In recent years, mobile Trojans have been steadily displacing Trojans for personal computers, so the appearance of new malware for the good old "machines" and its active use by cybercriminals, although unpleasant, is still an event. Recently, CERT Group-IB's 24/7 information security incident response center detected an unusual phishing email that concealed new PC malware combining the functions of a Keylogger and a PasswordStealer. The analysts' attention was drawn to how the spyware got onto the user's machine: through a popular voice messenger. Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, explains how the malware works, why it is dangerous, and even found its creator in faraway Iraq.
So, let's take it in order. Under the guise of an attachment, such a letter contained an image; when it was clicked, the user was taken to the site cdn.discordapp.com, and the malicious file was downloaded from there.
Using Discord, a free voice and text messenger, is quite unconventional. Usually other instant messengers or social networks are used for these purposes.
During further analysis, the malware family was identified. It turned out to be a newcomer to the malware market - 404 Keylogger.
The first advertisement for the sale of the keylogger was posted on hackforums by a user under the nickname "404 Coder" on August 8.
The store domain was registered quite recently - on September 7, 2019.
As the developers state on the website 404 project [.]xyz, 404 is a tool designed to help companies learn about the activities of their customers (with their permission) or for those who want to protect their binary from reverse engineering. Looking ahead, let's say that 404 definitely does not cope with the last task.
We decided to reverse one of the files and check what the "BEST SMART KEYLOGGER" really is.
Malware ecosystem
Loader 1 (AtillaCrypter)
The source file is protected with EaxObfuscator and performs a two-stage loading of AtProtect from the resource section. During analysis of other samples found on VirusTotal, it became clear that this stage was not provided by the developer himself but was added by his client. It was later determined that this bootloader is AtillaCrypter.
Loader 2 (AtProtect)
In fact, this loader is an integral part of the malware and, according to the developer's intent, should take on the task of counteracting analysis.
In practice, however, the protection mechanisms are extremely primitive, and our systems successfully detect this malware.
The main module is loaded using Franchy ShellCode of various versions. However, we do not rule out that other options could be used, for example RunPE.
Configuration file
Persistence in the system
Persistence in the system is provided by the AtProtect bootloader if the corresponding flag is set.
- The file is copied to the path %AppData%\GFqaak\Zpzwm.exe.
- The file %AppData%\GFqaak\WinDriv.url is created, which launches Zpzwm.exe.
- In the HKCU\Software\Microsoft\Windows\CurrentVersion\Run branch, a startup key WinDriv.url is created.
Communication with C&C
Loader AtProtect
If the corresponding flag is present, the malware can launch a hidden iexplorer process and follow the specified link to notify the server of a successful infection.
DataStealer
Regardless of the method used, network communication begins with obtaining the victim's external IP via the resource [http]://checkip[.]dyndns[.]org/.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
The general structure of the message is the same for every channel. The header
|ββ- 404 Keylogger β {Type} β-| is present, where {Type} corresponds to the type of data being transmitted.
Next comes information about the system:
_______ + VICTIM INFO + _______
IP: {External IP}
Owner Name: {Computer name}
OS Name: {OS Name}
OS Version: {OS Version}
OS Platform: {Platform}
RAM Size: {RAM size}
______________________________
And finally, the collected data.
SMTP
The subject of the letter is as follows: 404k | {Message Type} | Client Name: {Username}.
Interestingly, the 404 Keylogger developers' own SMTP server is used to deliver the letters to the client.
This made it possible to identify some of the clients, as well as the email address of one of the developers.
FTP
When this method is used, the collected information is saved to a file and immediately read back from it.
The logic behind this action is not entirely clear, but it creates an additional artifact for writing behavioral rules.
%HOMEDRIVE%%HOMEPATH%\Documents\A{Arbitrary number}.txt
Pastebin
At the time of analysis, this method is used only to transfer stolen passwords. Moreover, it is used not as an alternative to the first two, but in parallel. The condition is that a constant equals "Vavaa". Presumably this is the client's name.
Interaction occurs over the https protocol via the pastebin API. The value of api_paste_private is PASTE_UNLISTED, which prevents such pages from being found through pastebin search.
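The message layout and SMTP subject described above are regular enough to parse from a mail-gateway or proxy capture. The following is an added example, not code from the report or from the malware: the regular expressions are built from the layout as described here and are an assumption about exact spacing, and the sample body is constructed, not a real capture.

```go
package main

import (
	"regexp"
	"strings"
)

// Patterns built from the message layout the report describes (assumed exact).
var (
	headerRe  = regexp.MustCompile(`\|ββ-\s*404 Keylogger\s*β\s*(\S+)\s*β-\|`)
	subjectRe = regexp.MustCompile(`^404k \| (.+?) \| Client Name: (.+)$`)
	fieldRe   = regexp.MustCompile(`(?m)^(IP|Owner Name|OS Name|OS Version|OS Platform|RAM Size): (.*)$`)
)

// Exfil is what a mail-gateway or proxy parser can pull from one captured message.
type Exfil struct {
	Type   string            // {Type} from the header
	Fields map[string]string // VICTIM INFO key/value pairs
}

// ParseBody returns ok=false unless the 404 Keylogger header is present.
func ParseBody(body string) (Exfil, bool) {
	m := headerRe.FindStringSubmatch(body)
	if m == nil {
		return Exfil{}, false
	}
	e := Exfil{Type: m[1], Fields: map[string]string{}}
	for _, f := range fieldRe.FindAllStringSubmatch(body, -1) {
		e.Fields[f[1]] = strings.TrimSpace(f[2])
	}
	return e, true
}

// ParseSubject recognises the SMTP subject "404k | {Message Type} | Client Name: {Username}".
func ParseSubject(subject string) (msgType, client string, ok bool) {
	m := subjectRe.FindStringSubmatch(strings.TrimSpace(subject))
	if m == nil {
		return "", "", false
	}
	return m[1], m[2], true
}

// SampleBody is a constructed message in that layout, not a real capture.
const SampleBody = `|ββ- 404 Keylogger β Passwords β-|
_______ + VICTIM INFO + _______
IP: 198.51.100.7
Owner Name: DESKTOP-EXAMPLE
RAM Size: 8 GB
______________________________
example.test | user@example.test | hunter2`
```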
Encryption algorithms
Retrieving a file from resources
The payload is stored in the AtProtect bootloader resources in the form of a Bitmap image. Extraction is performed in several stages:
- An array of bytes is extracted from the image. Each pixel is treated as a sequence of 3 bytes in BGR order. After extraction, the first 4 bytes of the array hold the length of the message, and the following bytes hold the message itself.
- The key is calculated. To do this, MD5 is computed over the value "ZpzwmjMJyfTNiRalKVrcSkxCN" specified as the password. The resulting hash is written twice.
- Decryption is performed with the AES algorithm in ECB mode.
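The three stages above, carried through as an added example (not the malware's or the report's code) so an analyst can recover a payload from a dumped resource. It operates on the BGR byte array already read out of the bitmap (image decoding is left out), assumes the 4-byte length is little-endian and that the data is block-aligned, since the report does not state a padding scheme; BuildSamplePixels only constructs test input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/binary"
	"errors"
)

// newCipher derives the key as the report describes: MD5 of the password, written twice
// (32 bytes, so AES-256). A 32-byte key is always accepted, so the error is discarded.
func newCipher(password string) cipher.Block {
	h := md5.Sum([]byte(password))
	block, _ := aes.NewCipher(append(h[:], h[:]...))
	return block
}

// ecb applies a single-block AES operation to every 16-byte block: no IV, no chaining,
// which is why identical plaintext blocks produce identical ciphertext blocks.
func ecb(op func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i+aes.BlockSize <= len(in); i += aes.BlockSize {
		op(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out
}

// RecoverPayload takes the BGR byte array already read out of the bitmap: a 4-byte length
// (little-endian assumed), the ciphertext, then image filler that the length field lets
// us ignore. The report does not state a padding scheme, so block-aligned data is assumed.
func RecoverPayload(pixels []byte, password string) ([]byte, error) {
	if len(pixels) < 4 {
		return nil, errors.New("no length field")
	}
	n := int(binary.LittleEndian.Uint32(pixels))
	if n == 0 || n%aes.BlockSize != 0 || n > len(pixels)-4 {
		return nil, errors.New("length field not block-aligned or exceeds buffer")
	}
	return ecb(newCipher(password).Decrypt, pixels[4:4+n]), nil
}

// BuildSamplePixels constructs a matching buffer for testing (constructed sample data);
// plaintext must be a multiple of 16 bytes. Five filler bytes mimic pixel rounding.
func BuildSamplePixels(plaintext []byte, password string) []byte {
	ct := ecb(newCipher(password).Encrypt, plaintext)
	pixels := make([]byte, 4, 4+len(ct)+5)
	binary.LittleEndian.PutUint32(pixels, uint32(len(ct)))
	return append(append(pixels, ct...), 0, 0, 0, 0, 0)
}
```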
Malicious functionality
Downloader
Implemented in the AtProtect bootloader.
- By contacting [activelink-repalce], the server status is requested to confirm that it is ready to serve the file. The server should return "ON".
- Via the link [downloadlink-replace] the payload is downloaded.
- With the help of FranchyShellcode the payload is injected into the process [inj-replace].
During analysis of the 404 project [.]xyz domain, additional 404 Keylogger samples were identified on VirusTotal, along with several types of loaders.
Conventionally, they are divided into two types:
- Download is performed from the 404 project [.]xyz resource. The data is Base64 encoded and AES encrypted.
- This variant consists of several stages and will most likely be used together with the AtProtect bootloader.
  - At the first stage, data is loaded from pastebin and decoded using the HexToByte function.
  - At the second stage, the download source is 404 project [.]xyz itself. However, the decompression and decoding functions are similar to those found in DataStealer. It was probably originally planned to implement the bootloader functionality in the main module.
  - At this stage, the payload is already in the manifest resource in compressed form. Similar extraction functions were also found in the main module.
Downloaders were found in the analyzed files for njRat, SpyGate and other RATs.
Keylogger
Send interval: 30 minutes.
All characters are supported. Special characters are escaped. There is handling for the BackSpace and Delete keys. Case sensitive.
ClipboardLogger
Send interval: 30 minutes.
Polling interval: 0.1 seconds.
Link escaping is implemented.
ScreenLogger
Send interval: 60 minutes.
Screenshots are saved to %HOMEDRIVE%%HOMEPATH%\Documents\404k\404pic.png.
After sending, the 404k folder is deleted.
PasswordStealer
| Browsers | Mail clients | FTP clients |
|---|---|---|
| Chrome | Outlook | Filezilla |
| Firefox | Thunderbird | |
| SeaMonkey | Foxmail | |
| IceDragon | | |
| Waterfox | | |
| Cyberfox | | |
| Chrome | | |
| BraveBrowser | | |
| QQBrowser | | |
| IridiumBrowser | | |
| XvastBrowser | | |
| Chedot | | |
| 360Browser | | |
| ComodoDragon | | |
| 360Chrome | | |
| SuperBird | | |
| CentBrowser | | |
| GhostBrowser | | |
| IronBrowser | | |
| Chromium | | |
| Vivaldi | | |
| SlimjetBrowser | | |
| Orbitum | | |
| CocCoc | | |
| Torch | | |
| UCBrowser | | |
| EpicBrowser | | |
| BliskBrowser | | |
| Opera | | |
Countering dynamic analysis
- Checking whether the process is being analyzed
  Performed by searching for the processes Taskmgr, ProcessHacker, procexp64, procexp, procmon. If at least one is found, the malware exits.
- Checking for a virtual environment
  Performed by searching for the processes vmtoolsd, VGAuthService, vmacthlp, VBoxService, VBoxTray. If at least one is found, the malware exits.
- Sleep for 5 seconds
- Displaying various kinds of dialog boxes
  Can be used to bypass some sandboxes.
- UAC bypass
  Performed by editing the EnableLUA registry key in the Group Policy settings.
- Setting the "Hidden" attribute on the current file.
- The ability to delete the current file.
Inactive features
During analysis of the bootloader and the main module, functions responsible for additional functionality were found, but they are not used anywhere. This is probably because the malware is still in development and the functionality will be extended soon.
Loader AtProtect
A function was found that is responsible for loading and injecting an arbitrary module into the msiexec.exe process.
DataStealer
- Persistence in the system
- Decompression and decryption functions
  It is likely that encryption of data during network communication will appear soon.
- Terminating antivirus processes
- Self-destruction
- Loading data from the manifest resource
- Copying the file to the path %Temp%\tmpG[Current date and time in milliseconds].tmp
  Interestingly, an identical function is present in the AgentTesla malware.
- Worm functionality
  The malware obtains the list of removable media. A copy of the malware is created in the root of the media's file system under the name Sys.exe. Autorun is implemented via the autorun.inf file.
Attacker profile
During analysis of the command center, it was possible to establish the email address and nickname of the developer - Razer, aka Brwa, Brwa65, HiDDen PerSOn, 404 Coder. Next, we found an interesting video on YouTube demonstrating work with the builder.
This made it possible to find the original developer's channel.
It became clear that he has experience writing crypters. There are also links to pages on social networks, as well as the real name of the author. He turned out to be a resident of Iraq.
This is what the 404 Keylogger developer supposedly looks like. Photo from his personal Facebook profile.
CERT Group-IB reported the new threat - 404 Keylogger - to the 24-hour cyber threat monitoring and response center (SOC) in Bahrain.
Source: www.hab.com