With this article we conclude a series of publications devoted to the analysis of malicious software.
Today Ilya Pomerantsev, malware analysis specialist at CERT Group-IB, talks about the first stage of malware analysis, the semi-automatic unpacking of AgentTesla samples, using three mini-cases from the practice of CERT Group-IB specialists.
Usually the first stage of malware analysis is removing protection in the form of a packer, cryptor, protector or loader. In most cases the problem is solved by running the malware and taking a dump, but there are situations where this approach does not work: for example, when the malware is itself a cryptor, when it protects its memory region from being dumped, when the code contains virtual-machine detection, or when the malware restarts immediately after launch. In such cases so-called semi-automatic unpacking is used: the researcher fully controls the process and can intervene at any moment. Let's walk through this procedure on three samples of the AgentTesla family. With network access disabled this malware is relatively harmless.
Sample No. 1
The source file is an MS Word document that exploits the vulnerability CVE-2017-11882.
As a result, the payload is downloaded and launched.
Analysis of the process tree and behavior markers reveals an injection into the RegAsm.exe process.
Behavior markers characteristic of AgentTesla are present.
The downloaded sample is a .NET executable protected by the .NET Reactor protector.
Let's open it in dnSpy x86 and go to the entry point.
Stepping into the DateTimeOffset function, we find code that initializes a new .NET module. We set a breakpoint on the line of interest and run the file.
One of the returned buffers starts with the MZ signature (0x4D 0x5A). Let's save it.
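As an added illustration, not code from the article, here is the check a researcher would apply to a buffer that turns up at such a breakpoint before saving it: an "MZ" at the start is necessary but not sufficient. The parser below follows e_lfanew to the "PE\0\0" signature and uses the section table to decide how many bytes of the buffer actually belong to the image. The buffer it runs on is constructed inline (a decoy "MZ" without a PE header, then a minimal one-section PE32 image between junk bytes); the real sample's buffer is not reproduced.

```python
"""Carve PE images out of a buffer returned at a breakpoint (added example).

The buffer below is constructed inline; nothing here is taken from the
real sample. The check generalizes the "MZ at the start" test: e_lfanew
must land on "PE\\0\\0", and the section table tells how many bytes of the
buffer belong to the image.
"""
import struct

DOS_HEADER_SIZE = 0x40
COFF_HEADER_SIZE = 24        # "PE\0\0" + IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40


def pe_image_size(buf: bytes, off: int) -> int:
    """Size of the PE image (file layout) starting at buf[off], or 0 if the
    bytes at buf[off] are not a well-formed PE header."""
    if buf[off:off + 2] != b"MZ" or off + DOS_HEADER_SIZE > len(buf):
        return 0
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
    pe = off + e_lfanew
    if e_lfanew < DOS_HEADER_SIZE or pe + COFF_HEADER_SIZE > len(buf):
        return 0
    if buf[pe:pe + 4] != b"PE\0\0":
        return 0
    (num_sections,) = struct.unpack_from("<H", buf, pe + 6)
    (opt_size,) = struct.unpack_from("<H", buf, pe + 20)
    if not 1 <= num_sections <= 96 or opt_size < 64:
        return 0
    if pe + COFF_HEADER_SIZE + opt_size > len(buf):
        return 0
    # SizeOfHeaders is at offset 60 of the optional header for PE32 and PE32+
    (size_of_headers,) = struct.unpack_from("<I", buf, pe + COFF_HEADER_SIZE + 60)
    end = size_of_headers
    first_section = pe + COFF_HEADER_SIZE + opt_size
    for i in range(num_sections):
        s = first_section + i * SECTION_HEADER_SIZE
        if s + SECTION_HEADER_SIZE > len(buf):
            return 0
        # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", buf, s + 16)
        end = max(end, raw_ptr + raw_size)
    if off + end > len(buf):
        return 0                  # truncated: not all of the image is in the buffer
    return end


def find_pe_images(buf: bytes):
    """Return (offset, size) of every well-formed PE image found in buf."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        size = pe_image_size(buf, pos)
        if size:
            hits.append((pos, size))
            pos = buf.find(b"MZ", pos + size)   # skip over the carved image
        else:
            pos = buf.find(b"MZ", pos + 1)
    return hits


def carve_pe_images(buf: bytes):
    """The byte slices one would save to disk."""
    return [buf[off:off + size] for off, size in find_pe_images(buf)]


def build_test_buffer() -> bytes:
    """Constructed input: a decoy "MZ" with no PE header, then a minimal
    one-section PE32 image, surrounded by junk bytes."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)           # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 56, 0x2000)                      # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                       # SizeOfHeaders
    sect = bytearray(SECTION_HEADER_SIZE)
    sect[:5] = b".text"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", sect, 8, 0x200, 0x1000, 0x200, 0x200)
    headers = bytes(dos + coff + opt + sect).ljust(0x200, b"\0")
    image = headers + bytes(range(256)) * 2                      # 0x400 bytes total
    decoy = b"MZ" + b"\0" * 62
    return b"\x90" * 17 + decoy + image + b"\xCC" * 33


if __name__ == "__main__":
    for off, size in find_pe_images(build_test_buffer()):
        print(f"PE image at offset {off:#x}, {size:#x} bytes")
```

This applies to a buffer in file layout, which is what a decryption routine hands back. A region copied out of a running process is in memory layout: sections sit at VirtualAddress rather than PointerToRawData, and a carved file needs its section pointers realigned before tools will load it.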
The dumped executable is a dynamic library that acts as a loader: it extracts the payload from the resource section and launches it.
The resources needed for the analysis are not in the dump itself; they are in the parent sample.
The dnSpy utility has two very useful features that help assemble a "Frankenstein" from the two related files:
- the first lets you "paste" the dynamic library into the parent sample;
- the second lets you rewrite the function code at the entry point so that it calls the desired method of the inserted dynamic library.
We save our "Frankenstein", set a breakpoint on the line that returns the buffer with the decrypted resource, and take a dump the same way as in the previous stage.
The second dump is an executable written in VB.NET and protected by the ConfuserEx protector, which we know well.
After removing the protector we apply previously written YARA rules and confirm that the unpacked malware really is AgentTesla.
Sample No. 2
The source file is an MS Excel document. A built-in macro executes the malicious code.
As a result, a PowerShell script is launched.
The script decrypts C# code and passes control to it. As the sandbox report shows, that code is itself a loader.
The payload is a .NET executable.
Opening the file in dnSpy x86, we see that it is obfuscated. We remove the obfuscation with the de4dot utility and return to the analysis.
Examining the code, we find the following function:
The encoded strings EntryPoint and Invoke catch the eye. We set a breakpoint on the first line, run, and save the value of the buffer byte_0.
The dump is again a .NET application, protected by ConfuserEx.
We remove the obfuscation with de4dot and load the file into dnSpy. The file description tells us we are dealing with the CyaX-Sharp loader.
This loader has extensive anti-analysis functionality.
It includes bypassing the built-in Windows protection, disabling Windows Defender, and sandbox and virtual-machine detection. The payload can be downloaded from the network or stored in the resource section. Launch is performed in the loader's own process, in a copy of its own process, or by injection into MSBuild.exe, vbc.exe or RegSvcs.exe, depending on the parameter chosen by the attacker.
For us, however, these matter less than the anti-dump function added by ConfuserEx, whose source code is publicly available.
To disable this protection we use dnSpy's ability to edit the IL code.
We save the file and set a breakpoint on the line that calls the payload decryption function. It is in the constructor of the main class.
We run the payload and dump it. Using previously written YARA rules, we confirm that it is AgentTesla.
Sample No. 3
The source file is a native VB executable, a PE32 file.
Entropy analysis shows the presence of a large block of encrypted data.
Analyzing the application form in VB Decompiler, one notices a strange pixelated background.
The entropy graph of the bmp image is identical to the entropy graph of the original file, and its size is 85% of the file size.
The overall appearance of the image indicates the use of steganography.
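The entropy comparison above can be reproduced with a few lines of Python. The following is an added example, not part of the article: it computes Shannon entropy over fixed windows and merges the windows above a threshold into byte ranges, then reports the share of the buffer they cover. The input is constructed (repetitive "code", a pseudo-random "encrypted" block from a seeded generator, zero padding); the window size and the 7.0-bit threshold are choices for this example, not values from the article.

```python
"""Sliding-window entropy profile for locating an encrypted blob (added example;
the input buffer is constructed, not the sample from the article)."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 512):
    """(offset, entropy) for each consecutive window of the buffer."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def high_entropy_runs(data: bytes, window: int = 512, threshold: float = 7.0):
    """Merge consecutive windows at or above the threshold into (start, end) byte ranges."""
    runs, start = [], None
    for off, h in entropy_profile(data, window):
        if h >= threshold and start is None:
            start = off
        elif h < threshold and start is not None:
            runs.append((start, off))
            start = None
    if start is not None:
        runs.append((start, len(data)))
    return runs


def encrypted_fraction(data: bytes, **kw) -> float:
    """Share of the buffer covered by high-entropy runs (the kind of figure
    behind the article's 85%)."""
    covered = sum(end - start for start, end in high_entropy_runs(data, **kw))
    return covered / len(data) if data else 0.0


def build_sample() -> bytes:
    """Constructed file: 2 KiB of repetitive 'code', a 4 KiB pseudo-random
    'encrypted' block, then 1 KiB of zero padding."""
    rng = random.Random(2019)                       # fixed seed: reproducible
    code = bytes(rng.choice(b"\x55\x8b\xec\x83\xc4\xff\x15\x00") for _ in range(2048))
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return code + blob + b"\x00" * 1024


if __name__ == "__main__":
    sample = build_sample()
    for start, end in high_entropy_runs(sample):
        print(f"high-entropy region {start:#x}-{end:#x} "
              f"({encrypted_fraction(sample):.0%} of file)")
```

A run near 8 bits per byte only says the data is incompressible; an embedded PNG or zip scores the same. That is why the bitmap resource matters here: an uncompressed bmp should have low entropy, so a bitmap whose entropy profile matches the file's encrypted region is the anomaly.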
Let's look at the process tree and note the presence of an injection marker.
This indicates that unpacking is in progress. For Visual Basic loaders (also known as VBKrypt or VBInjector) it is typical to use shellcode that initializes the payload and performs the injection itself.
Analysis in VB Decompiler showed the presence of a Load event on the form Fegatassocãšã¢ãã«ãŒã³2.
Let's go to the specified address in IDA and examine the function. The code is heavily obfuscated. The fragment of interest to us is shown below.
Here the process address space is scanned for a signature. This approach is highly questionable.
First, the scan starts at address 0x400100. This value is static and is not adjusted for a shifted image base. Under ideal hothouse conditions it points to the end of the executable's PE header. But the image base is not static: this value can change, and then the search for the real address of the signature, while it will not overflow the variable, can take a very long time.
Second, the signature itself is iWGK. I think it is obvious that 4 bytes is too short to guarantee uniqueness, and together with the first point the probability of a false match becomes very high.
In fact, the required fragment is appended to the end of the previously found bmp image, at offset 0xA1D0D.
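To make the two objections concrete, here is an added example (not from the article) on a constructed bitmap: the loader-style linear scan for the 4-byte marker iWGK stops at the first match, which in this file is inside the pixel data, while reading bfSize from the BMP file header locates the appended fragment directly. The bitmap here is a 2x2 image and the payload is a stand-in; the real sample's 0xA1D0D offset is not reproduced.

```python
"""Locating a fragment appended to a BMP: fixed-marker scan versus the bfSize
field (added example; the bitmap and payload are constructed)."""
import struct

BMP_FILE_HEADER = 14            # BITMAPFILEHEADER
BMP_INFO_HEADER = 40            # BITMAPINFOHEADER
MARKER = b"iWGK"                # the 4-byte signature the loader scans for
PAYLOAD = b"\x90\x90\xcc\xc3"   # stand-in for the appended fragment (constructed)


def scan_for_signature(mem: bytes, sig: bytes, start: int) -> int:
    """What the loader does: linear scan from a fixed start, first match wins (-1 if none)."""
    return mem.find(sig, start)


def bmp_trailer_offset(data: bytes) -> int:
    """Offset of data appended after the bitmap's declared size (bfSize)."""
    if len(data) < BMP_FILE_HEADER or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    (bf_size,) = struct.unpack_from("<I", data, 2)
    if bf_size < BMP_FILE_HEADER or bf_size > len(data):
        raise ValueError("bfSize does not fit the file")
    return bf_size


def bmp_trailer(data: bytes) -> bytes:
    """Bytes past the end of the bitmap proper: empty for a clean image."""
    return data[bmp_trailer_offset(data):]


def build_sample_bmp(payload: bytes = PAYLOAD) -> bytes:
    """Constructed 2x2 24-bit bitmap whose pixel bytes happen to contain the
    marker, with MARKER + payload appended after bfSize."""
    width, height = 2, 2
    row_bytes = ((width * 3 + 3) // 4) * 4                   # rows padded to 4 bytes
    pixels = b"iWGK\0\0\0\0" + b"\xff\xff\xff\0\0\0\0\0"     # decoy marker in row 0
    if len(pixels) != row_bytes * height:
        raise ValueError("pixel buffer size mismatch")
    bf_size = BMP_FILE_HEADER + BMP_INFO_HEADER + len(pixels)
    file_hdr = struct.pack("<2sIHHI", b"BM", bf_size, 0, 0,
                           BMP_FILE_HEADER + BMP_INFO_HEADER)
    info_hdr = struct.pack("<IiiHHIIiiII", BMP_INFO_HEADER, width, height,
                           1, 24, 0, len(pixels), 0, 0, 0, 0)
    return file_hdr + info_hdr + pixels + MARKER + payload


if __name__ == "__main__":
    bmp = build_sample_bmp()
    print("scan hit:", scan_for_signature(bmp, MARKER, 0))      # inside the pixels
    print("trailer at:", bmp_trailer_offset(bmp), bmp_trailer(bmp))
```

The same header-driven approach works on the sample: once the bitmap resource is extracted, anything past bfSize is the appended fragment, with no dependence on the image base or on a marker collision.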
The shellcode is executed in two stages. First its body is decrypted; in this case the key is found by brute force.
Let's dump the decrypted shellcode and look at its strings.
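The article does not state which cipher the shellcode uses, so the added example below assumes a single-byte XOR, the simplest scheme such loaders use, purely to show how a brute-force step is scored: every key is tried and each candidate plaintext is ranked by the known API strings and printable runs it contains. The shellcode bytes, the key and the crib strings are constructed for this example and are not taken from the sample.

```python
"""Brute-forcing the key of an XOR-encrypted shellcode blob (added example).
The article does not state the sample's cipher; a single-byte XOR is assumed
here to show how candidates are scored. The shellcode bytes are constructed."""

# Strings a decrypted Windows shellcode is expected to carry (the article's
# dump showed CreateProcessInternalW). Any crib set works; these are assumptions.
KNOWN_STRINGS = (b"kernel32.dll", b"CreateProcessInternalW")


def xor_single(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def printable_runs(data: bytes, min_len: int = 6):
    """Contiguous runs of printable ASCII, like the `strings` tool."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(bytes(cur))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(bytes(cur))
    return runs


def score(plain: bytes, cribs=KNOWN_STRINGS):
    """Rank a candidate: known strings first, then number of string-like runs."""
    return (sum(c in plain for c in cribs), len(printable_runs(plain)))


def brute_force_single_xor(blob: bytes, cribs=KNOWN_STRINGS):
    """Try all 256 keys and return (key, plaintext) of the best-scoring candidate."""
    best_key, best_score = 0, None
    for key in range(256):
        s = score(xor_single(blob, key), cribs)
        if best_score is None or s > best_score:
            best_key, best_score = key, s
    return best_key, xor_single(blob, best_key)


def build_sample_shellcode() -> bytes:
    """Constructed stand-in: a short x86 prologue followed by the API strings."""
    prologue = bytes.fromhex("558bec83ec2053565733c0")
    return prologue + b"kernel32.dll\0" + b"CreateProcessInternalW\0" + b"\xc3"


SAMPLE_KEY = 0x5A   # constructed key for the example
ENCRYPTED_SAMPLE = xor_single(build_sample_shellcode(), SAMPLE_KEY)


if __name__ == "__main__":
    key, plain = brute_force_single_xor(ENCRYPTED_SAMPLE)
    print(f"key {key:#04x}:", printable_runs(plain))
```

For a repeating multi-byte key the same idea applies with a crib: XOR a known string against the ciphertext at each offset to derive candidate key bytes, then keep the key whose full decryption contains all the expected strings.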
First, we find the function that creates a child process: CreateProcessInternalW.
Second, we notice a mechanism for persistence in the system.
Let's return to the original process. We set a breakpoint on CreateProcessInternalW and continue execution. Next we see the NtGetContextThread/NtSetContextThread pair, which changes the execution start address to the shellcode address.
We attach a debugger to the created process, enable the event that suspends the process on library load/unload, resume the process and wait for the .NET libraries to load.
Next, using Process Hacker, we dump the regions containing the unpacked .NET application.
We stop all processes and delete the copy of the malware that was planted in the system.
The dumped file is protected by the .NET Reactor protector, which is easily removed with the de4dot utility.
Using previously written YARA rules, we confirm that it is AgentTesla.
Summary
So, we have demonstrated the semi-automatic unpacking process in detail on three mini-cases, and analyzed the malware on the basis of a full case, establishing that the sample under investigation is AgentTesla and obtaining its functionality and a full list of indicators of compromise.
The analysis of a malicious object that we performed requires a great deal of time and effort, and this work should be done by a dedicated employee in the company, but not every company is ready to keep an analyst on staff.
One of the services offered by the Group-IB Laboratory of Computer Forensics and Malicious Code Analysis is cyber incident response. And so that customers do not waste time approving documents and holding discussions in the middle of a cyber attack, Group-IB launched Incident Response Retainer, a pre-subscription incident response service that also includes a malware analysis step. More details are available here.
If you want to revisit how AgentTesla samples are unpacked and see how CERT Group-IB specialists do it, you can download the recording of the webinar on this topic.
åºæïŒ habr.com