In recent years mobile Trojans have been steadily displacing Trojans for personal computers, so the appearance of new malware for the good old "machines" and its active use by cybercriminals, while unpleasant, is still an event. Recently, CERT Group-IB's 24/7 information security incident response center detected an unusual phishing email hiding new PC malware that combines Keylogger and PasswordStealer functions. What drew the researchers' attention was how the spyware reached the user's machine: through a popular voice messenger. Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, explains how the malware works, why it is dangerous, and how its creator was found in distant Iraq.
So, first things first. Under the guise of an attachment, the email contained an image; clicking on it took the user to the site cdn.discordapp.com, from where the malicious file was downloaded.
Using Discord, a free voice and text messenger, is quite unusual. Usually other instant messengers or social networks are used for this purpose.
Closer analysis identified the malware family. It turned out to be a newcomer to the malware market: 404 Keylogger.
The first advertisement offering the keylogger for sale was posted on hackforums by a user under the nickname "404 Coder" on August 8.
The shop's domain was registered quite recently, on September 7, 2019.
As the developers state on the site 404projects[.]xyz, 404 is a tool to help companies monitor their customers' activity (with their permission), or for those who want to protect their binary from reverse engineering. Looking ahead, we can say that 404 definitely cannot cope with the latter task.
We decided to reverse one of the files and see what the "BEST SMART KEYLOGGER" really is.
Malware ecosystem
Loader 1 (AtillaCrypter)
The source file is protected with EaxObfuscator and performs a two-stage loading of AtProtect from the resource section. Analysis of other samples found on VirusTotal made it clear that this stage was not provided by the developer himself but was added by his client. It was later established that this loader is AtillaCrypter.
Loader 2 (AtProtect)
In fact, this loader is an integral part of the malware and, according to the developer's intent, is supposed to take on the anti-analysis functionality.
In practice, however, the protection mechanisms are extremely primitive, and our systems detect this malware without difficulty.
The main module is loaded using Franchy ShellCode of various versions. We do not rule out that other options could have been used as well, for example RunPE.
Configuration file
Persistence in the system
Persistence in the system is provided by the AtProtect loader if the corresponding flag is set.
- The file is copied to the path %AppData%\GFqaak\Zpzwm.exe.
- The file %AppData%\GFqaak\WinDriv.url is created, which launches Zpzwm.exe.
- In the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, an autorun value WinDriv.url is created.
Communication with C&C
AtProtect loader
If the corresponding flag is set, the malware can start a hidden process and follow the specified link to notify the server of a successful infection.
DataStealer
Regardless of the method used, network communication begins with obtaining the victim's external IP via the resource [http]://checkip[.]dyndns[.]org/.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
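An added detection example, not code from the article: it scans proxy log lines for the external-IP lookup described above, scoring the hard-coded User-Agent and the checkip.dyndns.org host separately. It is written in Go; the log format, the severity labels and the sample lines are assumptions.

```go
package main

import "strings"

// Constructed detection example, not code from the article. It assumes a simple
// proxy log: <time> <client-ip> <host> <path> "<user-agent>", one request per line.
const keyloggerUA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
const checkIPHost = "checkip.dyndns.org"
// Hit is one flagged request with a severity the analyst can triage on.
type Hit struct {
	Time, Client, Severity, Reason string
}

// Classify scores one request. The hard-coded User-Agent is the strong signal (no
// real browser sends MSIE 6.0 with .NET CLR 1.0 today); the IP lookup alone is weak.
func Classify(host, ua string) (severity, reason string) {
	uaMatch := ua == keyloggerUA
	hostMatch := strings.EqualFold(host, checkIPHost)
	switch {
	case uaMatch && hostMatch:
		return "high", "404 Keylogger user-agent querying checkip.dyndns.org"
	case uaMatch:
		return "medium", "404 Keylogger user-agent"
	case hostMatch:
		return "low", "external IP lookup via checkip.dyndns.org"
	}
	return "", ""
}

// ScanProxyLog parses each line and returns the flagged requests in order.
// Malformed lines are skipped rather than aborting the whole scan.
func ScanProxyLog(log string) []Hit {
	var hits []Hit
	for _, line := range strings.Split(log, "\n") {
		f := strings.SplitN(strings.TrimSpace(line), " ", 5)
		if len(f) < 5 {
			continue
		}
		if sev, why := Classify(f[2], strings.Trim(f[4], `"`)); sev != "" {
			hits = append(hits, Hit{f[0], f[1], sev, why})
		}
	}
	return hits
}

// SampleLog is a constructed log for a stand-alone run; only the first line
// carries the exact pattern the analysis describes.
const SampleLog = `2019-09-20T10:01:02Z 10.0.0.15 checkip.dyndns.org / "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
2019-09-20T10:01:05Z 10.0.0.21 www.example.com /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2019-09-20T10:02:10Z 10.0.0.33 checkip.dyndns.org / "curl/7.64.1"`
```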
The general structure of the message is the same. There is a header
|-- 404 Keylogger - {Type} --| where {Type} corresponds to the kind of information being transmitted.
Next comes information about the system:
_________ + VICTIM INFO + _______
IP: {External IP}
Owner Name: {Computer name}
OS Name: {OS name}
OS Version: {OS version}
OS PlatForm: {Platform}
RAM Size: {RAM size}
______________________________
And finally, the transmitted data itself.
SMTP
The subject of the email is as follows: 404K | {Message type} | Client Name: {Username}.
Interestingly, the developers' own SMTP server is used to deliver the emails to the 404 Keylogger customer.
This made it possible to identify some of the customers, as well as the email address of one of the developers.
FTP
With this method, the collected data is saved to a file and immediately read back from it.
The logic behind this is not entirely clear, but it creates an additional artifact for writing behavioral rules.
%HOMEDRIVE%%HOMEPATH%\Documents\A{Random number}.txt
Pastebin
At the time of analysis, this method is used only to transfer stolen passwords. Moreover, it is used not as an alternative to the first two but in parallel with them. The condition is a constant equal to "Vavaa"; presumably this is the customer's name.
Interaction takes place over HTTPS through the pastebin API. The value of api_paste_private is PASTE_UNLISTED, which prevents such pastes from being found by searching pastebin.
Encryption algorithms
Extracting a file from resources
The payload is stored in the resources of the AtProtect loader as Bitmap images. Extraction takes place in several stages:
- A byte array is extracted from the image. Each pixel is read as 3 bytes in BGR order. After extraction, the first 4 bytes of the array hold the length of the message, and the following bytes hold the message itself.
- The key is computed. To do this, MD5 is computed from the value "ZpzwmjMJyfTNiRalKVrcSkxCN", which is used as the password. The result is written twice.
- Decryption is performed using the AES algorithm in ECB mode.
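The three steps above as an added Go decryptor, not the malware's or the article's own code. It takes the pixel bytes already read from the bitmap in BGR order (BMP parsing is omitted); the little-endian length field, the 16-byte MD5 digest concatenated with itself as the AES-256 key, and PKCS#7 padding are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/md5"
	"encoding/binary"
	"errors"
)

// Constructed decryptor, not the malware's own code. The password is the one
// quoted in the analysis; little-endian length and PKCS#7 padding are assumptions.
const keyPassword = "ZpzwmjMJyfTNiRalKVrcSkxCN"

// DeriveKey: MD5 of the password, written twice, gives a 32-byte AES-256 key.
func DeriveKey(password string) []byte {
	sum := md5.Sum([]byte(password))
	return append(sum[:], sum[:]...)
}

// ExtractBlob takes the pixel bytes already read out of the bitmap in BGR order:
// the first 4 bytes hold the payload length, the bytes after them the payload.
func ExtractBlob(pixels []byte) ([]byte, error) {
	if len(pixels) < 4 {
		return nil, errors.New("pixel data too short")
	}
	n := int(binary.LittleEndian.Uint32(pixels[:4]))
	if n < 0 || n > len(pixels)-4 {
		return nil, errors.New("length field exceeds pixel data")
	}
	return pixels[4 : 4+n], nil
}

// DecryptECB runs AES-ECB block by block (Go's stdlib has no ECB mode) and
// strips PKCS#7 padding, the .NET default the sample is assumed to use.
func DecryptECB(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext not block-aligned")
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
	}
	pad := int(out[len(out)-1])
	if pad < 1 || pad > aes.BlockSize {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	return out[:len(out)-pad], nil
}
```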
Malicious activity
Downloader
Implemented in the AtProtect loader.
- A request is sent to [activelink-replace] to check that the server is ready to deliver the file. The server must return "PA".
- The payload is downloaded from the link [download-replace].
- With the help of FranchyShellcode, the payload is injected into the process [replace].
During the analysis of the domain 404projects[.]xyz, additional 404 Keylogger instances were identified on VirusTotal, as well as several types of loaders.
Conventionally, they fall into two types:
- Download is performed from the resource 404projects[.]xyz. The data is Base64 encoded and AES encrypted.
- These consist of several stages and are most likely used together with the AtProtect loader.
  - In the first stage, data is downloaded from pastebin and decoded using HexToByte.
  - In the second stage, the download source is 404projects[.]xyz. The decompression and decoding functions, however, are identical to those found in DataStealer. They were probably intended originally to implement loader functionality in the main module.
  - At this stage, the payload is already in the resource section of the module. Similar extraction functions were also found in the main module.
Among the analyzed files, loaders for njRat, SpyGate and other RATs were found.
Keylogger
Log sending period: 30 minutes.
All characters are supported. Special characters are escaped. The BackSpace and Delete keys are handled. Character case is taken into account.
ClipboardLogger
Log sending period: 30 minutes.
Polling period: 0.1 seconds.
Link escaping is implemented.
ScreenLogger
Log sending period: 60 minutes.
Screenshots are saved in %HOMEDRIVE%%HOMEPATH%\Documents\404k\404pic.png.
After sending, the 404k folder is deleted.
PasswordStealer
| Browsers | Mail clients | FTP clients |
|---|---|---|
| Chrome | Outlook | FileZilla |
| Firefox | Thunderbird | |
| SeaMonkey | Foxmail | |
| Dragon | | |
| PaleMoon | | |
| Cyberfox | | |
| Chrome | | |
| BraveBrowser | | |
| QQBrowser | | |
| IridiumBrowser | | |
| XvastBrowser | | |
| Chedot | | |
| 360 Browser | | |
| ComodoDragon | | |
| 360 Chrome | | |
| SuperBird | | |
| CentBrowser | | |
| GhostBrowser | | |
| IronBrowser | | |
| Chromium | | |
| Vivaldi | | |
| SlimjetBrowser | | |
| Orbitum | | |
| CocCoc | | |
| Chiwala | | |
| UCBrowser | | |
| EpicBrowser | | |
| BliskBrowser | | |
| Opera | | |
Countering dynamic analysis
- Checking whether the process is being analyzed
Done by searching for the processes taskmgr, ProcessHacker, procexp64, procexp, procmon. If at least one is found, the malware exits.
- Checking whether it is running in a virtual environment
Done by searching for the processes vmtoolsd, VGAuthService, vmacthlp, VBoxService, VBoxTray. If at least one is found, the malware exits.
- Sleep for 5 seconds
- Displaying various kinds of dialog boxes
Can be used to bypass some sandboxes.
- UAC bypass
Done by changing the EnableLUA registry key in the Group Policy settings.
- Applies the "Hidden" attribute to the current file.
- Ability to delete the current file.
Unused functionality
During the analysis of the loader and the main module, functions were found that implement additional functionality but are not used anywhere. This is probably because the malware is still under development and its functionality will be expanded soon.
AtProtect loader
A function was found that is responsible for downloading an arbitrary module and injecting it into the msiexec.exe process.
DataStealer
- Persistence in the system
- Decompression and decryption functions
It is likely that encryption of data during network communication will be implemented soon.
- Termination of antivirus processes
- Self-destruction
- Loading data from the specified resource
- Copying the file to the path %Temp%\tmpG[Current date and time in milliseconds].tmp
Interestingly, an identical function is present in the AgentTesla malware.
- Worm functionality
The malware obtains a list of removable media. A copy of the malware is created in the root of the media file system under the name Sys.exe. Autorun is implemented via the autorun.inf file.
Attacker profile
During the analysis of the command center, it was possible to establish the developer's email and nickname: Razer, aka Brwa, Brwa65, HiDDen Person, 404 Coder. Next, we found a curious video on YouTube demonstrating work with the builder.
This made it possible to find the original developer's channel.
It became clear that he has experience writing crypters. There are also links to pages on social networks, as well as the author's real name. He turned out to be a resident of Iraq.
This is what the 404 Keylogger developer supposedly looks like. Photo from his Facebook profile.
CERT Group-IB has announced a new threat, 404 Keylogger, from its 24/7 cyber threat monitoring and response center (SOC) in Bahrain.
Source: www.habr.com