Anyị na-aga n'ihu usoro akụkọ anyị etinyere na nyocha malware. N'ime N'akụkụ ụfọdụ, anyị gwara otú Ilya Pomerantsev, onye ọkachamara nyocha malware na CERT Group-IB si mee nyocha zuru ezu nke faịlụ enwetara site na mail site na otu ụlọ ọrụ Europe wee chọpụta spyware ebe ahụ. AgentTesla. N'isiokwu a, Ilya na-enye nsonaazụ nke nyocha nke nzọụkwụ nke isi modul AgentTesla.
Agent Tesla bụ ngwa nledo modular ekesara site na iji ụdị malware-dị ka ọrụ n'okpuru uwe nke ngwaahịa keylogger ziri ezi. Agent Tesla nwere ike ịwepụta ma bufee nzere onye ọrụ site na ihe nchọgharị, ndị ahịa email na ndị ahịa FTP na ihe nkesa na ndị na-awakpo, ịdekọ data clipboard, na ijide ihuenyo ngwaọrụ. N'oge nyocha, weebụsaịtị gọọmentị nke ndị mmepe adịghị.
faịlụ nhazi
Tebụlụ dị n'okpuru na-edepụta ọrụ dị na nlele ị na-eji:
| Nkowasi | uru |
| Ọkọlọtọ ojiji KeyLogger | ezi |
| Ọkọlọtọ ojiji ScreenLogger | ụgha |
| Ndekọ KeyLogger na-eziga nkeji n'ime nkeji | 20 |
| ScreenLogger log na-eziga etiti oge n'ime nkeji | 20 |
| Ọkọlọtọ njikwa igodo Backspace. Ụgha - naanị ịkụ osisi. Eziokwu - na-ehichapụ igodo gara aga | ụgha |
| Ụdị CNC. Nhọrọ: smtp, webpanel, ftp | SMTP |
| Ọkọlọtọ ịgbalite eri maka ịkwụsị usoro na listi "%filter_list%" | ụgha |
| UAC gbanyụọ ọkọlọtọ | ụgha |
| Onye njikwa ọrụ gbanyụọ ọkọlọtọ | ụgha |
| CMD gbanyụọ ọkọlọtọ | ụgha |
| Gbaa mpio gbanyụọ ọkọlọtọ | ụgha |
| Ihe nlele ndekọ gbanyụọ ọkọlọtọ | ụgha |
| Gbanyụọ ọkọlọtọ ntụpọ weghachi sistemụ | ezi |
| Ogwe njikwa gbanyụọ ọkọlọtọ | ụgha |
| MSCONFIG gbanyụọ ọkọlọtọ | ụgha |
| Ọkọlọtọ ka ị gbanyụọ menu onodu na Explorer | ụgha |
| Ọkọlọtọ pin | ụgha |
| Ụzọ maka iṅomi modul bụ isi mgbe ị na-etinye ya na sistemụ | % mmalite nchekwa % % nchekwa %% aha insname % |
| Ọkọlọtọ maka ịtọ njirimara “Sistemụ” na “Zoro Ezo” maka modul bụ isi ekenyere sistemụ | ụgha |
| Ọkọlọtọ ka ịmalitegharịa mgbe etinyere ya na sistemụ | ụgha |
| Ọkọlọtọ maka ibugharị modul isi na nchekwa nwa oge | ụgha |
| Ọkọlọtọ gafere UAC | ụgha |
| Ụdị ụbọchị na oge maka ntinye akwụkwọ | yyyy-MM-dd HH:mm:ss |
| Ọkọlọtọ maka iji nzacha mmemme maka KeyLogger | ezi |
| Ụdị nzacha mmemme. 1 - a na-enyocha aha mmemme na aha mpio 2 - a na-achọ aha mmemme na aha usoro windo |
1 |
| Ihe nzacha mmemme | "facebook" "twitter" "gmail" "instagram" "ihe nkiri" "skype" "porn" "mbanye anataghị ikike" "WhatsApp" "esemokwu" |
Na-agbakwụnye modul isi na usoro
Ọ bụrụ na edobere ọkọlọtọ kwekọrọ, a na-eṅomi modul bụ isi na ụzọ akọwapụtara na nhazi dị ka ụzọ a ga-ekenye na sistemụ.
Dabere na uru sitere na nhazi ahụ, a na-enye faịlụ ahụ njiri mara "Zoro Ezo" na "Sistemụ".
