ESET: new delivery methods of the OceanLotus cyber group

In this post we describe how the OceanLotus cyber group (APT32, APT-C-00) recently used one of the publicly available exploits for CVE-2017-11882. We then explain how, since the beginning of 2019, the group has been using self-extracting archives to achieve code execution.

OceanLotus specializes in cyber espionage, and its primary targets are the countries of Southeast Asia. The attackers forge documents that attract the attention of potential victims in order to convince them to execute the backdoor, and they keep working on their tooling. The methods used to build these lures vary from campaign to campaign: "double-extension" files, self-extracting archives, documents with macros, and well-known exploits.


Exploiting a vulnerability in Microsoft Equation Editor

In mid-2018, OceanLotus ran a campaign exploiting the CVE-2017-11882 vulnerability. One of the group's malicious documents was analyzed by specialists from the 360 Threat Intelligence Center (research in Chinese), including a detailed description of the exploit. The write-up below contains a summary of this malicious document.

First stage

The document FW Report on demonstration of former CNRP in Republic of Korea.doc (SHA-1: D1357B284C951470066AAA7A8228190B88A5C7C3) is similar to the one mentioned in that research. It is interesting because it targets users interested in Cambodian politics (the CNRP, the Cambodia National Rescue Party, was dissolved at the end of 2017). Despite the .doc extension, the document is in RTF format (see the figure below), contains junk code, and is also obfuscated.

Figure 1. "Junk" in the RTF

Despite the junk elements, Word opens the RTF file successfully. As you can see in Figure 2, there is an EQNOLEFILEHDR structure at offset 0xC00, followed by an MTEF header and then an MTEF FONT record (Figure 3).

Figure 2. FONT record values

Figure 3. FONT record format

An overflow is possible in the name field, because its size is not checked before it is copied. An overly long name triggers the vulnerability. As you can see from the contents of the RTF file (offset 0xC26 in Figure 2), the buffer is filled with shellcode, followed by a dummy instruction (0x90) and the return address 0x402114. The address is a gadget in EQNEDT32.exe pointing to a RET instruction. This causes EIP to point to the beginning of the name field, which contains the shellcode.

Figure 4. Beginning of the exploit shellcode

The address 0x45BD3C stores a variable that is dereferenced until it reaches a pointer to the loaded MTEFData structure. The rest of the shellcode is located there.

The purpose of the shellcode is to execute a second piece of shellcode embedded in the open document. The initial shellcode first tries to find the file handle of the open document by iterating over all system handles (NtQuerySystemInformation with the SystemExtendedHandleInformation argument) and checking whether the handle's PID matches the PID of the WinWord process and whether the document was opened with the access mask 0x12019F.

To confirm that the correct handle has been found (and not a handle to some other open document), the file contents are mapped using the CreateFileMapping function, and the shellcode checks whether the last four bytes of the document match "yyyy" (egg-hunting technique). When a match is found, the document is copied to the temporary folder (GetTempPath) as ole.dll. Then the last 12 bytes of the document are read.

Figure 5. End-of-document markers

The 32-bit value between the AABBCCDD and yyyy markers is the offset of the next shellcode. It is invoked using CreateThread. It is the same shellcode the OceanLotus group used previously. The Python emulation script we released in March 2018 still works for dumping the second stage.
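As an added illustration (not ESET's code), here is a Python check a document scanner could apply for the two first-stage traits described above: a FONT record with an oversized name directly behind an EQNOLEFILEHDR, and the "yyyy" egg-hunt trailer. The 12-byte trailer layout, the 32-byte name threshold and the hex decoding of \objdata groups are assumptions; the sample input is constructed and contains no shellcode.

```python
import re
import struct

# EQNOLEFILEHDR (28 bytes): cbHdr=0x1C, version=0x00020000, cf, cbObject, 4 reserved DWORDs
EQN_HDR = struct.Struct("<HIHI16s")
EQN_MAGIC = b"\x1c\x00\x00\x00\x02\x00"   # cbHdr + version, little-endian
MTEF_HDR_LEN = 5     # MTEF v3 header: version, platform, product, product version, subversion
FONT_TAG = 0x08      # MTEF FONT record: tag, typeface, style, NUL-terminated font name
NAME_LIMIT = 32      # assumption: a legitimate font name is short and printable ASCII
EGG = b"yyyy"        # marker the first-stage shellcode hunts for at the end of the document
HEX_RUN = re.compile(rb"[0-9A-Fa-f\r\n ]{16,}")

def objdata_blobs(data):
    """Yield the raw file plus every hex-decoded \\objdata payload found in an RTF file."""
    yield data
    for m in re.finditer(rb"\\objdata", data):
        run = HEX_RUN.match(data, m.end())
        if run:
            hexstr = re.sub(rb"\s", b"", run.group(0))
            yield bytes.fromhex(hexstr[: len(hexstr) // 2 * 2].decode())

def font_record_findings(blob):
    """(offset, name_length) for each EQNOLEFILEHDR whose first MTEF record has a bad FONT name."""
    findings, pos = [], blob.find(EQN_MAGIC)
    while pos != -1 and pos + EQN_HDR.size <= len(blob):
        rec = pos + EQN_HDR.size + MTEF_HDR_LEN
        if rec + 3 <= len(blob) and blob[rec] == FONT_TAG:
            end = blob.find(b"\x00", rec + 3)
            name = blob[rec + 3:(end if end != -1 else len(blob))]
            if len(name) > NAME_LIMIT or any(b < 0x20 or b > 0x7E for b in name):
                findings.append((pos, len(name)))
        pos = blob.find(EQN_MAGIC, pos + 1)
    return findings

def egg_trailer(data):
    """Second-stage offset if the file ends with the assumed AABBCCDD | offset | 'yyyy' trailer."""
    if len(data) < 12 or not data.endswith(EGG):
        return None
    if data[-12:-8] not in (b"\xaa\xbb\xcc\xdd", b"\xdd\xcc\xbb\xaa"):
        return None
    return struct.unpack_from("<I", data, len(data) - 8)[0]

def build_sample():
    """Constructed test input: RTF with an equation object carrying a 60-byte font name."""
    hdr = EQN_HDR.pack(0x1C, 0x00020000, 0, 0x50, b"\x00" * 16)
    mtef = bytes([3, 0, 0, 0, 0])
    font = bytes([FONT_TAG, 1, 0]) + b"A" * 60 + b"\x00"
    obj = (hdr + mtef + font).hex().encode()
    trailer = b"\xaa\xbb\xcc\xdd" + struct.pack("<I", 0x1234) + EGG
    return b"{\\rtf1{\\object\\objdata " + obj + b"}}" + trailer
```

Run both checks over every blob from objdata_blobs(); a hit on either is worth a closer look, and a hit on both is the pattern this document exhibits.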

Second stage

Dropping the components

File and folder names are chosen dynamically. The code randomly selects the name of an executable or DLL in C:\Windows\system32. It then queries that file's resources and takes the FileDescription field to use as the folder name. If that does not work, the code randomly picks a folder name from %ProgramFiles% or C:\Windows (obtained from GetWindowsDirectoryW). It avoids a name that could conflict with existing files and makes sure the name does not contain any of the words windows, Microsoft, desktop, system, system32 or syswow64. If the folder already exists, "NLS_{6 characters}" is appended to the name.

Resource 0x102 is parsed and the files are dropped into %ProgramFiles% or %AppData%, in the randomly chosen folder. The creation time is changed to the same values as kernel32.dll.

For example, here is the folder and the list of files created when C:\Windows\system32\TCPSVCS.exe is chosen as the data source.

Figure 6. Dropping the various components

The structure of resource 0x102 in the dropper is rather complex. In short, it contains:
- the file names
- the file sizes and contents
- the compression format (COMPRESSION_FORMAT_LZNT1, used with RtlDecompressBuffer)

The first file is dropped as TCPSVCS.exe, which is the legitimate AcroTranscoder.exe (according to its FileDescription; SHA-1: 2896738693A8F36CC7AD83EF1FA46F82F32BE5A3).

You may have noticed that some of the DLL files are larger than 11 MB. This is because a large buffer of random data is placed inside the executable. It is possible that this is a way to evade detection by some security products.

Ensuring persistence

Resource 0x101 in the dropper contains two 32-bit integers that specify how persistence should be established. The first value defines how the malware persists without administrator privileges.

Table 1. Persistence mechanism without administrator privileges

The second integer value specifies how the malware should persist when running with administrator privileges.

Table 2. Persistence mechanism with administrator privileges

The service name is the file name without its extension; the display name is the folder name, but if it already exists, the string " Revision 1" is appended (the number is incremented until an unused name is found). The operators made sure that persistence through the service is robust: if it fails, the service must be restarted after one second. Then the WOW64 value of the new service's registry key is set to 4, indicating that it is a 32-bit service.

The scheduled task is created through several COM interfaces: ITaskScheduler, ITask, ITaskTrigger, IPersistFile and ITaskScheduler. Essentially, the malware creates a hidden task, sets the account information to the current user or administrator, and then sets the trigger.

This is a daily task with a 24-hour duration and a 10-minute interval between two executions, which means it will run continuously.

Malicious component

In our sample, the executable TCPSVCS.exe (AcroTranscoder.exe) is legitimate software that loads the DLLs dropped alongside it. In this case, Flash Video Extension.dll is of interest.

Its DLLMain function simply calls another function. Several opaque predicates are present:

Figure 7. Opaque predicates

After these checks, the code finds the .text section of the TCPSVCS.exe file, changes its protection to PAGE_EXECUTE_READWRITE and rewrites it by adding dummy instructions:

Figure 8. Instruction sequence

At the end, a CALL instruction to the address of the function FLVCore::Uninitialize(void), exported by Flash Video Extension.dll, is added. This means that once the malicious DLL is loaded, when the runtime calls WinMain in TCPSVCS.exe, the instruction pointer will point to the NOPs, which leads to a call to FLVCore::Uninitialize(void), the next stage.

This function simply creates a mutex starting with {181C8480-A975-411C-AB0A-630DB8B0A221} followed by the current user name. It then reads the dropped *.db3 file, which contains position-independent code, and uses CreateThread to execute its contents.

The contents of the *.db3 file are the shellcode used by the OceanLotus group. We again successfully extracted its payload using the emulator script we published on GitHub.

The script extracts the final stage. This component is the backdoor we already analyzed in a previous OceanLotus study. This can be confirmed by the GUID {A96B020F-0000-466F-A96D-A91BBF8EAC96} of the binary file. The malware configuration is still stored in the PE resources. It has a similar structure, but the C&C servers differ from the previous ones:

- andreagahuvrauvin[.]com
- byronorenstein[.]com
- stienollmache[.]xyz

The OceanLotus group again demonstrates several techniques for evading detection. They came back with a "polished" version of the infection chain. By choosing random names and filling executables with random data, they reduce the number of reliable IoCs (those based on hashes and file names). Moreover, because of the use of third-party DLL side-loading, the attackers only need to drop the legitimate AcroTranscoder binary.

Self-extracting archives

After the RTF files, the group moved to self-extracting (SFX) archives with common document icons to confuse the user. Threatbook wrote about this (link in Chinese). On launch, the self-extracting RAR files are unpacked and DLLs with the .ocx extension are executed, the final payload being the previously documented {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll. Since mid-January 2019, OceanLotus has been reusing this technique, but changing some of the configuration over time. In this section we discuss the technique and the changes.

Creating the lure

The document THICH-THONG-LAC-HANH-THAP-THIEN-VIET-NAM (1).EXE (SHA-1: AC10F5B1D5ECAB22B7B418D6E98FA18E32BBDEAB) was first found in 2018. This SFX file was cleverly crafted: in its description (Version Info) it claims to be a JPEG image. The SFX script looks like this:

Figure 9. SFX commands

The malware drops {9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (SHA-1: EFAC23B0E6395B1178BCF7086F72344B24C04DCC), as well as the image 2018 thich thong lac.jpg.

The decoy image looks like this:

Figure 10. Decoy image

You may have noticed that the first two lines of the SFX script call the OCX file twice, but this is not a mistake.

{9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (ShLd.dll)

The control flow of the OCX file is very similar to other OceanLotus components: many sequences of JZ/JNZ and PUSH/RET instructions, interleaved with junk code.

Figure 11. Obfuscated code

Once the junk code is filtered out, the DllRegisterServer export, called by regsvr32.exe, looks like this:

Figure 12. Main installer code

Essentially, on the first call, the DllRegisterServer export sets the registry value HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model to an encrypted offset in the DLL (0x10001DE0).

When the function is called a second time, it reads the same value and executes at that address. From there the resource is read and many further actions are carried out in RAM.

The shellcode is the same PE loader used in previous OceanLotus campaigns. It can be emulated using our script. In the end it drops db293b825dcc419ba7dc2c49fa2757ee.dll, loads it into memory and executes DllEntry.

The DLL extracts the contents of its resource, decrypts it (AES-256-CBC) and decompresses it (LZMA). The resource has a specific format that is easy to parse.

Figure 13. Installer configuration structure (KaitaiStruct Visualizer)

The configuration is spelled out explicitly: depending on the privilege level, the binary data is written to %appdata%\Intel\logs\BackgroundUploadTask.cpl or %windir%\System32\BackgroundUploadTask.cpl (or SysWOW64 on 64-bit systems).

Further persistence is ensured by creating a task named BackgroundUploadTask[junk].job, where [junk] represents a set of bytes 0x9D and 0xA0.

The task's application name is %windir%\System32\control.exe, and the parameter value is the path to the dropped binary file. The hidden task runs every day.

Structurally, the CPL file is a DLL with the internal name ac8e06de0a6c4483af9837d96504127e.dll, which exports the function CPlApplet. This file decrypts its only resource, {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll, then loads this DLL and calls its only export, DllEntry.

Backdoor configuration file

The backdoor configuration is encrypted and embedded in its resources. The format of the configuration file is very similar to the previous one.

Figure 14. Backdoor configuration structure (KaitaiStruct Visualizer)

Although the structure is similar, many of the field values have been changed from those shown in our previous report.

The first element of the binary array contains a DLL (HttpProv.dll, MD5: 2559738D1BD4A999126F900C7357B759), identified by Tencent. But since the export name was removed from the binary, the hashes do not match.

Further research

While collecting samples, we noticed some characteristics. The sample just described appeared around July 2018, and others like it appeared more recently, between mid-January and early February 2019. The SFX archives were used as the infection vector, dropping a legitimate decoy document and a malicious OCX file.

Although OceanLotus uses fake timestamps, we noticed that the SFX and OCX timestamps are always the same (0x57B0C36A (08/14/2016 @ 7:15pm UTC) and 0x498BE80F (02/06/2009 @ 7:34am UTC) respectively). This probably indicates that the authors have some kind of "builder" that uses the same templates and just changes a few characteristics.

Among the documents we have studied since the beginning of 2018, there are various names indicating the countries of interest to the attackers:

- New Information of Cambodia Media(New).xls.exe
- 李建香 (个人简历).exe (fake PDF document of a CV)
- feedback, Rally in USA from July 28-29, 2018.exe

Since the discovery of the backdoor {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll and the publication of its analysis by several researchers, we have observed some changes to the malware configuration.

First, the authors began removing the names from the helper DLLs (DNSprov.dll and two versions of HttpProv.dll). The operators then stopped packaging the third DLL (the second version of HttpProv.dll), choosing to package only one.

Second, many of the backdoor configuration fields were changed, probably to evade detection now that many IoCs are available. The fields modified by the authors include:

  • the AppX registry key (see the IoCs)
  • the mutex encoding string ("def", "abc", "ghi")
  • the port number

Finally, all of the new versions analyzed have a new C&C, listed in the IoCs section.

Conclusions

OceanLotus continues to evolve. The cyber group focuses on refining and expanding its tools and decoys. The authors disguise malicious payloads with eye-catching documents whose subject matter is relevant to the intended victims. They develop new schemes and also use publicly available tools, such as the Equation Editor exploit. In addition, they are improving their tools to reduce the number of artifacts left on victims' machines, thereby lowering the chance of detection by antivirus software.

Indicators of compromise

Indicators of compromise and MITRE ATT&CK attributes are available on Welivesecurity and on GitHub.

Source: www.habr.com
