I tata nei, ka whakapiri atu tetahi kaihanga Pakeha o nga taputapu whakauru hiko ki te Rōpū-IB - i whakawhiwhia e tana kaimahi he reta whakapae me te taapiri kino i roto i te mēra. Ilya Pomerantsev, he tohunga tātari malware i CERT Group-IB, i whakahaere he tātaritanga taipitopito o tenei konae, i kitea te torotoro AgentTesla i reira ka korero he aha te tumanako mai i taua malware me pehea te kino.
Na tenei panui kei te whakatuwherahia e matou he raupapa tuhinga mo te wetewete i nga konae tino kino, a kei te tatari matou mo nga mea tino mohio i te Hakihea 5th mo te ipurangi whakawhitiwhiti kore utu mo te kaupapa. "Te Tirohanga Malware: Te Tirohanga o nga Take Tuturu". Ko nga korero katoa kei raro i te tapahi.
Tikanga tohatoha
E mohio ana matou i tae atu te malware ki te miihini a te tangata i paopaohia ma nga imeera hītinihanga. Ko te kaiwhiwhi o te reta i BCCed pea.
Ko te tātaritanga o nga pane e whakaatu ana i tinihangatia te kaituku o te reta. Ko te tikanga, i mahue te reta me vps56[.]oneworldhosting[.]com.
Kei roto i te taapiri imeera he puranga WinRar qoute_jpeg56a.r15 me te konae whakahaere kino QOUTE_JPEG56A.exe roto.
Te rauwiringa kaiao kino
Inaianei kia kite tatou he aha te ahua o te rauwiringa kaiao o te malware e rangahaua ana. Ko te hoahoa i raro nei e whakaatu ana i tona hanganga me nga ahunga o te taunekeneke o nga waahanga.
Inaianei me titiro ki ia o nga waahanga malware i roto i nga korero taipitopito.
Kaiuta
Kōnae taketake QOUTE_JPEG56A.exe he mea whakahiato Aunoa v3 tuhinga.
Hei whakapouri i te tuhinga taketake, he obfuscator he rite PElock AutoIT-Obfuscator āhuatanga.
Ka whakahaerehia te whakakore i nga waahanga e toru:
- Te tango i te whakama Mo-Mehemea
Ko te mahi tuatahi ko te whakahoki i te rere mana o te tuhinga. Ko te Whakapapa Whakahaere Rere Ko tetahi o nga huarahi tino noa hei tiaki i te waehere rua tono mai i te tātaritanga. Ko nga panoni rangirua ka piki ake te uaua o te tango me te mohio ki nga algorithm me nga hanganga raraunga.
- Whakaora haupae
E rua nga mahi hei whakamuna i nga aho:
- gdorizabegkvfca - Ka mahia te wetewete-rite ki te Base64
- xgacyukcyzxz - paita-paita ngawari XOR o te aho tuatahi me te roa o te tuarua
- gdorizabegkvfca - Ka mahia te wetewete-rite ki te Base64
- Te tango i te whakama BinaryToString и Whakarite
Ko te kawenga matua kei te rongoa i roto i te ahua wehewehe i roto i te whaiaronga Momotuhi nga waahanga rauemi o te konae.
Ko te raupapa whakapiri e whai ake nei: TIEQHCXWFG, EMI, SPDGUHIMPV, KQJMWQQAQTKTFXTUOSW, AOCHKRWWSKWO, JSHMSJPS, NHHWXJBMTTSPXVN, BFUTIFWWXVE, HWHJHO, AVZOUMVFRDWFLWU.
Ka whakamahia te mahi WinAPI ki te wetewete i nga raraunga kua tangohia CryptoDecrypt, ka whakamahia te kī wātū i hangaia i runga i te uara hei kī fZgFiZlJDxvuWatFRgRXZqmNCIyQgMYc.