A na-enye Autorun site na ngalaba ndekọ abụọ:
- HKCU SoftwareMicrosoftWindowsCurrentVersionRun%insregname%
- HKCUSOFTWAREMIMicrosoftWindowsCurrentVersionExplorer StartupApprovedRun %insregname%
Ebe ọ bụ na bootloader na-abanye n'ime usoro ahụ RegAsm, ịtọ ọkọlọtọ na-adịgide adịgide maka modul bụ isi na-eduga na nsonaazụ na-atọ ụtọ. Kama iṅomi onwe ya, malware jikọtara faịlụ mbụ na sistemụ RegAsm.exe, n'oge a na-eme injections.
Mmekọrịta na C&C
N'agbanyeghị usoro eji, nkwurịta okwu netwọk na-amalite site n'inweta IP mpụga nke onye ahụ na-eji akụ [.]amazonaws[.]com/.
Ndị na-esonụ na-akọwa ụzọ mmekọrịta netwọk ndị ewepụtara na ngwanrọ.
webpanel
Mmekọrịta a na-eme site na protocol HTTP. malware na-eji isi nkụnye ndị a na-eme arịrịọ POST:
- Onye nnọchi anya: Mozilla/5.0 (Windows U Windows NT 6.1 ru rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
- Njikọ: Nọgidenụ na-adị ndụ
- Ụdị ọdịnaya: ngwa/x-www-form-urlencoded
Eji uru akọwapụtara adreesị ihe nkesa ahụ %PostURL%. A na-eziga ozi ezoro ezo na oke «P». A kọwara usoro ezoro ezo na ngalaba "Algorithms nzuzo" (Usoro 2).
Ozi ezigara dị ka nke a:
type={0}nhwid={1}ntime={2}npcname={3}nlogdata={4}nscreen={5}nipadd={6}nwebcam_link={7}nclient={8}nlink={9}nusername={10}npassword={11}nscreen_link={12}
Ogologo ụdị na-egosi ụdị ozi:
hwid - A na-edekọ hash MD5 site na ụkpụrụ nke nọmba serial motherboard na ID processor. O yikarịrị ka ejiri ya dịka NJ onye ọrụ.
oge - na-eje ozi iji nyefee oge na ụbọchị dị ugbu a.
aha pc - kọwara dị ka <Aha njirimara>/<Aha kọmputa>.
logdata - ndekọ data.
Mgbe ị na-ebufe okwuntughe, ozi a dị ka:
type={0}nhwid={1}ntime={2}npcname={3}nlogdata={4}nscreen={5}nipadd={6}nwebcam_link={7}nscreen_link={8}n[passwords]
Ndị a bụ nkọwa nke data ezuru n'ụdị nclient[]={0}nlink[]={1}aha njirimara[]={2}npassword[]={3}.
SMTP
Mmekọrịta a na-ewere ọnọdụ site na protocol SMTP. Akwụkwọ ozi ezigara dị n'ụdị HTML. Oke AHỤ dị ka:
Isi akwụkwọ ozi ahụ nwere ụdị izugbe: < USER NAME>/<Aha Kọmputa> <Ụdị Ọdịnaya>. Ezobeghi ọdịnaya nke akwụkwọ ozi ahụ, yana mgbakwunye ya.
Mmekọrịta ahụ na-ewere ọnọdụ site na protocol FTP. A na-ebufe faịlụ nwere aha na sava akọwapụtara <Ụdị Ọdịnaya>_<Aha USER>- <Aha Kọmputa>_<ỤBỤTA NA OGE>.html. Ezobeghi ọdịnaya nke faịlụ a.
Algọridim nzuzo
Ikpe a na-eji usoro nzuzo ndị a:
Usoro 1
A na-eji usoro a ezoro eriri eriri na modul isi. Algọridim eji ezoro ezo bụ AES.
Ntinye bụ ọnụọgụ ọnụọgụ isii. A na-eme mgbanwe ndị a na ya:
f(x) = (((x >> 2 - 31059) ^ 6380) - 1363) >> 3
Uru pụtapụtara bụ ndeksi maka nhazi data agbakwunyere.
Ihe nhazi ọ bụla bụ usoro DWORD. Mgbe ejikọta DWORD A na-enweta ọtụtụ bytes: nke mbụ 32 bytes bụ igodo ezoro ezo, na-esote 16 bytes nke vector mmalite, na ihe ndị fọdụrụ bụ data ezoro ezo.
Usoro 2
A na-eji Algorithm 3DES na ọnọdụ ECB na padding na dum bytes (PKCS7).
