Without stepping into the light: exposing AgentTesla. Part 3


With this article we conclude the series of publications devoted to malware analysis. In the first part we carried out a detailed analysis of the infected file that a European company received by e-mail and found the AgentTesla spyware inside it. In the second part we described the results of a step-by-step analysis of the main AgentTesla module.

Today Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, will talk about the first stage of malware analysis: semi-automatic unpacking of AgentTesla samples, using three mini-cases from CERT Group-IB's practice as examples.

Usually the first step in malware analysis is removing the protection in the form of a packer, cryptor, protector or loader. In most cases this problem can be solved by running the malware and dumping it, but there are situations where this method is unsuitable. For example, if the malware is an encryptor, if it protects its memory regions from dumping, if the code contains virtual machine detection mechanisms, or if the malware restarts itself immediately after launch. In such cases so-called "semi-automatic" unpacking is used, that is, the researcher keeps full control over the process and can intervene at any moment. Let us look at this procedure using three samples of the AgentTesla family as examples. This malware is relatively harmless if you cut off its network access.

Example 1

The source file is an MS Word document that exploits the vulnerability CVE-2017-11882.

As a result, the payload is downloaded and launched.

Analysis of the process tree and the behavioral indicators shows an injection into the RegAsm.exe process.

There are indicators characteristic of AgentTesla.

The downloaded sample is a .NET executable protected by .NET Reactor.

Let us open it in the dnSpy x86 utility and proceed to unpacking.

By going to the DateTimeOffset function, we find the initialization code of the new .NET module. We set a breakpoint on the line we are interested in and run the file.

In one of the returned buffers you can see the MZ signature (0x4D 0x5A). Let us save it.

The dumped file is a dynamic library acting as a loader, i.e. it extracts the payload from the resource section and launches it.

At the same time, the required resources themselves are not present in the dump. They are in the parent sample.

The dnSpy utility has two useful functions that help us quickly build a "Frankenstein" out of the two related files.

  1. The first lets you "embed" the dynamic library into the parent sample.

  2. The second is rewriting the function code at the entry point so that it calls the desired method of the embedded dynamic library.

We save the "Frankenstein", set a breakpoint on the line that returns the buffer with the decrypted resources, and produce a dump by analogy with the previous step.

The second dump is a VB.NET executable protected by a protector already familiar to us, ConfuserEx.

After removing the protector, we apply the previously written YARA rules and confirm that the unpacked malware is indeed AgentTesla.


Example 2

The source file is an MS Excel document. The macro embedded in it triggers execution of malicious code.

As a result, a PowerShell script is launched.

The script decrypts C# code and transfers control to it. The code itself is a loader, as can also be seen from the sandbox report.

The payload is a .NET executable.

Opening the file in dnSpy x86, you can see that it is obfuscated. We remove the obfuscation with the de4dot utility and return to the analysis.

When examining the code, you can find the following function:

The obfuscated strings EntryPoint and Invoke stand out. We set a breakpoint on the first line, run, and save the contents of the byte_0 buffer.

The dump is also a .NET application, and it is protected by ConfuserEx.

We remove the obfuscation with de4dot and load the result into dnSpy. From the file description we understand that we are dealing with the CyaX-Sharp Loader.

This loader has extensive anti-analysis functionality.

This functionality includes bypassing the built-in Windows protection, disabling Windows Defender, and sandbox and virtual machine detection mechanisms. The payload can be downloaded from the network or stored in the resource section. It is launched by injection into the loader's own process, into a copy of itself, or into the MSBuild.exe, vbc.exe and RegSvcs.exe processes, depending on the option chosen by the attacker.

However, for us these are less important than the AntiDump function that ConfuserEx adds. Its source code can be found on GitHub.

To disable this protection, we use the dnSpy feature that allows editing the IL code.

We save the file and set a breakpoint on the line that calls the decryption function. It is located in the constructor of the main class.

We run the sample and dump the payload. Using the previously written YARA rules, we confirm that this is AgentTesla.


Example 3

The source file is a native Visual Basic PE32 executable.

Entropy analysis shows the presence of a large fragment of encrypted data.

When examining the application form in VB Decompiler, you can notice a strange pixelated background.

The entropy graph of the bmp image is similar to the entropy graph of the original file, and its size is 85% of the file size.

The overall appearance of the image indicates the use of steganography.

Let us pay attention to the shape of the process tree, as well as the presence of an injection marker.

This indicates that unpacking is in progress. For Visual Basic loaders (aka VBKrypt or VBInjector), using shellcode to initialize the payload and to perform the injection itself is typical.

Analysis in VB Decompiler showed a Load event on the form FegatassocAirballoon2.

We go to the specified address in IDA Pro and examine the function. The code is heavily obfuscated. The fragment of interest is shown below.

Here the process address space is scanned for a signature. This approach is highly questionable.

First, the scan starts at address 0x400100. This value is static and is not adjusted when the image base changes. Under ideal greenhouse conditions it points to the end of the PE header of the executable. However, the image base is not static; its value can change, and searching for the real address of the required signature, although it will not cause a variable overflow, can take a very long time.

Second, the signature value is iWGK. I think it is obvious that 4 bytes are too few to guarantee uniqueness. And if you take the first point into account, the probability of a mismatch is quite high.

In fact, the required fragment is appended to the end of the previously found bmp image at offset 0xA1D0D.
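The two checks applied to this sample, the per-block entropy profile of the file versus its embedded bmp and the search for the 4-byte iWGK tag that precedes the appended stage, can be reproduced with the following added Python example; it is not from the article or from Group-IB, and the dropper layout it builds (filler code, a bmp with pseudo-random pixel data, the marker, a second stage) is a constructed stand-in, not the real sample.

```python
import math
import random
import struct

MARKER = b"iWGK"  # the 4-byte tag the VB loader scans for (taken from the article)

def shannon_entropy(data):
    """Entropy in bits per byte: ~0 for padding, close to 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_profile(data, block=512):
    """Entropy of each fixed-size block, i.e. the 'entropy graph' an analyst looks at."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]

def find_marker(data, marker=MARKER, start=0):
    """Every offset of a short marker from `start` on; a 4-byte tag can hit by chance."""
    hits, pos = [], data.find(marker, start)
    while pos != -1:
        hits.append(pos)
        pos = data.find(marker, pos + 1)
    return hits

def bmp_share(data):
    """Fraction of the file taken by the embedded BMP, read from its own header."""
    off = data.find(b"BM")
    return struct.unpack_from("<I", data, off + 2)[0] / len(data) if off != -1 else 0.0

def carve_after_marker(data, marker=MARKER):
    """Bytes following the last marker occurrence (the appended stage in this layout)."""
    hits = find_marker(data, marker)
    return data[hits[-1] + len(marker):] if hits else b""

def build_sample(seed=1):
    """Constructed stand-in for the dropper: low-entropy 'code', a BMP whose pixel
    data is pseudo-random (encrypted-looking), then the marker and a second stage."""
    rng = random.Random(seed)
    code = b"\x90" * 2048
    pixels = bytes(rng.randrange(256) for _ in range(12000))
    bmp = b"BM" + struct.pack("<I", 14 + len(pixels)) + b"\x00" * 8 + pixels
    stage2 = b"This program cannot be run in DOS mode" + b"\x00" * 500
    return code + bmp + MARKER + stage2
```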

The shellcode runs in two stages. The first decrypts the main body. In this case the key is recovered by brute force.

We dump the decrypted shellcode and look at the strings.

First, we now know the function used to create the child process: CreateProcessInternalW.

Second, we understand the persistence mechanism in the system.

Let us return to the original process. We set a breakpoint on CreateProcessInternalW and continue execution. Next we see the NtGetContextThread/NtSetContextThread pair, which changes the execution start address to the address of the shellcode.

We attach a debugger to the created process, enable the break-on-library-load/unload event, resume the process and wait for the .NET libraries to load.

Then, using ProcessHacker, we dump the regions containing the unpacked .NET application.

We terminate all the processes and delete the copy of the malware it planted in the system.

The dumped file is protected by the .NET Reactor protector, which is easily removed with the de4dot utility.

Using the previously written YARA rules, we confirm that this is AgentTesla.

Summary

So, we have shown in detail the process of semi-automatic sample unpacking using three mini-cases as examples, and we have also analyzed the malware in a full case, establishing that the sample under investigation is AgentTesla, identifying its functionality and a complete list of indicators of compromise.

The malware analysis we performed takes a lot of time and effort, and this work should be done by a dedicated employee within the company, but not every company is ready to hire an analyst.

One of the services provided by Group-IB's Laboratory of Computer Forensics and Malware Research is incident response. And so that clients do not waste time approving documents and negotiating in the middle of a cyberattack, Group-IB launched Incident Response Retainer, a pre-subscription incident response service that also includes a malware analysis stage. More information about it can be found here.

If you would like to go over how AgentTesla samples are unpacked once more and see how CERT Group-IB specialists do it, you can download the recording of the webinar on this topic here.

source: www.habr.com