Ka tukuna te konae kawe i wetemuna ki te whakauru mahi RunPE, e kawe ana TukangaTuhia в RegAsm.exe whakamahi hanga-i roto i ShellCode (mohiotia ano ko RunPE ShellCode). Ko te Kaituhi kei te kaiwhakamahi o te huinga Spanish kitea[.]net i raro i te ingoa karanga Wardow.
Me mahara ano kei roto i tetahi o nga miro o tenei huinga, he obfuscator mo I te tuanui me nga ahuatanga rite i kitea i te wa o te tātaritanga tauira.
Ko ia ShellCode he tino ngawari me te kukume i te aro mai i te roopu hacker AnunakCarbanak. API karanga hashing mahi.
Kei te mohio ano matou ki nga keehi whakamahi Frenchy Shellcode putanga rereke.
I tua atu i te taumahinga kua whakamaramatia, i tautuhia ano e matou nga mahi hohekore:
- Te aukati i te whakamutu tukanga a-ringa i te kaiwhakahaere mahi
- Ka timata ano i te tukanga tamaiti ina mutu ana
- Tukuna UAC
- Te tiaki i te utu ki te konae
- Whakaaturanga o nga matapihi aratau
- E tatari ana kia huri te tuunga pehu kiore
- AntiVM me AntiSandbox
- Te whakangaro-whaiaro
- Te pupuhi utunga mai i te whatunga
E mohio ana matou he ahua noa tenei mahi mo te kaitiaki CypherIT, ko te ahua nei ko te bootloader e patai ana.
Kōwae matua o te pūmanawa
I muri mai, ka whakaahua poto matou i te waahanga matua o te malware, ka whakaarohia i roto i nga korero i roto i te tuhinga tuarua. I tenei keehi, he tono kei runga .NET.
I te wa o te tātaritanga, i kitea e matou i whakamahia he obfuscator ConfuserEX.
IELlibrary.dll
Kei te rongoa te whare pukapuka hei rauemi waahanga matua, he mono rongonui mo KaihokoTesla, e whakarato ana i nga mahi mo te tango i nga momo korero mai i nga kaitirotiro Internet Explorer me Edge.
Ko te Agent Tesla he raupaparorohiko torotoro rereke kua tohatohahia ma te whakamahi i te tauira malware-as-a-ratonga i raro i te ahua o te hua keylogger tika. Ka taea e Agent Tesla te tango me te tuku i nga tohu a nga kaiwhakamahi mai i nga kaitirotiro, nga kaihoko imeera me nga kaihoko FTP ki te tūmau ki te hunga whakaeke, te tuhi raraunga papatopenga, me te hopu i te mata o te taputapu. I te wa o te tātaritanga, kaore i te waatea te paetukutuku mana o nga kaihanga.
Ko te waahi urunga ko te mahi GetSavedPasswords akomanga InternetExplorer.
I te nuinga o te waa, he raina te mahi waehere, kaore he whakamarumaru ki te tātari. Ko te mahi karekau noa e tika kia arohia GetSavedCookies. Ko te ahua, ko te mahi o te mono i tika kia whakawhänuihia, engari kaore i mahia.
Te taapiri i te bootloader ki te punaha
Me ako me pehea te hono o te bootloader ki te punaha. Ko te tauira i raro i te rangahau kaore i te punga, engari i nga ahuatanga rite ka puta i runga i te kaupapa e whai ake nei:
- Kei te kōpaki C:UssPublic ka hangaia te tuhinga Visual Basic
Tauira hōtuhi:
- Ko nga mea kei roto i te konae bootloader kua kapi ki te ahua kore ka tiakina ki te kōpaki %Temp%<Ingoa kōpaki ritenga><ingoa Kōnae>
- Ka hangaia he taviri autorun ki te rehita mo te konae tuhinga HKCUSoftwareMicrosoftWindowsCurrentVersionRun<ingoa Hōtuhi>
Na, i runga i nga hua o te waahanga tuatahi o te tātaritanga, i taea e matou te whakatuu i nga ingoa o nga whanau o nga waahanga katoa o te malware kei te akohia, te tātari i te tauira mate, me te whiwhi taonga mo te tuhi hainatanga. Ka haere tonu ta matou wetewete i tenei mea i roto i te tuhinga e whai ake nei, i reira ka titiro atu ki te waahanga matua KaihokoTesla. Kaua e ngaro!