A na-akọwa igodo ahụ site na oke %urlkey%, Otú ọ dị, izo ya ezo na-eji MD5 hash.
Ọrụ ọjọọ
Ihe nlele a na-amụ na-eji mmemme ndị a iji mejuputa ọrụ ọjọọ ya:
onye na-agba igodo
Ọ bụrụ na enwere ọkọlọtọ malware dabara na iji ọrụ WinAPI Tọọ WindowsHookEx na-ekenye onye njikwa ya maka mmemme igodo igodo na ahụigodo. Ọrụ njikwa na-amalite site n'inweta aha nke windo arụ ọrụ.
Ọ bụrụ na edobere ọkọlọtọ nzacha ngwa, a na-eme nzacha dabere n'ụdị akọwapụtara:
- a na-achọ aha mmemme na aha mpio
- A na-ele aha mmemme ahụ na aha usoro mpio
Na-esote, a na-agbakwunye ndekọ na ndekọ nwere ozi gbasara windo arụ ọrụ n'ụdị:
Mgbe ahụ, a na-edokọ ozi gbasara igodo ịpị:
| Isi | Dekọọ |
| Backspace | Dabere na ọkọlọtọ nhazi igodo Backspace: Ụgha - {BACK} Eziokwu - na-ehichapụ igodo gara aga |
| IGODO NNUKWU MKPỤRỤEDEMEDE | {IGODO NNUKWU MKPỤRỤEDEMEDE} |
| ESC | {ESC} |
| Peeji | {PageUp} |
| Down | ↓ |
| Gbanyụọ | {DEL} |
| " | " |
| F5 | {F5} |
| & | & |
| F10 | {F10} |
| TAB | {TAB} |
| < | < |
| > | > |
| Oghere | |
| F8 | {F8} |
| F12 | {F12} |
| F9 | {F9} |
| ALT + TAB | {ALT+TAB} |
| ọgwụgwụ | {END} |
| F4 | {F4} |
| F2 | {F2} |
| CTRL | {CTRL} |
| F6 | {F6} |
| Right | → |
| Up | ↑ |
| F1 | {F1} |
| ekpe | ← |
| Pagedown | {Pagedown} |
| Insert | {Fanye} |
| Win | {merie} |
| Mkpọchi ọnụọgụ | {NumLock} |
| F11 | {F11} |
| F3 | {F3} |
| ỤLỌ | {ỤLỌ} |
| Tinye | {ENTER} |
| ALT + F4 | {ALT+F4} |
| F7 | {F7} |
| igodo ọzọ | Akparamagwa dị na mkpụrụedemede ukwu ma ọ bụ obere dabere na ọnọdụ nke igodo CapsLock na Shift |
N'otu oge akọwapụtara, a na-eziga ndekọ anakọtara na sava ahụ. Ọ bụrụ na mbufe agaghị aga nke ọma, a na-echekwa ndekọ ahụ na faịlụ %TEMP% log.tmp n'ụdị:
Mgbe ngụ oge gbara ọkụ, a ga-ebufe faịlụ ahụ na sava ahụ.
ScreenLogger
N'otu oge akọwapụtara, malware na-emepụta nseta ihuenyo n'ụdị JPEG nwere ihe ọ pụtara Quality hà nhata 50 ma chekwaa ya na faịlụ %APPDATA % <Usoro usoro nke mkpụrụedemede iri>.jpg. Mgbe ebufechara, a ga-ehichapụ faịlụ ahụ.
ClipboardLogger
Ọ bụrụ na edobere ọkọlọtọ kwesịrị ekwesị, a na-eme mgbanwe n'ime ederede egbochiri dị ka tebụl dị n'okpuru.
