Muddy Water: how hackers from MuddyWater attacked a Turkish manufacturer of military electronics


Pro-government Iranian hackers are in serious trouble. Throughout the spring, unknown persons published "secret leaks" on Telegram: information about the APT groups linked to the Iranian government, OilRig and MuddyWater, their tools, their victims and their connections. But not about everyone. In April, Group-IB specialists discovered a leak of e-mail addresses belonging to the Turkish corporation ASELSAN A.Ş, which manufactures tactical military radios and electronic defense systems for the Turkish armed forces. Anastasia Tikhonova, Head of the Group-IB Advanced Threat Research Team, and Nikita Rostovtsev, junior analyst at Group-IB, describe the course of the attack on ASELSAN A.Ş and identify a possible member of MuddyWater.

Exposure via Telegram

The exposure of Iranian APT groups began when a certain Lab Dookhtegan made public the source code of six APT34 tools (also known as OilRig and HelixKitten), revealed the IP addresses and domains involved in the group's operations, and published data on 66 of the hackers' victims, including Etihad Airways and Emirates National Oil. Lab Dookhtegan also leaked data on the group's past operations and information about employees of the Iranian Ministry of Intelligence and National Security who are allegedly linked to the group's activities. OilRig is an Iran-linked APT group that has existed since around 2014 and targets government, financial and military organizations, as well as energy and telecommunications companies in the Middle East and China.

After OilRig was exposed, the leaks continued: information about the activities of another pro-state group from Iran, MuddyWater, appeared on the darknet and on Telegram. Unlike the first leak, however, this time it was not source code that was published but dumps, including screenshots of source code, control servers, and the IP addresses of the hackers' past victims. This time the Green Leakers hackers claimed responsibility for the MuddyWater leak. They run several Telegram channels and darknet sites where they advertise and sell data related to MuddyWater's operations.

Cyber spies from the Middle East

MuddyWater is a group that has been active in the Middle East since 2017. For example, according to Group-IB experts, from February to April 2019 the hackers carried out a series of phishing mailings against government, educational, financial, telecommunications and defense organizations in Turkey, Iran, Afghanistan, Iraq and Azerbaijan.

The group uses a backdoor of its own development based on PowerShell, called POWERSTATS. It can:

  • collect data about local and domain accounts, available file servers, internal and external IP addresses, and the OS name and architecture;
  • execute code remotely;
  • upload and download files via the C&C server;
  • detect the presence of debugging programs used in malware analysis;
  • shut down the system if malware analysis tools are found;
  • delete files from local drives;
  • take screenshots;
  • disable security measures in Microsoft Office products.

At some point the attackers made a mistake, and researchers from ReaQta managed to obtain the final IP address, which was located in Tehran. Given the targets the group attacks and its cyber-espionage objectives, experts have suggested that the group represents the interests of the Iranian government.

Indicators of compromise (C&C):

  • gladiator[.]tk
  • 94.23.148[.]194
  • 192.95.21[.]28
  • 46.105.84[.]146
  • 185.162.235[.]182

Files (MD5):


Attack on Turkey

On April 10, 2019, Group-IB experts discovered a leak of e-mail addresses belonging to the Turkish company ASELSAN A.Ş, the largest company in the field of military electronics in Turkey. Its products include radar and electronic warfare systems, electro-optics, avionics, unmanned systems, and land, naval, weapon and air defense systems.

While studying one of the new samples of the POWERSTATS malware, Group-IB experts determined that the MuddyWater attackers used as a decoy document a license agreement between Koç Savunma, a company producing solutions in the field of information and defense technologies, and Tubitak Bilgem, a research center for information security and advanced technologies. The contact person for Koç Savunma was Tahir Taner Tımış, who held the position of Programs Manager at Koç Bilgi ve Savunma Teknolojileri A.Ş. from September 2013 to December 2018. He later started working at ASELSAN A.Ş.

Example of a decoy document

After the user enabled the malicious macros, the POWERSTATS backdoor was downloaded to the victim's computer.
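The infection chain described here, a macro in a decoy document fetching a PowerShell-based backdoor, typically shows up in endpoint telemetry as an Office process spawning PowerShell. The following Python filter is an added example and not Group-IB's code or anything from the article; the Sysmon-style field names and the log records it runs over are constructed for illustration.

```python
# Added example: flag process-creation events in which an Office application
# spawns a shell, the pattern produced when a malicious macro in a decoy
# document pulls down a PowerShell-based backdoor such as POWERSTATS.
# The records below are constructed (Sysmon-style 'key=value|key=value' lines).
import re
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    "EventID=1|ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -nop -w hidden -enc QQBBAA==|User=CORP\\alice",
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|CommandLine=WINWORD.EXE decoy.doc|User=CORP\\alice",
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe Get-ChildItem|User=CORP\\bob",
    "EventID=1|ParentImage=C:\\Program Files\\Microsoft Office\\EXCEL.EXE|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c powershell -ep bypass -f x.ps1|User=CORP\\carol",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a 'k=v|k=v' record into a dict (values may themselves contain '=')."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_flags(cmdline: str) -> List[str]:
    """Name the PowerShell switches commonly used to hide or encode execution."""
    patterns = {
        "encoded": r"(?i)\s-e(nc|ncodedcommand)?\s",
        "hidden": r"(?i)\s-w(indowstyle)?\s+hidden",
        "noprofile": r"(?i)\s-nop(rofile)?\b",
        "bypass": r"(?i)-e(xecution)?p(olicy)?\s+bypass",
    }
    return [name for name, pat in patterns.items() if re.search(pat, cmdline)]

def detect_office_spawned_shells(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per process-creation event whose parent is an Office app
    and whose child is a shell/script host, annotated with suspicious switches."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":          # Sysmon event 1 = process creation
            continue
        parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
        if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
            hits.append({"user": ev.get("User"), "parent": parent, "child": child,
                         "flags": suspicious_flags(ev.get("CommandLine", ""))})
    return hits
```

Running `detect_office_spawned_shells(SAMPLE_EVENTS)` returns two hits: the Word-spawned encoded, hidden PowerShell and the Excel-spawned cmd.exe chain, while the user launching PowerShell from Explorer is not flagged.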

Thanks to the metadata of this decoy document (MD5: 0638adf8fb4095d60fbef190a759aa9e), the researchers were able to find three more samples with the same values, including the date and time of creation, the user name, and the list of macros they contain:

  • ListOfHackedEmails.doc (eed599981c097944fa143e7d7f7e17b1)
  • asd.doc (21aebece73549b3c4355a6060df410e9)
  • F35-Specifications.doc (5c6148619abb10bb3789dcfb32f759a6)

Screenshot of the metadata of the various decoy documents

One of the discovered documents, named ListOfHackedEmails.doc, contained a list of 34 e-mail addresses in the domain @aselsan.com.tr.

Group-IB experts checked these e-mail addresses against publicly available leaks and found that 28 of them had been compromised in previously discovered leaks. Checking the combined set of available leaks revealed about 400 unique logins associated with this domain together with their passwords. It is possible that the attackers used this publicly available data to attack ASELSAN A.Ş.

Screenshot of the ListOfHackedEmails.doc document

Screenshot of the list of more than 450 login-password pairs found in public leaks

Among the discovered samples there was also a document named F35-Specifications.doc, a reference to the F-35 fighter. The decoy document is a specification for the F-35 multi-role fighter-bomber, giving the characteristics and price of the aircraft. The subject of this decoy document is directly related to the US refusal to supply F-35s after Turkey purchased the S-400 system, and to the threat of information about the F-35 Lightning II being passed to Russia.

All the data obtained indicate that the main targets of MuddyWater's cyberattacks are organizations located in Turkey.

Who are Gladiyator_CRK and Nima Nikjoo?

Earlier, in March 2019, malicious documents were created by a Windows user under the nickname Gladiyator_CRK. These documents also distributed the POWERSTATS backdoor and connected to a C&C server with a similar name, gladiator[.]tk.

This may have happened after the user Nima Nikjoo posted on Twitter on March 14, 2019, attempting to deobfuscate code attributed to MuddyWater. In the thread under this tweet, the researcher said he could not share indicators of compromise for this malware because the information was confidential. Unfortunately, the post has since been deleted, but traces of it remain online:

Nima Nikjoo is the owner of the Gladiyator_CRK profile on the Iranian video hosting sites dideo.ir and videoi.ir. On these sites he demonstrates PoC exploits for disabling antivirus tools from various vendors and bypassing sandboxes. Nima Nikjoo describes himself as a network security specialist, reverse engineer and malware analyst working for MTN Irancell, an Iranian telecommunications company.

Screenshot of the saved videos in Google search results:

Later, on March 19, 2019, the Twitter user Nima Nikjoo changed his nickname to Malware Fighter and deleted the related posts and comments. The Gladiyator_CRK profile on the video hosting site dideo.ir was also deleted, as was the one on YouTube, and the profile itself was renamed N Tabrizi. However, almost a month later (April 16, 2019), the Twitter account began using the name Nima Nikjoo again.

During the investigation, Group-IB experts found that Nima Nikjoo had already been mentioned in connection with cybercrime. In August 2014, the Iranian blog Khabarestan published information about individuals associated with the Iranian cybercriminal group Nasr Institute. A FireEye investigation stated that Nasr Institute acted as a contractor for APT33 and was also involved in DDoS attacks on US banks between 2011 and 2013 as part of a campaign called Operation Ababil.

On that same blog, Nima Nikju-Nikjoo was named as a developer of malware for spying on Iranians, together with his e-mail address: gladiator_cracker@yahoo[.]com.

Screenshot of the data on cybercriminals from Iran's Nasr Institute:

Translation of the highlighted text: Nima Nikio - Spyware Developer - Email:.

As can be seen from this information, the e-mail address is linked both to the address used in the attacks and to the users Gladiyator_CRK and Nima Nikjoo.

In addition, an article dated June 15, 2017 stated that Nikjoo was careless in listing references to the Kavosh Security Center on his résumé. It is believed that the Kavosh Security Center is backed by the Iranian state as a way of funding pro-government hackers.

Information about the company where Nima Nikjoo worked:

The LinkedIn profile of the Twitter user Nima Nikjoo lists his first place of work as the Kavosh Security Center, where he worked from 2006 to 2014. During that time he studied various malware and also did work related to reversing and obfuscation.

Information on LinkedIn about the company where Nima Nikjoo worked:


MuddyWater and high self-esteem

Curiously, the MuddyWater group closely monitors every report and post that information security experts publish about it, and early on even deliberately planted false flags to throw researchers off the scent. For example, their first attacks misled experts because they used DNS Messenger, which is usually associated with the FIN7 group. In other attacks they inserted Chinese strings into the code.

The group also likes to leave messages for researchers. For example, they did not like that Kaspersky Lab put MuddyWater in only 3rd place in its threat ranking for the year. At that very moment someone, presumably the MuddyWater group, uploaded a PoC exploit to YouTube that disables the Kaspersky Lab antivirus. They also left a comment under the article.

Screenshot of the video on disabling the Kaspersky Lab antivirus and the comment below it:

It is still difficult to draw an unambiguous conclusion about the involvement of "Nima Nikjoo". Group-IB experts are considering two versions. Nima Nikjoo may indeed be a hacker from the MuddyWater group who came to light because of his carelessness and heightened activity online. The second possibility is that other members of the group deliberately "exposed" him in order to deflect suspicion from themselves. In either case, Group-IB is continuing its investigation and will report its results.

As for the Iranian APTs, after the series of leaks and exposures they most likely face a serious "debriefing": the hackers will be forced to substantially change their tools, clean up their tracks and look for possible "moles" in their ranks. Experts did not rule out that they would even take a time-out, but after a short pause the Iranian APTs' attacks resumed.

Source: www.habr.com
