We continue our series of articles dedicated to malware analysis.
Agent Tesla is modular spyware distributed under the malware-as-a-service model in the guise of a legitimate keylogger product. Agent Tesla can extract user credentials from browsers, email clients and FTP clients and send them to the attackers' server, record clipboard data, and capture the screen of the device. At the time of analysis, the developers' official website was unavailable.
Configuration file
The table below lists the configuration values used by the sample under analysis:

| Description | Value |
|---|---|
| KeyLogger usage flag | true |
| ScreenLogger usage flag | false |
| KeyLogger log sending interval, minutes | 20 |
| ScreenLogger log sending interval, minutes | 20 |
| Backspace key handling flag. False - log only. True - delete the previous key | false |
| CnC type. Options: smtp, webpanel, ftp | SMTP |
| Flag enabling the thread that terminates processes from the "%filter_list%" list | false |
| UAC disable flag | false |
| Task manager disable flag | false |
| CMD disable flag | false |
| Run window disable flag | false |
| Registry editor disable flag | false |
| System restore point disable flag | true |
| Control panel disable flag | false |
| MSCONFIG disable flag | false |
| Flag to disable the context menu in Explorer | false |
| Persistence flag | false |
| Path to which the main module is copied when persisting it in the system | %startupfolder%\%insfolder%\%insname% |
| Flag to set the "System" and "Hidden" attributes on the persisted main module | false |
| Flag to reboot after persisting in the system | false |
| Flag to move the main module to a temporary folder | false |
| UAC bypass flag | false |
| Date and time format for logging | yyyy-MM-dd HH:mm:ss |
| Flag to use the program filter for KeyLogger | true |
| Filter type. 1 – the program name is searched for in the window title; 2 – the program name is searched for in the window's process name | 1 |
| Program filter | "facebook" "twitter" "gmail" "instagram" "movie" "skype" "porn" "hack" "whatsapp" "discord" |
Persisting the main module in the system
If the corresponding flag is set, the main module is copied to the path specified in the configuration as the persistence path.
Depending on the configuration value, the file is given the "Hidden" and "System" attributes.
Autorun is provided by two registry keys:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%insregname%
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\%insregname%
Since the loader injects into the RegAsm process, setting the persistence flag for the main module has an interesting consequence: instead of copying itself, the malware persists the original system file RegAsm.exe, into which the injection was performed.
Communication with C&C
Regardless of the method used, network communication begins with obtaining the victim's external IP address using the resource
The following describes the network interaction methods implemented in the software.
Webpanel
Interaction takes place over HTTP. The malware makes a POST request with the following headers:
- User-Agent: Mozilla/5.0 (Windows U Windows NT 6.1 ru rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
- Connection: Keep-Alive
- Content-Type: application/x-www-form-urlencoded
The server address is given by the %PostURL% value. The encrypted message is sent in the «P» parameter. The encryption mechanism is described in the "Encryption algorithms" section (Method 2).
The message sent looks like this:
type={0}\nhwid={1}\ntime={2}\npcname={3}\nlogdata={4}\nscreen={5}\nipadd={6}\nwebcam_link={7}\nclient={8}\nlink={9}\nusername={10}\npassword={11}\nscreen_link={12}
The type parameter indicates the message type:
hwid - an MD5 hash computed from the motherboard serial number and the processor ID. Most likely used as the user ID.
time - carries the current time and date.
pcname - defined as <Username>/<Computer name>.
logdata - the log data.
When passwords are sent, the message looks like:
type={0}\nhwid={1}\ntime={2}\npcname={3}\nlogdata={4}\nscreen={5}\nipadd={6}\nwebcam_link={7}\nscreen_link={8}\n[passwords]
where [passwords] is the description of the stolen data in the format \nclient[]={0}\nlink[]={1}\nusername[]={2}\npassword[]={3}.
SMTP
Interaction takes place over SMTP. The message is sent in HTML format; the collected data is placed in the BODY parameter.
The subject of the message has the general form <USER NAME>/<COMPUTER NAME> <CONTENT TYPE>. The body of the message and its attachments are not encrypted.
FTP
Interaction takes place over FTP. A file named <CONTENT TYPE>_<USER NAME>-<COMPUTER NAME>_<DATE AND TIME>.html is uploaded to the configured server. The contents of the file are not encrypted.
Encryption algorithms
The file uses the following encryption methods:
Method 1
This method is used to encrypt strings in the main module. The encryption algorithm is AES.
The input is an integer. The following transformation is applied to it:
f(x) = (((x >> 2 - 31059) ^ 6380) - 1363) >> 3
The resulting value is an index into an embedded data array.
Each array element is a DWORD. Concatenating the DWORDs yields a byte array: the first 32 bytes are the encryption key, followed by the 16-byte initialization vector, and the remaining bytes are the encrypted data.
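The Method 1 layout in working code, as an added example that is not the article's or the malware's own code: a Python re-implementation of the index transformation with C# integer semantics, the key/IV/ciphertext split, and the final AES step. Assumptions: the formula is decompiler output evaluated with C# precedence (subtraction binds tighter than >>, and a shift count is masked to 5 bits, so the first shift is by (2 - 31059) & 31 = 15), DWORDs are packed little-endian, the mode is AES-CBC with PKCS7 padding, plaintext is UTF-8, and pycryptodome supplies AES.

```python
import struct

MASK32 = 0xFFFFFFFF


def _to_int32(v: int) -> int:
    """Wrap an unbounded Python int to a signed 32-bit value (a C# int)."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def _sar32(v: int, count: int) -> int:
    """C# '>>' on int: arithmetic shift with the count masked to 5 bits, so a
    negative or oversized count still shifts by (count & 31)."""
    return _to_int32(v) >> (count & 31)


def string_index(x: int) -> int:
    """f(x) = (((x >> 2 - 31059) ^ 6380) - 1363) >> 3 with C# precedence:
    the first shift is by (2 - 31059) & 31 == 15 (assumption, see lead-in)."""
    v = _sar32(x, 2 - 31059)
    v = _to_int32(v ^ 6380)
    v = _to_int32(v - 1363)
    return _sar32(v, 3)


def split_blob(dwords):
    """Concatenate the DWORD array (assumed little-endian) and split it into
    the 32-byte AES key, the 16-byte IV and the ciphertext."""
    raw = struct.pack("<%dI" % len(dwords), *[d & MASK32 for d in dwords])
    if len(raw) < 48 or (len(raw) - 48) % 16:
        raise ValueError("blob must hold key(32) + iv(16) + whole AES blocks")
    return raw[:32], raw[32:48], raw[48:]


def decrypt_string(dwords) -> str:
    """Method 1 end to end: AES-256-CBC with the embedded key and IV, PKCS7
    unpadding, UTF-8 decoding. Imports pycryptodome lazily."""
    from Crypto.Cipher import AES
    key, iv, ct = split_blob(dwords)
    pt = AES.new(key, AES.MODE_CBC, iv).decrypt(ct)
    pad = pt[-1]
    if not 1 <= pad <= 16 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS7 padding: wrong key, IV or block layout")
    return pt[:-pad].decode("utf-8")


# Constructed demo blob: key bytes 00..1f, IV 20..2f, one ciphertext block.
DEMO_DWORDS = struct.unpack("<16I", bytes(range(64)))
```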
Method 2
The algorithm is 3DES in ECB mode with whole-byte padding (PKCS7).
The key is given by the %urlkey% parameter; however, encryption uses its MD5 hash.
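The webpanel message format and Method 2 together, as an added example that is not from the article: a decoder that takes the POST body, recovers the «P» parameter, applies 3DES-ECB with MD5(%urlkey%) as the key, and parses the key=value message, including the repeated client[]/link[]/username[]/password[] records of a passwords message. Assumptions: the «P» value is hex on the wire (the page does not say, so the decoder is a parameter), pycryptodome is available for 3DES, and the sample plaintext is constructed.

```python
import hashlib
from urllib.parse import parse_qs

# Constructed sample of a decrypted "passwords" message; the field order follows
# the format string from the article and every value is made up.
SAMPLE_PLAINTEXT = (
    "type=passwords\nhwid=0123456789abcdef0123456789abcdef\n"
    "time=2019-07-01 13:35:45\npcname=alice/DESKTOP-01\nlogdata=\nscreen=\n"
    "ipadd=198.51.100.7\nwebcam_link=\nscreen_link=\n"
    "client[]=Chrome\nlink[]=https://mail.example\nusername[]=alice\npassword[]=hunter2\n"
    "client[]=Filezilla\nlink[]=ftp://ftp.example\nusername[]=alice\npassword[]=s3cret"
)


def parse_message(text: str) -> dict:
    """Split a decrypted webpanel message into scalar fields and credential
    records; keys ending in '[]' repeat once per stolen credential."""
    scalars, lists = {}, {}
    for line in text.split("\n"):
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            lists.setdefault(key[:-2], []).append(value)
        else:
            scalars[key] = value
    # client[]/link[]/username[]/password[] are parallel lists: zip them
    names = [n for n in ("client", "link", "username", "password") if n in lists]
    count = min((len(lists[n]) for n in names), default=0)
    creds = [{n: lists[n][i] for n in names} for i in range(count)]
    return {"fields": scalars, "credentials": creds}


def unpad_pkcs7(data: bytes, block: int) -> bytes:
    pad = data[-1] if data else 0
    if not 1 <= pad <= block or data[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS7 padding: wrong key or wrong encoding of P")
    return data[:-pad]


def decrypt_method2(ciphertext: bytes, urlkey: str) -> bytes:
    """Method 2: 3DES-ECB, PKCS7 padding, key = MD5(%urlkey%); the 16-byte
    digest makes it two-key 3DES. Imports pycryptodome lazily."""
    from Crypto.Cipher import DES3
    key = hashlib.md5(urlkey.encode()).digest()
    return unpad_pkcs7(DES3.new(key, DES3.MODE_ECB).decrypt(ciphertext), 8)


def decode_post_body(body: str, urlkey: str, p_decoder=bytes.fromhex) -> dict:
    """x-www-form-urlencoded POST body -> parsed fields. Hex encoding of P is
    an assumption; pass base64.b64decode as p_decoder if traffic shows base64."""
    qs = parse_qs(body)
    p = (qs.get("P") or qs.get("p") or [None])[0]
    if p is None:
        raise ValueError("no P parameter in body")
    return parse_message(decrypt_method2(p_decoder(p), urlkey).decode("utf-8", "replace"))
```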
Malicious functionality
The sample under study uses the following components to implement its malicious functionality:
KeyLogger
If the corresponding flag is set, the malware uses the WinAPI function SetWindowsHookEx to install its own handler for keyboard keypress events. The handler starts by obtaining the title of the active window.
If the application filtering flag is set, filtering is performed according to the configured type:
- the program name is searched for in the window title
- the program name is searched for in the window's process name
Next, a record with information about the active window is added to the log.
Then information about the pressed key is recorded:
| Key | Record |
|---|---|
| Backspace | Depending on the Backspace flag: False – {BACK}; True – delete the previous key |
| CAPSLOCK | {CAPSLOCK} |
| ESC | {ESC} |
| PageUp | {PageUp} |
| Down | ↓ |
| DELETE | {DEL} |
| " | " |
| F5 | {F5} |
| & | & |
| F10 | {F10} |
| Tab | {TAB} |
| < | < |
| > | > |
| Space | (space character) |
| F8 | {F8} |
| F12 | {F12} |
| F9 | {F9} |
| ALT + TAB | {ALT+TAB} |
| END | {END} |
| F4 | {F4} |
| F2 | {F2} |
| CTRL | {CTRL} |
| F6 | {F6} |
| Right | → |
| Up | ↑ |
| F1 | {F1} |
| Left | ← |
| PageDown | {PageDown} |
| Insert | {Insert} |
| Win | {Win} |
| NumLock | {NumLock} |
| F11 | {F11} |
| F3 | {F3} |
| HOME | {HOME} |
| ENTER | {ENTER} |
| ALT + F4 | {ALT+F4} |
| F7 | {F7} |
| Other keys | The character in upper or lower case, depending on the state of the CapsLock and Shift keys |
At the configured interval, the collected log is sent to the server. If the transfer fails, the log is saved to the file %TEMP%\log.tmp.
When the timer next fires, the data is sent to the server.
ScreenLogger
At the configured interval, the malware takes a screenshot in JPEG format with a Quality value of 50 and saves it to the file %APPDATA%\<Random sequence of 10 characters>.jpg. After transfer, the file is deleted.
ClipboardLogger
If the corresponding flag is set, substitutions are made in the intercepted text according to a replacement table.
After that, the text is placed into the log.
PasswordStealer
The malware can extract passwords from the following applications:
| Browsers | Mail clients | FTP clients |
|---|---|---|
| Chrome | Outlook | Filezilla |
| Firefox | Thunderbird | WS_FTP |
| IE / Edge | Foxmail | WinSCP |
| Safari | Opera Mail | CoreFTP |
| Opera browser | IncrediMail | FTP Navigator |
| Yandex | Pocomail | FlashFXP |
| Comodo | Eudora | SmartFTP |
| ChromePlus | TheBat | FTPCommander |
| Chromium | Postbox | |
| Torch | ClawsMail | |
| 7Star | | |
| Amigo | | |
| BraveSoftware | Jabber clients | VPN clients |
| CentBrowser | Psi/Psi+ | OpenVPN |
| Chedot | | |
| CocCoc | | |
| Elements Browser | Download managers | |
| Epic Privacy Browser | Internet Download Manager | |
| Kometa | JDownloader | |
| Orbitum | | |
| Sputnik | | |
| uCozMedia | | |
| Vivaldi | | |
| SeaMonkey | | |
| Flock Browser | | |
| UC-Browser | | |
| BlackHawk | | |
| CyberFox | | |
| K-Meleon | | |
| IceDragon | | |
| IceCat | | |
| PaleMoon | | |
| WaterFox | | |
| Falkon Browser | | |
Countering dynamic analysis
- Using the sleep function. Allows some sandboxes to be bypassed by timeout
- Destroying the Zone.Identifier stream. Hides the fact that the file was downloaded from the Internet
- The %filter_list% parameter specifies a list of processes that the malware terminates at one-second intervals
- Disabling UAC
- Disabling the task manager
- Disabling CMD
- Disabling the "Run" window
- Disabling the Control Panel
- Disabling the registry editor
- Disabling system restore points
- Disabling the context menu in Explorer
- Disabling MSCONFIG
- Bypassing UAC
Inactive features of the main module
While studying the main module, we identified functionality responsible for spreading over the network and for tracking the mouse position.
Worm
Removable-media connection events are monitored in a separate thread. When media is connected, the malware copies itself to the root of its file system under the name scr.exe, then searches for files with the lnk extension. The command of each lnk is replaced with cmd.exe /c start scr.exe&start <original command> & exit.
Each directory in the root of the media is given the "Hidden" attribute, and a file with the lnk extension is created bearing the name of the hidden directory and the command cmd.exe /c start scr.exe&explorer /root,"%CD%\<DIRECTORY NAME>" & exit.
MouseTracker
The interception method is similar to the one used for the keyboard. This functionality is still under development.
File activity

| Path | Description |
|---|---|
| %Temp%\temp.tmp | Holds the counter of UAC bypass attempts |
| %startupfolder%\%insfolder%\%insname% | Path used for persistence in the system |
| %Temp%\tmpG{Current time in milliseconds}.tmp | Path of the backup copy of the main module |
| %Temp%\log.tmp | Log file |
| %AppData%\{Arbitrary sequence of 10 characters}.jpeg | Screenshots |
| C:\Users\Public\{Arbitrary sequence of 10 characters}.vbs | Path of the vbs file the loader can use to persist in the system |
| %Temp%\{Custom folder name}\{File name} | Path used by the loader to persist itself in the system |
Attacker profile
Thanks to hardcoded authentication data, we were able to gain access to the command center.
This allowed us to identify the attackers' final email address:
junaid[.]in ***@gmail[.]com.
The domain name of the command center is registered to the mailbox sg***@gmail[.]com.
Conclusion
By examining the details of the malware used in the attack, we were able to establish its functionality and obtain the most complete list of indicators of compromise relevant to this case. Understanding the malware's network communication mechanisms made it possible to give recommendations on tuning information security tools, as well as to write robust IDS rules.
The main danger of AgentTesla as a DataStealer is that it does not need to persist in the system or wait for a control command to do its job. Once on the machine, it immediately begins collecting private information and transferring it to the CnC. This aggressive behavior is in some ways similar to that of ransomware, with the only difference that the latter does not even need a network connection. If you encounter this family, then after cleaning the infected system of the malware itself you should change every password that could, even theoretically, have been saved in one of the applications listed above.
Looking ahead, the attackers distributing AgentTesla change the initial loader very often. This lets them remain unnoticed by static scanners and heuristic analyzers at the time of the attack. And this family's tendency to start its activity immediately makes system monitors useless. The best way to counter AgentTesla is preliminary analysis in a sandbox.
In the third article of this series we will look at other loaders used with AgentTesla and study the process of their semi-automatic unpacking. Don't miss it!
Hashes

| SHA1 |
|---|
| A8C2765B3D655BA23886D663D22BDD8EF6E8E894 |
| 8010CC2AF398F9F951555F7D481CE13DF60BBECF |
| 79B445DE923C92BF378B19D12A309C0E9C5851BF |
| 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |

C&C

| URL |
|---|
| sina-c0m[.]icu |
| smtp[.]sina-c0m[.]icu |

RegKey

| Registry key |
|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{Script name} |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%insregname% |
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\%insregname% |

Mutex
No indicators.

Files

| Working files |
|---|
| %Temp%\temp.tmp |
| %startupfolder%\%insfolder%\%insname% |
| %Temp%\tmpG{Current time in milliseconds}.tmp |
| %Temp%\log.tmp |
| %AppData%\{Arbitrary sequence of 10 characters}.jpeg |
| C:\Users\Public\{Arbitrary sequence of 10 characters}.vbs |
| %Temp%\{Custom folder name}\{File name} |

Sample information

| Field | Value |
|---|---|
| Name | Unknown |
| MD5 | F7722DD8660B261EA13B710062B59C43 |
| SHA1 | 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| SHA256 | 41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9 |
| Type | PE (.NET) |
| Size | 327680 |
| File name | AZZRIDKGGSLTYFUUBCCRRCUMRKTOXFVPDKGAGPUZI_20190701133545943.exe |
| Date | 01.07.2019 |
| Compiler | VB.NET |

| Field | Value |
|---|---|
| Name | IELibrary.dll |
| MD5 | BFB160A89F4A607A60464631ED3ED9FD |
| SHA1 | 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
| SHA256 | D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE |
| Type | PE (.NET DLL) |
| Size | 16896 |
| File name | IELibrary.dll |
| Date | 11.10.2016 |
| Compiler | Microsoft Linker (48.0*) |

Source: www.hab.com