Since the end of last year, we have been tracking a new malicious campaign that distributes a banking trojan. The attackers focus on compromising Russian companies, that is, corporate users. The campaign has been active for at least XNUMX year(s), and besides the banking trojan the attackers use various other software tools. These include a special loader packaged using the following.
The attackers installed the malware only on computers whose Windows uses Russian (localization) by default. The main distribution vector of this trojan was a Word document containing an exploit.
Figure 1. Phishing document.
Figure 2. Another variant of the phishing document.
The following facts indicate that the attackers are targeting Russian companies:
- distribution of the malware using fake documents on the relevant topics;
- the attackers' tactics and the malicious tools they use;
- references to business applications in some of the executable modules;
- the names of the malicious domains used in this campaign.
Once the attackers have installed their special software tools on a compromised system, they can control it remotely and monitor user activity. To do so, they install a backdoor and try to obtain Windows account passwords or create new accounts. The attackers also use a keylogger, a Windows clipboard stealer, and special software for working with smart cards. The group attempted to compromise other computers on the same local network as the victim's computer.
ESET LiveGrid telemetry, which lets us quickly track malware distribution statistics, produced interesting geographic statistics on the distribution of the malware used in this campaign.
Figure 3. Statistics on the geographic distribution of the malware used in this campaign.
Malware installation
When a user opens the malicious document containing the exploit on a vulnerable system, a special downloader packaged with NSIS is downloaded and executed. At start-up the program checks whether a debugger is present in the Windows environment and whether it is running inside a virtual machine. It also checks the Windows localization and whether the user has visited, in the browser, any of the URLs listed in the table below. For this it uses the FindFirst/NextUrlCacheEntry API and the Software\Microsoft\Internet Explorer\TypedURLs registry key.
The bot loader also checks whether the following applications are present on the system:
The list of processes is impressive and, as you can see, it is not limited to banking applications. For example, the executable named "scardsvr.exe" refers to software for working with smart cards (Microsoft SmartCard reader). The banking trojan itself contains functionality for working with smart cards.
Figure 4. General diagram of the malware installation process.
If all checks pass, the loader downloads a special file (an archive) from the remote server; this file contains all of the malicious executable modules the attackers use. Interestingly, depending on the outcome of the checks above, the archive downloaded from the remote C&C server may differ: it may or may not be malicious, and a non-malicious one installs the Windows Live Toolbar for the user. The attackers most likely use this trick to fool automated file analysis systems and the virtual machines in which suspicious files are executed.
The file downloaded by the NSIS downloader is a 7z archive containing the various malware modules. The image below shows the whole installation process of this malware and its various modules.
Figure 5. General scheme of how the malware operates.
The loaded modules serve different purposes for the attackers, but they are packaged identically and many of them are signed with valid digital certificates. We found XNUMX such certificates that the attackers had been using since the start of the campaign. At our request these certificates were revoked. Interestingly, all of the certificates were issued to companies registered in Moscow.
Figure 6. Digital certificate used to sign the malware.
The following table lists the digital certificates the attackers used in this campaign.
The installation procedure is the same for almost all of the malicious modules the attackers use: each is a password-protected self-extracting 7zip archive.
Figure 7. Fragment of the install.cmd batch file.
The .cmd batch file installs the malware on the system and launches the various attacker tools. If execution requires administrator privileges that are not available, the malicious code uses several methods to obtain them (bypassing UAC). The first method uses XNUMX executables named l1.exe and cc1.exe. These files
While tracking this campaign we analysed several archives served by the downloader. Their contents varied, which means the attackers may adapt the malicious modules to different purposes.
Compromising the user
As mentioned above, the attackers use special tools to compromise the user's computer. These tools include programs with the executable names mimi.exe and xtm.exe. They help the attackers take control of the victim's computer and handle tasks such as obtaining/recovering Windows account passwords, enabling the RDP service, and creating new accounts in the OS.
The mimi.exe executable contains a modified version of a well-known open-source tool
The other executable, xtm.exe, enables the RDP service on the system, tries to create a new account in the OS, and launches a special script. It also changes system settings so that several users can connect to the compromised computer over RDP at the same time. Clearly, these steps are needed to gain full control of the compromised system.
Figure 8. Commands executed by xtm.exe on the system.
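The sequence attributed to xtm.exe above (enable RDP, create an account, open the way for RDP logons) is a detectable burst on the endpoint. The detection logic below is an added example, not the report's or the malware's code: it runs over constructed process-creation log lines (host names, account name and commands are illustrative; the tool's actual commands from Figure 8 are not reproduced on the page) and flags a host where several of these steps occur within a few minutes.

```python
"""Flag the RDP-enable plus account-creation burst on one host (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation log, one "timestamp|host|parent|command line" per line.
# The commands illustrate the behaviour the text attributes to xtm.exe; they are not
# the tool's own commands (Figure 8 is not reproduced on the page).
SAMPLE_LOG = """\
2015-03-02T10:14:01|WS-ACCT-07|install.cmd|xtm.exe
2015-03-02T10:14:02|WS-ACCT-07|xtm.exe|reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2015-03-02T10:14:03|WS-ACCT-07|xtm.exe|net user svc_backup Pa55word /add
2015-03-02T10:14:03|WS-ACCT-07|xtm.exe|net localgroup "Remote Desktop Users" svc_backup /add
2015-03-02T10:14:04|WS-ACCT-07|xtm.exe|netsh advfirewall firewall set rule group="remote desktop" new enable=yes
2015-03-02T11:00:00|WS-HR-02|explorer.exe|net user
"""

# Each rule matches one step from the text; any single step alone is routine admin work.
RULES = {
    "rdp_enabled": re.compile(r"fDenyTSConnections.*\s/d\s+0\b", re.I),
    "account_created": re.compile(r"\bnet1?\s+user\s+\S+\s+\S+.*\s/add\b", re.I),
    "rdp_group_member_added": re.compile(r"Remote Desktop Users.*\s/add\b", re.I),
    "rdp_firewall_opened": re.compile(r"advfirewall.*remote desktop.*enable=yes", re.I),
}


def detect(log_text: str, window: timedelta = timedelta(minutes=5), min_rules: int = 2) -> list:
    """Return one alert per host on which >= min_rules distinct steps occur within `window`."""
    hits = defaultdict(list)  # host -> [(timestamp, rule name, parent process)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, cmd = line.split("|", 3)
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits[host].append((datetime.fromisoformat(ts), name, parent))
    alerts = []
    for host, events in hits.items():
        events.sort()
        for start, _rule, _parent in events:
            burst = [e for e in events if start <= e[0] <= start + window]
            rules = sorted({e[1] for e in burst})
            if len(rules) >= min_rules:
                alerts.append({"host": host, "first_seen": start.isoformat(),
                               "rules": rules, "parents": sorted({e[2] for e in burst})})
                break  # one alert per host is enough for triage
    return alerts
```

The parent process in the alert is the pivot for triage: a burst whose parent is an unknown binary dropped by a batch file is far more suspicious than the same commands run interactively by an administrator.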
The attackers use another executable, called impack.exe, to install special software on the system. This software is called LiteManager and is used by the attackers as a backdoor.
Figure 9. LiteManager interface.
Once LiteManager is installed on the user's system, the attackers can connect to that system directly and control it remotely. The software has special command-line parameters for hidden installation, creating special firewall rules, and launching its module. All of these parameters are used by the attackers.
The last module in the malware package the attackers use is a banking malware program (banker) with the executable name pn_pack.exe. It specialises in spying on the user and is responsible for communicating with the C&C server. The banker is launched using the legitimate Yandex Punto software: the attackers use Punto to load a malicious DLL library (DLL sideloading). The malware itself can perform the following functions:
- track keyboard keystrokes and clipboard contents and then send them to the remote server;
- list all smart cards present in the system;
- communicate with the remote C&C server.
The malware module that performs all these tasks is an encrypted DLL library; it is decrypted and loaded into memory while Punto is running. To perform the tasks above, the DLL's executable code starts XNUMX threads.
That the attackers chose the Punto software for their purposes is not surprising: some Russian forums openly provide detailed information on topics such as exploiting flaws in legitimate software to compromise users.
The malicious library encrypts strings with the RC4 algorithm during network communication with the C&C server. It connects to the server every XNUMX minutes and sends it all of the data collected on the compromised system during that interval.
Figure 10. Fragment of the network dialogue between the bot and the server.
Below are some of the C&C server commands the library can receive.
In response to a command received from the C&C server, the malware replies with a status code. Interestingly, all of the banker modules we analysed (including the latest, whose compile date is 18/XNUMX) contain the string "TEST_BOTNET", which is sent to the C&C server in every message.
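Because the C&C strings are RC4-encrypted and every message carries the "TEST_BOTNET" marker, captured bot traffic can be triaged quickly once the key is recovered from the DLL. The helper below is an added example, not the malware's or ESET's code; DEMO_KEY and the two captured messages are constructed placeholders, since the page does not give the campaign's key or a raw capture.

```python
"""RC4 helper for decoding captured bot/C&C strings (added example)."""

BOT_MARKER = b"TEST_BOTNET"  # marker the text reports in every bot message


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    # Key-scheduling algorithm: permute the 256-byte state with the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation: XOR each data byte with the next keystream byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_capture(key: bytes, blobs: list) -> list:
    """Decrypt each captured blob and report whether it carries the bot marker."""
    results = []
    for blob in blobs:
        plain = rc4(key, blob)
        results.append({"plaintext": plain, "has_marker": BOT_MARKER in plain})
    return results


# Constructed demo: placeholder key and two messages, encrypted here so the block runs offline.
DEMO_KEY = b"placeholder-key"  # assumption; the real campaign key is not on the page
DEMO_CAPTURE = [
    rc4(DEMO_KEY, b"id=0001|TEST_BOTNET|cards=2|status=0"),
    rc4(DEMO_KEY, b"id=0002|status=1"),
]

if __name__ == "__main__":
    for record in decode_capture(DEMO_KEY, DEMO_CAPTURE):
        print(record)
```

A plaintext marker like this is also a cheap network-detection hook: once traffic to a suspected C&C host is decrypted with the recovered key, the marker separates bot beacons from unrelated RC4-protected traffic.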
Conclusion
To compromise corporate users, in the first stage the attackers compromise XNUMX employee(s) of the company by sending a phishing message containing an exploit. Then, once the malware is installed on the system, they use software tools that help them greatly expand their privileges on the system and perform additional tasks such as compromising other computers on the corporate network and spying on the user and the banking transactions they perform.
Source: habr.com