false
UAC bypass flag | false
Date and time format for logging | yyyy-MM-dd HH:mm:ss
Flag to use the program filter for KeyLogger | true
Program filter type. 1: the program name is searched for in the window title. 2: the program name is searched for in the name of the window's process | 1
Program filter | "facebook", "twitter", "gmail", "instagram", "film", "skype", "porn", "haka", "whatsapp", "discord"

Persisting the main module in the system

If the corresponding flag is set, the main module is copied to the path specified in the configuration as the persistence path.

Depending on the value from the configuration, the file is given the "Hidden" and "System" attributes.
Autorun is provided by two registry branches:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%inregname%
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\%insregname%

Since the loader injects into the RegAsm process, setting the persistence flag for the main module has an interesting consequence. Instead of copying itself, the malware persists the original file of the system RegAsm.exe, the process into which the injection was performed.


Interaction with the C&C

Regardless of the method used, network communication begins with obtaining the victim's external IP address via the resource checkip[.]amazonaws[.]com/.
The network interaction methods implemented in the software are described below.

Web panel

Communication is over HTTP. The malware sends POST requests with the following headers:

  • User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
  • Connection: Keep-Alive
  • Content-Type: application/x-www-form-urlencoded

The server address is set by the %PostURL% value. The encrypted message is sent in the "p" parameter. The encryption scheme is described in the "Encryption algorithms" section (Method 2).

The message sent looks like this:

type={0}\nhwid={1}\ntime={2}\npcname={3}\nlogdata={4}\nscreen={5}\nipadd={6}\nwebcam_link={7}\nclient={8}\nlink={9}\nusername={10}\npassword={11}\nscreen_link={12}

The type field indicates the message type:

hwid: the MD5 hash of the motherboard serial number and processor ID values. Probably used as the user ID.
time: carries the current time and date.
pcname: given as <Username>/<ComputerName>.
logdata: the log data.

When sending passwords, the message looks like this:

type={0}\nhwid={1}\ntime={2}\npcname={3}\nlogdata={4}\nscreen={5}\nipadd={6}\nwebcam_link={7}\nscreen_link={8}\n[passwords]

This is followed by the stolen credentials in the format \nclient[]={0}\nlink[]={1}\nusername[]={2}\npassword[]={3}.

SMTP

Communication is over SMTP. The transmitted message is in HTML format. The BODY parameter has the form:

The subject of the message has the general form <USER NAME>/<COMPUTER NAME> <CONTENT TYPE>. The message body and the attachments are not encrypted.

FTP
Communication is over FTP. A file named <CONTENT TYPE>_<USER NAME>-<COMPUTER NAME>_<DATE AND TIME>.html is uploaded to the specified server. The file contents are not encrypted.


Encryption algorithms

This sample uses the following encryption methods:

Method 1

This method is used to encrypt the strings in the main module. The encryption algorithm is AES.

The input is a six-digit decimal number. The following transformation is applied to it:

f(x) = (((x >> 2 - 31059) ^ 6380) - 1363) >> 3

The resulting value is an index into the embedded data array.

Each element of the array is a DWORD. Concatenating the DWORDs yields a byte array: the first 32 bytes are the encryption key, the next 16 bytes are the initialization vector, and the remaining bytes are the encrypted data.

Method 2

The 3DES algorithm is used in ECB mode with padding to whole bytes (PKCS7).

The key is set by the %urlkey% parameter; however, the encryption uses its MD5 hash rather than the value itself.
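A decoder for the web-panel "p" parameter described above, written here as an added example (it is not the article's or Group-IB's code): it derives the 3DES key as the MD5 of %urlkey%, decrypts in ECB mode and strips the PKCS7 padding. The %urlkey% value "example-urlkey", the message text used in the test, and the reading of the 16-byte digest as a two-key 3DES key (K1,K2,K1) are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"errors"
)

// deriveKey: the sample keys 3DES with the raw MD5 digest of %urlkey%.
// Assumption (not stated in the article): the 16-byte digest acts as a
// two-key 3DES key (K1,K2,K1), as in .NET; Go wants all 24 bytes spelled out.
func deriveKey(urlkey string) []byte {
	sum := md5.Sum([]byte(urlkey))
	return append(append([]byte{}, sum[:]...), sum[:8]...)
}

// ecb applies one block operation to every block independently (no IV).
func ecb(b cipher.Block, in []byte, op func(dst, src []byte)) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += des.BlockSize {
		op(out[i:i+des.BlockSize], in[i:i+des.BlockSize])
	}
	return out
}

// DecryptMessage decodes the web-panel "p" value: 3DES-ECB with PKCS7 padding.
func DecryptMessage(urlkey string, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	b, _ := des.NewTripleDESCipher(deriveKey(urlkey)) // key is always 24 bytes
	pt := ecb(b, ct, b.Decrypt)
	n := int(pt[len(pt)-1]) // PKCS7: the last byte is the pad length
	if n == 0 || n > des.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS7 padding (wrong %urlkey%?)")
	}
	return pt[:len(pt)-n], nil
}

// EncryptMessage is the inverse, kept only so the decoder can be checked
// against constructed traffic when no real capture is at hand.
func EncryptMessage(urlkey string, pt []byte) []byte {
	b, _ := des.NewTripleDESCipher(deriveKey(urlkey))
	n := des.BlockSize - len(pt)%des.BlockSize
	return ecb(b, append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...), b.Encrypt)
}
```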

Malicious functionality

The sample under investigation uses the following components to implement its malicious functionality:

KeyLogger

If the corresponding flag is set, the malware installs its own handler for keyboard key-press events using the WinAPI function SetWindowsHookEx. The handler function begins by obtaining the title of the active window.

If the application filter flag is set, filtering is performed according to the specified type:

  1. The program name is searched for in the window title
  2. The program name is searched for in the name of the window's process

After that, a record with information about the active window is added to the log in the format:

Then information about the pressed key is recorded:

Key | Record
Backspace | Depends on the backspace handling flag. False: {BACK}. True: erases the previous key
CAPSLOCK | {CAPSLOCK}
ESC | {ESC}
PageUp | {PageUp}
Down |
DEL | {DEL}
" | "
F5 | {F5}
& | &
F10 | {F10}
TAB | {TAB}
< | <
> | >
Space |
F8 | {F8}
F12 | {F12}
F9 | {F9}
ALT+TAB | {ALT+TAB}
END | {END}
F4 | {F4}
F2 | {F2}
CTRL | {CTRL}
F6 | {F6}
Right |
Up |
F1 | {F1}
Left |
PageDown | {Page Down}
Insert | {Insert}
Win | {Win}
NumLock | {NumLock}
F11 | {F11}
F3 | {F3}
HOME | {HOME}
Enter | {ENTER}
ALT+F4 | {ALT+F4}
F7 | {F7}
Any other key | The character in upper or lower case depending on the state of CapsLock and the Shift keys

At the specified interval, the collected log is sent to the server. If the transfer fails, the log is saved to the file %TEMP%\log.tmp in the format:

When the timer fires, the file is sent to the server.

ScreenLogger

At the specified interval, the malware takes a screenshot in Jpeg format with a Quality setting of 50 and saves it to the file %APPDATA%\<random string of 10 characters>.jpg. After transfer the file is deleted.

ClipboardLogger

If the corresponding flag is set, substitutions are made in the intercepted text according to the table below.

After that, the text is written to the log:


PasswordStealer

The malware can extract passwords from the following applications:

Browsers: Chrome, Firefox, IE/Edge, Safari, Opera Browser, Yandex, Comodo, ChromePlus, Chromium, Torch, 7Star, Amigo, BraveSoftware, CentBrowser, Chedot, CocCoc, Elements Browser, Epic Privacy Browser, Comet, Kewaya, Sputnik, uCozMedia, Vivaldi, SeaMonkey, Flock Browser, UC Browser, BlackHawk, CyberFox, K-Meleon, IceCat, IceDragon, Rariya, WaterFox, Falkon Browser

E-mail clients: Outlook, Thunderbird, Foxmail, Opera Mail, Ƙari mai yawa, Pocomail, Eudora, TheBat, Postbox, ClawsMail

FTP clients: FileZilla, WS_FTP, WinSCP, CoreFTP, FTP Navigator, FlashFXP, SmartFTP, FTPCommander

Jabber clients: Psi/Psi+

VPN clients: OpenVPN

Download managers: Internet Download Manager, JDownloader

Countering dynamic analysis

  • Use of the Sleep function. Lets the sample outlast the timeout of some sandboxes
  • Deletion of the Zone.Identifier stream. Hides the fact that the file was downloaded from the Internet
  • The %filter_list% parameter specifies the list of processes that the malware terminates at one-second intervals
  • Disabling UAC
  • Disabling Task Manager
  • Disabling CMD
  • Disabling the "Run" window
  • Disabling Control Panel
  • Disabling the RegEdit tool
  • Disabling system restore points
  • Disabling the context menu in Explorer
  • Disabling MSCONFIG
  • UAC bypass:

Inactive functionality of the main module

While analysing the main module, functions responsible for spreading over the network and for tracking the mouse position were found.

Worm

Removable-media connection events are monitored in a separate thread. When a device is connected, the malware is copied to the root of its file system under the name scr.exe, after which it searches for files with the lnk extension. The command of each lnk is changed to cmd.exe /c start scr.exe&start <original command>&exit.

Each directory in the media root is given the "Hidden" attribute, and a file with the lnk extension is created with the name of the hidden directory and the command cmd.exe /c start scr.exe&explorer /root,"%CD%\<DIRECTORY NAME>"&exit.

MouseTracker

The interception method is similar to the one used for the keyboard. This functionality is still under development.

File activity

Path | Description
%Temp%\temp.tmp | Contains the counter of UAC bypass attempts
%startupfolder%\%insfolder%\%insname% | Path for persisting the malware in the system
%Temp%\tmpG{current time in milliseconds}.tmp | Path for the backup copy of the main module
%Temp%\log.tmp | Log file
%AppData%\{random string of 10 characters}.jpeg | Screenshots
C:\Users\Public\{random string of 10 characters}.vbs | Path to the vbs file that the loader may use to persist in the system
%Temp%\{Custom folder name}\{File name} | Path the loader uses to persist itself in the system

Profile

Thanks to hard-coded authentication data, we were able to gain access to the command center.

This allowed us to identify the attackers' final e-mail address:

junaid[.]in***@gmail[.]com.

The domain name of the command center was registered to the e-mail address sg***@gmail[.]com.

Conclusion

During the detailed analysis of the malware used in the attack, we were able to establish its functionality and obtain the most complete list of indicators of compromise relevant to this case. Understanding the mechanisms of the malware's network interaction made it possible to give recommendations for tuning information security tools and to write stable IDS rules.

The main danger of AgentTesla as a DataStealer is that it does not need to persist in the system or wait for a control command to perform its functions. Once on the machine, it immediately starts collecting private information and sending it to the CnC. This aggressive behaviour is in some ways similar to that of ransomware, the only difference being that the latter does not require a network connection. If you encounter this family, then after cleaning the infected system of the malware itself you should definitely change all passwords that could, at least in theory, be stored in one of the applications listed above.

Looking ahead, we note that the attackers sending AgentTesla change the initial loader very often. This lets them go unnoticed by signature scanners and heuristic analysers at the time of the attack. And this family's tendency to start its activity immediately renders system monitors useless. The best way to counter AgentTesla is preliminary analysis in a sandbox.

In the third article of this series we will look at the other loaders used by AgentTesla and study the process of their semi-automatic unpacking. Don't miss it!

Hashes

SHA1

C & C

URL
sina-c0m[.]icu
smtp[.]sina-c0m[.]icu

RegKey

Registry
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{script name}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%inregname%
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\%insregname%

Mutex

No indicators.

Files

Path
%Temp%\temp.tmp
%startupfolder%\%insfolder%\%insname%
%Temp%\tmpG{current time in milliseconds}.tmp
%Temp%\log.tmp
%AppData%\{random string of 10 characters}.jpeg
C:\Users\Public\{random string of 10 characters}.vbs
%Temp%\{Custom folder name}\{File name}

Sample information

Name: unknown
MD5: F7722DD8660B261EA13B710062B59C43
SHA1: 15839B7AB0417FA35F2858722F0BD47BDF840D62
SHA256: 41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9
Type: PE (.NET)
Size: 327680
Original name: AZZRIDKGGSLTYFUUBCCRRCUMRKTOXFVPDKGAGPUZI_20190701133545943.exe
Date stamp: 01.07.2019
Compiler: VB.NET

Name: IELibrary.dll
MD5: BFB160A89F4A607A60464631ED3ED9FD
SHA1: 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD
SHA256: D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE
Type: PE (.NET DLL)
Size: 16896
Original name: IELibrary.dll
Date stamp: 11.10.2016
Compiler: Microsoft Linker (48.0*)

source: www.habr.com