Mgbe nke a gasịrị, a na-etinye ederede n'ime ndekọ:
OkwuntugheStealer
malware nwere ike budata okwuntughe site na ngwa ndị a:
| Ike | Ndị ahịa ozi | Ndị ahịa FTP |
| Chrome | Outlook | FileZilla |
| Firefox | Thunderbird | WS_FTP |
| IE/Eji | Foxmail | WinSCP |
| safari | Mail Opera | CoreFTP |
| Opera Nchọgharị | Enweghi ike | FTP Navigator |
| Yandex | Pocomail | FlashFXP |
| Comodo | Eudora | SmartFTP |
| ChromePlus | TheBat | Onye isi nchịkwa FTP |
| chromium | Igbe ozi | |
| Uhie | ClawsMail | |
| 7Star | ||
| Enyi | ||
| BraveSoftware | Ndị ahịa Jabber | Ndị ahịa VPN |
| CentBrowser | Psi/Psi+ | Mepee VPN |
| Chedot | ||
| CocCoc | ||
| Ihe Nchọgharị | Ndị njikwa nbudata | |
| Epic Nzuzo Nchọgharị | Internet Download Manager | |
| Comet | JDownloader | |
| orbitum | ||
| Sputnik | ||
| uCozMedia | ||
| Vivaldi | ||
| SeaMonkey | ||
| Flock Browser | ||
| UC Nchọgharị | ||
| BlackHawk | ||
| CyberFox | ||
| K-meleon | ||
| akpụrụ pusi | ||
| icedragon | ||
| PaleMoon | ||
| WaterFox | ||
| Ihe nchọgharị Falkon |
Mmegide na nyocha dị ike
- Iji ọrụ ahụ ụra. Na-enye gị ohere ịgafe ụfọdụ igbe ájá site n'oge agwụla
- Na-ebibi eri Mpaghara. Na-enye gị ohere izochi eziokwu nke nbudata faịlụ na ịntanetị
- Na paramita %filter_list% na-akọwapụta ndepụta usoro nke malware ga-akwụsị n'etiti nkeji nke otu sekọnd
- Disconnecting UAC
- Ịgbanyụ onye njikwa ọrụ
- Disconnecting CMD
- Ịgbanyụ windo "Ịhụnanya"
- Ịgbanyụọ Ogwe njikwa
- Ịgbanyụ ngwaọrụ RegEdit
- Ịgbanyụ isi ihe weghachi sistemụ
- Gbanyụọ menu onodu na Explorer
- Disconnecting MSCONFIG
- Gafefe UAC:
Atụmatụ adịghị arụ ọrụ nke modul isi
N'oge nyocha nke modul isi, a chọpụtara ọrụ ndị na-ahụ maka ịgbasa na netwọk na nyochaa ọnọdụ nke òké.
Worm
A na-enyocha ihe omume maka ijikọ mgbasa ozi mbughari na eri dị iche. Mgbe ejikọrọ, malware nwere aha na-eṅomi ya na mgbọrọgwụ nke sistemụ faịlụ scr.exe, emesia ọ na-achọ faịlụ nwere ndọtị ahụ lnk. Otu onye ọ bụla lnk mgbanwe na cmd.exe /c bido scr.exe&bido <iwu izizi>& pụọ.
A na-enye akwụkwọ ndekọ aha ọ bụla na mgbọrọgwụ nke mgbasa ozi njirimara "Zoro ezo" na a na-emepụta faịlụ na ndọtị ahụ lnk n'aha akwụkwọ ndekọ aha zoro ezo na iwu cmd.exe /c bido scr.exe&nyocha / mgbọrọgwụ,"% CD% <DIRECTORY NAME>" & pụọ.
MouseTracker
Usoro maka ime nkwubi okwu yiri nke a na-eji maka ahụigodo. Ọrụ a ka na-arụ ọrụ.
Ọrụ faịlụ
| ụzọ | Nkowasi |
| %Okpomọkụ%temp.tmp | Nwere counter maka mbọ ngafe UAC |
| % mmalite folda%% nchekwa nchekwa%% aha insname% | Ụzọ a ga-ekenye na sistemụ HPE |
| %Temp%tmpG{ugbu a na milliseconds}.tmp | Ụzọ maka ndabere nke isi modul |
| %Okpomọkụ%log.tmp | Tinye faịlụ |
| %AppData%{Usoro aka ike nke mkpụrụedemede iri}.jpeg | Nseta ihuenyo |
| C:UsersPublic{Usoro aka ike nke mkpụrụedemede iri}.vbs | Ụzọ na faịlụ vbs nke bootloader nwere ike iji tinye na sistemụ |
| %Temp%{Aha nchekwa ahapụrụ iche} Aha faịlụ} | Ụzọ nke bootloader ji etinye onwe ya na sistemụ |
Profaịlụ ọgụ
N'ihi data nkwenye siri ike, anyị nwere ike ịnweta ụlọ ọrụ iwu.
Nke a nyere anyị ohere ịchọpụta email ikpeazụ nke ndị mwakpo ahụ:
junaid[.] na ***@gmail[.]com.
