RATKing: a new campaign with remote access Trojans
At the end of May, we discovered a campaign distributing Remote Access Trojan (RAT) malware, which lets attackers control the infected system.
The group we investigated stood out because it did not settle on any single RAT family for infection. Several Trojans were observed in attacks within the campaign (all of them widely available). This feature reminded us of the rat king, a mythical creature made up of rats whose tails are intertwined.
Original taken from K. N. Rossikov's monograph "Mice and mouse-like rodents of greatest economic importance" (1908)
All attacks in this campaign followed the same sequence:
The user received a phishing email with a Google Drive link.
Following the link, the victim downloaded a malicious VBS script that wrote a DLL library for loading the final payload into the Windows registry and launched PowerShell to execute it.
The DLL library injected the final payload (specifically, one of the RATs used by the attackers) into a system process and registered the VBS script in autorun to maintain persistence on the infected machine.
The final payload ran inside the system process and gave the attacker the ability to control the infected computer.
Schematically, this can be represented as follows:
Below we look at the first three stages, since we are interested in the malware delivery mechanism. We will not describe the malware itself in detail. These RATs are widely available, either sold on specialized forums or distributed as open-source projects, and so are not specific to the RATKing group.
Analysis of the attack stages
Stage 1. Phishing email
The attack began when the victim received a malicious email (the attackers used several templates with different text; the screenshot below shows one example). The message contained a link to the legitimate site drive.google.com, which supposedly led to a download page for a PDF document.
Example of a phishing email
In reality, however, what was downloaded was not a PDF document at all but a VBS script.
Within this campaign we found, for example, a script named Cargo Trip Detail.pdf.vbs. It could pass for a legitimate PDF because Windows hides file extensions by default. In this case, though, the icon should have raised suspicion, since it is the one used for VBS scripts.
The VBS script, which the user could open without realizing it, wrote a DLL library to the Windows registry. The script was obfuscated: the strings in it were written as bytes separated by an arbitrary character.
Example of an obfuscated script
The deobfuscation scheme is simple: every third character is removed from the obfuscated string, and the result is then decoded from base16 into the original string. For example, the value 57Q53s63t72s69J70r74e2El53v68m65j6CH6Ct (shown in the screenshot above) yields the string WScript.Shell.
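The string deobfuscation described above, as an added Python example that is not part of the original post. The function names are mine; the default step of 3 matches the filler position in the sample value, and guess_step is a heuristic for samples where the filler position differs:

```python
import re
from typing import Optional

HEX_RE = re.compile(r"[0-9A-Fa-f]*")


def deobfuscate(value: str, step: int = 3) -> str:
    """Recover a string stored as hex byte pairs with a filler character.

    Every `step`-th character (1-based) of the obfuscated string is a filler;
    dropping those leaves a base16 string that decodes to the original text.
    Raises ValueError when the remainder is not valid hex, which usually means
    the filler sits at a different position in this sample.
    """
    hex_only = "".join(ch for i, ch in enumerate(value, start=1) if i % step != 0)
    if not HEX_RE.fullmatch(hex_only) or len(hex_only) % 2:
        raise ValueError(f"not base16 after removing every {step}th character")
    return bytes.fromhex(hex_only).decode("latin-1")


def guess_step(value: str, candidates=(3, 4, 5)) -> Optional[int]:
    """Heuristic: return the first filler step that decodes to printable ASCII."""
    for step in candidates:
        try:
            text = deobfuscate(value, step)
        except ValueError:
            continue
        if text and all(32 <= ord(c) < 127 for c in text):
            return step
    return None


# Literal quoted in the post; decodes to "WScript.Shell".
SAMPLE = "57Q53s63t72s69J70r74e2El53v68m65j6CH6Ct"
```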
The script then worked with the Windows registry, using WMI for this. With its help a unique key was created and the body of the executable was written to one of its values. The registry was accessed via WMI with the following command:
The PowerShell script that the VBS script then launched:
read the registry value named rnd_value_name; this data was a DLL file written for the .Net platform;
loaded the resulting .Net module into the memory of the powershell.exe process using [System.Threading.Thread]::GetDomain().Load() (a detailed description of the Load() method is available on the Microsoft website);
called the function [GUyyvmzVhebFCw]::EhwwK(), which started execution of the DLL library, with the parameters vbsScriptPath, xorKey and vbsScriptName. The xorKey parameter held the key for decrypting the final payload, and the vbsScriptPath and vbsScriptName parameters were passed on to register the VBS script in autorun.
Description of the DLL library
In obfuscated form, the loader looks like this:
The loader in obfuscated form (the function that starts execution of the DLL library is underlined in red)
The loader is protected with the .Net Reactor protector. The de4dot tool does an excellent job of removing this protector.
This loader:
injected the payload into a system process (in this sample, svchost.exe);
added the VBS script to autorun.
Payload injection
Let's look at the function that the PowerShell script called.
The function called by the PowerShell script
This function did the following:
decrypted two data sets (array and array2 in the screenshot). They had first been compressed with gzip and then encrypted with an XOR algorithm using the key xorKey;
called the function CallWindowProcA (a description of this function is available on the Microsoft website) with the following parameters (the parameter names are listed below; in the screenshot they appear in the same order but with the actual values):
lpPrevWndFunc - a pointer to the data from array2;
hWnd - a pointer to a string containing the path to the svchost.exe executable;
Msg - a pointer to the data from array;
wParam, lParam - message parameters (in this case they were not used and were set to 0);
created the file %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\<name>.url, where <name> is the first 4 characters of the vbsScriptName parameter (in the screenshot, the code fragment for this begins with the File.Copy call). In this way the malware added a URL file to the set of files launched at user logon and so persisted on the infected computer. The URL file contained a link to the script:
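A decoder for the array/array2 blobs described above, as an added Python example that is not part of the original post or the loader's own code. It assumes a byte-wise repeating-key XOR with xorKey (the post does not state the key schedule) and builds a constructed sample so it runs offline:

```python
import gzip


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Assumption: the loader repeats xorKey over the data."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_payload(blob: bytes, xor_key: str) -> bytes:
    """Undo the loader's transformation: XOR-decrypt, then gunzip.

    Checking for the gzip magic (1f 8b) after the XOR step is a cheap way to
    confirm the key before handing the buffer to the decompressor.
    """
    plain = xor_bytes(blob, xor_key.encode())
    if plain[:2] != b"\x1f\x8b":
        raise ValueError("XOR output lacks gzip magic: wrong key or key schedule")
    return gzip.decompress(plain)


def encode_payload(data: bytes, xor_key: str) -> bytes:
    """Forward transformation (gzip, then XOR); used here only to build the sample."""
    return xor_bytes(gzip.compress(data), xor_key.encode())


def looks_like_pe(data: bytes) -> bool:
    """True when the decoded buffer starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


# Constructed stand-in for the 'array' blob and the xorKey parameter.
SAMPLE_KEY = "xorKey-constructed"
SAMPLE_PLAIN = b"MZ" + b"\x00" * 62 + b"constructed stand-in for an injected PE image"
SAMPLE_BLOB = encode_payload(SAMPLE_PLAIN, SAMPLE_KEY)
```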
As a result of the actions described above, one of several RAT-type malware families was installed on the infected system. The table below lists the malware used in the attacks that we can confidently attribute to a single group of attackers, since the samples contacted the same command-and-control server.
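A check for the Startup-folder persistence artifact described above, as an added Python example that is not part of the original post. It assumes the standard Internet Shortcut format ([InternetShortcut] section with a URL= line) and scans a constructed Startup folder in a temporary directory:

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions run by the Windows Script Host or command shells; a .url in
# Startup whose target has one of these is the pattern the loader leaves behind.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}


def url_target(url_file: Path) -> Optional[str]:
    """Return the URL= value of an Internet Shortcut file, or None if absent."""
    for line in url_file.read_text(encoding="utf-8", errors="replace").splitlines():
        if line.strip().lower().startswith("url="):
            return line.strip()[4:].strip()
    return None


def suspicious_startup_shortcuts(startup_dir: Path) -> List[Tuple[str, str]]:
    """List (file name, target) for .url files whose target is a local script."""
    findings = []
    for entry in sorted(startup_dir.glob("*.url")):
        target = url_target(entry)
        if not target:
            continue
        # Drop any query string and normalise separators before taking the extension.
        ext = os.path.splitext(target.split("?", 1)[0].replace("\\", "/"))[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            findings.append((entry.name, target))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a constructed Startup folder and scan it (file contents are assumed)."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp)
        # "Carg" = first 4 characters of the script name, as the post describes.
        (startup / "Carg.url").write_text(
            "[InternetShortcut]\nURL=file:///C:/Users/victim/Downloads/Cargo Trip Detail.pdf.vbs\n"
        )
        (startup / "Docs.url").write_text("[InternetShortcut]\nURL=https://example.com/\n")
        return suspicious_startup_shortcuts(startup)
```

On a live host, point suspicious_startup_shortcuts at Path(os.environ["APPDATA"]) / "Microsoft/Windows/Start Menu/Programs/Startup" instead of the temporary folder.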
To create the VBS scripts, the group presumably uses a tool similar to the VBS-Crypter utility from the developer NYAN-x-CAT. This is suggested by the similarity between the scripts this program generates and the attackers' scripts. In particular, both:
use a Sleep delay;
use WMI;
write the body of the executable file into a registry value;
execute this file from the registry using PowerShell, in its own address space.
For comparison, here is the PowerShell command for running a file from the registry as used by a script generated with VBS-Crypter:
Note that the attackers used another tool from NYAN-x-CAT, LimeRAT, as one of the payloads.
The C&C server addresses reveal another characteristic feature of RATKing: the group prefers dynamic DNS services (see the list of C&C servers in the IoC table).
IoC
The table below gives the full list of VBS scripts that can be attributed to the campaign described here. All of these scripts are similar and perform the same sequence of actions. All of them inject RAT malware into a trusted Windows process. All of them have C&C addresses registered through Dynamic DNS services.
However, we cannot claim that all of these scripts were distributed by the same attackers, except for samples with matching C&C addresses (for example, kimjoy007.dyndns.org).