Nrog rau tsab xov xwm no peb ua tiav cov ntawv tshaj tawm tau mob siab rau kev tshuaj xyuas ntawm cov software phem. IN Peb tau soj ntsuam cov ncauj lus kom ntxaws txog cov ntaub ntawv muaj kab mob uas lub tuam txhab European tau txais los ntawm kev xa ntawv thiab tshawb pom AgentTesla spyware nyob ntawd. Hauv piav qhia txog cov txiaj ntsig ntawm kev txheeb xyuas ib ntus ntawm lub ntsiab AgentTesla module.
Niaj hnub no Ilya Pomerantsev, tus kws tshaj lij hauv kev txheeb xyuas malware ntawm CERT Group-IB, yuav tham txog thawj theem ntawm kev txheeb xyuas malware - semi-automatic unpacking ntawm AgentTesla cov qauv siv piv txwv ntawm peb mini-case los ntawm kev coj ua ntawm CERT Group-IB cov kws tshaj lij.
Feem ntau, thawj theem ntawm malware tsom xam yog tshem tawm kev tiv thaiv nyob rau hauv daim ntawv ntawm ib tug packer, cryptor, protector los yog loader. Feem ntau, qhov teeb meem no tuaj yeem daws tau los ntawm kev khiav lub malware thiab ua lub pob pov tseg, tab sis muaj cov xwm txheej uas cov qauv no tsis haum. Piv txwv li, yog hais tias tus malware yog tus encryptor, yog hais tias nws tiv thaiv nws lub cim xeeb cheeb tsam los ntawm kev muab pov tseg, yog hais tias tus code muaj virtual tshuab nrhiav mechanisms, los yog yog hais tias tus malware reboots tam sim ntawd tom qab pib. Nyob rau hauv cov xwm txheej zoo li no, lub npe hu ua "semi-automatic" unpacking yog siv, uas yog, tus kws tshawb fawb tau ua tiav cov txheej txheem thiab tuaj yeem cuam tshuam txhua lub sijhawm. Cia peb xav txog cov txheej txheem no siv peb tus qauv ntawm AgentTesla tsev neeg ua piv txwv. Qhov no yog ib qho teeb meem tsis zoo yog tias koj lov tes taw nws lub network nkag.
Qauv No 1
Cov ntaub ntawv hauv paus yog MS Word cov ntaub ntawv uas siv qhov tsis zoo CVE-2017-11882.
Yog li ntawd, lub payload yog downloaded thiab launched.
Kev soj ntsuam ntawm cov txheej txheem ntoo thiab cov cwj pwm coj cwj pwm qhia pom tias kev txhaj tshuaj rau hauv cov txheej txheem RegAsm.exe.
Muaj cov cwj pwm coj cwj pwm yam ntxwv ntawm AgentTesla.
Cov qauv downloaded yog qhov executable .NET-cov ntaub ntawv tiv thaiv los ntawm tus neeg tiv thaiv .NET Reactor.
Cia peb qhib nws hauv cov khoom siv hluav taws xob wb x86 thiab txav mus rau qhov chaw nkag.
Los ntawm kev mus rau qhov ua haujlwm DateTimeOffset, peb yuav pom qhov pib code rau qhov tshiab .NET- qauv. Wb muab breakpoint ntawm kab peb nyiam thiab khiav cov ntaub ntawv.
Hauv ib qho ntawm cov buffers rov qab koj tuaj yeem pom MZ kos npe (0x4d 0 x5a). Cia peb khaws cia.
Cov ntaub ntawv pov tseg executable yog ib lub tsev qiv ntawv dynamic uas yog lub loader, i.e. rho tawm lub payload los ntawm cov khoom seem thiab xa nws.
Nyob rau tib lub sijhawm, cov peev txheej tsim nyog lawv tus kheej tsis nyob hauv cov pob tseg. Lawv nyob hauv niam txiv tus qauv.
Π’ΠΈΠ»ΠΈΡΠ° dnSpy ua muaj ob txoj haujlwm tseem ceeb heev uas yuav pab peb sai sai tsim "Frankenstein" los ntawm ob cov ntaub ntawv ntsig txog.
- Thawj qhov tso cai rau koj "muab tshuaj" lub tsev qiv ntawv dynamic rau hauv cov qauv niam txiv.
- Qhov thib ob yog rov sau dua cov lej ua haujlwm ntawm qhov chaw nkag mus hu rau txoj kev xav tau ntawm lub tsev qiv ntawv dynamic tso.
Peb txuag peb "Frankenstein", teem breakpoint ntawm txoj kab rov qab ib qho tsis nrog cov khoom siv decrypted, thiab tsim cov pob tseg los ntawm kev sib piv nrog rau theem dhau los.
Qhov thib ob pov tseg yog sau rau hauv VB.NET ib cov ntaub ntawv executable uas muaj kev tiv thaiv los ntawm tus neeg tiv thaiv peb paub ConfuserEx.
