Keylogger with a surprise: analysis of the keylogger and deanonymization of its developer

In recent years, mobile Trojans have been actively displacing Trojans for personal computers, so the appearance of new malware for the good old "machines" and its active use by cybercriminals, although unpleasant, is still an event. Recently, the round-the-clock information security incident response center CERT Group-IB detected an unusual phishing email hiding new PC malware that combines Keylogger and PasswordStealer functions. The analysts' attention was drawn to how the spyware got onto the user's machine: via a popular voice messenger. Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, explains how the malware works, why it is dangerous, and how he found its creator in faraway Iraq.

So, let's go in order. Under the guise of an attachment, the email contained an image; clicking on it took the user to the site cdn.discordapp.com, from which a file was downloaded.

Using Discord, a free voice and text messenger, is quite unusual. Normally other instant messengers or social networks are used for this purpose.

During the detailed analysis, the malware family was identified. It turned out to be a newcomer to the malware market: 404 Keylogger.

The first advertisement for the sale of the keylogger was posted on hackforums by a user under the nickname "404 Coder" on August 8.

The store domain was registered quite recently, on September 7, 2019.

As the developers state on the website 404projects[.]xyz, 404 is a tool that helps companies learn about the activities of their customers (with their consent), or is meant for those who want to protect their binary from reverse engineering. Looking ahead, we will say that 404 definitely fails at the latter task.

We decided to reverse one of the files and check what "BEST SMART KEYLOGGER" is.

Malware ecosystem

Loader 1 (AtillaCrypter)

The source file is protected with EaxObfuscator and performs a two-stage load of AtProtect from the resource section. While analyzing other samples found on VirusTotal, it became clear that this stage was not provided by the developer himself but was added by his client. This bootloader was later identified as AtillaCrypter.

Loader 2 (AtProtect)

In fact, this loader is an integral part of the malware and, according to the developer's intent, should take on the function of countering analysis.

In practice, however, the protection mechanisms are extremely primitive, and our systems successfully detect this malware.

The main module is loaded using Franchy ShellCode of various versions. However, we do not rule out that other injection options were used as well.

Configuration file

Persistence

Persistence in the system is established by the AtProtect loader if the corresponding flag is set.

  • The file is copied to the path %AppData%\GFqaak\Zpzwm.exe.
  • The file %AppData%\GFqaak\WinDriv.url is created, which launches Zpzwm.exe.
  • In the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, a startup entry WinDriv.url is created.

Interaction with C&C

AtProtect loader

If the corresponding flag is present, the malware can launch a hidden iexplorer process and follow the specified link to notify the server of a successful infection.

DataStealer

Regardless of the method used, network communication begins with obtaining the victim's external IP address using the resource [http]://checkip[.]dyndns[.]org/.

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)

The message structure is the same in every case. It has a header |——- 404 Keylogger — {Type} ——-|, where {Type} corresponds to the type of information transmitted. Next comes information about the system:

_______ + Victim Info + _______

IP: {External IP}
Owner Name: {Computer name}
OS Name: {OS Name}
OS Version: {OS Version}
OS Platform: {Platform}
RAM Size: {RAM size}
______________________________

And finally, the transmitted data itself.
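A parser for the message layout just described, written as an added example (not the article's or the malware's code) for triaging captured SMTP or FTP bodies in a sandbox; it assumes the header dash characters and the "Victim Info" block delimited by underscore lines exactly as shown above, with the stolen data starting on the line after the closing underscore rule.

```go
package main

import (
	"regexp"
	"strings"
)

// Report is one parsed 404 Keylogger exfiltration message, following the
// layout described above: a header line, a "Victim Info" block, then the data.
type Report struct {
	Type   string            // the {Type} from the header, e.g. "Keylogger"
	Victim map[string]string // "IP", "Owner Name", "OS Name", ... from the info block
	Data   string            // everything after the closing underscore line
}

// headerRe matches "|——- 404 Keylogger — {Type} ——-|", accepting runs of em-dashes or hyphens.
var headerRe = regexp.MustCompile(`^\|[—-]+ 404 Keylogger [—-] (.+?) [—-]+\|$`)

// parseReport returns nil when the text does not start with the 404 Keylogger
// header, so it can run as a detector over arbitrary captured message bodies.
func parseReport(body string) *Report {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	m := headerRe.FindStringSubmatch(strings.TrimSpace(lines[0]))
	if m == nil {
		return nil
	}
	r := &Report{Type: m[1], Victim: map[string]string{}}
	i := 1
	for ; i < len(lines); i++ {
		l := strings.TrimSpace(lines[i])
		// The info block opens with "_______ + Victim Info + _______" and closes
		// with a bare underscore line; the payload starts on the line after it.
		if strings.HasPrefix(l, "___") && !strings.Contains(l, "+") {
			i++
			break
		}
		if k, v, ok := strings.Cut(l, ": "); ok {
			r.Victim[k] = v
		}
	}
	if i < len(lines) {
		r.Data = strings.Join(lines[i:], "\n")
	}
	return r
}
```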

SMTP

The subject of the email is as follows: 404 K | {Message type} | Client Name: {Username}.

Interestingly, the developers' own SMTP server is used to deliver the emails to the 404 Keylogger client.

This made it possible to identify some of the clients, as well as the email address of one of the developers.

FTP

When this method is used, the collected information is saved to a file and immediately read back from it.

The logic behind this action is not entirely clear, but it creates an additional artifact for writing behavioral rules.

%HOMEDRIVE%%HOMEPATH%\Documents\A{Arbitrary number}.txt

Pastebin

At the time of analysis, this method is used only to transfer stolen passwords. Moreover, it is used not as an alternative to the first two but in parallel with them. The condition is that a constant equals "Vavaa". Presumably this is the client's name.

Interaction is carried out over https via the pastebin API. The api_paste_private value corresponds to PASTE_UNLISTED, which prevents such pages from being found through pastebin search.

Encryption algorithms

Extracting a file from resources

The payload is stored in the resources of the AtProtect loader in the form of Bitmap images. Extraction takes place in several stages:

  • A byte array is extracted from the image. Each pixel is treated as a sequence of 3 bytes in BGR order. After extraction, the first 4 bytes of the array hold the length of the message, and the following bytes hold the message itself.

  • The key is computed. To do this, MD5 is calculated from the value "ZpzwmjMJyfTNiRalKVrcSkxCN" specified as the password. The resulting hash is written twice.

  • Decryption is performed using the AES algorithm in ECB mode.
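The three stages above, implemented as an added example in Go (not code from the article or from the malware): the only value taken from the page is the password string; the little-endian length prefix and PKCS#7 padding are assumptions, since the article states neither (both are the .NET defaults the loader would most likely inherit).

```go
package main

import (
	"crypto/aes"
	"crypto/md5"
	"encoding/binary"
	"errors"
)

// deriveKey: MD5 of the password string, written twice, gives the 32-byte AES-256 key.
func deriveKey(password string) []byte {
	h := md5.Sum([]byte(password))
	return append(h[:], h[:]...)
}

// extractFromPixels takes the flattened BGR byte stream of the bitmap resource
// (3 bytes per pixel): the first 4 bytes hold the message length (assumed
// little-endian, as .NET's BitConverter produces), the rest hold the message.
func extractFromPixels(pixels []byte) ([]byte, error) {
	if len(pixels) < 4 {
		return nil, errors.New("pixel data too short for length prefix")
	}
	n := binary.LittleEndian.Uint32(pixels[:4])
	if uint64(n) > uint64(len(pixels)-4) {
		return nil, errors.New("length prefix exceeds available pixel data")
	}
	return pixels[4 : 4+n], nil
}

// decryptECB decrypts AES block by block with no chaining (ECB mode), then
// strips PKCS#7 padding (assumed: the article names no padding scheme, and
// PKCS#7 is the .NET default). Bad padding usually means a wrong key.
func decryptECB(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(pt) {
		return nil, errors.New("invalid PKCS#7 padding: wrong key or corrupt data")
	}
	return pt[:len(pt)-pad], nil
}
```

Chaining extractFromPixels, deriveKey and decryptECB over a dumped bitmap resource yields the embedded module; a padding error at the last step is the quickest sign that a sample uses a different password.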

Malicious functionality

Update

Implemented in the AtProtect loader.

  • At the link [activelink-repalce], the server status is requested to confirm that it is ready to serve the file. The server must return "ON".
  • At the link [Downloadlink-replace], the payload is downloaded.
  • Using FranchyShellcode, the payload is injected into the process [inj-replace].

During the analysis of the domain 404projects[.]xyz, additional 404 Keylogger samples, as well as several types of loaders, were found on VirusTotal.

Conventionally, they are divided into two types:

  1. The download is carried out from the resource 404projects[.]xyz.

     The data is Base64-encoded and AES-encrypted.

  2. This variant consists of several stages and is most likely used in conjunction with the AtProtect loader.

  • At the first stage, data is loaded from pastebin and decoded using the HexToByte function.

  • At the second stage, the source of the download is 404projects[.]xyz itself. However, the decompression and decoding functions are similar to those found in DataStealer. It was probably originally planned to implement the loader functionality in the main module.

  • At this stage, the payload already sits in the resource manifest in packed form. Similar extraction functions were also found in the main module.

Among the analyzed files, loaders for njRat, SpyGate and other RATs were found.

Keylogger

Log sending period: 30 minutes.

All keys are supported. Special characters are escaped. There is handling for the BackSpace and Delete keys. Case-sensitive.

ClipboardLogger

Log sending period: 30 minutes.

Clipboard polling interval: 0.1 seconds.

Escaping of links is implemented.

ScreenLogger

Log sending period: 60 minutes.

Screenshots are saved to %HOMEDRIVE%%HOMEPATH%\Documents\404k\404pic.png.

After sending, the 404k folder is deleted.

PasswordStealer

  • Web browsers: ikona, Firefox, SeaMonkey, hau hau, PaleMoon, Cyberhio, ikona, Brave, QQBrowser, IridiumBrowser, XvastBrowser, Chedot, 360Browser, KomodoDragon, 360Chrome, SuperBird, CentBrowser, Hoʻopaʻa ʻuhane, Iron Browser, Chromium, Vivaldi, SlimjetBrowser, Orbitum, CocCoc, Torch, UCBrowser, EpicBrowser, BliskBrowser, Opera
  • Mail clients: Outlook, Kaukoki, Foxmail
  • FTP clients: FileZilla

Countering dynamic analysis

  • Checking whether the process is being analyzed

    Performed by searching for the processes taskmgr, ProcessHacker, procexp64, procexp, procmon. If at least one is found, the malware exits.

  • Checking whether it is running in a virtual environment

    Performed by searching for the processes vmtoolsd, VGAuthService, vmacthlp, VBoxService, VBoxTray. If at least one is found, the malware exits.

  • Sleeping for 5 seconds
  • Displaying various kinds of dialog boxes

    Can be used to bypass some sandboxes.

  • UAC bypass

    Performed by editing the registry value EnableLUA in the group policy settings.

  • Sets the "Hidden" attribute on the current file.
  • Can delete the current file.

Unused functionality

During the analysis of the loader and the main module, functions responsible for additional functionality were found, but they are not used anywhere. This is probably because the malware is still under development and its functionality will be expanded soon.

AtProtect loader

A function was found that is responsible for loading an arbitrary module and injecting it into the msiexec.exe process.

DataStealer

  • Persistence
  • Decompression and decryption functions

    Data encryption during network communication will probably be implemented soon.

  • Terminating antivirus processes (the sample carries a long list of security-product process names to look for)
  • Self-destruction
  • Loading data from the specified resource manifest
  • Copying the file to the path %Temp%\tmpG\[Current date and time in milliseconds].tmp

    Interestingly, an identical function exists in the AgentTesla malware.

  • Worm functionality

    The malware obtains the list of removable media. A copy of the malware is created in the root of the media file system under the name Sys.exe. Autorun is implemented using an autorun.inf file.

Attacker profile

During the analysis of the command server, it was possible to establish the email address and nickname of the developer: Razer, aka Brwa, Brwa65, HiDDen PerSOn, 404 Coder. Next, we found an interesting video on YouTube demonstrating work with the builder.

This made it possible to find the original developer's channel.

It became clear that he has experience writing crypters. There are also links to pages on social networks, as well as the author's real name. He turned out to be a resident of Iraq.

This is what the 404 Keylogger developer presumably looks like. Photo from his personal Facebook page.

The new threat, 404 Keylogger, was reported by CERT Group-IB, the round-the-clock cyber threat monitoring and response center (SOC) in Bahrain.

Source: www.habr.com
