An unsuccessful cover-up: bringing AgentTesla into the open. Part 1

Recently, a European manufacturer of electrical equipment contacted Group-IB: its employees had received suspicious emails with malicious attachments. Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, examined these files in detail, found the AgentTesla spyware in them, and explains what to expect from such malware and how dangerous it is.

With this post we open a series of articles on how to analyze potentially dangerous files, and we expect the most curious readers on December 5th at a free interactive webinar on the topic "Malware Analysis: Analysis of Real Cases". All details are under the cut.

Distribution mechanism

We know that the malware reached the victim's machine via phishing emails. The recipient of the email was probably in BCC.

Analysis of the headers shows that the sender of the email was spoofed. In fact, the email was sent from vps56[.]oneworldhosting[.]com.

The email attachment contains the WinRar archive qoute_jpeg56a.r15 with the malicious executable QOUTE_JPEG56A.exe inside.


Malware ecosystem

Now let's see what the ecosystem of the malware under study looks like. The diagram below shows its structure and the directions of interaction between the components.

Now let's look at each of the malware components in more detail.

Loader

The original file QOUTE_JPEG56A.exe is a compiled AutoIt v3 script.

To obfuscate the original script, an obfuscator with characteristics similar to PELock AutoIT-Obfuscator was used.
Deobfuscation is carried out in three stages:

  1. Removing For-If obfuscation

    The first step is to restore the script's control flow. Control Flow Flattening is one of the most popular ways to protect application binary code from analysis. Such confusing transformations significantly increase the difficulty of extracting and recognizing algorithms and data structures.


  2. String recovery

    Two functions are used for the string encryption:

    • gdorizabegkvfca - performs Base64-like decoding

    • xgacyukcyzxz - a simple byte-by-byte XOR of the first string with the length of the second

  3. Removing BinaryToString and Execute obfuscation
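As an added illustration of stages 2 and 3 (this is not code from the article or from the sample), the following Python helper mimics the two string functions and rewrites the wrapped calls in a constructed AutoIt fragment. The standard Base64 alphabet and the exact call shapes are assumptions; the real gdorizabegkvfca is only "Base64-like".

```python
from __future__ import annotations
import base64
import re

def gdorizabegkvfca(s: str) -> bytes:
    """Stage 2, first function: Base64-like decoding. The sample's alphabet is
    not given in the article, so standard Base64 is assumed here."""
    return base64.b64decode(s)

def xgacyukcyzxz(data: bytes, second: str) -> str:
    """Stage 2, second function: byte-by-byte XOR of the first string with the
    length of the second string (the length is the only key material)."""
    key = len(second) & 0xFF
    return bytes(b ^ key for b in data).decode("latin-1")

def recover_string(b64: str, second: str) -> str:
    return xgacyukcyzxz(gdorizabegkvfca(b64), second)

def obfuscate_string(plain: str, second: str) -> str:
    """Inverse of recover_string; used only to build the constructed sample."""
    key = len(second) & 0xFF
    return base64.b64encode(bytes(ord(c) ^ key for c in plain)).decode()

# The call shapes below are an assumption about how the obfuscated script looks.
_STR_CALL = re.compile(r'xgacyukcyzxz\(gdorizabegkvfca\("([^"]*)"\),\s*"([^"]*)"\)')
_EXEC_CALL = re.compile(r'Execute\(BinaryToString\("0x([0-9A-Fa-f]+)"\)\)')

def deobfuscate(script: str) -> str:
    """Stages 2 and 3: inline recovered string literals and replace
    Execute(BinaryToString("0x..")) with the code it would run. Repeats until
    nothing changes, because decoded code may itself contain wrapped strings."""
    while True:
        new = _STR_CALL.sub(lambda m: '"%s"' % recover_string(m.group(1), m.group(2)), script)
        # BinaryToString turns the "0x.." binary back into the text it encodes
        new = _EXEC_CALL.sub(lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), new)
        if new == script:
            return new
        script = new

# Constructed sample: one Execute(BinaryToString(...)) layer hiding a call whose
# string argument is wrapped in the two stage-2 functions.
_INNER = 'Run(xgacyukcyzxz(gdorizabegkvfca("%s"), "wardow"))' % obfuscate_string("RegAsm.exe", "wardow")
SAMPLE_SCRIPT = 'Execute(BinaryToString("0x%s"))' % _INNER.encode().hex()

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_SCRIPT))  # Run("RegAsm.exe")
```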

The main payload is stored in split form in the Fonts directory of the file's resource section.

The concatenation order is as follows: TIEQHCXWFG, EMI, SPDGUHIMPV, KQJMWQQAQTKTFXTUOSW, AOCHKRWWSKWO, JSHMSJPS, NHHWXJBMTTSPXVN, BFUTIFWWXVE, HWJ, AVZOUMVFRDWFLWU.

The WinAPI function CryptDecrypt is used to decrypt the extracted data, and a session key generated from the value fZgFiZlJDxvuWatFRgRXZqmNCIyQgMYc is used as the key.

The decrypted executable is passed to the input of the RunPE function, which performs ProcessInject into RegAsm.exe using built-in ShellCode (also known as RunPE ShellCode). Authorship belongs to a user of the Spanish forum indetectables[.]net under the nickname Wardow.

It is also worth noting that in one of the threads of this forum, an obfuscator for AutoIt with properties similar to those seen during analysis of the sample was identified.

The ShellCode itself is quite simple and is of interest only because it was borrowed from the Anunak/Carbanak hacker group. The API call hashing function:


We also know of samples that use different versions of Frenchy Shellcode.
In addition to the functionality described, we also identified inactive functions:

  • Blocking process termination via the Task Manager

  • Restarting the child process when it terminates

  • Bypassing UAC

  • Saving the payload to a file

  • Displaying modal windows

  • Waiting for the mouse cursor position to change

  • AntiVM and AntiSandbox

  • Self-destruction

  • Downloading the payload from the network

We know that such functionality is typical of the CypherIT protector, which, apparently, is the loader in question.


Main module of the software

Next, we will briefly describe the main module of the malware and consider it in more detail in the second article. In this case, it is a .NET application.

During analysis, we found that the ConfuserEX obfuscator was used.


IELibrary.dll

The library is stored as a resource of the main module and is a well-known plugin for AgentTesla, which provides functionality for extracting various data from the Internet Explorer and Edge browsers.

AgentTesla is modular spying software distributed under the malware-as-a-service model in the guise of a legitimate keylogger product. AgentTesla is capable of extracting user credentials from browsers, email clients and FTP clients and sending them to the attackers' server, recording clipboard data, and capturing the device screen. At the time of analysis, the developers' official website was unavailable.

The entry point is the GetSavedPasswords function of the InternetExplorer class.

In general, code execution is linear and contains no anti-analysis protection. Only the unimplemented GetSavedCookies function deserves attention. Apparently, the plugin's functionality was going to be expanded, but this was never done.


Persistence of the loader in the system

Let's study how the loader persists in the system. The sample under study does not establish persistence, but in similar incidents it happens according to the following scheme:

  1. A Visual Basic script is created in the folder C:\Users\Public

    Script example:

  2. The contents of the loader file are padded with null characters and saved in the folder %Temp%\<folder name>\<file name>
  3. An autorun key for the script is created in the registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<script name>
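As an added defender-side check (not code from the article), this Python snippet flags autorun values that match the three-step scheme above and measures how much of a file image is null padding. The Run values and the byte buffer are constructed samples; the real registry is not queried.

```python
from __future__ import annotations
import re

# Constructed sample of HKCU\...\Run values (value name -> command line),
# modelled on the persistence scheme described above; not data from the incident.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "qoute_jpeg56a": r'wscript.exe "C:\Users\Public\qoute_jpeg56a.vbs"',
    "Updater": r'"C:\Users\alice\AppData\Local\Temp\fonts\svchost.exe"',
}

_SCRIPT_EXT = re.compile(r'\.(vbs|vbe|js|jse|wsf)\b', re.I)
_SCRIPT_HOST = re.compile(r'\b[wc]script(\.exe)?\b', re.I)
_PUBLIC_DIR = re.compile(r'\\Users\\Public\\', re.I)
_TEMP_DIR = re.compile(r'\\AppData\\Local\\Temp\\|%Temp%', re.I)

def classify_run_value(command: str) -> list[str]:
    """Return the reasons a Run value resembles the loader's persistence scheme
    (step 1: VBS in C:\\Users\\Public, step 2: loader under %Temp%, step 3: Run key)."""
    reasons = []
    if _SCRIPT_EXT.search(command) or _SCRIPT_HOST.search(command):
        reasons.append("script file or script host in autorun")
    if _PUBLIC_DIR.search(command):
        reasons.append("path under C:\\Users\\Public")
    if _TEMP_DIR.search(command):
        reasons.append("executable launched from %Temp%")
    return reasons

def suspicious_run_entries(values: dict[str, str]) -> dict[str, list[str]]:
    """Keep only the Run values that triggered at least one reason."""
    return {name: r for name, cmd in values.items() if (r := classify_run_value(cmd))}

def null_padding_ratio(data: bytes) -> float:
    """Fraction of a file taken by trailing null bytes. Step 2 pads the loader
    with nulls, so a large zero tail on an otherwise small PE is a signal."""
    if not data:
        return 0.0
    return 1.0 - len(data.rstrip(b"\x00")) / len(data)

if __name__ == "__main__":
    for name, reasons in suspicious_run_entries(SAMPLE_RUN_VALUES).items():
        print(name, "->", "; ".join(reasons))
    # Constructed image: a tiny "PE" followed by 98 bytes of null padding
    print(round(null_padding_ratio(b"MZ" + b"\x00" * 98), 2))
```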

Thus, based on the results of the first part of the analysis, we were able to establish the family names of all components of the malware under study, analyze the infection pattern, and also obtain objects for writing signatures. We will continue our analysis of this object in the next article, where we will look at the main AgentTesla module in more detail. Don't miss it!

By the way, on December 5 we invite all readers to a free interactive webinar on the topic "Malware analysis: analysis of real cases", where the author of this article, a CERT-GIB specialist, will demonstrate online the first stage of malware analysis - semi-automatic unpacking of samples - using the example of three real mini-cases from practice, and you will be able to take part in the analysis. The webinar is intended for specialists who already have experience analyzing malicious files. Registration is strictly from corporate email: register. See you!

Yara

rule AgentTesla_clean{
meta:
    author = "Group-IB"
    file = "78566E3FC49C291CB117C3D955FA34B9A9F3EEFEFAE3DE3D0212432EB18D2EAD"
    scoring = 5
    family = "AgentTesla"
strings:
    $string_format_AT = {74 00 79 00 70 00 65 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 68 00 77 00 69 00 64 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 74 00 69 00 6D 00 65 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 63 00 6E 00 61 00 6D 00 65 00 3D 00 7B 00 33 00 7D 00 0D 00 0A 00 6C 00 6F 00 67 00 64 00 61 00 74 00 61 00 3D 00 7B 00 34 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 3D 00 7B 00 35 00 7D 00 0D 00 0A 00 69 00 70 00 61 00 64 00 64 00 3D 00 7B 00 36 00 7D 00 0D 00 0A 00 77 00 65 00 62 00 63 00 61 00 6D 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 37 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 38 00 7D 00 0D 00 0A 00 5B 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 73 00 5D 00}
    $web_panel_format_string = {63 00 6C 00 69 00 65 00 6E 00 74 00 5B 00 5D 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 6C 00 69 00 6E 00 6B 00 5B 00 5D 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 75 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 5B 00 5D 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 5B 00 5D 00 3D 00 7B 00 33 00 7D 00 00 15 55 00 52 00 4C 00 3A 00 20 00 20 00 20 00 20 00 20 00 20 00 00 15 55 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 3A 00 20 00 00 15 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 3A 00}
condition:
     all of them
}

rule AgentTesla_obfuscated {
meta:
    author = "Group-IB"
    file = "41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9"
    scoring = 5
    family = "AgentTesla"
strings:
    $first_names = {61 66 6B 00 61 66 6D 00 61 66 6F 00 61 66 76 00 61 66 79 00 61 66 78 00 61 66 77 00 61 67 6A 00 61 67 6B 00 61 67 6C 00 61 67 70 00 61 67 72 00 61 67 73 00 61 67 75 00}
    $second_names = "IELibrary.resources"
condition:
     all of them
}

rule AgentTesla_module_for_IE{
meta:
    author = "Group-IB"
    file = "D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE"
    scoring = 5
    family = "AgentTesla_module_for_IE"
strings:
    $s0 = "ByteArrayToStructure" 
    $s1 = "CryptAcquireContext" 
    $s2 = "CryptCreateHash" 
    $s3 = "CryptDestroyHash" 
    $s4 = "CryptGetHashParam" 
    $s5 = "CryptHashData"
    $s6 = "CryptReleaseContext" 
    $s7 = "DecryptIePassword" 
    $s8 = "DoesURLMatchWithHash" 
    $s9 = "GetSavedCookies" 
    $s10 = "GetSavedPasswords" 
    $s11 = "GetURLHashString"  
condition:
     all of them
}

rule RunPE_shellcode {
meta:
    author = "Group-IB"
    file = "37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918"
    scoring = 5
    family = "RunPE_shellcode"
strings:
    $malcode = {
      C7 [2-5] EE 38 83 0C // mov     dword ptr [ebp-0A0h], 0C8338EEh
      C7 [2-5] 57 64 E1 01 // mov     dword ptr [ebp-9Ch], 1E16457h
      C7 [2-5] 18 E4 CA 08 // mov     dword ptr [ebp-98h], 8CAE418h
      C7 [2-5] E3 CA D8 03 // mov     dword ptr [ebp-94h], 3D8CAE3h
      C7 [2-5] 99 B0 48 06 // mov     dword ptr [ebp-90h], 648B099h
      C7 [2-5] 93 BA 94 03 // mov     dword ptr [ebp-8Ch], 394BA93h
      C7 [2-5] E4 C7 B9 04 // mov     dword ptr [ebp-88h], 4B9C7E4h
      C7 [2-5] E4 87 B8 04 // mov     dword ptr [ebp-84h], 4B887E4h
      C7 [2-5] A9 2D D7 01 // mov     dword ptr [ebp-80h], 1D72DA9h
      C7 [2-5] 05 D1 3D 0B // mov     dword ptr [ebp-7Ch], 0B3DD105h
      C7 [2-5] 44 27 23 0F // mov     dword ptr [ebp-78h], 0F232744h
      C7 [2-5] E8 6F 18 0D // mov     dword ptr [ebp-74h], 0D186FE8h
      }
condition:
    $malcode 
}

rule AgentTesla_AutoIT_module{
meta:
    author = "Group-IB"
    file = "49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF"
    scoring = 5
    family = "AgentTesla"
strings:
    $packedexeau = {55 ED F5 9F 92 03 04 44 7E 16 6D 1F 8C D7 38 E6 29 E4 C8 CF DA 2C C4 E1 F3 65 48 25 B8 93 9D 66 A4 AD 3C 39 50 00 B9 60 66 19 8D FC 20 0A A0 56 52 8B 9F 15 D7 62 30 0D 5C C3 24 FE F8 FC 39 08 DF 87 2A B2 1C E9 F7 06 A8 53 B2 69 C3 3C D4 5E D4 74 91 6E 9D 9A A0 96 FD DB 1F 5E 09 D7 0F 25 FB 46 4E 74 15 BB AB DB 17 EE E7 64 33 D6 79 02 E4 85 79 14 6B 59 F9 43 3C 81 68 A8 B5 32 BC E6}
condition:
     all of them
}

Hashes

Name: qoute_jpeg56a.r15
MD5: 53BE8F9B978062D4411F71010F49209E
SHA1: A8C2765B3D655BA23886D663D22BDD8EF6E8E894
SHA256: 2641DAFB452562A0A92631C2849B8B9CE880F0F8F890E643316E9276156EDC8A
Type: WinRAR archive
Size: 823014

Name: QOUTE_JPEG56A.exe
MD5: 329F6769CF21B660D5C3F5048CE30F17
SHA1: 8010CC2AF398F9F951555F7D481CE13DF60BBECF
SHA256: 49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF
Type: PE (compiled AutoIt script)
Size: 1327616

Name: Unknown
Date: 15.07.2019
Linker: Microsoft Linker (12.0) [EXE32]
MD5: C2743AEDDADACC012EF4A632598C00C0
SHA1: 79B445DE923C92BF378B19D12A309C0E9C5851BF
SHA256: 37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918
Type: ShellCode
Size: 1474

Source: www.hab.com