Tom qab tshem tawm tus tiv thaiv, peb siv YARA cov cai sau ua ntej thiab xyuas kom meej tias cov malware tsis tau ntim yog tiag tiag AgentTesla.
Qauv No 2
Cov ntaub ntawv hauv paus yog MS Excel cov ntaub ntawv. Ib tug built-in macro ua rau kev ua phem code.
Yog li ntawd, tsab ntawv PowerShell tau pib.
Tsab ntawv decrypts C# code thiab hloov kev tswj rau nws. Cov cai nws tus kheej yog bootloader, raws li tuaj yeem pom los ntawm sandbox daim ntawv qhia.
Lub payload yog ib qho executable .NET- ntaub ntawv.
Qhib cov ntaub ntawv hauv wb x86, koj tuaj yeem pom tias nws yog obfuscated. Tshem tawm obfuscation siv lub tshuab hluav taws xob ua 4dot thiab rov qab mus rau kev txheeb xyuas.
Thaum kuaj xyuas cov cai, koj tuaj yeem pom cov haujlwm hauv qab no:
Cov kab encoded tau tawm tsam EntryPoint ΠΈ Ua Ntawv thov. Peb tso breakpoint mus rau thawj kab, khiav thiab txuag tus nqi tsis byte_0.
Cov pov tseg yog dua ib daim ntawv thov rau .NET thiab tiv thaiv ConfuserEx.
Peb tshem tawm obfuscation siv ua 4dot thiab upload rau dnSpy ua. Los ntawm cov ntaub ntawv piav qhia peb nkag siab tias peb tau ntsib CyaX-Sharp loader.
Qhov no loader muaj nws kim heev los tiv thaiv kev tsom xam functionality.
Qhov kev ua haujlwm no suav nrog kev hla dhau qhov kev tiv thaiv Windows built-in, cuam tshuam Windows Defender, nrog rau sandbox thiab virtual tshuab tshawb pom cov tshuab. Nws tuaj yeem thauj cov payload los ntawm lub network lossis khaws cia rau hauv cov khoom seem. Launch yog ua los ntawm kev txhaj tshuaj rau hauv nws tus kheej cov txheej txheem, rau hauv ib qho kev sib npaug ntawm nws tus kheej cov txheej txheem, lossis rau hauv cov txheej txheem MSBuild.exe, vbc.exe ua ΠΈ RegSvcs.exe nyob ntawm qhov parameter xaiv los ntawm tus neeg tawm tsam.
Txawm li cas los xij, rau peb lawv yog qhov tseem ceeb tsawg dua AntiDump-function uas ntxiv ConfuserEx. Nws qhov chaws tuaj yeem pom ntawm .
Txhawm rau lov tes taw kev tiv thaiv, peb yuav siv lub sijhawm dnSpy ua, uas tso cai rau koj los kho IL-chaws.
Txuag thiab nruab breakpoint mus rau kab ntawm kev hu rau payload decryption muaj nuj nqi. Nws yog nyob rau hauv lub constructor ntawm lub ntsiab chav kawm ntawv.
Peb tso thiab pov tseg lub payload. Siv cov kev cai YARA yav dhau los, peb paub tseeb tias qhov no yog AgentTesla.
Qauv No 3
Cov ntaub ntawv qhov chaw yog qhov executable VB Native PE 32- ntaub ntawv.
Entropy tsom xam pom tias muaj ib qho loj ntawm cov ntaub ntawv encrypted.
Thaum txheeb xyuas daim ntawv thov hauv VB Decompiler koj yuav pom qhov txawv pixelated keeb kwm yav dhau.
Entropy daim duab bmp-cov duab zoo ib yam rau cov duab entropy ntawm thawj cov ntaub ntawv, thiab qhov loj yog 85% ntawm cov ntaub ntawv loj.
Qhov dav dav ntawm daim duab qhia txog kev siv steganography.
Cia peb them sai sai rau qhov tshwm sim ntawm cov ntoo txheej txheem, nrog rau qhov muaj cov cim txhaj tshuaj.
Qhov no qhia tau hais tias unpacking tab tom ua. Rau Visual Basic loaders (aka VBKrypt los yog VBInjector) raug siv shellcode los pib lub payload, nrog rau kev txhaj tshuaj nws tus kheej.
Kev tsom xam hauv VB Decompiler tau pom muaj qhov tshwm sim load ntawm daim ntawv FegatassocAirballoon 2.
Wb mus IDA pro mus rau qhov chaw nyob uas tau teev tseg thiab kawm txog kev ua haujlwm. Lub code yog obfuscated hnyav heev. Cov seem uas peb nyiam yog nthuav tawm hauv qab no.
Ntawm no tus txheej txheem qhov chaw nyob yog scanned rau kos npe. Txoj kev no yog qhov dubious heev.
