How the Android Trojan Gustuff skims the cream (fiat and crypto) off your accounts


Group-IB recently reported on the activity of the Android mobile Trojan Gustuff. It operates in international markets, attacking customers of the 100 largest foreign banks, users of 32 mobile cryptocurrency wallets, and large e-commerce resources. Gustuff's developer, however, is a Russian-speaking cybercriminal known online under the handle Bestoffer. Until recently he praised his Trojan as "a top-tier product for people with knowledge and experience."

Ivan Pisarev, malware code analyst at Group-IB, describes in detail in his study how Gustuff works and how dangerous it is.

Who does Gustuff hunt?

Gustuff belongs to a new generation of malware with fully automated functionality. According to the developer, the Trojan is a new, improved version of the AndyBot malware, which since November 2017 has been attacking Android phones and stealing money through phishing web forms disguised as the mobile apps of well-known international banks and payment systems. Bestoffer stated that the rental price of the Gustuff Bot was $800 per month.

Analysis of a Gustuff sample showed that the Trojan can potentially target customers using the mobile applications of the largest banks, such as Bank of America, Bank of Scotland, JPMorgan, Wells Fargo, Capital One, TD Bank and PNC Bank, as well as cryptocurrency wallets: Bitcoin Wallet, BitPay, Cryptopay, Coinbase, etc.

Originally created as a classic banking Trojan, in its current version Gustuff has significantly expanded its list of potential targets. In addition to the Android apps of banks, fintech companies and crypto services, Gustuff targets users of marketplace apps, online stores, payment systems and instant messengers. In particular: PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut and others.

Entry point: built for mass infection

Gustuff uses the "classic" vector for infecting Android smartphones: SMS messages containing links to APK files. Once an Android device is infected with the Trojan, on command from the server Gustuff can spread further through the contact list of the infected phone or through the server's database. Gustuff's functionality is designed for mass infection and for maximizing the profit of its operators' business: it has a unique "autofill" function for legitimate mobile banking apps and cryptocurrency wallets, which speeds up and scales the theft of money.

Study of the Trojan showed that the autofill function is implemented using the Accessibility Service, a service intended for people with disabilities. Gustuff is not the first Trojan to successfully bypass the protection against interaction with other applications' windows by using this Android service. However, the use of the Accessibility Service in combination with autofill was previously quite rare.

After being downloaded to the victim's phone, Gustuff uses the Accessibility Service to interact with the window elements of other applications (banking, cryptocurrency, online shopping, messaging apps, etc.), performing the actions the attackers need. For example, on command from the server, the Trojan can press buttons and change the values of text fields in banking apps. Using the Accessibility Service mechanism allows the Trojan to bypass the protection mechanisms that banks use against the previous generation of mobile Trojans, as well as the changes to the security policy that Google introduced in new versions of Android OS. Thus, Gustuff "knows how" to disable Google Protect: according to the author, this function works in 70% of cases.


Gustuff can also show fake PUSH notifications with the icons of legitimate mobile apps. The user taps the PUSH notification and sees a phishing window downloaded from the server, where they enter the requested bank card or crypto wallet details. In another Gustuff scenario, the application on whose behalf the PUSH notification was shown is opened. In this case the malware, on command from the server, can fill in the fields of the banking application's form through the Accessibility Service to carry out a fraudulent transaction.

Gustuff's functionality also includes sending information about the infected device to the server, reading and sending SMS messages, sending USSD requests, launching a SOCKS5 proxy, following a link, sending files (including photos, documents and screenshots) to the server, and resetting the device to factory settings.

Malware analysis

Before installing the malicious application, Android OS shows the user a window with the list of permissions requested by Gustuff:

The application will be installed only after the user gives consent. After launch, the Trojan shows the user a window:

After which it removes its icon.

Gustuff is packed, according to the author, with the packer from FTT. After launch, the application periodically contacts the CnC server to receive commands. Several of the files we examined used the IP address 88.99.171[.]105 as the control server (hereinafter we denote it as <%CnC%>).

After launch, the application starts sending messages to the server at http://<%CnC%>/api/v1/get.php.

The response is expected to be JSON of the following form:

{
    "results": "OK",
    "command": {
        "id": "<%id%>",
        "command": "<%command%>",
        "timestamp": "<%Server Timestamp%>",
        "params": {
            <%Command parameters as JSON%>
        }
    }
}

Each time the application checks in, it sends information about the infected device. The message format is shown below. It is worth noting that the fields full, extra, apps and permission are optional and are sent only when requested by a command from the CnC.

{
    "info":
    {
        "info":
        {
            "cell":<%Sim operator name%>,
            "country":<%Country ISO%>,
            "imei":<%IMEI%>,
            "number":<%Phone number%>,
            "line1Number":<%Phone number%>,
            "advertisementId":<%ID%>
        },
        "state":
        {
            "admin":<%Has admin rights%>,
            "source":<%String%>,
            "needPermissions":<%Application needs permissions%>,
            "accesByName":<%Boolean%>,
            "accesByService":<%Boolean%>,
            "safetyNet":<%String%>,
            "defaultSmsApp":<%Default Sms Application%>,
            "isDefaultSmsApp":<%Current application is Default Sms Application%>,
            "dateTime":<%Current date time%>,
            "batteryLevel":<%Battery level%>
        },
        "socks":
        {
            "id":<%Proxy module ID%>,
            "enabled":<%Is enabled%>,
            "active":<%Is active%>
        },
        "version":
        {
            "versionName":<%Package Version Name%>,
            "versionCode":<%Package Version Code%>,
            "lastUpdateTime":<%Package Last Update Time%>,
            "tag":<%Tag, default value: "TAG"%>,
            "targetSdkVersion":<%Target Sdk Version%>,
            "buildConfigTimestamp":1541309066721
        },
    },
    "full":
    {
        "model":<%Device Model%>,
        "localeCountry":<%Country%>,
        "localeLang":<%Locale language%>,
        "accounts":<%JSON array, contains from "name" and "type" of accounts%>,
        "lockType":<%Type of lockscreen password%>
    },
    "extra":
    {
        "serial":<%Build serial number%>,
        "board":<%Build Board%>,
        "brand":<%Build Brand%>,
        "user":<%Build User%>,
        "device":<%Build Device%>,
        "display":<%Build Display%>,
        "id":<%Build ID%>,
        "manufacturer":<%Build manufacturer%>,
        "model":<%Build model%>,
        "product":<%Build product%>,
        "tags":<%Build tags%>,
        "type":<%Build type%>,
        "imei":<%imei%>,
        "imsi":<%imsi%>,
        "line1number":<%phonenumber%>,
        "iccid":<%Sim serial number%>,
        "mcc":<%Mobile country code of operator%>,
        "mnc":<%Mobile network code of operator%>,
        "cellid":<%GSM-data%>,
        "lac":<%GSM-data%>,
        "androidid":<%Android Id%>,
        "ssid":<%Wi-Fi SSID%>
    },
    "apps":{<%List of installed applications%>},
    "permission":<%List of granted permissions%>
} 

Storing settings

Gustuff stores important information in a preferences file. The file name, as well as the names of the parameters inside it, are the result of computing the MD5 hash of the string 15413090667214.6.1<%name%>, where <%name%> is the original name. A Python interpretation of the name generation function:

import hashlib

def nameGenerator(input):
    # MD5 hex digest of the fixed prefix concatenated with the original name
    return hashlib.md5(("15413090667214.6.1" + input).encode("utf-8")).hexdigest()

Hereafter we denote it as nameGenerator(input).
Thus the name of the preferences file is nameGenerator("API_SERVER_LIST"), and it contains values with the following names:

Variable name - Value
nameGenerator("API_SERVER_LIST") - Contains the list of CnC addresses as an array.
nameGenerator("API_SERVER_URL") - Contains the CnC address.
nameGenerator("SMS_UPLOAD") - The flag is set by default. If the flag is set, SMS messages are sent to the CnC.
nameGenerator("SMS_ROOT_NUMBER") - The phone number to which SMS messages received by the infected device are forwarded. Empty by default.
nameGenerator("SMS_ROOT_NUMBER_RESEND") - The flag is cleared by default. If set, an SMS received by the infected device is forwarded to the root number.
nameGenerator("DEFAULT_APP_SMS") - The flag is cleared by default. If this flag is set, the application processes incoming SMS messages.
nameGenerator("DEFAULT_ADMIN") - The flag is cleared by default. If the flag is set, the application has administrator rights.
nameGenerator("DEFAULT_ACCESSIBILITY") - The flag is cleared by default. If the flag is set, the service that uses the Accessibility Service is running.
nameGenerator("APPS_CONFIG") - A JSON object containing the list of actions to perform when the Accessibility event bound to a particular application fires.
nameGenerator("APPS_INSTALLED") - Stores the list of applications installed on the device.
nameGenerator("IS_FIST_RUN") - The flag is reset on first launch.
nameGenerator("UNIQUE_ID") - Contains a unique identifier. Generated when the bot is first launched.
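As an added example (not code from the article or from Group-IB), the following Python reproduces the naming scheme described above and, more usefully for an analyst, inverts it: given a key pulled from a preferences file on a device, it maps the MD5 name back to the original setting using the table above. The sample preferences dump at the bottom is constructed for illustration; the only inputs taken from the article are the prefix constant and the setting names.

```python
import hashlib

# Constant prefix that Gustuff prepends to every preference name before hashing
# (value taken from the article).
NAME_PREFIX = "15413090667214.6.1"

# Setting names documented in the table above.
KNOWN_NAMES = [
    "API_SERVER_LIST", "API_SERVER_URL", "SMS_UPLOAD", "SMS_ROOT_NUMBER",
    "SMS_ROOT_NUMBER_RESEND", "DEFAULT_APP_SMS", "DEFAULT_ADMIN",
    "DEFAULT_ACCESSIBILITY", "APPS_CONFIG", "APPS_INSTALLED", "IS_FIST_RUN",
    "UNIQUE_ID",
]


def name_generator(name: str) -> str:
    """The Trojan's naming scheme: MD5 hex digest of prefix + original name."""
    return hashlib.md5((NAME_PREFIX + name).encode("utf-8")).hexdigest()


# Reverse table (obfuscated key -> original name), built once at import time.
HASH_TO_NAME = {name_generator(n): n for n in KNOWN_NAMES}


def identify_key(obfuscated: str):
    """Map a key found in a preferences file back to its original name, or None."""
    return HASH_TO_NAME.get(obfuscated.lower())


def label_preferences(prefs: dict) -> dict:
    """Re-label a dumped preferences map; keys that are not recognised stay as they are."""
    return {identify_key(k) or k: v for k, v in prefs.items()}


if __name__ == "__main__":
    # Constructed example of a preferences dump; the values are made up.
    dumped = {
        name_generator("UNIQUE_ID"): "constructed-bot-id",
        name_generator("SMS_UPLOAD"): True,
        "0" * 32: "unrelated key",
    }
    print("preferences file name:", name_generator("API_SERVER_LIST"))
    for key, value in label_preferences(dumped).items():
        print(f"{key}: {value}")
```

The reverse table is the part worth keeping: it lets a forensic examiner confirm, from the key names alone, that an XML preferences file on a device belongs to this family and which flags (for example SMS_UPLOAD) are set.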

Module for processing commands from the server

The application stores the CnC server addresses as an array of Base85-encoded strings. The list of CnC servers can be changed upon receiving the corresponding command, in which case the addresses are saved to the preferences file.

In response to the request, the server sends a command to the application. Note that commands and their parameters are passed in JSON format. The application can process the following commands:

Command - Description
forwardStart - Start sending SMS messages received by the infected device to the CnC server.
forwardStop - Stop sending SMS messages received by the infected device to the CnC server.
ussdRun - Execute a USSD request. The number to which the USSD request is made is in the JSON field "number".
sendSms - Send one SMS message (if necessary, the message is "split" into parts). As a parameter the command takes a JSON object with the fields "to" (the destination number) and "body" (the message body).
sendSmsAb - Send SMS messages (if necessary, the message is "split" into parts) to everyone in the contact list of the infected device. The interval between messages is 10 seconds. The message body is in the JSON field "body".
sendSmsMass - Send SMS messages (if necessary, the message is "split" into parts) to the recipients specified in the command parameters. The interval between messages is 10 seconds. As a parameter the command takes a JSON array (the "sms" field) whose elements contain the fields "to" (the destination number) and "body" (the message body).
changeServer - This command can take as a parameter a value with the key "url", in which case the bot changes the value of nameGenerator("SERVER_URL"), or "array", in which case the bot writes the array to nameGenerator("API_SERVER_LIST"). This is how the application changes the CnC server addresses.
adminNumber - The command is designed for working with the root number. It accepts a JSON object with the following parameters: "number" - change nameGenerator("ROOT_NUMBER") to the received value; "resend" - change nameGenerator("SMS_ROOT_NUMBER_RESEND"); "sendId" - send the unique ID to nameGenerator("ROOT_NUMBER").
updateInfo - Send information about the infected device to the server.
wipeData - The command is intended to delete user data. Depending on the user under which the application was launched, either the data is completely erased with a device reboot (primary user), or only the user's data is deleted (secondary user).
socksStart - Start the Proxy module. The module's operation is described in a separate section.
socksStop - Stop the Proxy module.
openLink - Follow a link. The link is in the JSON parameter under the key "url". "android.intent.action.VIEW" is used to open the link.
uploadAllSms - Send all SMS messages received by the device to the server.
uploadAllPhotos - Send images from the infected device to a URL. The URL comes as a parameter.
uploadFile - Send a file from the infected device to a URL. The URL comes as a parameter.
uploadPhoneNumbers - Send phone numbers from the contact list to the server. If a JSON object with the key "ab" arrives as the parameter, the application takes the contact list from the phone book. If a JSON object with the key "sms" arrives as the parameter, the application reads the contact list from the senders of SMS messages.
changeArchive - The application downloads a file from the address that comes as a parameter with the key "url". The downloaded file is saved under the name "archive.zip". The application then unpacks the file, using the archive password "b5jXh37gxgHBrZhQ4j3D" if required. The unpacked files are saved in the [external storage]/hgps directory. In this directory the application stores the web fakes (described below).
actions - The command is designed for working with the Action Service, which is described in a separate section.
test - Does nothing.
download - The command is intended to download a file from a remote server and save it to the "Downloads" directory. The link and the file name come as parameters, in the fields "url" and "fileName" of the JSON parameter object respectively.
remove - Deletes a file from the "Downloads" directory. The file name comes in the JSON parameter with the key "fileName". The default file name is "tmp.apk".
notification - Show a notification with the description and title texts defined by the control server.

Format of the notification command:

{
    "results": "OK",
    "command": {
        "id": <%id%>,
        "command": "notification",
        "timestamp": <%Server Timestamp%>,
        "params": {
            "openApp": <%Open original app or not%>,
            "array": [
                {
                    "title": <%Title text%>,
                    "desc": <%Description text%>,
                    "app": <%Application name%>
                }
            ]
        }
    }
}

The notification generated by the file under study looks identical to notifications generated by the application specified in the app field. If the value of the openApp field is True, then when the notification is opened the application specified in the app field is launched. If the value of the openApp field is False, then:

  • A phishing window opens whose contents are loaded from the directory <%external storage%>/hgps/<%filename%>
  • A phishing window opens whose contents are loaded from the server <%url%>?id=<%Bot id%>&app=<%Application name%>
  • A phishing window styled as a Google Play Card opens, with the option of entering card details.

The application sends the result of executing any command to <%CnC%>set_state.php as a JSON object of the following form:

{
    "command":
    {
        "command":<%command%>,
        "id":<%command_id%>,
        "state":<%command_state%>
    },
    "id":<%bot_id%>
}

ActionsService
The list of commands the application handles includes the actions command. When the command is received, the command processing module turns to this service to execute the extended command. The service accepts a JSON object as a parameter. The service can execute the following commands:

1. PARAMS_ACTION - on receiving such a command, the service first reads from the JSON parameter the value of the Type key, which can be one of the following:

  • serviceInfo - the subcommand reads from the JSON parameter the value with the key includeNotImportant. If the flag is true, the application sets the FLAG_ISOLATED_PROCESS flag on the service that works with the Accessibility Service. In this way the service is launched in a different manner.
  • root - obtain and send to the server information about the window currently in focus. The application obtains the information using the AccessibilityNodeInfo class.
  • admin - request administrator rights.
  • delay - suspend the ActionsService for the number of milliseconds specified in the "data" key of the parameter.
  • windows - send the list of windows visible to the user.
  • install - install an application on the infected device. The name of the archive package is in the "fileName" key. The archive itself is in the Downloads directory.
  • global - the subcommand is intended for navigating from the current window:
    • to the Quick Settings menu
    • back
    • home
    • to the notifications
    • to the window of recently opened applications

  • launch - launch an application. The application name comes as a parameter with the key data.
  • sound - switch the sound mode to silent.
  • unlock - turns on the backlight of the screen and keyboard to full brightness. The application does this using a WakeLock, specifying the string [Application Label]:INFO as the tag.
  • permitOverlay - the function is not implemented (the response to the command is {"message":"Not support"} or {"message":"low sdk"})
  • gesture - the function is not implemented (the response to the command is {"message":"Not support"} or {"message":"Low API"})
  • permissions - the command is meant to request permissions for the application. However, the request handler is not implemented, so the command makes no sense. The list of requested permissions comes as a JSON array with the key "permissions". The default list:
    • android.permission.READ_PHONE_STATE
    • android.permission.READ_CONTACTS
    • android.permission.CALL_PHONE
    • android.permission.RECEIVE_SMS
    • android.permission.SEND_SMS
    • android.permission.READ_SMS
    • android.permission.READ_EXTERNAL_STORAGE
    • android.permission.WRITE_EXTERNAL_STORAGE

  • open - show a phishing window. Depending on the parameters coming from the server, the application can show the following windows:
    • A phishing window whose contents are taken from a file in the directory <%external storage%>/hgps/<%param_filename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
    • A phishing window whose contents are loaded from the address <%url_param%>?id=<%bot_id%>&app=<%packagename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
    • A phishing window styled as a Google Play Card.

  • interactive - the command is intended for interaction with the windows of other applications through the AccessibilityService. A dedicated service is implemented in the application for this interaction. The application under study can interact with windows that are:
    • Currently active. In this case the parameter contains the id or the text (name) of the element to interact with.
    • Visible to the user at the moment the command is executed. The application selects windows by id.

    Having obtained AccessibilityNodeInfo objects for the window elements of interest, the application, depending on the parameters, can perform the following actions:

    • focus - set focus on the element.
    • click - click on the element.
    • actionId - perform an action by its ID.
    • setText - change the text of the element. The text can be changed in two ways: with the ACTION_SET_TEXT action (if the device's Android version is greater than or equal to LOLLIPOP), or by placing the string on the clipboard and pasting it into the element (for older versions). This command can be used to change data in a banking application.

2. PARAMS_ACTIONS - the same as PARAMS_ACTION, except that a JSON array of commands arrives.

Many readers will probably be interested in what the function for interacting with another application's window looks like. This is how it is implemented in Gustuff (decompiled listing):

boolean interactiveAction(List aiList, JSONObject action, JsonObject res) {
    // How many times the action is applied to each node; defaults to 1.
    // (The decompiler emitted the same name "count" for this variable and for
    // the success counter below; it is renamed here so the listing is consistent.)
    int repeat = action.optInt("repeat", 1);
    Iterator aiListIterator = ((Iterable)aiList).iterator();
    // Number of actions that performAction() reported as successful.
    int count = 0;
    while(aiListIterator.hasNext()) {
        Object ani = aiListIterator.next();
        if(1 <= repeat) {
            int index;
            for(index = 1; true; ++index) {
                if(action.has("focus")) {
                    // 1 == AccessibilityNodeInfo.ACTION_FOCUS
                    if(((AccessibilityNodeInfo)ani).performAction(1)) {
                        ++count;
                    }
                }
                else if(action.has("click")) {
                    // 16 == AccessibilityNodeInfo.ACTION_CLICK
                    if(((AccessibilityNodeInfo)ani).performAction(16)) {
                        ++count;
                    }
                }
                else if(action.has("actionId")) {
                    // Arbitrary accessibility action id supplied by the server
                    if(((AccessibilityNodeInfo)ani).performAction(action.optInt("actionId"))) {
                        ++count;
                    }
                }
                else if(action.has("setText")) {
                    customHeader ch = CustomAccessibilityService.a;
                    Context context = this.getApplicationContext();
                    String text = action.optString("setText");
                    if(performSetTextAction(ch, context, ((AccessibilityNodeInfo)ani), text)) {
                        ++count;
                    }
                }
                if(index == repeat) {
                    break;
                }
            }
        }
        ((AccessibilityNodeInfo)ani).recycle();
    }
    // The number of successful actions is reported back in the "res" field.
    res.addPropertyNumber("res", Integer.valueOf(count));
    // The return statement was not recovered by the decompiler.
}

The text replacement function:

boolean performSetTextAction(Context context, AccessibilityNodeInfo ani, String text) {
    boolean result;
    if(Build.VERSION.SDK_INT >= 21) {  // LOLLIPOP and newer
        Bundle b = new Bundle();
        b.putCharSequence("ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE", ((CharSequence)text));
        result = ani.performAction(0x200000, b);  // ACTION_SET_TEXT
    }
    else {
        // Older versions: put the string on the clipboard and paste it into the element
        Object clipboard = context.getSystemService("clipboard");
        if(clipboard != null) {
            ((ClipboardManager)clipboard).setPrimaryClip(ClipData.newPlainText("autofill_pm", ((CharSequence)text)));
            result = ani.performAction(0x8000);  // ACTION_PASTE
        }
        else {
            result = false;
        }
    }
    return result;
}

Thus, with the right configuration on the control server, Gustuff can fill in text fields in a banking application and press the buttons needed to complete a transaction. The Trojan does not even need to authenticate in the application: it is enough to send a command to show a PUSH notification and then open the previously installed banking app. The user authenticates themselves, after which Gustuff can perform the autofill.

SMS processing module

The application registers a handler for SMS messages received by the device. The application under study can receive commands from the operator in the body of an SMS message. Commands come in the format:

7!5=<%Base64 encoded command%>

The application searches all incoming SMS messages for the string 7!5=; when the string is found, it Base64-decodes the string starting at offset 4 and executes the command. The commands are the same as those from the CnC. The result of execution is sent to the number the command came from. Response format:

7*5=<%Base64 encode of "result_code command"%>
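An added example (not from the article or from Group-IB) of how a defender can use the two SMS markers described above when triaging an SMS export from a suspect device: it locates the marker, strictly Base64-decodes what follows (rejecting non-Base64 text, which the Trojan would also fail to decode), and splits bot replies into their result code and command. The message list at the bottom is constructed; the only facts taken from the article are the marker strings, the offset, and the "result_code command" reply layout.

```python
import base64
import binascii

# Markers of the SMS command channel described above.
CMD_MARKER = "7!5="    # operator -> bot, followed by a Base64-encoded command
REPLY_MARKER = "7*5="  # bot -> operator, followed by Base64 "result_code command"


def _decode_after(marker: str, text: str):
    """Return the decoded Base64 payload that follows `marker` in `text`, or None."""
    pos = text.find(marker)
    if pos < 0:
        return None
    payload = text[pos + len(marker):].strip()
    try:
        # validate=True rejects anything outside the Base64 alphabet (the bot's
        # decoder would likewise fail on such input)
        return base64.b64decode(payload, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def extract_sms_command(body: str):
    """Decode an operator command carried in an SMS body; None if there is none."""
    return _decode_after(CMD_MARKER, body)


def extract_sms_reply(body: str):
    """Decode a bot reply; returns (result_code, command) or None."""
    decoded = _decode_after(REPLY_MARKER, body)
    if decoded is None:
        return None
    code, _, command = decoded.partition(" ")
    return code, command


def scan_sms_dump(messages):
    """Flag entries of an exported SMS list that look like Gustuff command traffic."""
    hits = []
    for msg in messages:
        body = msg["body"]
        command = extract_sms_command(body)
        if command is not None:
            hits.append((msg["from"], "command", command))
            continue
        reply = extract_sms_reply(body)
        if reply is not None:
            hits.append((msg["from"], "reply", reply))
    return hits


# Constructed sample SMS export; numbers and contents are made up for illustration.
SAMPLE_SMS = [
    {"from": "+10000000001", "body": "lunch at 12?"},
    {"from": "+10000000002", "body": CMD_MARKER + base64.b64encode(b'{"command":"test"}').decode()},
    {"from": "+10000000003", "body": CMD_MARKER + "not base64 !!!"},
    {"from": "+10000000004", "body": REPLY_MARKER + base64.b64encode(b"OK test").decode()},
]

if __name__ == "__main__":
    for hit in scan_sms_dump(SAMPLE_SMS):
        print(hit)
```

Because the marker is searched for anywhere in the body, an innocent message that happens to contain it followed by valid Base64 would also be flagged; in practice that is rare, and the decoded payload (a JSON command, or a result code) makes true hits easy to recognise.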

Optionally, the application can forward all received messages to the Root number. For this, the Root number must be specified in the preferences file and the message forwarding flag must be set. SMS messages are sent to the attacker's number in the format:

<%From number%> - <%Time, format: dd/MM/yyyy HH:mm:ss%> <%SMS body%>

Also optionally, the application can send messages to the CnC. SMS messages are sent to the server in JSON format:

{
    "id":<%BotID%>,
    "sms":
    {
        "text":<%SMS body%>,
        "number":<%From number%>,
        "date":<%Timestamp%>
    }
}

If the nameGenerator("DEFAULT_APP_SMS") flag is set, the application stops processing the SMS message and clears the list of incoming messages.

Proxy module

The application under study contains a Backconnect Proxy module (hereinafter the Proxy module), implemented as a separate class whose static fields hold the configuration. The configuration values are stored in the sample in plain form:

All actions performed by the Proxy module are logged to files. For this purpose the application creates a directory named "logs" in External Storage (the ProxyConfigClass.logsDir field of the configuration class), in which the log files are kept. Logging goes to files with the following names:

  1. main.txt - the activity of the class named CommandServer is logged to this file. Below, writing a string to this file is referred to as mainLog(str).
  2. session-<%id%>.txt - this file keeps the log of a particular proxy session. Below, writing a string to this file is referred to as sessionLog(str).
  3. server.txt - this file receives everything written to the files described above.

Log data format:

<%Date%> [Thread[<%thread id%>], id[]]: log-string

Exceptions that occur during the operation of the Proxy module are also logged to a file. For this purpose the application builds a JSON object of the following form:

{
    "uncaughtException":<%short description of throwable%>,
    "thread":<%thread%>,
    "message":<%detail message of throwable%>,
    "trace":        //Stack trace info
        [
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            },
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            }
        ]
}

It is then converted to its string representation and written to the log.

The Proxy module is launched after the corresponding command is received. When the command to start the Proxy module arrives, the application starts a service named MainService, which is responsible for managing the Proxy module: starting and stopping it.

Service start stages:

1. Starts a timer that fires once a minute and checks whether the Proxy module is active. If the module is not active, it starts it.
The Proxy module is also started when the android.net.conn.CONNECTIVITY_CHANGE event fires.

2. The application creates a wake-lock with the PARTIAL_WAKE_LOCK parameter and acquires it. This prevents the device's CPU from going to sleep.

3. Starts the class that controls the Proxy module, first logging the line mainLog("start server") and

Server::start() host[<%proxy_cnc%>], commandPort[<%command_port%>], proxyPort[<%proxy_port%>]

where proxy_cnc, command_port and proxy_port are parameters obtained from the Proxy server configuration.

The command processing class is called CommandConnection. Immediately after start it performs the following actions:

4. Connects to ProxyConfigClass.host:ProxyConfigClass.commandPort and sends information about the infected device in JSON format:

{
    "id":<%id%>,
    "imei":<%imei%>,
    "imsi":<%imsi%>,
    "model":<%model%>,
    "manufacturer":<%manufacturer%>,
    "androidVersion":<%androidVersion%>,
    "country":<%country%>,
    "partnerId":<%partnerId%>,
    "packageName":<%packageName%>,
    "networkType":<%networkType%>,
    "hasGsmSupport":<%hasGsmSupport%>,
    "simReady":<%simReady%>,
    "simCountry":<%simCountry%>,
    "networkOperator":<%networkOperator%>,
    "simOperator":<%simOperator%>,
    "version":<%version%>
}

Where:

  • id - identifier; the application tries to read the value of the "id" field from the shared preferences file named "x". If the value is not found, it generates a new one. Thus the Proxy module has its own identifier, generated in the same way as the Bot ID.
  • imei - the IMEI of the device. If an error occurs while obtaining the value, an error message is written in place of this field.
  • imsi - the International Mobile Subscriber Identity of the device. If an error occurs while obtaining the value, an error message is written in place of this field.
  • model - the end-user-visible name of the end product.
  • manufacturer - the manufacturer of the product/hardware (Build.MANUFACTURER).
  • androidVersion - a string of the form "<%release_version%> (<%os_version%>),<%sdk_version%>"
  • country - the current location of the device.
  • partnerId - an empty string.
  • packageName - the package name.
  • networkType - the type of the current network connection (for example: "WIFI", "MOBILE"). Returns null in case of error.
  • hasGsmSupport - true if the phone supports GSM, otherwise false.
  • simReady - the SIM card state.
  • simCountry - the ISO country code (based on the SIM card provider).
  • networkOperator - the operator name. If an error occurs while obtaining the value, an error message is written in place of this field.
  • simOperator - the Service Provider Name (SPN). If an error occurs while obtaining the value, an error message is written in place of this field.
  • version - this field is stored in the config class; for the tested versions of the bot it was equal to "1.6".

5. Switches to waiting for commands from the server. Commands from the server arrive in the following format:

  • offset 0 - command
  • offset 1 - sessionId
  • offset 2 - length
  • offset 4 - data

When a command arrives, the application logs:
mainLog("Header {sessionId[<%id%>], type[<%command%>], length[<%length%>] }")

The following commands from the server are possible:

Command name  Code  Data           Description
connectionId  0     connection ID  Create a new connection
SLEEP         3     Time           Suspend the Proxy module
PING_PONG     4     -              Send a PONG message

The PONG message is 4 bytes long and looks like this: 0x04000000.
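The following Python is an added example (not code from the article or from Group-IB) of a decoder for the proxy command framing described above, of the kind one would run over bytes captured from the command port to see which commands a sample received. It handles a stream that ends mid-frame by returning the unconsumed tail. The article does not state the byte order of the 2-byte length field; little-endian is assumed here (the PONG example reads the same either way), and the capture at the bottom is constructed.

```python
import struct
from typing import List, Tuple

# Command codes from the table above.
COMMANDS = {0: "connectionId", 3: "SLEEP", 4: "PING_PONG"}
HEADER_LEN = 4  # command (1 byte) + sessionId (1 byte) + length (2 bytes); data starts at offset 4

# The 4-byte PONG message 0x04000000 quoted above: command 4, sessionId 0, length 0.
PONG = bytes.fromhex("04000000")


def parse_frames(stream: bytes) -> Tuple[List[Tuple[str, int, bytes]], bytes]:
    """Split a captured byte stream into (command, sessionId, data) frames.

    Returns the complete frames and any trailing bytes belonging to an incomplete
    frame, so a caller reading from a socket can prepend them to the next chunk.
    Assumption: the 2-byte length is little-endian.
    """
    frames = []
    offset = 0
    while len(stream) - offset >= HEADER_LEN:
        cmd, session_id, length = struct.unpack_from("<BBH", stream, offset)
        end = offset + HEADER_LEN + length
        if end > len(stream):
            break  # data for this frame not fully received yet
        name = COMMANDS.get(cmd, f"unknown({cmd})")
        frames.append((name, session_id, stream[offset + HEADER_LEN:end]))
        offset = end
    return frames, stream[offset:]


def is_pong(frame: bytes) -> bool:
    """True if `frame` is exactly the bot's PONG reply."""
    return frame == PONG


if __name__ == "__main__":
    # Constructed capture: a connectionId command carrying 4 bytes of data, a SLEEP
    # carrying a 2-byte time value, a PING_PONG, and the first two bytes of a
    # truncated frame.
    capture = (
        bytes([0x00, 0x07]) + struct.pack("<H", 4) + b"ABCD"
        + bytes([0x03, 0x00]) + struct.pack("<H", 2) + b"\x10\x00"
        + PONG
        + bytes([0x00, 0x09])
    )
    frames, rest = parse_frames(capture)
    for frame in frames:
        print(frame)
    print("leftover bytes:", rest)
```

The useful property for detection is that the framing is tiny and fixed: a connection from a phone to an unusual host whose first inbound frames decode cleanly as connectionId/SLEEP/PING_PONG, answered by a literal 04 00 00 00, is a strong indicator that this backconnect module is running.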

When the connectionId command is received (create a new connection), CommandConnection creates an instance of the ProxyConnection class.

  • Two classes take part in proxying: ProxyConnection and END. When the ProxyConnection class is created, it connects to the address ProxyConfigClass.host:ProxyConfigClass.proxyPort and passes a JSON object:

 {
    "id":<%connectionId%>
}

In response, the server sends a SOCKS5 message containing the address of the remote server to which a connection must be established. Interaction with that server takes place through the END class. The connection setup can be represented schematically as follows:

Network communication

To hinder traffic analysis by network users, communication between the CnC server and the application can be protected with the SSL protocol. All data transmitted to and from the server is presented in JSON format. The application performs the following requests:

  • http://<%CnC%>/api/v1/set_state.php - the result of executing a command.
  • http://<%CnC%>/api/v1/get.php - receiving a command.
  • http://<%CnC%>/api/v1/load_sms.php - uploading SMS messages from the infected device.
  • http://<%CnC%>/api/v1/load_ab.php - uploading the contact list from the infected device.
  • http://<%CnC%>/api/v1/aevents.php - a request made when updating the parameters in the preferences file.
  • http://<%CnC%>/api/v1/set_card.php - uploading data obtained through the phishing window styled as the Google Play Market.
  • http://<%CnC%>/api/v1/logs.php - uploading logs.
  • http://<%CnC%>/api/v1/records.php - uploading data obtained through a phishing window.
  • http://<%CnC%>/api/v1/set_error.php - reporting an error that has occurred.
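As an added example (not from the article or from Group-IB), the following Python turns the endpoint list above into a simple detection pass over HTTP proxy or gateway log lines: it parses each line, matches the request path against the Trojan's API paths, and reports clients that touched more than one distinct endpoint, which is a stronger signal than a single hit. The log line layout (timestamp, client, method, URL) and every host, address and line in SAMPLE_LOG are constructed for illustration; only the endpoint paths come from the article.

```python
import re
from typing import Dict, List

# Endpoint paths from the list above, with what each one carries.
GUSTUFF_ENDPOINTS = {
    "/api/v1/set_state.php": "command result",
    "/api/v1/get.php": "command poll",
    "/api/v1/load_sms.php": "SMS upload",
    "/api/v1/load_ab.php": "contact list upload",
    "/api/v1/aevents.php": "preferences update",
    "/api/v1/set_card.php": "card data from Google Play fake",
    "/api/v1/logs.php": "log upload",
    "/api/v1/records.php": "phishing window data",
    "/api/v1/set_error.php": "error report",
}

# Parser for a constructed "timestamp client METHOD url" log layout; adapt the
# pattern to the real log source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>/\S*)"
)


def classify_request(path: str):
    """Return what an endpoint carries if `path` is one of the Trojan's API paths, else None."""
    path_only = path.split("?", 1)[0]  # drop the query string (records.php takes id/app)
    return GUSTUFF_ENDPOINTS.get(path_only)


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose request path matches a Gustuff endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped, not treated as a hit
        kind = classify_request(m["path"])
        if kind is not None:
            hits.append({
                "client": m["client"],
                "host": m["host"],
                "path": m["path"].split("?", 1)[0],
                "kind": kind,
            })
    return hits


def suspicious_clients(hits: List[Dict[str, str]], min_endpoints: int = 2) -> List[str]:
    """Clients that contacted at least `min_endpoints` distinct Trojan endpoints."""
    seen: Dict[str, set] = {}
    for h in hits:
        seen.setdefault(h["client"], set()).add(h["path"])
    return sorted(c for c, paths in seen.items() if len(paths) >= min_endpoints)


# Constructed log lines; hosts and addresses are placeholders, not real infrastructure.
SAMPLE_LOG = [
    "2019-03-20T10:00:01Z 10.0.0.5 GET http://cnc.example/api/v1/get.php",
    "2019-03-20T10:00:02Z 10.0.0.5 POST http://cnc.example/api/v1/set_state.php",
    "2019-03-20T10:00:03Z 10.0.0.7 GET http://www.example.org/index.php",
    "2019-03-20T10:00:04Z 10.0.0.9 GET http://cnc.example/api/v1/records.php?id=1&app=bank",
    "this line does not parse",
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("clients hitting 2+ endpoints:", suspicious_clients(hits))
```

The paths are generic enough ("/api/v1/get.php") that a single match on its own is weak evidence; the per-client aggregation, and pairing matches with the JSON bodies described earlier in this article, is what makes the rule usable.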

Recommendations

To protect their customers from the threat of mobile Trojans, companies should use comprehensive solutions that allow them to detect and prevent malicious activity without installing additional software on users' devices.

For this, signature-based methods of detecting mobile Trojans must be reinforced with technologies that analyze the behavior of both the customer and the application itself. The protection should also include device identification using digital fingerprinting technology, which makes it possible to detect when an account is being used from an atypical device and has already fallen into the hands of a fraudster.

A key point is the availability of cross-channel analysis, which allows companies to control the risks arising not only in the web channel but also in the mobile channel, for example in mobile banking applications, in cryptocurrency transactions, and anywhere else a financial transaction can take place.

Security rules for users:

  • do not install applications on an Android OS mobile device from any source other than Google Play, and pay close attention to the permissions an application requests;
  • install Android OS updates regularly;
  • pay attention to the extensions of downloaded files;
  • do not visit suspicious resources;
  • do not click on links received in SMS messages.

Posted by Semyon Rogachev, senior malware research specialist at the Group-IB Computer Forensics Laboratory.

Source: www.habr.com
