
In December 2018, Group-IB specialists discovered a new family of sniffers, dubbed FakeSecurity. It was used by a criminal group that infected websites running the Magento CMS. Research showed that in a recent campaign the attackers also used password-stealing malware. The victims were the owners of online stores infected with the JavaScript sniffer. Group-IB's CERT notified the affected sites, and Group-IB Threat Intelligence analyst Victor Okorokov decided to share how we managed to track down the criminals.
Recall that in March 2019 Group-IB published the report "Crime without punishment: an analysis of JS sniffer families", which examined 15 different families of JS sniffers used to infect more than two thousand online stores.
One address
During the infection, the attackers placed a link to a malicious script on the website's page; this script loaded and, at the moment a visitor paid for goods, intercepted the visitor's payment data and sent it to the attackers' server. In the first stages of the attacks using FakeSecurity, the malicious scripts and the sniffer gates were hosted on the same domain, magento-security[.]org.

Later, other Magento websites were found to be infected with the same sniffer family, but this time the attackers used new domain names to host the malicious code:
- fiswedbesign[.]com
- alloaypparel[.]com
Both domain names were registered to the same email address, greenstreethunter@india[.]com. The same address was given when registering a third domain name, firstofbanks[.]com.
Please welcome
Analysis of the three new domains used by the FakeSecurity criminal group showed that some of them were involved in a malware distribution campaign that began in March 2019. The attackers distributed links to pages claiming that the user needed to install a missing plugin to display a document correctly. If the user launched the downloaded program, their computer was infected with password-stealing malware.

Eleven unique links were identified that led to fake pages prompting the user to install the malware.
A potential victim of the campaign received a spam email containing a link to the first-stage page. This page is a small HTML document with an iframe whose content is the second-stage page. The second page is a landing page that prompts the recipient to install an executable file. In this campaign the attackers used a landing page themed around installing a missing Adobe Reader plugin, so the first-stage page imitated a link to a PDF file opened in a browser-based online viewer. The second page contains a link to the malicious file distributed in the campaign, which is downloaded when the "Download plugin" button is clicked.
Analysis of the pages used in this campaign showed that the second-stage pages were most often hosted on the attackers' own domains, while the first-stage page and the malicious file were usually hosted on compromised sites.
An example malware distribution page
Via spam, the victim receives a link to an HTML file, for example hxxps://www.healthcare4all[.]co[.]uk/manuals/Statement00534521[.]html. The HTML file at that link contains an iframe element with a link to the page content; in this example the page content is located at hxxps://alloaypparel[.]com/view/public/Statement00534521/PDF/Statement001854[.]pdf. As this example shows, here the attackers used a domain they registered themselves, rather than a compromised site, to deliver the page content. The form displayed at this link has a "Download plugin" button. If the victim clicks it, an executable file is downloaded from the link specified on the page; in this example the executable is downloaded from hxxps://www.healthcare4all[.]co[.]uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe, that is, the malicious file is hosted on the compromised site.
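To make the two-stage structure concrete, here is an added triage helper (example code, not Group-IB's) that flags the tells described above in a saved lure page: an iframe pulling content from a different host, an anchor pointing at an executable, and "install the missing plugin" wording. The two HTML snippets inside are constructed to mirror the pages described; the host names are taken from the article.

```python
"""Triage a saved Mephistophilus-style lure page (added example, not Group-IB code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

EXEC_EXT = (".exe", ".scr", ".msi", ".js", ".vbs", ".hta")


class _LinkCollector(HTMLParser):
    """Collect iframe sources, anchor targets and visible text from an HTML page."""
    def __init__(self):
        super().__init__()
        self.iframes, self.links, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_data(self, data):
        self.text.append(data.strip().lower())


def triage_lure(html, page_host):
    """Return a dict of findings; an empty dict means nothing suspicious was seen."""
    p = _LinkCollector()
    p.feed(html)
    findings = {}
    # First-stage tell: a tiny shell whose iframe loads content from another domain.
    foreign = [u for u in p.iframes if urlparse(u).hostname and urlparse(u).hostname != page_host]
    if foreign:
        findings["foreign_iframe"] = foreign
    # Second-stage tell: the "plugin" button is a direct link to an executable.
    execs = [u for u in p.links if urlparse(u).path.lower().endswith(EXEC_EXT)]
    if execs:
        findings["executable_link"] = execs
    body = " ".join(p.text)
    if "plugin" in body and any(w in body for w in ("install", "download", "update")):
        findings["plugin_lure_text"] = True
    return findings


# Constructed samples mirroring the two pages described in the text.
FIRST_STAGE = ('<html><body><iframe src="https://alloaypparel.com/view/public/'
               'Statement00534521/PDF/Statement001854.pdf" width="100%" height="100%">'
               '</iframe></body></html>')
LANDING = ('<html><body><p>Adobe Reader plugin is missing. Install it to view the document.</p>'
           '<a href="https://www.healthcare4all.co.uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe">'
           'Download plugin</a></body></html>')
```

Run `triage_lure(FIRST_STAGE, "www.healthcare4all.co.uk")` and `triage_lure(LANDING, "alloaypparel.com")` to see each stage flagged on its own.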
"Mephistopheles" of our time
Analysis of the domain alloaypparel[.]com revealed that the Mephistophilus phishing kit was used to distribute the malware. The kit lets an operator create and deploy phishing pages for malware distribution: Mephistophilus uses several page templates that prompt the user to install a plugin that is supposedly missing and required for the page to work. In reality the user installs malware, the link to which the operator adds through the Mephistophilus admin panel.
The Mephistophilus phishing kit was put up for sale on underground forums in August 2016. It is a well-known phishing scheme that uses fake web pages offering to download malware under the guise of a plugin update (MS Word, MS Excel, PDF, YouTube) needed to view the contents of a document or page. Mephistophilus was developed and released by an underground user with the handle Kokain. For a successful infection using the kit, the attacker must lure the user into clicking a link to a page created with Mephistophilus. Regardless of the theme of the phishing page, a message is shown stating that a missing plugin must be installed to display the online document or YouTube video correctly. For this purpose, Mephistophilus includes several phishing pages imitating legitimate services:
- A Microsoft Office 365 online document viewer for Word or Excel
- An online PDF viewer
- A page imitating the YouTube service

Victims
As part of the campaign, the criminal group did not limit itself to domain names it had registered itself: to host the distributed malware samples, the attackers also used several online stores previously infected with the FakeSecurity sniffer.
Five unique links to five unique malware samples were found, four of which were hosted on compromised websites running the Magento CMS:
- hxxps://www.healthcare4all[.]co[.]uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe
- hxxps://www.genstattu[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
- hxxps://firstofbanks[.]com/file_d/Adobe-Reader-PDF-Plugin-2.35.8.exe
- hxxp://e-cig[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
- hxxp://thepinetree[.]net/docs/msw070619.exe
The malware samples distributed in this campaign are samples of the Vidar stealer, designed to steal passwords from browsers and other applications. It can also collect files matching specified parameters and transfer them to the admin panel, which makes it easy, for example, to steal files from cryptocurrency wallets. Vidar operates as malware-as-a-service: all collected data is transferred to a gate and then forwarded to a central admin panel, where each buyer of the stealer can view the logs received from infected computers.
A capable stealer
The Vidar stealer appeared in November 2018. It was developed and released for sale on underground forums by a user with the handle Loadbaks. According to the developer's description, Vidar can steal passwords from browsers, files by specified paths and masks, bank card data, cold wallet files, Telegram and Skype correspondence, and browsing history. The stealer is rented for $250 to $300 per month. The stealer's admin panel and the domains used as gates are hosted on the Vidar authors' servers, which reduces buyers' costs.

In the case of the malicious file msw070619.exe, in addition to distribution via a Mephistophilus landing page, a malicious DOC file was also found, BankStatement0040918404.doc (MD5: 1b8a824074b414419ac10f5ded847ef1), which dropped the executable to disk using macros. The DOC file BankStatement0040918404.doc was attached to the malicious emails sent as part of the campaign.

Attack breakdown
The discovered email (MD5: 53554192ca888cccbb5747e71825facd) was sent to the contact address of a site running the Magento CMS, which suggests that one of the campaign's targets was online store administrators, and that the purpose of the infection was to gain access to the admin panel of Magento and other e-commerce platforms in order to install a sniffer and steal customer data from the infected stores.

Thus, the overall infection scheme consisted of the following steps:
- The attackers deployed the Mephistophilus phishing kit admin panel on the host alloaypparel[.]com.
- The attackers placed the password-stealing malware on compromised legitimate sites and on their own domain.
- Using the phishing kit, the attackers deployed several pages for distributing the malware, and also created malicious documents with macros that downloaded the malware to the user's computer.
- The attackers ran a spam campaign sending emails with malicious attachments and with links to the landing pages for installing the malware. Some of the targets were online store administrators.
- Once an online store administrator's computer was successfully compromised, the stolen credentials were used to access the store's admin panel and inject the JS sniffer, stealing the bank card data of people paying on the infected site.
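For a store operator, the chain above also means the store's own webroot can be abused as the hosting point for the first-stage page and the executable (the "Victims" section lists four such stores). Here is an added example (not Group-IB's code) that scans access-log lines for exactly that: statement-named HTML lures and .exe downloads served by the store, with the referer revealing the attacker's landing domain. The log lines are constructed; the paths, file size and the referer host are taken from the article.

```python
"""Scan a store's access log for signs it hosts lure pages and malware (added example)."""
import re
from urllib.parse import urlparse

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Lure pages were named like bank/police "statements" and parked in doc/manual folders.
LURE_RE = re.compile(r'/(?:bank_?|police)?statement\d*\.html$|/statment\d+\.html$|/estmt\.html$', re.I)
EXE_RE = re.compile(r'\.(?:exe|scr|msi)$', re.I)


def scan_access_log(lines, own_host):
    """Return a list of hits, each a dict with ip, path, reason and referer_host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":      # only successful deliveries matter
            continue
        path = m["path"].split("?", 1)[0]
        ref_host = urlparse(m["referer"]).hostname if m["referer"] != "-" else None
        if EXE_RE.search(path):
            reason = "executable served from store webroot"
            if ref_host and ref_host != own_host:   # button on the attacker's landing page
                reason += " (referred from foreign host)"
        elif LURE_RE.search(path):
            reason = "statement-style lure page"
        else:
            continue
        hits.append({"ip": m["ip"], "path": path, "reason": reason, "referer_host": ref_host})
    return hits


# Constructed log lines for a store at www.healthcare4all.co.uk (client IPs are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jun/2019:10:14:02 +0000] "GET /manuals/Statement00534521.html HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jun/2019:10:14:20 +0000] "GET /manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe HTTP/1.1" 200 615984 "https://alloaypparel.com/view/public/Statement00534521/PDF/Statement001854.pdf" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jun/2019:10:15:01 +0000] "GET /checkout/cart/ HTTP/1.1" 200 9120 "https://www.healthcare4all.co.uk/" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jun/2019:10:16:40 +0000] "GET /manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe HTTP/1.1" 404 198 "-" "curl/7.64.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG, "www.healthcare4all.co.uk"):
        print(hit)
```

A hit on an executable under a path the store never deploys is the cue to compare the webroot against the deployed release and to treat the admin credentials as compromised.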
Links to other attacks
The attackers' infrastructure was hosted on a server with the IP address 200.63.40.2, belonging to the hosting provider Panamaservers[.]com. Before the FakeSecurity campaign, this server was used for phishing and for hosting the admin panels of various password-stealing malware.
Based on the FakeSecurity campaign data, it can be assumed that the Lokibot and AZORULT stealer admin panels hosted on this server were used in earlier attacks by the same group in January 2019. According to [source omitted], on January 14, 2019 unknown criminals distributed the Lokibot malware via mass emails with a malicious DOC file attached. On January 18, 2019, malicious documents installing the AZORULT malware were also distributed. Analysis of this campaign revealed the following panels hosted on the server with the IP address 200.63.40.2:
- http[:]//chuxagama[.]com/web-obtain/Panel/five/PvqDq929BSx_A_D_M1n_a.php (Lokibot)
- http[:]//umbra-diego[.]com/wp/Panel/five/PvqDq929BSx_A_D_M1n_a.php (Lokibot)
- http[:]//chuxagama[.]com/web-obtain/Panel/five/index.php (AZORULT)
The domain names chuxagama[.]com and umbra-diego[.]com were registered by the same person with the email address dicksonfletcher@gmail.com. The same address was also used in May 2016 to register the domain name worldcourrierservices[.]com, which served as the website of the fake company World Courier Service.
Given that, as part of the FakeSecurity campaign, the attackers used password-stealing malware distributed via spam emails and also used the server with the IP address 200.63.40.2, it can be assumed that the January 2019 campaign was carried out by the same criminal group.
Indicators
- fiswedbesign[.]com
- alloaypparel[.]com
- firstofbanks[.]com
- magento-security[.]org
- mage-security[.]org
Source: www.habr.com