Aha ngalaba iwu ka edebanyere aha na mail sg ***@gmail[.]com.
nkwubi
N'oge nyocha zuru ezu nke malware ejiri na mbuso agha ahụ, anyị nwere ike ịmepụta ọrụ ya wee nweta ndepụta zuru oke nke ndị na-egosi nkwenye dị mkpa na nke a. Ịghọta usoro nke mmekọrịta netwọk n'etiti malware mere ka o kwe omume inye ndụmọdụ maka ịhazigharị ọrụ nke ngwaọrụ nchekwa ozi yana ide iwu IDS kwụsiri ike.
Isi ihe egwu AgentTesla dị ka DataStealer na ọ dịghị mkpa itinye aka na sistemụ ma ọ bụ chere maka njikwa njikwa iji rụọ ọrụ ya. Ozugbo na igwe, ọ na-amalite ozugbo ịnakọta ozi nkeonwe wee bufee ya na CnC. Omume ike a dị n'ụzọ ụfọdụ yiri omume nke ransomware, naanị ihe dị iche bụ na nke ikpeazụ anaghị achọ njikọ netwọkụ. Ọ bụrụ na ị zutere ezinụlọ a, mgbe ihichachara sistemu nje ahụ na malware n'onwe ya, ị ga-agbanwerịrị okwuntughe niile nke nwere ike, opekata mpe, echekwara na otu ngwa edepụtara n'elu.
Na-ele anya n'ihu, ka anyị kwuo na ndị na-awakpo na-eziga AgentTesla, a na-agbanwekarị ihe na-ebu ibu nke mbụ. Nke a na-enye gị ohere ịnọ na-ahụghị site na static scanners na heuristic analyzers n'oge mwakpo. Na ọchịchọ nke ezinụlọ a ozugbo ịmalite ọrụ ha na-eme ka usoro nlekota oru abaghị uru. Ụzọ kachasị mma iji luso AgentTesla ọgụ bụ nyocha mbido na igbe ájá.
N'isiokwu nke atọ nke usoro isiokwu a, anyị ga-eleba anya na bootloaders ndị ọzọ ejiri AgentTesla, ma mụọkwa usoro nke mwepu nke ọkara akpaaka ha. Agbagharala!
Eke
| SHA1 |
| A8C2765B3D655BA23886D663D22BDD8EF6E8E894 |
| 8010CC2AF398F9F951555F7D481CE13DF60BBECF |
| 79B445DE923C92BF378B19D12A309C0E9C5851BF |
| 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
N&A
| URL |
| sina-c0m[.] icu |
| smtp[.]sina-c0m[.] icu |
RegKey
| Ndebanye aha |
| HKCUSoftwareMicrosoftWindowsCurrentVersionRun{aha edemede} |
| HKCUSoftwareMicrosoftWindowsCurrentVersionRun%insregname% |
| HKCUSOFTWAREMIMicrosoftWindowsCurrentVersionExplorer Startup ApprovedRun%insregname% |
Ogbi
Enweghị ihe ngosi.
Files
| Ọrụ faịlụ |
| %Okpomọkụ%temp.tmp |
| % mmalite folda%% nchekwa nchekwa%% aha insname% |
| %Temp%tmpG{ugbu a na milliseconds}.tmp |
| %Okpomọkụ%log.tmp |
| %AppData%{Usoro aka ike nke mkpụrụedemede iri}.jpeg |
| C:UsersPublic{Usoro aka ike nke mkpụrụedemede iri}.vbs |
| %Temp%{Aha nchekwa ahapụrụ iche} Aha faịlụ} |
Ozi nlele
| aha | Unknown |
| MD5 | F7722DD8660B261EA13B710062B59C43 |
| SHA1 | 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| SHA256 | 41DC0D5459F25E2FDCF8797948A7B315D3CB0753 98D808D1772CACCC726AF6E9 |
| ụdị | PE (.NET) |
| size | 327680 |
| Aha mbụ | AZZRIDKGGSLTYFUUBCCRUMRKTOXFVPDKGAGPUZI_20190701133545943.exe |
| Ụbọchị Stampụ | 01.07.2019 |
| Gbako | vb.net |
| aha | IELibrary.dll |
| MD5 | BFB160A89F4A607A60464631ED3ED9FD |
| SHA1 | 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
| SHA256 | D55800A825792F55999ABDAD199DFA54F3184417 215A298910F2C12CD9CC31EE |
| ụdị | PE (.NET DLL) |
| size | 16896 |
| Aha mbụ | IELibrary.dll |
| Ụbọchị Stampụ | 11.10.2016 |
| Gbako | Microsoft Linker (48.0*) |
isi: www.habr.com