The RTM cyber group specialises in stealing money from Russian companies

There are several known cyber groups that steal money from Russian companies. We have seen attacks that exploit security gaps to gain access to the target network. Once inside, the attackers study how the organisation's network works and deploy their own tools to steal funds. Well-known examples of this trend are the Buhtrap, Cobalt and Corkow groups.


The RTM group covered in this report is part of this trend. It uses custom malware written in Delphi, which we examine in detail in the following sections. The first traces of these tools in ESET telemetry date from the end of 2015. The group loads various modules onto infected systems as required. The attacks target users of remote banking systems in Russia and some neighbouring countries.

1. Targets

The RTM campaign targets corporate users; this is evident from the processes the attackers try to detect on a compromised system. The focus is on accounting software used with remote banking systems.

The list of processes of interest to RTM resembles the corresponding list of the Buhtrap group, but the two groups use different infection vectors. While Buhtrap more often used fake pages, RTM used drive-by download attacks (attacks on the browser or its components) and email spam. According to telemetry data, the threat is aimed at Russia and several neighbouring countries (Ukraine, Kazakhstan, Czech Republic, Germany). However, because of the mass distribution mechanisms involved, detections of the malware outside the expected regions are not surprising.

The total number of malware detections is relatively small. On the other hand, the RTM campaign uses sophisticated software, which suggests the attacks are highly targeted.

We found several decoy documents used by RTM, including non-existent contracts, invoices and tax accounting documents. The nature of the lures, together with the type of software targeted by the attack, indicates that the attackers "enter" the networks of Russian companies through the accounting department. The Buhtrap group acted according to the same scheme in 2014-2015.


During the research we were able to interact with several C&C servers. We list the full set of commands in the following sections, but for now we can say that the client transfers keylogger data directly to the attackers' server, from which additional commands are then received.

However, the days when you could simply connect to a command and control server and collect all the data you wanted are gone. We used recreated log files to obtain the relevant commands from the server.

The first of these is a request to the bot to transfer the file 1c_to_kl.txt, a transport file of the 1C: Enterprise 8 program, whose appearance RTM actively monitors. 1C interacts with remote banking systems by uploading outgoing payment data to a text file. The file is then sent to the remote banking system for automated generation and execution of the payment order.

The file contains payment details. If the attackers change the details of outgoing payments, the transfer is sent with false details to the attackers' accounts.


About a month after requesting these files from the command and control server, we saw a new module, 1c_2_kl.dll, being loaded onto the compromised system. The module (DLL) is designed to automatically parse the upload file by injecting itself into accounting software processes. We describe it in detail in the following sections.

Interestingly, FinCERT of the Bank of Russia issued a warning at the end of 2016 about cybercriminals abusing 1c_to_kl.txt upload files. The developers of 1C are also aware of this scheme; they have already made an official statement and documented precautions.

Other modules were also loaded from the command server, in particular VNC (32- and 64-bit versions). It resembles the VNC module previously used in Dridex Trojan attacks. This module is presumably used to connect remotely to the infected computer and study the system in detail. The attackers then try to move around the network, extract user passwords, gather information and ensure the malware stays resident.

2. Infection vectors

The figure below shows the infection vectors detected during the study. The group uses a wide range of vectors, but mainly drive-by download attacks and spam. These tools are convenient for targeted attacks: in the first case the attackers can choose the sites visited by potential victims, and in the second they can send emails with attachments directly to the employees they want to reach.


The malware is distributed through several channels, including the RIG and Sundown exploit kits and spam emails, which indicates links between the attackers and other cybercriminals offering these services.

2.1. How are RTM and Buhtrap related?

The RTM campaign is very similar to Buhtrap. The natural question is: how are they related?

In September 2016, we saw an RTM sample being distributed using the Buhtrap loader. In addition, we found two digital certificates used in both Buhtrap and RTM.

The first, reportedly issued to the company DNESS-m, was used to sign the second Delphi form (ST1C025E718A31A43A1A87A13DCKE94F.61F9338D 11).


The second, issued to Bit-Tredj, was used to sign Buhtrap loaders (SHA-1: 7C1B6B1713BD923FC243DFEC80002FE9B93EB292 and B74F71560E48488D2153AE2FB51207TM, as well as the RTM loader and downloader RAC0).


RTM operators use certificates shared with other malware families, but they also have a unique certificate. According to ESET telemetry, it was issued to Kit-SD and was used only to sign RTM malware (SHA-1: 42A4B04446A20993DDAE98B2BE6D5A797376D4B6).

RTM uses the same loader as Buhtrap, and RTM components are loaded from the Buhtrap infrastructure, so the groups share similar network indicators. Nevertheless, according to our estimates, RTM and Buhtrap are different groups, at least because RTM is distributed in different ways (not only using the "foreign" downloader).

Despite this, the groups use similar operating principles. They target companies that use accounting software, collect system information, search for smart card readers, and deploy a range of malicious tools to spy on victims.

3. Evolution

In this section we look at the various versions of the malware found during the research.

3.1. Versioning

RTM stores configuration data in a registry section, the most interesting part of which is the botnet prefix. A list of all the values we saw in the studied samples is given in the table below.


It is possible that these values are used to record malware versions. However, we did not notice significant differences between versions such as bit2 and bit3, or 0.1.6.4 and 0.1.6.6. Moreover, one of the prefixes has existed from the start and has evolved from a regular C&C domain to a .bit domain, as shown below.

3.2. Timeline

Using telemetry data, we built a timeline of when the samples appeared.


4. Technical analysis

In this section we describe the main functions of the RTM banking Trojan, including its persistence mechanisms, its own version of the RC4 algorithm, the network protocol, the spying functionality and other features. In particular, we focus on the samples with SHA-1 AA0FA4584768CE9E16D67D8C529233E99FF1BBF0 and 48BC113EC8BA20B8B80CD5D4DA92051A19D1032B.

4.1. Installation and persistence

4.1.1. Installation

The RTM core is a DLL; the library is dropped onto the disk by an .EXE. The executable is usually packed and contains the DLL code. Once launched, it extracts the DLL and runs it with the following command:

rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host

4.1.2. DLL

The main DLL is always written to disk as winlogon.lnk in the %PROGRAMDATA%\Winlogon folder. This file extension is normally associated with a shortcut, but the file is actually a DLL written in Delphi, named core.dll by the developer, as shown in the figure below.


Example DLL name: F4C746696B0F5BB565D445EC49DD912993DE6361

Once launched, the Trojan activates its persistence mechanism. This can be done in two different ways, depending on the victim's privileges on the system. With administrator rights, the Trojan adds a Windows Update entry to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. The command stored in Windows Update runs at the start of each user session.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update [REG_SZ] = rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host

The Trojan also tries to add a task to the Windows Task Scheduler. The task launches the winlogon.lnk DLL with the same parameters as above. Regular user rights allow the Trojan to add a Windows Update entry with the same data to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key:

rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host
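As an added example (not code from the ESET report), a small Python check that parses `reg query`-style output and flags Run values matching the persistence pattern above: rundll32 loading a .lnk file as a DLL, the DllGetClassObject/host launch arguments, the %PROGRAMDATA%\Winlogon drop path and the "Windows Update" value name. The sample registry text is constructed; the function names and the text layout are assumptions.

```python
"""Flag Run-key values that match the RTM persistence pattern (section 4.1.2).

Added example, not ESET's code. Input is constructed text in the layout of
`reg query` output; on a live host the same logic applies to the HKLM and
HKCU ...\CurrentVersion\Run keys named in the report.
"""
import re

# The two autostart keys the report says RTM writes to.
RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample in `reg query` layout: key line, then "name    type    data".
SAMPLE_REG_OUTPUT = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Windows Update    REG_SZ    rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

# "    <name>    <REG_TYPE>    <data>" (reg query separates fields with four spaces).
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
# Command line starting with rundll32(.exe), optionally quoted or with a drive path.
RUNDLL = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s', re.I)
# "<path>.lnk",<Export> <argument>  -> the rundll32 argument shape used by RTM.
LNK_ARG = re.compile(r'"?([^",\s]+\.lnk)"?\s*,\s*(\w+)\s*(\S*)', re.I)


def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) tuples from reg query text."""
    key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):      # unindented line = registry key path
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            name, vtype, data = m.groups()
            yield key, name, vtype, data


def rtm_persistence_reasons(name, data):
    """Return the reasons a Run value resembles RTM persistence (empty = clean)."""
    reasons = []
    if not RUNDLL.match(data):
        return reasons
    m = LNK_ARG.search(data)
    if not m:
        return reasons
    path, export, arg = m.groups()
    # A .lnk is a shortcut extension; rundll32 loading one as a DLL is anomalous.
    reasons.append("rundll32 loads a .lnk file as a DLL")
    if export.lower() == "dllgetclassobject" and arg.lower() == "host":
        reasons.append("export DllGetClassObject with argument 'host' (RTM launch command)")
    if "%programdata%" in path.lower() and path.lower().endswith("winlogon.lnk"):
        reasons.append("winlogon.lnk under %PROGRAMDATA% (RTM drop location)")
    if name.strip().lower() == "windows update":
        reasons.append("value name 'Windows Update' (RTM persistence name)")
    return reasons


def scan_run_keys(text):
    """Return [(key, value_name, reasons)] for suspicious values under the Run keys."""
    findings = []
    for key, name, _vtype, data in parse_reg_query(text):
        if any(key.lower().startswith(k.lower()) for k in RUN_KEYS):
            reasons = rtm_persistence_reasons(name, data)
            if reasons:
                findings.append((key, name, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for key, name, reasons in scan_run_keys(SAMPLE_REG_OUTPUT):
        print(f"{key}\\{name}: " + "; ".join(reasons))
```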

4.2. Modified RC4 algorithm

Despite its known weaknesses, the RC4 algorithm is regularly used by malware authors. However, RTM's creators modified it slightly, probably to make the work of analysts harder. The modified version of RC4 is used throughout RTM's malicious tools to encrypt strings, network data, configuration and modules.

4.2.1. Differences

The original RC4 algorithm has two stages: S-box initialisation (the KSA, Key-Scheduling Algorithm) and pseudo-random sequence generation (the PRGA, Pseudo-Random Generation Algorithm). The first stage initialises the S-box using the key, and in the second stage the plaintext is transformed using the S-box to produce the ciphertext.

The RTM authors added an intermediate step between S-box initialisation and encryption. The additional key is variable and is supplied together with the data to be encrypted or decrypted. The function that performs this additional step is shown in the figure below.


4.2.2. String encryption

At first glance, there are only a few readable strings in the main DLL. The rest are encrypted using the algorithm described above, whose structure is shown in the following figure. We found more than 25 different RC4 keys for string encryption in the analysed samples. The XOR key is different for each string. The value of the numeric field separating the strings is always 0xFFFFFFFF.

At the start of execution, RTM decrypts the strings into a global variable. When it needs to access a string, the Trojan dynamically calculates the address of the decrypted string from the base address and an offset.

The strings contain interesting information about the malware's functions. Some sample strings are given in Section 6.8.


4.3. Network

The way RTM malware contacts the C&C server varies from version to version. The first modifications (October 2015 - April 2016) used traditional domain names together with an RSS feed on livejournal.com to update the list of commands.

Since April 2016, we have seen a shift to .bit domains in telemetry data. This is confirmed by the registration date: the first RTM domain, fde05d0573da.bit, was registered on March 13, 2016.

All the URLs we saw while monitoring the campaign had a common path: /r/z.php. It is quite unusual and helps identify RTM requests in network traffic.

4.3.1. Command and control channel

Older samples used this channel to update their list of command and control servers. The hosting is on livejournal.com; at the time of writing this report it remained at the URL hxxp://f72bba81c921(.)livejournal(.)com/data/rss.

Livejournal is a Russian-American company that provides a blogging platform. RTM operators create an LJ blog in which they post an article with encoded commands, see the figure.


The command and control strings are encrypted using the modified RC4 algorithm (Section 4.2). The current version (November 2016) of the channel contains the following command and control server addresses:

  • hxxp://cainmoon(.)net/r/z.php
  • hxxp://rtm(.)dev/0-3/z.php
  • hxxp://vpntap(.)top/r/z.php

4.3.2. .bit domains

In the most recent RTM samples, the authors connect to C&C domains using the .bit top-level domain (TLD). It is not on the ICANN (Internet Corporation for Assigned Names and Numbers) list of top-level domains. Instead, it relies on the Namecoin system, which is built on top of Bitcoin technology. Malware authors do not often use the .bit TLD for their domains, although an example of such use has previously been seen in a version of the Necurs botnet.

Unlike Bitcoin, users of the distributed Namecoin database have the ability to store data. The main application of this is the .bit top-level domain. You can register domains that are stored in the distributed database. The corresponding database records contain the IP addresses the domain resolves to. This TLD is "censorship-resistant" because only the registrant can change the resolution of a .bit domain. This means it is much harder to take down a malicious domain that uses this type of TLD.

The RTM Trojan does not include the software needed to read the distributed Namecoin database. It uses central DNS servers such as dns.dot-bit.org or OpenNic servers to resolve .bit domains. Therefore, it has only the same resilience as those DNS servers. We observed that some of the group's domains were no longer resolvable after being mentioned in a blog post.

Another advantage of the .bit TLD for attackers is cost. To register a domain, operators only need to pay 0.01 NMC, which corresponds to $0.00185 (as of December 5, 2016). By comparison, a .com domain costs at least $10.

4.3.3. Protocol

To communicate with the command and control server, RTM uses HTTP POST requests with data formatted according to a custom protocol. The path value is always /r/z.php; the user agent is Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0). In requests to the server, the data is laid out as follows, with offsets shown in bytes:


Bytes 0 to 6 are not encrypted; bytes from offset 6 onward are encrypted using the modified RC4 algorithm. The structure of the C&C response packet is simpler: bytes are encrypted from offset 4 up to the packet size.


The list of possible actions is shown in the table below:


The malware always calculates the CRC32 of the encrypted data and compares it with the one present in the packet. If they differ, the Trojan drops the packet.
The additional data may contain various objects, including a PE file, a file to search for in the file system, or new request URLs.
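As an added example (not part of the report), Python detection logic that scans constructed proxy log lines for the traffic features described in this section: the /r/z.php path, the fixed MSIE 9.0 user agent on POST requests to z.php, Namecoin .bit hosts and the C&C hosts listed in 4.3.1 and 4.3.2. The log line format and the function names are assumptions.

```python
"""Flag proxy log entries that match RTM C&C traffic features (section 4.3).

Added example, not ESET's code. The log format is a constructed, simplified
proxy log: "<timestamp> <client-ip> <method> <url> \"<user-agent>\"".
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators taken from the report (sections 4.3.1 to 4.3.3), de-fanged there as hxxp/(.)
RTM_CC_PATH = "/r/z.php"
RTM_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
RTM_KNOWN_HOSTS = {
    "cainmoon.net",
    "rtm.dev",
    "vpntap.top",
    "fde05d0573da.bit",
    "f72bba81c921.livejournal.com",
}

LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample log: two benign lines and three that match RTM features.
SAMPLE_LOG = [
    '2016-11-02T10:15:03Z 10.0.0.17 GET http://intranet.example/r/index.php "Mozilla/5.0 (Windows NT 10.0) Firefox/49.0"',
    '2016-11-02T10:15:09Z 10.0.0.17 POST http://cainmoon.net/r/z.php "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '2016-11-02T10:16:44Z 10.0.0.23 POST http://rtm.dev/0-3/z.php "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '2016-11-02T10:17:01Z 10.0.0.23 GET http://fde05d0573da.bit/r/z.php "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '2016-11-02T10:18:30Z 10.0.0.31 GET http://www.example.com/search?q=rtm "Mozilla/5.0 (Windows NT 10.0) Chrome/54.0"',
]


@dataclass
class Finding:
    client: str
    url: str
    reasons: tuple


def analyse_request(method, url, user_agent):
    """Return the list of RTM traffic features a single request matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.path == RTM_CC_PATH:
        reasons.append("uri path /r/z.php")
    # The IE9 UA is common on its own, so only combine it with a POST to z.php.
    if method.upper() == "POST" and user_agent == RTM_USER_AGENT and parts.path.endswith("z.php"):
        reasons.append("RTM user-agent on POST to z.php")
    if host.endswith(".bit"):
        reasons.append("Namecoin .bit domain")
    if host in RTM_KNOWN_HOSTS:
        reasons.append("known RTM C&C host")
    return reasons


def scan_log(lines):
    """Parse log lines and return a Finding for every request with at least one hit."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                      # skip lines that do not fit the layout
        _ts, client, method, url, ua = m.groups()
        reasons = analyse_request(method, url, ua)
        if reasons:
            findings.append(Finding(client, url, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.url}: " + "; ".join(f.reasons))
```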

4.3.4. Panel

We noticed that RTM uses a panel on the C&C servers. Screenshot below:


4.4. Characteristic fingerprinting

RTM is a typical banking Trojan. Unsurprisingly, the operators want information about the victim's system. On the one hand, the bot collects general information about the OS. On the other hand, it finds out whether the compromised system has attributes associated with Russian remote banking systems.

4.4.1. General information

When the malware is installed or launched after a reboot, a report is sent to the command and control server containing general information including:

  • time zone;
  • system language;
  • current user's credentials;
  • process integrity level;
  • user name;
  • computer name;
  • OS version;
  • installed additional modules;
  • installed antivirus software;
  • list of smart card readers.

4.4.2 Remote banking systems

The target of the Trojan is remote banking systems, and RTM is no exception. One of the program's modules is called TBdo; it performs various tasks, including scanning disks and browsing history.

When scanning the disk, the Trojan checks whether banking software is installed on the machine. The full list of target programs is in the table below. After detecting a file of interest, the program sends the information to the command server. Subsequent actions depend on the logic specified by the command centre (C&C) algorithms.


RTM also looks for URL patterns in the browser history and open tabs. In addition, the program examines the use of the FindNextUrlCacheEntryA and FindFirstUrlCacheEntryA functions, and checks each entry for a match with one of the following patterns:


Having detected open tabs, the Trojan contacts Internet Explorer or Firefox through the Dynamic Data Exchange (DDE) mechanism to check whether the tab matches the pattern.

Checking of the browsing history and open tabs is performed in a WHILE loop (a loop with a precondition) with a one-second pause between checks. Other data that is monitored in real time is discussed in section 1.

If a pattern is found, the program reports this to the command server using the list of strings from the following table:


4.5 Monitoring

While the Trojan is running, information about the characteristic features of the infected system (including the presence of banking software) is sent to the command and control server. Fingerprinting takes place when RTM first runs the monitoring routine after the initial OS scan.

4.5.1. Remote banking

The TBdo module is also responsible for monitoring banking-related processes. It uses dynamic data exchange to check tabs in Firefox and Internet Explorer during the initial scan. A separate TShell module is used to monitor command windows (Internet Explorer or File Explorer).

The module uses the COM interfaces IShellWindows, iWebBrowser, DWebBrowserEvents2 and IConnectionPointContainer to monitor windows. When the user navigates to a new web page, the malware notices this. It then compares the page URL with the patterns above. Having detected a match, the Trojan takes six consecutive screenshots at 5-second intervals and sends them to the C&C command server. The program also checks window names related to banking software; the full list is below:


4.5.2. Smart card

RTM can monitor smart card readers connected to infected computers. These devices are used in some countries to reconcile payment orders. If a device of this type is connected to a computer, it can indicate to the Trojan that the machine is used for banking transactions.

Unlike other banking Trojans, RTM cannot interact with such smart cards. Perhaps this functionality is included in an additional module that we have not yet seen.

4.5.3. Keylogger

An important part of monitoring an infected PC is capturing keystrokes. It seems that the RTM developers do not want to miss any information, since they monitor not only regular keys, but also the virtual keyboard and the clipboard.

For this, the SetWindowsHookExA function is used. The attackers log the keys pressed or the keys corresponding to the virtual keyboard, together with the program name and the date. The buffer is then sent to the C&C command server.

The SetClipboardViewer function is used to intercept the clipboard. The hackers log the contents of the clipboard when the data is text. The name and date are also logged before the buffer is sent to the server.

4.5.4. Screenshots

Another function of RTM is screenshot capture. The function is used when the window monitoring module detects a site or banking software of interest. Screenshots are taken using a graphics library and transferred to the command server.

4.6. Uninstallation

The C&C server can stop the malware from running and clean up the computer. The command allows files and registry entries created while RTM was running to be deleted. The DLL is then used to remove the malware and the winlogon file, after which the command shuts down the computer. As the figure below shows, the developers remove the DLL using erase.dll.


The server can send the Trojan a destructive uninstall-lock command. In this case, if it has administrator rights, RTM deletes the MBR boot sector on the hard drive. If this fails, the Trojan tries to move the MBR boot sector to a random sector; the computer is then unable to boot the OS after shutdown. This can lead to a complete reinstallation of the OS, which means destruction of evidence.

Without administrator privileges, the malware writes an .EXE encoded in the underlying RTM DLL. The executable runs the code needed to shut down the computer and registers the module in the HKCU\CurrentVersion\Run registry key. Each time the user starts a session, the computer shuts down immediately.

4.7. Configuration file

By default, RTM has no configuration file, but the command and control server can send configuration values that are stored in the registry and used by the program. The list of configuration keys is given in the table below:


The configuration is stored in the Software\[Pseudo-random] registry key. Each value corresponds to one of the rows in the previous table. Values and data are encrypted using RTM's RC4 algorithm.

The data has the same structure as the network or string data. A four-byte XOR key is added to the beginning of the encrypted data. For configuration values, the XOR key is different and depends on the size of the value. It can be calculated as follows:

xor_key = (len(config_value) << 24) | (len(config_value) << 16) | len(config_value) | (len(config_value) << 8)

4.8. Other functions

Next, let's look at the other functions that RTM supports.

4.8.1. Additional modules

The Trojan includes additional modules, which are DLL files. Modules sent from the C&C command server can be executed as external programs, reflected into RAM and launched in a new thread. For storage, modules are saved in .dtt files and encoded using the RC4 algorithm with the same key used for network communication.

So far we have seen the deployment of the VNC module (8966319882494077C21F66A8354E2CBCA0370464), a browser data extraction module (03DE8622BE6B2F75A364A275995C3411626C4D9E1C2D1F and 562D1E69C6D58F88753F) FC7FBA0 B3BE4DXNUMXBXNUMXEXNUMXCFAB).

To install the VNC module, the C&C server issues a command requesting connections to the VNC server at a specific IP address on port 44443. The browser data retrieval plugin runs TBrowserDataCollector, which can read the IE browsing history. It then sends the full list of visited URLs to the C&C command server.

The last module discovered is called 1c_2_kl. It can interact with the 1C Enterprise software package. The module consists of two parts: the main part, a DLL, and two agents (32- and 64-bit) that are injected into every process by registering a WH_CBT hook. Once injected into the 1C process, the module hooks the CreateFile and WriteFile functions. Whenever the hooked CreateFile function is called, the module stores the path of the file 1c_to_kl.txt in memory. After intercepting the WriteFile call, it calls the WriteFile function and sends the path of 1c_to_kl.txt to the main DLL module by passing a crafted Windows WM_COPYDATA message.

The main DLL module opens and parses the file to determine the payment details. It recognises the amount and the transaction number contained in the file. This information is sent to the command server. We believe this module is still under development, since it contains a debug message and cannot automatically modify 1c_to_kl.txt.

4.8.2. Privilege escalation

RTM may try to escalate privileges by displaying false error messages. The malware imitates a registry check (see figure below) or uses a genuine registry editor icon. Note the misspelling of "wait" as "whait". After a few seconds of scanning, the program displays a false error message.



The false message will easily deceive the average user, despite its grammatical errors. If the user clicks on one of the two links, RTM attempts to escalate its privileges in the system.

After the user selects one of the two recovery options, the Trojan launches the DLL using the runas option of the ShellExecute function with administrator privileges. The user sees a Windows prompt (see figure below) for elevation. If the user grants the required permissions, the Trojan runs with administrator privileges.


Depending on the default language installed on the system, the Trojan displays the error messages in Russian or English.

4.8.3. Certificate

RTM can add certificates to the Windows certificate store and confirm the addition by automatically clicking the "yes" button in the csrss.exe dialog box. This behaviour is not new; for example, the Retefe banking Trojan also independently confirms the installation of a new certificate.

4.8.4. Reverse connection

The RTM authors also created a Backconnect TCP channel. We have not yet seen it in use, but it is designed for remote monitoring of infected PCs.

4.8.5. Hosts file management

The C&C server can send the Trojan a command to modify the Windows hosts file. The hosts file is used to create custom DNS resolutions.

4.8.6. Find and send a file

The server can request a search for, and the upload of, a file on the infected system. For example, during the research we received a request for the file 1c_to_kl.txt. As described earlier, this file is generated by the 1C: Enterprise 8 accounting system.

4.8.7. Update

Finally, the RTM authors can update the software by sending a new DLL to replace the current version.

5. Conclusion

Research on RTM shows that Russian banking systems still attract cyber attackers. Groups such as Buhtrap, Corkow and Carbanak successfully steal money from financial institutions and their customers in Russia. RTM is a new player in this field.

RTM's malicious tools have been in use since at least late 2015, according to ESET telemetry. The program has a full range of spying capabilities, including reading smart cards, intercepting keystrokes and monitoring banking transactions, as well as searching for 1C: Enterprise 8 transport files.

The use of a decentralised, unregulated .bit domain for C&C gives the group highly resilient infrastructure.

Source: www.habr.com
