Several cyber-criminal groups specialising in stealing money from Russian companies are known. Their attacks exploit security weaknesses that give them access to the target's network. Once access is obtained, the attackers study the structure of the organisation's network and deploy their own tools to steal money. Typical examples of this trend are the hacker groups Buhtrap, Cobalt and Corkow.
The RTM group, the focus of this report, is part of the same trend. It uses specially designed malware written in Delphi, which we describe in detail in the following sections. The first traces of these tools in ESET telemetry were found at the end of 2015. The team loads various new modules onto infected systems as needed. The attacks target users of remote banking systems in Russia and some neighbouring countries.
The RTM campaign targets corporate users, which is obvious from the processes the attackers try to detect on a compromised system: the focus is on accounting software used to interact with remote banking systems.
The list of processes RTM looks for is similar to the corresponding list for the Buhtrap group, but the infection vectors differ. Where Buhtrap more often used fake pages, RTM used drive-by download attacks (attacks on the browser or its components) and email spam. According to telemetry data, the threat is aimed at Russia and some neighbouring countries (Ukraine, Kazakhstan, the Czech Republic, Germany). However, because mass-distribution mechanisms are used, detections of the malware outside the target region are not surprising.
The total number of malware detections is relatively small. At the same time, the RTM campaign uses complex programs, which indicates that the attacks are highly targeted.
We found several decoy documents used by RTM, including non-existent contracts, invoices and tax accounting documents. The nature of the decoys, combined with the type of software being attacked, indicates that the attackers "enter" the networks of Russian companies through the accounting department. The group followed the same scheme as the Buhtrap group.
During the investigation we were able to interact with several C&C servers. The full list of commands is described in the following sections; for now it is enough to say that the client sends keylogger data directly to the attackers' server, from which additional commands are then received.
However, the days when simply connecting to the command-and-control server was enough to collect all the data of interest are over. To obtain several relevant commands from the server, we recreated realistic log files.
The first of these was a request to the bot to transfer the file 1c_to_kl.txt, a transport file of the 1C: Enterprise 8 program whose appearance RTM actively monitors. 1C interacts with remote banking systems by uploading data on outgoing payments to a text file. The file is then sent to the remote banking system for automated processing and execution of the payment order.
The file contains the payment details. If the attackers change the information about outgoing payments, the transfer is sent with false details to the attackers' account.
About a month after requesting these files from the command-and-control server, we observed a new plugin, 1c_2_kl.dll, being loaded onto the compromised system. The module (a DLL) is designed to inject into the accounting software's process and automatically parse the upload file. It is described in detail in the following sections.
Interestingly, at the end of 2016 the Bank of Russia's FinCERT issued a warning bulletin about cyber criminals using the 1c_to_kl.txt upload file. The developers of 1C are also aware of the scheme and have already published an official statement listing precautions.
Other modules, in particular VNC (32-bit and 64-bit versions), were loaded from the command server. It resembles the VNC module previously used in Dridex trojan attacks. The module is believed to be used to connect remotely to an infected computer and carry out a detailed study of the system. The attackers then try to move through the network, extract user passwords, collect information and ensure that the malware stays present.
2. Infection vectors
The following figure shows the infection vectors detected over the period of the campaign investigation. The group uses a variety of vectors, but mainly drive-by download attacks and spam. These tools are convenient for targeted attacks: in the first case the attackers can choose the sites visited by potential victims, and in the second they can send emails with attachments directly to employees of the target company.
The malware is distributed through several channels, including the RIG and Sundown exploit kits and spam email, which points to links between the attackers and other cyber criminals offering these services.
2.1. How are RTM and Buhtrap related?
The RTM campaign is very similar to Buhtrap. The natural question is how the two are related to each other.
In 2016 we observed RTM samples being distributed by the Buhtrap loader. In addition, we found two digital certificates used in both Buhtrap and RTM.
The first was issued to the company DNISTER-M and was used to digitally sign the second Delphi form (SHA-718: 31C43BA1E87DB13B94DC61F9338A11A1C1CE) and the Buhtrap DLL (SHA-2642: 454E2B889A6C41116B83D6CCDBA2F4890FXNUMXDXNUMX XNUMX).
The second was issued to Bit-Tredj and was used to sign the Buhtrap loaders (SHA-7: 1C6B1713B923BD243FC80002DFEC9FE93B292EB74 and B71560F48488E2153D2AE51207FB0A206AC2EXNUMXB) and to download and install RTM components.
RTM operators use certificates shared with other malware families, but they also have a certificate of their own. According to ESET telemetry it was issued to Kit-SD and was used only to sign some RTM malware (SHA-1: 42A4B04446A20993DDAE98B2BE6D5A797376D4B6).
RTM uses the same loader as Buhtrap, RTM components are loaded from Buhtrap infrastructure, and the groups share similar network indicators. Nevertheless, in our assessment RTM and Buhtrap are different groups, if only because RTM is also distributed in other ways (not only through the "foreign" downloader).
Still, the two hacker groups use similar operating principles. They target companies that use accounting software, collect system information in a similar way, search for smart card readers and deploy a set of malicious tools to spy on their victims.
3. Evolution
In this section we look at the different versions of the malware found during the investigation.
3.1. Versioning
RTM stores its configuration data in a registry section; the most interesting part of it is the botnet prefix. The list of all values seen in the samples we studied is given in the table below.
The values may be used to record malware versions. However, we saw little difference between versions such as bit2 and bit3, or 0.1.6.4 and 0.1.6.6. Moreover, one of the prefixes has existed from the beginning and evolved from a typical C&C domain to a .bit domain, as shown below.
3.2. Timeline
Using telemetry data, we built a graph of the appearance of samples.
4. Technical analysis
In this section we describe the main functions of the RTM banking trojan, including its persistence mechanisms, its own version of the RC4 algorithm, the network protocol, the spying functionality and other features. In particular, we focus on the samples with SHA-1 hashes AA0FA4584768CE9E16D67D8C529233E99FF1BBF0 and 48BC113EC8BA20B8B80CD5D4DA92051A19D1032B.
4.1. Installation and persistence
4.1.1. Implementation
The RTM core is a DLL; the library is dropped onto disk by an .EXE. The executable is usually packed and contains the DLL code. When launched, it extracts the DLL and runs it with the following command:
rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host
4.1.2. DLL
The main DLL is always dropped onto disk as winlogon.lnk in the %PROGRAMDATA%\Winlogon folder. This file extension is normally associated with shortcuts, but as the figure below shows, the file is actually a DLL written in Delphi, which its developers named core.dll.
Figure: example of the DLL name (F4C746696B0F5BB565D445EC49DD912993DE6361)
When started, the trojan activates its persistence mechanism. This can be done in two different ways, depending on the victim's privileges on the system. With administrator privileges, the trojan adds a Windows Update entry to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. The command stored in Windows Update is executed at the start of the user's session:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update [REG_SZ] = rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host
The trojan also tries to add a task to the Windows Task Scheduler. The task launches the winlogon.lnk DLL with the same parameters as above. With ordinary user privileges, the trojan adds a Windows Update entry with the same data to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key:
rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host
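As an added example (not code from the report or from the RTM authors), the following Python script hunts for exactly the autostart pattern described above: rundll32.exe loading a .lnk file from %PROGRAMDATA% and calling its DllGetClassObject export. The Run-key values it scans offline are constructed; the (key, name, data) tuple layout, the live_run_keys helper and the function names are this example's own choices.

```python
"""Added example, not from the report: hunt for the autostart pattern described in
4.1.2, rundll32.exe loading a .lnk file from %PROGRAMDATA% and calling its
DllGetClassObject export. The sample Run-key values are constructed; the
(key, name, data) tuple layout and the live_run_keys helper are this example's
own choices."""
import re
import sys

# Constructed values as they would appear in the two Run keys named above
SAMPLE_RUN_VALUES = [
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Windows Update",
     'rundll32.exe "%PROGRAMDATA%\\Winlogon\\winlogon.lnk",DllGetClassObject host'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     '"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Windows Update",
     'rundll32.exe "%PROGRAMDATA%\\winlogon.lnk",DllGetClassObject host'),
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth",
     "C:\\Windows\\system32\\SecurityHealthSystray.exe"),
]

# rundll32[.exe] "<path>.lnk",<export>   (quotes optional, case-insensitive)
RUNDLL_LNK = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.lnk)"?\s*,\s*(\w+)', re.IGNORECASE)


def classify(command: str) -> dict:
    """Indicators found in one autostart command line (empty dict if none)."""
    m = RUNDLL_LNK.search(command)
    if not m:
        return {}
    path, export = m.group(1), m.group(2)
    upper = path.upper()
    return {
        "lnk_as_dll": True,            # a .lnk is never a legitimate DLL
        "export": export,
        "programdata": "%PROGRAMDATA%" in upper or "\\PROGRAMDATA\\" in upper,
    }


def is_rtm_persistence(command: str) -> bool:
    """True only for the full combination described in 4.1.2."""
    h = classify(command)
    return bool(h) and h["export"].lower() == "dllgetclassobject" and h["programdata"]


def scan(values) -> list:
    """values: iterable of (key, name, data); returns the suspicious tuples."""
    return [(k, n, d) for k, n, d in values if is_rtm_persistence(d)]


def live_run_keys() -> list:
    """On Windows, read the two Run keys the trojan writes to."""
    import winreg  # Windows-only module, imported lazily
    out = []
    for root, sub in ((winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
                      (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run")):
        try:
            key = winreg.OpenKey(root, sub)
        except OSError:
            continue
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:
                break
            out.append((sub, name, str(data)))
            index += 1
    return out


if __name__ == "__main__":
    values = live_run_keys() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    for key, name, data in scan(values):
        print(f"SUSPICIOUS {key}\\{name}: {data}")
```

The "Task To Run" lines from `schtasks /query /fo list /v` can be passed to classify() in the same way to cover the scheduled task the text mentions; on a non-Windows analysis host the script runs against the constructed values.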
4.2. Modified RC4 algorithm
Despite its known weaknesses, the RC4 algorithm is regularly used by malware authors. The RTM authors, however, modified it slightly, probably to make the work of antivirus analysts harder. The modified version of RC4 is used widely throughout the malicious RTM tools to encrypt strings, network data, configuration and modules.
4.2.1. Differences
The original RC4 algorithm has two stages: S-box initialisation (also called the KSA, key-scheduling algorithm) and pseudo-random sequence generation (PRGA, pseudo-random generation algorithm). The first stage initialises the S-box from the key; in the second stage the source text is processed with the S-box for encryption.
The RTM authors added an intermediate step between S-box initialisation and encryption. The additional key is variable and is set at the same time as the data to be encrypted or decrypted. The function that performs this additional step is shown in the following figure.
4.2.2. String encryption
At first glance, the main DLL contains several readable strings. The rest are encrypted with the algorithm described above; their structure is shown in the next figure. In the analysed samples we found more than 25 different RC4 keys used for string encryption. The XOR key differs for each line. The value of the numeric field separating the lines is always 0xFFFFFFFF.
At the start of execution, RTM decrypts the strings into a global variable. When it needs to access a string, the trojan dynamically computes the address of the decrypted string from a base address and an offset.
The strings contain interesting information about the malware's functionality. Examples of some of the strings are given in section 6.8.
4.3. Network
The way RTM malware connects to its C&C server varies from version to version. The first versions (from 2015 to 2016) used conventional domain names together with an RSS feed on livejournal.com to update the list of commands.
Since May 2016 we have seen in telemetry data a shift to .bit domains. This is confirmed by the domain registration dates: the first RTM domain, fde0573d13da.bit, was registered in 2016.
All URLs seen during the monitoring of the campaign had a common path, /r/z.php. This is quite unusual and helps to identify RTM requests in network flows.
4.3.1. Command-and-control channel
Earlier samples used this channel to update the list of command-and-control servers. The hosting was on livejournal.com; at the time of writing the report, the URL hxxp://f72bba81c921(.)livejournal(.)com/data/rss was still active.
LiveJournal is a Russian-American company providing a blogging platform. RTM operators create an LJ blog on which they post an entry containing encoded commands (see screenshot).
The command-and-control lines are encoded with the modified RC4 algorithm (section 4.2). The current version of the channel (2016) contains the following command-and-control server addresses:
- hxxp://cainmoon(.)net/r/z.php
- hxxp://rtm(.)dev/0-3/z.php
- hxxp://vpntap(.)top/r/z.php
4.3.2. .bit domains
In the latest RTM samples, the authors connect to C&C domains under the .bit top-level domain. It is not on the list of top-level domains of ICANN (the Internet Corporation for Assigned Names and Numbers). Instead it uses the Namecoin system, which is built on Bitcoin technology. Malware authors rarely use the .bit TLD for their domains, but such use has been observed before in some versions of the Necurs botnet.
Unlike Bitcoin, users of the distributed Namecoin database can store data in it. The main application of this feature is the .bit top-level domain: domains can be registered and stored in the distributed database. The corresponding database entries contain the IP addresses the domain resolves to. Only the registrant can change the resolution of a .bit domain, so this TLD is censorship-resistant. This means it is much harder to block a malicious domain that uses this type of TLD.
The RTM trojan does not embed the software needed to read the distributed Namecoin database. It uses central DNS servers such as dns.dot-bit.org or OpenNIC servers to resolve .bit domains, and therefore has the same resilience as those DNS servers. We observed that some of the group's domains were no longer resolvable after being mentioned in a blog post.
Another advantage of the .bit TLD for the hackers is cost. To register a domain, an operator needs to pay only 0.01 NMC (the Namecoin currency), which corresponded to US$0.00185 (as of October 2016). For comparison, a domain at domain.com costs at least several dollars.
4.3.3. Protocol
To communicate with the command-and-control server, RTM uses HTTP POST requests carrying data formatted in a custom protocol. The path value is always /r/z.php; the user agent is Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0). In requests to the server, the data is formatted as follows (offset values are in bytes):
Bytes 0 to 6 are not encoded. The bytes from 6 onwards are encoded with the modified RC4 algorithm. The structure of the C&C response packet is simpler: the bytes from 4 up to the packet size are encoded.
The list of possible action byte values is given in the table below.
The malware always computes the CRC32 of the decrypted data and compares it with the one present in the packet. If they differ, the trojan drops the packet.
The additional data may contain various objects, including PE files, files to search for on the file system, or new command URLs.
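The request body is encrypted and the RC4 variant is not public, so the practical network detection uses the fixed parts of the exchange. The Python below is an added example (not from the report) that flags RTM command-and-control traffic in proxy and DNS logs using only the indicators from section 4.3: the fixed POST path /r/z.php, the fixed user agent, the .bit TLD, the public .bit resolver and the livejournal.com RSS channel. The log lines are constructed, and the tab-separated field layout (timestamp, client, method, URL, user agent for the proxy; timestamp, client, queried name, resolver for DNS) is this example's own assumption.

```python
"""Added example (not from the report): flag RTM C&C traffic in proxy and DNS
logs using only the indicators from 4.3. Log lines are constructed; the
tab-separated field layout is an assumption of this example."""
from urllib.parse import urlparse

RTM_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
RTM_PATH = "/r/z.php"
BIT_RESOLVERS = {"dns.dot-bit.org"}      # OpenNIC addresses vary; add your own list

# Constructed proxy log: ts, client, method, url, user agent
PROXY_LOG = """\
1478000000\t10.0.0.12\tPOST\thttp://cainmoon.net/r/z.php\t{ua}
1478000001\t10.0.0.12\tGET\thttp://f72bba81c921.livejournal.com/data/rss\t{ua}
1478000002\t10.0.0.7\tPOST\thttp://intranet.example/r/z.php\tMozilla/5.0 (Windows NT 10.0; rv:45.0) Gecko/20100101 Firefox/45.0
1478000003\t10.0.0.12\tPOST\thttp://fde0573d13da.bit/r/z.php\t{ua}
1478000004\t10.0.0.9\tGET\thttp://www.example.com/\t{ua}
""".format(ua=RTM_UA)

# Constructed DNS log: ts, client, queried name, resolver the query went to
DNS_LOG = """\
1478000003\t10.0.0.12\tfde0573d13da.bit\tdns.dot-bit.org
1478000005\t10.0.0.9\twww.example.com\t10.0.0.1
"""


def check_proxy_line(line: str):
    """Return (client, reasons); an empty reasons list means nothing matched."""
    _ts, client, method, url, ua = line.rstrip("\n").split("\t", 4)
    u = urlparse(url)
    host = (u.hostname or "").lower()
    reasons = []
    if method == "POST" and u.path == RTM_PATH:
        reasons.append("POST to /r/z.php")           # rare path, strong on its own
    if host.endswith(".bit"):
        reasons.append(".bit C&C domain")
    if host.endswith("livejournal.com") and u.path == "/data/rss":
        reasons.append("livejournal RSS command channel")
    # The IE9 user agent is common in legitimate traffic, so it only corroborates
    if reasons and ua == RTM_UA:
        reasons.append("RTM user agent")
    return client, reasons


def check_dns_line(line: str):
    """.bit names never resolve through a normal corporate resolver, so a query
    for one, or any query sent to a public .bit resolver, is worth a look."""
    _ts, client, qname, resolver = line.rstrip("\n").split("\t", 3)
    reasons = []
    if qname.lower().endswith(".bit"):
        reasons.append("query for .bit name " + qname)
    if resolver.lower() in BIT_RESOLVERS:
        reasons.append("query sent to public .bit resolver " + resolver)
    return client, reasons


def scan_logs(proxy_log: str, dns_log: str) -> dict:
    """Map each flagged client address to the list of reasons."""
    alerts = {}
    for line in proxy_log.splitlines():
        client, reasons = check_proxy_line(line)
        if reasons:
            alerts.setdefault(client, []).extend(reasons)
    for line in dns_log.splitlines():
        client, reasons = check_dns_line(line)
        if reasons:
            alerts.setdefault(client, []).extend(reasons)
    return alerts


if __name__ == "__main__":
    for client, reasons in scan_logs(PROXY_LOG, DNS_LOG).items():
        print(client, "->", "; ".join(reasons))
```

The path and the .bit host are treated as sufficient on their own, while the user agent is only recorded when another indicator already matched: the IE9 string is shared with plenty of legitimate traffic and would otherwise flood the output.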
4.3.4. Bots
We noticed that RTM uses a bot on the C&C server. Screenshot below:
4.4. Characteristic features
RTM is a typical banking trojan. Naturally, the operators need information about the victim's system. On the one hand, the bot collects general information about the OS. On the other hand, it checks whether the compromised system has attributes related to Russian remote banking systems.
4.4.1. General information
When the malware is installed or started after a reboot, a report is sent to the command-and-control server containing general information such as:
- time zone;
- default system language;
- privileges of the authorised user;
- process integrity level;
- user name;
- computer name;
- OS version;
- additional installed modules;
- installed antivirus programs;
- list of smart card readers.
4.4.2. Remote banking systems
A typical trojan's targets are remote banking systems, and RTM is no exception. One of the program's modules, called TBdo, performs various tasks, including scanning disks and browsing history.
By scanning the disks, the trojan checks whether banking software is installed on the machine. The full list of target programs is given in the table below. When a target file is detected, the program sends the information to the command server. The next actions depend on the logic set by the command-and-control (C&C) server's algorithms.
RTM also searches the browser history for specific URL patterns. To do this, the program uses the FindFirstUrlCacheEntryA and FindNextUrlCacheEntryA functions, checking each entry to see whether the URL matches one of the following patterns:
Having detected open tabs, the trojan accesses Internet Explorer or Firefox through the Dynamic Data Exchange (DDE) mechanism to check whether the tab matches a pattern.
The browsing-history and open-tab checks are performed in a WHILE loop (a loop with a precondition) with a 1-second pause between checks. Other data monitored in real time is described in section 4.5.
When a pattern is found, the program reports this to the command server using a string from the list in the following table.
4.5. Monitoring
While the trojan is running, information about characteristic features of the infected system (including the presence of banking software) is sent to the command-and-control server. Fingerprinting happens when RTM first runs the monitoring system, immediately after the initial OS scan.
4.5.1. Remote banking
The TBdo module is also responsible for monitoring banking-related processes. It uses Dynamic Data Exchange to check tabs in Firefox and Internet Explorer during the initial scan. Another module, TShell, is used to monitor command windows (Internet Explorer or File Explorer).
The module uses the COM interfaces IShellWindows, IWebBrowser, DWebBrowserEvents2 and IConnectionPointContainer to monitor windows. When the user navigates to a new web page, the malware notices it and compares the page URL against the patterns above. If a match is detected, the trojan takes a series of consecutive screenshots at 5-second intervals and sends them to the C&C command server. The program also checks for several window names related to banking software; the full list is given below.
4.5.2. Smart cards
RTM can monitor smart card readers connected to the infected computer. These devices are used in some countries to reconcile payment orders. If such a device is connected to a computer, that may indicate to the trojan that the computer is used for banking transactions.
Unlike other banking trojans, RTM cannot interact with such smart cards. Perhaps this functionality is included in an additional module we have not seen yet.
4.5.3. Keylogger
An important part of monitoring an infected PC is capturing keystrokes. RTM developers seem not to miss any information, since they monitor not only normal keys but also the virtual keyboard and the clipboard.
This is done using the SetWindowsHookExA function. The attackers log the pressed keys, or the keys corresponding to the virtual keyboard, together with the program name and the date. The buffer is then sent to the C&C command server.
The SetClipboardViewer function is used to intercept the clipboard. The hackers log the clipboard contents when the data is text. The name and the date are logged before the buffer is sent to the server.
4.5.4. Screenshots
Another RTM feature is screenshot capture. It is applied when the window-monitoring module detects a site or banking software of interest. The screenshots are taken using a graphics image library and transferred to the command server.
4.6. Uninstallation
The C&C server can stop the malware's execution and clean the computer. The command clears files and registry entries created while RTM was running. A DLL is then used to remove the malware and the winlogon file, after which a command shuts down the computer. As shown in the figure below, the developers named this DLL erase.dll.
The server can also send the trojan a destructive uninstall-lock command. In this case, if it has administrator privileges, RTM deletes the MBR boot sector on the hard drive. If this fails, the trojan tries to move the MBR boot sector to a random sector; either way, the computer cannot boot the OS after shutdown. This can lead to a complete reinstallation of the OS, which means destruction of evidence.
Without administrator privileges, the malware writes out an .EXE encoded in the underlying RTM DLL. The executable runs the code needed to shut down the computer and registers the module in the HKCU CurrentVersion\Run registry key. Every time the user starts a session, the computer shuts down immediately.
4.7. Configuration file
By default, RTM has almost no configuration file, but the command-and-control server can send configuration values that are stored in the registry and used by the program. The list of configuration keys is given in the table below.
The configuration is stored in the registry key Software\[pseudo-random string]. Each value corresponds to one of the rows in the previous table. Values and data are encoded with RTM's RC4 algorithm.
The data has the same structure as the network data and the strings: a 4-byte XOR key is prepended to the encoded data. For configuration values the XOR key is different and depends on the size of the value. It can be computed as follows:
xor_key = (len(config_value) << 24) | (len(config_value) << 16) | len(config_value) | (len(config_value) << 8)
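To make the two RC4 stages named in section 4.2.1 and the configuration-value layout above concrete, the following Python is an added example, not code from the report or from the RTM authors. It implements textbook RC4 split into KSA and PRGA with a slot for an intermediate S-box step, and wraps a configuration value as [4-byte XOR key derived from the length][RC4-encoded data]. The intermediate step shown is a placeholder chosen for illustration (RTM's real step is only in the report's figure), the little-endian encoding of the prepended key is an assumption, and because the text does not say how that key is applied, the decoder uses it only as a framing check.

```python
"""Added example, not the trojan's code: textbook RC4 split into the two stages
named in 4.2.1 (KSA, then PRGA) with a slot for an intermediate S-box step, and
the configuration-value layout from 4.7. The intermediate step is a placeholder
chosen for illustration; the little-endian XOR-key encoding and its use as a
framing check are assumptions of this example."""
import struct


def rc4_ksa(key: bytes) -> list:
    """Stage 1, key-scheduling algorithm: derive the 256-byte S-box from the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S: list, data: bytes) -> bytes:
    """Stage 2, pseudo-random generation: XOR the keystream over data.
    Encryption and decryption are the same operation."""
    S = S[:]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def intermediate_step(S: list, extra_key: bytes) -> list:
    """Placeholder for the variable-key step RTM inserts between KSA and PRGA:
    here, one more key-driven permutation of the S-box. Any such step makes a
    stock RC4 decryptor produce garbage, which is why analysts must recover the
    real function before decrypting strings, traffic or configuration."""
    S = S[:]
    j = 0
    for i in range(256):
        j = (j + S[i] + extra_key[i % len(extra_key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4(key: bytes, data: bytes) -> bytes:
    """Unmodified RC4 (standard test vectors apply)."""
    return rc4_prga(rc4_ksa(key), data)


def modified_rc4(key: bytes, extra_key: bytes, data: bytes) -> bytes:
    """RC4 with the extra S-box step; still symmetric."""
    return rc4_prga(intermediate_step(rc4_ksa(key), extra_key), data)


def config_xor_key(value: bytes) -> int:
    """The formula given in 4.7: for values shorter than 256 bytes this is the
    length byte repeated in all four byte positions of a 32-bit word."""
    n = len(value)
    return ((n << 24) | (n << 16) | n | (n << 8)) & 0xFFFFFFFF


def encode_config_value(key: bytes, extra_key: bytes, value: bytes) -> bytes:
    """[4-byte XOR key, little-endian (assumption)][RC4-encoded value]."""
    return struct.pack("<I", config_xor_key(value)) + modified_rc4(key, extra_key, value)


def decode_config_value(key: bytes, extra_key: bytes, blob: bytes) -> bytes:
    """Reverse of encode_config_value. The key check only validates framing
    (truncated or mis-split data); a wrong RC4 key or variant still yields
    garbage of the right length, so this is not an integrity check."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    xor_key = struct.unpack("<I", blob[:4])[0]
    value = modified_rc4(key, extra_key, blob[4:])
    if config_xor_key(value) != xor_key:
        raise ValueError("XOR key does not match decoded length")
    return value


if __name__ == "__main__":
    k, ek = b"network-key", b"per-message-key"       # constructed keys
    blob = encode_config_value(k, ek, b"bit3")        # a botnet-prefix value from 3.1
    print(blob.hex())
    print(decode_config_value(k, ek, blob))
```

Running rc4() against the public RC4 test vectors confirms the two stages are correct; swapping in a different intermediate_step() is the only change needed once the real function has been lifted from the sample.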
4.8. Other features
Let us now look at the other features RTM supports.
4.8.1. Additional modules
The trojan includes additional modules, which are DLL files. A module sent from the C&C command server can be run as an external program, reflectively loaded into RAM, or started in a new thread. For storage, modules are saved to .dtt files and encoded with the RC4 algorithm using the same key as for network communication.
So far we have observed the installation of the VNC module (8966319882494077C21F66A8354E2CBCA0370464), the browser data extraction module (03DE8622BE6B2F75A364A275995C3411626C4D9F) and the 1c_2_kl module (B1EE562E1F69EFC6FBA58B88753BE7D0B3E4CFAB).
To load the VNC module, the C&C server issues a command requesting a connection to a VNC server at a specific IP address on port 44443. The browser data extraction plugin runs TBrowserDataCollector, which can read the IE browsing history. It then sends the full list of visited URLs to the C&C command server.
The last module detected is called 1c_2_kl. It can interact with the 1C: Enterprise software package. The module consists of two parts: the main part, a DLL, and two agents (32-bit and 64-bit) that are injected into each process and register a WH_CBT hook. Once injected into the 1C process, the module hooks the CreateFile and WriteFile functions. Every time the hooked CreateFile is called, the module stores the file path 1c_to_kl.txt in memory. After intercepting the WriteFile call, it calls WriteFile and passes the file path 1c_to_kl.txt to the main DLL module via a crafted Windows WM_COPYDATA message.
The main DLL module opens and parses the file to determine the payment orders. It recognises the amounts and the transaction numbers contained in the file. This information is sent to the command server. The module contains debug messages and cannot yet automatically modify 1c_to_kl.txt, so it is believed to be under development.
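The file the module intercepts is the 1C-to-bank exchange file, so the defensive counterpart to the parsing described above is to read the same file before it reaches the bank client and check its payees. The Python below is an added example, not the trojan's parser or code from the report: it extracts the payment orders (number and amount, the fields the text says the module reports, plus the payee account) and flags orders whose payee account is not on an allow-list, which is what catches a file rewritten between 1C and the bank client. Field names follow the 1CClientBankExchange text format; the sample file and the allow-list are constructed.

```python
"""Added example, not the trojan's own parser: read the 1C-to-bank exchange file
(1c_to_kl.txt) that the 1c_2_kl module intercepts, extract the payment orders
and check payee accounts against an allow-list. Field names follow the
1CClientBankExchange text format; the sample file and allow-list are constructed."""
from collections import namedtuple

Payment = namedtuple("Payment", "number amount payee_account payee")

# Constructed sample in the 1CClientBankExchange layout (real files are usually
# Windows-1251 encoded; read them with open(path, encoding="cp1251")).
SAMPLE_1C_TO_KL = """\
1CClientBankExchange
ВерсияФормата=1.02
Кодировка=Windows
Отправитель=Бухгалтерия предприятия
ДатаНачала=01.11.2016
ДатаКонца=01.11.2016
РасчСчет=40702810900000012345
СекцияДокумент=Платежное поручение
Номер=118
Дата=01.11.2016
Сумма=250000.00
ПлательщикСчет=40702810900000012345
Плательщик=ООО Пример
ПолучательСчет=40702810100000098765
Получатель=ООО Поставщик
Наз��ачениеПлатежа=Оплата по договору 42
КонецДокумента
СекцияДокумент=Платежное поручение
Номер=119
Дата=01.11.2016
Сумма=99000.00
ПлательщикСчет=40702810900000012345
Плательщик=ООО Пример
ПолучательСчет=40817810500000077777
Получатель=Иванов И.И.
НазначениеПлатежа=Возврат
КонецДокумента
КонецФайла
"""

# Accounts this company has paid before (constructed allow-list)
KNOWN_PAYEE_ACCOUNTS = {"40702810100000098765"}


def parse_1c_exchange(text: str) -> list:
    """Return one dict per СекцияДокумент ... КонецДокумента block."""
    docs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("СекцияДокумент="):
            current = {"Тип": line.split("=", 1)[1]}
        elif line == "КонецДокумента":
            if current is not None:
                docs.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key] = value
    return docs


def payments(text: str) -> list:
    """The fields the module reports to its C&C (number, amount) plus the payee."""
    return [Payment(d["Номер"], float(d["Сумма"]), d["ПолучательСчет"], d.get("Получатель", ""))
            for d in parse_1c_exchange(text) if d.get("Тип") == "Платежное поручение"]


def unknown_payees(text: str, known: set) -> list:
    """Payment numbers whose payee account is not on the allow-list: the check
    that catches a file rewritten between 1C and the bank client."""
    return [p.number for p in payments(text) if p.payee_account not in known]


if __name__ == "__main__":
    for p in payments(SAMPLE_1C_TO_KL):
        print(p)
    print("review before sending:", unknown_payees(SAMPLE_1C_TO_KL, KNOWN_PAYEE_ACCOUNTS))
```

A hash of the file taken at the moment 1C writes it, compared again when the bank client reads it, closes the same window from the other side; the allow-list check above is the one that still works when the attacker controls the machine that computes the hash.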
4.8.2. Privilege escalation
RTM sometimes tries to escalate privileges by displaying a fake error message. The malware simulates a registry check (see figure below), using the real registry editor icon. Note the misspelling (wait / what). After a few seconds of "scanning", the program displays a fake error message.
Despite the obvious grammatical error, the fake message easily deceives the average user. If the user clicks one of the links, RTM tries to escalate its privileges on the system.
If one of the retry options is chosen, the trojan launches the DLL with administrator privileges using the runas option of the ShellExecute function. The user sees a real Windows prompt (see figure below) requesting elevation. If the user grants the required privileges, the trojan runs with administrator rights.
Depending on the default language installed on the system, the trojan displays the error message in Russian or English.
4.8.3. Certificates
RTM can add a certificate to the Windows store and confirm the addition automatically by clicking the "Yes" button in the csrss.exe dialog box. This behaviour is not new; for example, the banking trojan Retefe also confirms the installation of a new certificate on its own.
4.8.4. Backconnect
The RTM authors created a Backconnect TCP tunnel. The feature is not yet in use, but it is designed to monitor infected PCs remotely.
4.8.5. Hosts file management
The C&C server can send the trojan a command that modifies the Windows hosts file. The hosts file is used to create custom DNS resolutions.
4.8.6. Find and send a file
The server can request a search for, and upload of, a file on the infected system. For example, during the investigation we received a request for the file 1c_to_kl.txt. As described earlier, this file is generated by the 1C: Enterprise 8 accounting system.
4.8.7. Update
Finally, the RTM authors can update the software by sending a new DLL to replace the current version.
5. Conclusion
The RTM investigation shows that Russian banking systems still attract cyber criminals. Groups such as Buhtrap, Corkow and Carbanak have succeeded in stealing money from Russian financial institutions and their customers. RTM is a new player in this field.
According to ESET telemetry, the malicious RTM tools have been in use since at least late 2015. The program has a full range of spying capabilities, including reading smart cards, intercepting keystrokes, monitoring banking transactions and searching for 1C: Enterprise 8 transport files.
The use of the decentralised, uncensored .bit top-level domain ensures a highly resilient infrastructure.
Source: habr.com