Ma te ara, i te Hakihea 5 ka tono matou ki nga kaipanui katoa ki te ipurangi whakawhitiwhiti koreutu i runga i te kaupapa "Tataritanga o te kino: tātaritanga o nga keehi tuuturu", kei reira te kaituhi o tenei tuhinga, he tohunga CERT-GIB, ka whakaatu i runga ipurangi te waahanga tuatahi o tātari malware - wetewete aunoa i nga tauira ma te whakamahi i te tauira o nga keehi iti e toru mai i nga mahi, ka taea e koe te uru ki te tātari. He pai te webinar mo nga tohunga kua whai wheako ki te tarai i nga konae kino. Ko te rehitatanga mai i te imeera umanga: . E tatari ana ki a koe!
Yara
rule AgentTesla_clean{
meta:
author = "Group-IB"
file = "78566E3FC49C291CB117C3D955FA34B9A9F3EEFEFAE3DE3D0212432EB18D2EAD"
scoring = 5
family = "AgentTesla"
strings:
$string_format_AT = {74 00 79 00 70 00 65 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 68 00 77 00 69 00 64 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 74 00 69 00 6D 00 65 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 63 00 6E 00 61 00 6D 00 65 00 3D 00 7B 00 33 00 7D 00 0D 00 0A 00 6C 00 6F 00 67 00 64 00 61 00 74 00 61 00 3D 00 7B 00 34 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 3D 00 7B 00 35 00 7D 00 0D 00 0A 00 69 00 70 00 61 00 64 00 64 00 3D 00 7B 00 36 00 7D 00 0D 00 0A 00 77 00 65 00 62 00 63 00 61 00 6D 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 37 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 38 00 7D 00 0D 00 0A 00 5B 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 73 00 5D 00}
$web_panel_format_string = {63 00 6C 00 69 00 65 00 6E 00 74 00 5B 00 5D 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 6C 00 69 00 6E 00 6B 00 5B 00 5D 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 75 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 5B 00 5D 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 5B 00 5D 00 3D 00 7B 00 33 00 7D 00 00 15 55 00 52 00 4C 00 3A 00 20 00 20 00 20 00 20 00 20 00 20 00 00 15 55 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 3A 00 20 00 00 15 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 3A 00}
condition:
all of them
}
rule AgentTesla_obfuscated {
meta:
author = "Group-IB"
file = "41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9"
scoring = 5
family = "AgentTesla"
strings:
$first_names = {61 66 6B 00 61 66 6D 00 61 66 6F 00 61 66 76 00 61 66 79 00 61 66 78 00 61 66 77 00 61 67 6A 00 61 67 6B 00 61 67 6C 00 61 67 70 00 61 67 72 00 61 67 73 00 61 67 75 00}
$second_names = "IELibrary.resources"
condition:
all of them
}
rule AgentTesla_module_for_IE{
meta:
author = "Group-IB"
file = "D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE"
scoring = 5
family = "AgentTesla_module_for_IE"
strings:
$s0 = "ByteArrayToStructure"
$s1 = "CryptAcquireContext"
$s2 = "CryptCreateHash"
$s3 = "CryptDestroyHash"
$s4 = "CryptGetHashParam"
$s5 = "CryptHashData"
$s6 = "CryptReleaseContext"
$s7 = "DecryptIePassword"
$s8 = "DoesURLMatchWithHash"
$s9 = "GetSavedCookies"
$s10 = "GetSavedPasswords"
$s11 = "GetURLHashString"
condition:
all of them
}
rule RunPE_shellcode {
meta:
author = "Group-IB"
file = "37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918"
scoring = 5
family = "RunPE_shellcode"
strings:
$malcode = {
C7 [2-5] EE 38 83 0C // mov dword ptr [ebp-0A0h], 0C8338EEh
C7 [2-5] 57 64 E1 01 // mov dword ptr [ebp-9Ch], 1E16457h
C7 [2-5] 18 E4 CA 08 // mov dword ptr [ebp-98h], 8CAE418h
C7 [2-5] E3 CA D8 03 // mov dword ptr [ebp-94h], 3D8CAE3h
C7 [2-5] 99 B0 48 06 // mov dword ptr [ebp-90h], 648B099h
C7 [2-5] 93 BA 94 03 // mov dword ptr [ebp-8Ch], 394BA93h
C7 [2-5] E4 C7 B9 04 // mov dword ptr [ebp-88h], 4B9C7E4h
C7 [2-5] E4 87 B8 04 // mov dword ptr [ebp-84h], 4B887E4h
C7 [2-5] A9 2D D7 01 // mov dword ptr [ebp-80h], 1D72DA9h
C7 [2-5] 05 D1 3D 0B // mov dword ptr [ebp-7Ch], 0B3DD105h
C7 [2-5] 44 27 23 0F // mov dword ptr [ebp-78h], 0F232744h
C7 [2-5] E8 6F 18 0D // mov dword ptr [ebp-74h], 0D186FE8h
}
condition:
$malcode
}
rule AgentTesla_AutoIT_module{
meta:
author = "Group-IB"
file = "49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF"
scoring = 5
family = "AgentTesla"
strings:
$packedexeau = {55 ED F5 9F 92 03 04 44 7E 16 6D 1F 8C D7 38 E6 29 E4 C8 CF DA 2C C4 E1 F3 65 48 25 B8 93 9D 66 A4 AD 3C 39 50 00 B9 60 66 19 8D FC 20 0A A0 56 52 8B 9F 15 D7 62 30 0D 5C C3 24 FE F8 FC 39 08 DF 87 2A B2 1C E9 F7 06 A8 53 B2 69 C3 3C D4 5E D4 74 91 6E 9D 9A A0 96 FD DB 1F 5E 09 D7 0F 25 FB 46 4E 74 15 BB AB DB 17 EE E7 64 33 D6 79 02 E4 85 79 14 6B 59 F9 43 3C 81 68 A8 B5 32 BC E6}
condition:
all of them
}
Hashes
| ingoa | qoute_jpeg56a.r15 |
| MD5 | 53BE8F9B978062D4411F71010F49209E |
| SHA1 | A8C2765B3D655BA23886D663D22BDD8EF6E8E894 |
| SHA256 | 2641DAFB452562A0A92631C2849B8B9CE880F0F8F
890E643316E9276156EDC8A |
| momo | Pūranga WinRAR |
| Rahinga | 823014 |
| ingoa | QOUTE_JPEG56A.exe |
| MD5 | 329F6769CF21B660D5C3F5048CE30F17 |
| SHA1 | 8010CC2AF398F9F951555F7D481CE13DF60BBECF |
| SHA256 | 49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08
C05B5E3BD36FD52668D196AF |
| momo | PE (HonotuhiAunoa kua whakahiato) |
| Rahinga | 1327616 |
| Ingoa Taketake | Unknown |
| Waitohu Ra | 15.07.2019 |
| Honohono | Kaihono Microsoft(12.0)[EXE32] |
| MD5 | C2743AEDDADACC012EF4A632598C00C0 |
| SHA1 | 79B445DE923C92BF378B19D12A309C0E9C5851BF |
| SHA256 | 37A1961361073BEA6C6EACE6A8601F646C5B6ECD
9D625E049AD02075BA996918 |
| momo | ShellCode |
| Rahinga | 1474 |
Source: will.com