Recently, a European electrical equipment manufacturer contacted Group-IB: one of the company's employees had received a suspicious email with a malicious attachment. Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, carried out a detailed analysis of the file, found the AgentTesla spyware in it, and explains what to expect from such malware and how dangerous it is.
With this post we are starting a series of articles on how to analyze such potentially dangerous files, and on May XNUMX we will hold a free interactive webinar on this topic, "Malware analysis: analysis of real cases"; we look forward to seeing those who are most interested. Details are under the cut.
Distribution mechanism
It is known that the malware reached the victim's machine via a phishing email. The recipient of the letter was apparently placed in BCC.
Analysis of the headers shows that the sender of the letter was spoofed. In fact, the letter came from vps56[.]oneworldhosting[.]com.
The email attachment contains the WinRar archive qoute_jpeg56a.r15 with the malicious executable QOUTE_JPEG56A.exe inside.
Malware ecosystem
Now let's see what the ecosystem of the malware under study looks like. The figure below shows its structure and the direction of interaction between the components.
Let's look at each component of the malware in more detail.
Loader
The original file QOUTE_JPEG56A.exe is a compiled AutoIt v3 script.
A similar obfuscation tool, the PELock AutoIT-Obfuscator, was used to obfuscate the original script, with the following characteristics:
Deobfuscation is performed in three stages:
- Deobfuscation; in this case, of the control flow
The first step is to restore the script's control flow. Control flow flattening is one of the most common ways to protect an application's binary code from analysis. Such obfuscating transformations sharply increase the complexity of extracting and recognizing algorithms and data structures.
- Recovering the strings
Two functions are used for string encryption:
- gdrizabegkvfca - performs Base64-like decoding
- xgacyukcyzxz - a simple byte-by-byte XOR of the first string with the length of the second
- Deobfuscating the binaries stored in the strings and running them
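The two string functions from the second stage, reimplemented here as an added example (my code, not the loader's or the article's) so that strings pulled from the deobfuscated script can be decoded; the page only says "Base64-like", so standard Base64 is assumed, and the sample strings are constructed:

```python
"""Added example (my code, not the article's or the loader's): the two string
functions described above, reimplemented so that strings pulled from the
deobfuscated AutoIt script can be decoded. The page only says "Base64-like",
so standard Base64 is assumed here; the sample strings are constructed."""
import base64


def gdrizabegkvfca(encoded: str) -> bytes:
    """First function: Base64-like decoding (standard Base64 assumed)."""
    # Restore any padding the obfuscator may have dropped before decoding.
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.b64decode(padded)


def xgacyukcyzxz(data: bytes, key_string: str) -> bytes:
    """Second function: byte-by-byte XOR of the first string with the LENGTH
    of the second string (the second string's bytes themselves are unused)."""
    key = len(key_string) & 0xFF   # a byte XOR can only use the low 8 bits
    return bytes(b ^ key for b in data)


def decode_string(encoded: str, key_string: str) -> str:
    """The pipeline as the script applies it: decode, then XOR."""
    return xgacyukcyzxz(gdrizabegkvfca(encoded), key_string).decode("latin-1")


def encode_string(plain: str, key_string: str) -> str:
    """Inverse of decode_string; handy for building test fixtures."""
    xored = xgacyukcyzxz(plain.encode("latin-1"), key_string)
    return base64.b64encode(xored).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a 10-character second argument gives XOR key 0x0A.
    key = "0123456789"
    blob = encode_string("RegAsm.exe", key)        # -> WG9tS3lnJG9ybw==
    print(blob, "->", decode_string(blob, key))
```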
The main payload is stored, split into parts, in the FONT directory of the file's resource section. The order of concatenation is as follows: TIEQHCXWFG, IME, SPDGUHIMPV, KQJMWQQAQTKTFXTUOSW, AOCHKRWWSKWO, JSHMSJPS, NHHWXJBMTTSPXVN, BFUTIFWWXVE, HWJHO, AVZOUMVFRDWFLWU.
A WinAPI decryption function is used to decrypt the extracted data; the key is a session key generated from the value fZgFiZlJDxvuWatFRgRXZqmNCIyQgMYc.
The decrypted executable is passed to the RunPE function, which performs process injection into RegAsm.exe using the embedded shellcode (also known as the RunPE shellcode). Its authorship belongs to a user of the Spanish-language forum indetectables[.]net under the nickname Wardow.
In one of this forum's threads, similar characteristics were noted during the analysis of an AutoIt sample.
The shellcode itself is quite simple and is notable only for the API-call hashing function borrowed from the Anunak/Carbanak hacker group.
We also know of cases where different versions of the Frenchy shellcode were used.
In addition to the functionality described, inactive functions were also identified:
- Blocking manual termination of its process in Task Manager
- Restarting the child process when it terminates
- UAC bypass
- Saving the payload to a file
- Displaying modal windows
- Waiting for the mouse cursor position to change
- AntiVM and AntiSandbox
- Self-destruction
- Downloading the payload from the network
We know that such functionality is characteristic of the CypherIT protector, which is what the loader in question is.
Main malware module
Next, we briefly describe the main module of the malware; it will be examined in more detail in the next article. In this case it is a .NET application.
During analysis it turned out that the ConfuserEX obfuscator was used.
IELibrary.dll
The library is stored as a resource of the main module and is a well-known Agent Tesla plugin that provides the ability to extract various information from the Internet Explorer and Edge browsers.
Agent Tesla is modular spyware distributed under a malware-as-a-service model in the guise of a legitimate keylogger product. Agent Tesla can extract user credentials from browsers, email clients and FTP clients and send them to a server for the attackers, record clipboard data, and capture the device screen. At the time of analysis, the developers' official website was unavailable.
The entry point is the GetSavedPasswords function of the InternetExplorer class.
In general, code execution is linear and contains no protection against analysis. Only the unimplemented GetSavedCookies function is noteworthy; apparently the plugin's functionality was meant to be extended, but this was never done.
Attaching the loader to the system
Let's look at how the loader attaches itself to the system. The sample under study does not establish persistence, but in similar incidents it does so according to the following scheme:
- A Visual Basic script is created in the folder C:\Users\Public.
Example script:
- The loader file, with its contents padded with null characters, is saved to the folder %Temp%\<custom folder name>\<file name>
- An autorun key for the script file is created in the registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<script name>
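A small triage check for the persistence scheme above, added here as an example (my code, not the article's): it flags Run values launching a .vbs from C:\Users\Public and null-padded files under %Temp%\<folder>\<file>; the %Temp% expansion and the "mostly null bytes" threshold are assumptions, and all inputs are constructed so the check runs offline.

```python
"""Added triage example (my code, not the Group-IB article's): checks constructed
Run-key values and dropped files against the persistence scheme described above
(a .vbs in C:\\Users\\Public, a null-padded loader copy under %Temp%\\<folder>\\<file>,
an HKCU Run value launching the script). Registry and file access are simulated."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "item reason")

# Windows paths compare case-insensitively; everything is lowered first.
PUBLIC_DIR = "c:\\users\\public"
TEMP_MARKER = "\\appdata\\local\\temp\\"   # assumed expansion of %Temp%
NULL_PAD_RATIO = 0.5                       # assumption: "mostly null bytes"

def script_in_public(command: str) -> bool:
    """True if a Run value launches a .vbs sitting directly in C:\\Users\\Public."""
    m = re.search(r'"?([a-z]:\\[^"]+?\.vbs)"?', command, re.IGNORECASE)
    if not m:
        return False
    path = m.group(1).lower()
    rest = path[len(PUBLIC_DIR) + 1:]
    return path.startswith(PUBLIC_DIR + "\\") and "\\" not in rest

def loader_in_temp_subdir(path: str) -> bool:
    """True for %Temp%\\<one folder>\\<file>, the drop location used by the loader."""
    p = path.lower()
    idx = p.find(TEMP_MARKER)
    if idx < 0:
        return False
    rest = p[idx + len(TEMP_MARKER):]
    return rest.count("\\") == 1 and not rest.endswith("\\")

def null_padded(data: bytes, ratio: float = NULL_PAD_RATIO) -> bool:
    """True if the trailing run of 0x00 bytes is at least `ratio` of the file."""
    if not data:
        return False
    trailing = len(data) - len(data.rstrip(b"\x00"))
    return trailing / len(data) >= ratio

def triage(run_values: dict, dropped_files: dict) -> list:
    """run_values: {value_name: command}; dropped_files: {path: content bytes}."""
    findings = []
    for name, cmd in run_values.items():
        if script_in_public(cmd):
            findings.append(Finding(name, "Run value starts a .vbs in C:\\Users\\Public"))
    for path, data in dropped_files.items():
        if loader_in_temp_subdir(path) and null_padded(data):
            findings.append(Finding(path, "null-padded file under %Temp%\\<folder>\\"))
    return findings
```

A real run would feed `triage` the values enumerated from the HKCU Run key and the contents of files found one level below %Temp%.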
Thus, based on the results of the first part of the analysis, we were able to identify the family names of all the components of the malware under study, analyze the infection pattern, and obtain objects for writing signatures. We will continue the analysis of this object in the next article and take a closer look at the Agent Tesla main module. Don't miss it!
By the way, on May XNUMX we invite all readers to a free interactive webinar on the topic "Malware analysis: analysis of real cases", where the author of this article, a CERT-GIB specialist, will demonstrate the first stage of malware analysis online, semi-automatically dissecting samples using the example of XNUMX real cases, and participants will be able to take part in the analysis. The webinar is suitable for specialists who already have experience analyzing malicious files. Registration is strictly from corporate email.
Register; we look forward to seeing you!
YARA
rule AgentTesla_clean{
meta:
author = "Group-IB"
file = "78566E3FC49C291CB117C3D955FA34B9A9F3EEFEFAE3DE3D0212432EB18D2EAD"
scoring = 5
family = "AgentTesla"
strings:
$string_format_AT = {74 00 79 00 70 00 65 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 68 00 77 00 69 00 64 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 74 00 69 00 6D 00 65 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 63 00 6E 00 61 00 6D 00 65 00 3D 00 7B 00 33 00 7D 00 0D 00 0A 00 6C 00 6F 00 67 00 64 00 61 00 74 00 61 00 3D 00 7B 00 34 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 3D 00 7B 00 35 00 7D 00 0D 00 0A 00 69 00 70 00 61 00 64 00 64 00 3D 00 7B 00 36 00 7D 00 0D 00 0A 00 77 00 65 00 62 00 63 00 61 00 6D 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 37 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 38 00 7D 00 0D 00 0A 00 5B 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 73 00 5D 00}
$web_panel_format_string = {63 00 6C 00 69 00 65 00 6E 00 74 00 5B 00 5D 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 6C 00 69 00 6E 00 6B 00 5B 00 5D 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 75 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 5B 00 5D 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 5B 00 5D 00 3D 00 7B 00 33 00 7D 00 00 15 55 00 52 00 4C 00 3A 00 20 00 20 00 20 00 20 00 20 00 20 00 00 15 55 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 3A 00 20 00 00 15 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 3A 00}
condition:
all of them
}
rule AgentTesla_obfuscated {
meta:
author = "Group-IB"
file = "41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9"
scoring = 5
family = "AgentTesla"
strings:
$first_names = {61 66 6B 00 61 66 6D 00 61 66 6F 00 61 66 76 00 61 66 79 00 61 66 78 00 61 66 77 00 61 67 6A 00 61 67 6B 00 61 67 6C 00 61 67 70 00 61 67 72 00 61 67 73 00 61 67 75 00}
$second_names = "IELibrary.resources"
condition:
all of them
}
rule AgentTesla_module_for_IE{
meta:
author = "Group-IB"
file = "D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE"
scoring = 5
family = "AgentTesla_module_for_IE"
strings:
$s0 = "ByteArrayToStructure"
$s1 = "CryptAcquireContext"
$s2 = "CryptCreateHash"
$s3 = "CryptDestroyHash"
$s4 = "CryptGetHashParam"
$s5 = "CryptHashData"
$s6 = "CryptReleaseContext"
$s7 = "DecryptIePassword"
$s8 = "DoesURLMatchWithHash"
$s9 = "GetSavedCookies"
$s10 = "GetSavedPasswords"
$s11 = "GetURLHashString"
condition:
all of them
}
rule RunPE_shellcode {
meta:
author = "Group-IB"
file = "37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918"
scoring = 5
family = "RunPE_shellcode"
strings:
$malcode = {
C7 [2-5] EE 38 83 0C // mov dword ptr [ebp-0A0h], 0C8338EEh
C7 [2-5] 57 64 E1 01 // mov dword ptr [ebp-9Ch], 1E16457h
C7 [2-5] 18 E4 CA 08 // mov dword ptr [ebp-98h], 8CAE418h
C7 [2-5] E3 CA D8 03 // mov dword ptr [ebp-94h], 3D8CAE3h
C7 [2-5] 99 B0 48 06 // mov dword ptr [ebp-90h], 648B099h
C7 [2-5] 93 BA 94 03 // mov dword ptr [ebp-8Ch], 394BA93h
C7 [2-5] E4 C7 B9 04 // mov dword ptr [ebp-88h], 4B9C7E4h
C7 [2-5] E4 87 B8 04 // mov dword ptr [ebp-84h], 4B887E4h
C7 [2-5] A9 2D D7 01 // mov dword ptr [ebp-80h], 1D72DA9h
C7 [2-5] 05 D1 3D 0B // mov dword ptr [ebp-7Ch], 0B3DD105h
C7 [2-5] 44 27 23 0F // mov dword ptr [ebp-78h], 0F232744h
C7 [2-5] E8 6F 18 0D // mov dword ptr [ebp-74h], 0D186FE8h
}
condition:
$malcode
}
rule AgentTesla_AutoIT_module{
meta:
author = "Group-IB"
file = "49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF"
scoring = 5
family = "AgentTesla"
strings:
$packedexeau = {55 ED F5 9F 92 03 04 44 7E 16 6D 1F 8C D7 38 E6 29 E4 C8 CF DA 2C C4 E1 F3 65 48 25 B8 93 9D 66 A4 AD 3C 39 50 00 B9 60 66 19 8D FC 20 0A A0 56 52 8B 9F 15 D7 62 30 0D 5C C3 24 FE F8 FC 39 08 DF 87 2A B2 1C E9 F7 06 A8 53 B2 69 C3 3C D4 5E D4 74 91 6E 9D 9A A0 96 FD DB 1F 5E 09 D7 0F 25 FB 46 4E 74 15 BB AB DB 17 EE E7 64 33 D6 79 02 E4 85 79 14 6B 59 F9 43 3C 81 68 A8 B5 32 BC E6}
condition:
all of them
}
Hashes
Name | qoute_jpeg56a.r15
MD5 | 53BE8F9B978062D4411F71010F49209E
SHA1 | A8C2765B3D655BA23886D663D22BDD8EF6E8E894
SHA256 | 2641DAFB452562A0A92631C2849B8B9CE880F0F8F890E643316E9276156EDC8A
Type | WinRAR archive
Size | 823014

Name | QOUTE_JPEG56A.exe
MD5 | 329F6769CF21B660D5C3F5048CE30F17
SHA1 | 8010CC2AF398F9F951555F7D481CE13DF60BBECF
SHA256 | 49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF
Type | PE (compiled AutoIt script)
Size | 1327616
Original name | unknown
Timestamp | 15.07.2019
Linker | Microsoft Linker(12.0)[EXE32]

MD5 | C2743AEDDADACC012EF4A632598C00C0
SHA1 | 79B445DE923C92BF378B19D12A309C0E9C5851BF
SHA256 | 37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918
Type | Shellcode
Size | 1474
Source: habr.com