Ua ntej, qhov chaw pib scanning 0x400100. Tus nqi no zoo li qub thiab tsis kho thaum lub hauv paus hloov. Nyob rau hauv lub tsev cog khoom zoo tagnrho nws yuav qhia qhov kawg PE- lub header ntawm cov ntaub ntawv executable. Txawm li cas los xij, cov ntaub ntawv tsis zoo li qub, nws tus nqi tuaj yeem hloov pauv, thiab tshawb nrhiav qhov chaw nyob tiag tiag ntawm qhov yuav tsum tau kos npe, txawm tias nws yuav tsis ua rau muaj kev sib txawv, tuaj yeem siv sijhawm ntev heev.
Qhov thib ob, lub ntsiab lus ntawm kos npe iWGK. Kuv xav tias nws pom tseeb tias 4 bytes tsawg dhau los lav qhov tsis zoo. Thiab yog tias koj coj mus rau hauv tus account thawj lub ntsiab lus, qhov tshwm sim ntawm kev ua yuam kev yog siab heev.
Qhov tseeb, qhov yuav tsum tau tawg yog txuas mus rau qhov kawg ntawm qhov pom yav dhau los bmp- duab los ntawm offset 0x1d0 ua.
Kev ua tau zoo Shellcode nqa tawm hauv ob theem. Thawj decipers lub ntsiab lub cev. Hauv qhov no, tus yuam sij yog txiav txim siab los ntawm brute force.
Tshem tawm qhov decrypted Shellcode thiab saib cov kab.
Ua ntej, tam sim no peb paub cov haujlwm los tsim cov txheej txheem menyuam yaus: CreateProcessInternalW.
Qhov thib ob, peb tau paub txog cov txheej txheem ntawm kev txhim kho hauv qhov system.
Cia peb rov qab mus rau qhov qub txheej txheem. Wb muab breakpoint rau CreateProcessInternalW thiab txuas ntxiv mus. Tom ntej no peb pom kev sib txuas NtGetContextThread/NtSetContextThread, uas hloov qhov chaw pib ua haujlwm rau qhov chaw nyob ShellCode.
Peb txuas mus rau tus txheej txheem tsim nrog ib tug debugger thiab qhib qhov kev tshwm sim Ncua tseg ntawm libraryu load/unload, rov pib txheej txheem thiab tos rau kev thauj khoom .NET- tsev qiv ntawv.
Kev siv ntxiv ProcessHacker pov tseg cov cheeb tsam uas muaj unpacked .NET- daim ntawv thov.
Peb nres tag nrho cov txheej txheem thiab tshem tawm cov ntawv luam ntawm cov malware uas tau dhau los ua rau hauv lub kaw lus.
Cov ntaub ntawv pov tseg yog tiv thaiv los ntawm tus neeg tiv thaiv .NET Reactor, uas tuaj yeem tshem tau yooj yim siv lub tshuab hluav taws xob ua 4dot.
Siv YARA cov cai sau ua ntej, peb paub tseeb tias qhov no yog AgentTesla.
Cia peb tus kheej lub ntsiab lus
Yog li, peb tau ua kom nthuav dav cov txheej txheem ntawm cov qauv semi-automatic unpacking siv peb lub rooj plaub me me ua piv txwv, thiab kuj tau txheeb xyuas malware raws li cov ntaub ntawv tag nrho, nrhiav pom tias cov qauv hauv qab kev kawm yog AgentTesla, tsim nws cov haujlwm thiab ib qho ua kom tiav daim ntawv qhia txog kev sib haum xeeb.
Kev tsom xam ntawm cov khoom phem uas peb tau ua yuav tsum tau siv sijhawm ntau thiab siv zog, thiab cov haujlwm no yuav tsum tau ua los ntawm ib tus neeg ua haujlwm tshwj xeeb hauv lub tuam txhab, tab sis tsis yog txhua lub tuam txhab tau npaj los ntiav tus kws tshuaj ntsuam.
Ib qho ntawm cov kev pabcuam muab los ntawm Pawg-IB Laboratory ntawm Computer Forensics thiab Malicious Code Analysis yog teb rau cov xwm txheej cyber. Thiab kom cov neeg siv khoom tsis nkim sij hawm pom zoo cov ntaub ntawv thiab sib tham txog lawv nyob rau hauv nruab nrab ntawm kev tawm tsam cyber, Group-IB tau tshaj tawm Qhov xwm txheej teb Retainer, ib qho kev pabcuam ua ntej qhov xwm txheej teb uas suav nrog cov kauj ruam tshuaj xyuas malware. Xav paub ntau ntxiv txog qhov no tuaj yeem nrhiav tau .
Yog tias koj xav rov kawm dua yuav ua li cas AgentTesla cov qauv raug tshem tawm thiab pom tias tus kws tshaj lij CERT Group-IB ua li cas, koj tuaj yeem rub tawm cov ntaub ntawv webinar ntawm lub ncauj lus no .
Tau qhov twg los: www.hab.com