Turned inside out: bringing AgentTesla into the open. Part 1

Recently a European electrical equipment manufacturer contacted Group-IB: an employee had received a suspicious email with a malicious attachment. Ilya Pomerantsev, malware analysis specialist at CERT Group-IB, analysed the file in detail, found the AgentTesla spyware inside it, and explained what to expect from malware of this kind and how dangerous it is.

With this post we open a series of articles on how to analyse potentially dangerous files, and we invite everyone interested to our free webinar on 5 December on the topic "Malware Analysis: Analysing Real Cases". Details under the cut.

Distribution method

We know that the malware reached the victim's machine through phishing emails. The recipient of the email was probably put in BCC.

Analysis of the headers shows that the sender of the email was spoofed. The email actually came from vps56[.]oneworldhosting[.]com.

The email attachment is a WinRar archive, qoute_jpeg56a.r15, containing the malicious executable QUUTE_JPEG56A.exe.


Malware ecosystem

Now let's look at what the ecosystem of the malware under study looks like. The diagram below shows its structure and the interaction paths between the components.

Let's now examine each component of the malware in detail.

Loader

The initial file, QUUTE_JPEG56A.exe, is a compiled AutoIt v3 script.

To obfuscate the original script, an obfuscator with characteristics similar to PELock AutoIT-Obfuscator was used.
Deobfuscation proceeds in three stages:

  1. Removing the For-If obfuscation

    The first stage is restoring the script's control flow. Control Flow Flattening is one of the most common ways of protecting binary code from analysis. The obfuscating transformations greatly complicate the extraction and recognition of algorithms and data structures.

  2. String recovery

    Two functions are used to encrypt strings:

    • gdorizabegkvfca - decodes strings from Base64

    • xgacyukcyzxz - a simple byte-by-byte XOR of the first string with the length of the second

  3. Removing the BinaryToString and Execute obfuscation

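The two string routines from stage 2 are small enough to re-implement in a script that rewrites the obfuscated literals in place. The following is an added example, not code from the article or from the sample; the function names come from the article, but the call shape (the XORed bytes carried as a Base64 literal inside a nested call) and the sample snippet are constructed assumptions.

```python
import base64
import re


def gdorizabegkvfca(s: str) -> bytes:
    """Stage-2 routine 1 as described above: Base64 decoding."""
    return base64.b64decode(s)


def xgacyukcyzxz(data: bytes, second: str) -> bytes:
    """Stage-2 routine 2: XOR every byte of the first argument with
    len(second). XOR is its own inverse, so this both encodes and decodes."""
    key = len(second) & 0xFF
    return bytes(b ^ key for b in data)


# Assumed (constructed) call shape: xgacyukcyzxz(gdorizabegkvfca("<b64>"), "<key string>")
CALL_RE = re.compile(
    r'xgacyukcyzxz\s*\(\s*gdorizabegkvfca\s*\(\s*"([A-Za-z0-9+/=]+)"\s*\)\s*,\s*"([^"]*)"\s*\)'
)


def decode_literal(b64: str, second: str) -> str:
    return xgacyukcyzxz(gdorizabegkvfca(b64), second).decode("latin-1")


def deobfuscate_script(script: str) -> str:
    """Replace every recognised call with a plain AutoIt string literal
    (a double quote inside an AutoIt literal is written as two quotes)."""
    def repl(m: re.Match) -> str:
        plain = decode_literal(m.group(1), m.group(2))
        return '"' + plain.replace('"', '""') + '"'
    return CALL_RE.sub(repl, script)


def encode_literal(plain: str, second: str) -> str:
    """Inverse of decode_literal; used here only to build constructed samples."""
    return base64.b64encode(xgacyukcyzxz(plain.encode("latin-1"), second)).decode()


# Constructed obfuscated snippet: "VmFjRXdpKmF8YQ==" XORed with len("abcd") == 4 is "RegAsm.exe".
SAMPLE_SCRIPT = (
    '$target = xgacyukcyzxz(gdorizabegkvfca("VmFjRXdpKmF8YQ=="), "abcd")\n'
    '$path = xgacyukcyzxz(gdorizabegkvfca("' + encode_literal(r"C:\Windows\Microsoft.NET", "x") + '"), "x")\n'
)

if __name__ == "__main__":
    print(deobfuscate_script(SAMPLE_SCRIPT))
```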

The main payload is stored in split form in the Fonts directory of the file's resource section.

The concatenation order is as follows: TIEQHCXWFG, EMI, SPDGUHIMPV, KQJMWQQAQTKTFXTUOSW, AOCHKRWWSKWO, JSHMSJPS, NHHWXJBMTTSPXVN, BFUTIFWWXVE, HWJHO, AVZOUMVFRDWFLWU.

The WinAPI function CryptDecrypt is used to decrypt the extracted data, and the key is a session key generated from the value fZgFiZlJDxvuWatFRgRXZqmNCIyQgMYc.

The decrypted executable is passed to the RunPE function, which performs ProcessInject into RegAsm.exe using the built-in ShellCode (also known as RunPE ShellCode). The authorship belongs to a user of the Spanish forum indetectables[.]net under the nickname Wardow.

It is also worth noting that in one of this forum's threads an obfuscator for AutoIt with characteristics similar to those identified during analysis of the sample was discussed.

The ShellCode itself is fairly simple and attracts attention only because it is borrowed from the Anunak/Carbanak hacker group. API call hashing is used.


We are also aware of cases where various versions of Frenchy Shellcode were used.
In addition to the functionality described, we also identified inactive functions:

  • Blocking manual termination of the process in Task Manager

  • Restarting the child process when it terminates

  • UAC bypass

  • Saving the payload to a file

  • Displaying modal windows

  • Waiting for the mouse cursor position to change

  • AntiVM and AntiSandbox

  • Self-deletion

  • Downloading the payload from the network

We know that such functionality is characteristic of the CypherIT protector, which is apparently the loader in question.


Main malware module

Next we briefly describe the main module of the malware; it will be examined in detail in the second article. In this case it is a .NET application.

During analysis we found that the ConfuserEX obfuscator had been used.


IELibrary.dll

The library is stored as a resource of the main module and is a well-known AgentTesla plugin that provides functionality for extracting various information from the Internet Explorer and Edge browsers.

Agent Tesla is modular spyware distributed under a malware-as-a-service model under the guise of a legitimate keylogger product. Agent Tesla is able to extract user credentials from browsers, email clients and FTP clients and send them to the attackers' server, record clipboard data, and capture screenshots of the device. At the time of analysis, the developers' official site was unavailable.

The entry point is the GetSavedPasswords function of the InternetExplorer class.

In general, code execution is linear and there is no protection against analysis. Only the unimplemented function GetSavedCookies deserves attention. Apparently the plugin's functionality was meant to be extended, but this never happened.


Attaching the loader to the system

Let's study how the loader attaches itself to the system. The sample under study does not persist, but in similar incidents this happens according to the following scheme:

  1. A Visual Basic script is created in the folder C:\Users\Public

    Script example:


  2. The contents of the loader file are padded with null bytes and saved to the folder %Temp%\<Custom folder name>\<File name>
  3. An autorun key for the script file is created in the registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Script name>

Thus, based on the results of the first part of the analysis, we were able to establish the family names of all components of the malware under study, analyse the infection pattern, and obtain objects for writing signatures. We will continue the analysis of this object in the next article, where we will look at the main AgentTesla module in detail. Don't miss it!

By the way, on 5 December we invite all readers to a free webinar on the topic "Malware analysis: analysing real cases", where the author of this article, a CERT-GIB specialist, will demonstrate online the first stage of malware analysis, semi-automatic unpacking of samples, using three real cases from practice, and you will be able to take part in the analysis. The webinar is suitable for specialists with experience in analysing malicious files. Registration is strictly from a corporate email: register. We look forward to seeing you!

Yara

rule AgentTesla_clean{
meta:
    author = "Group-IB"
    file = "78566E3FC49C291CB117C3D955FA34B9A9F3EEFEFAE3DE3D0212432EB18D2EAD"
    scoring = 5
    family = "AgentTesla"
strings:
    $string_format_AT = {74 00 79 00 70 00 65 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 68 00 77 00 69 00 64 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 74 00 69 00 6D 00 65 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 63 00 6E 00 61 00 6D 00 65 00 3D 00 7B 00 33 00 7D 00 0D 00 0A 00 6C 00 6F 00 67 00 64 00 61 00 74 00 61 00 3D 00 7B 00 34 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 3D 00 7B 00 35 00 7D 00 0D 00 0A 00 69 00 70 00 61 00 64 00 64 00 3D 00 7B 00 36 00 7D 00 0D 00 0A 00 77 00 65 00 62 00 63 00 61 00 6D 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 37 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 38 00 7D 00 0D 00 0A 00 5B 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 73 00 5D 00}
    $web_panel_format_string = {63 00 6C 00 69 00 65 00 6E 00 74 00 5B 00 5D 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 6C 00 69 00 6E 00 6B 00 5B 00 5D 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 75 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 5B 00 5D 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 5B 00 5D 00 3D 00 7B 00 33 00 7D 00 00 15 55 00 52 00 4C 00 3A 00 20 00 20 00 20 00 20 00 20 00 20 00 00 15 55 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 3A 00 20 00 00 15 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 3A 00}
condition:
     all of them
}

rule AgentTesla_obfuscated {
meta:
    author = "Group-IB"
    file = "41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9"
    scoring = 5
    family = "AgentTesla"
strings:
    $first_names = {61 66 6B 00 61 66 6D 00 61 66 6F 00 61 66 76 00 61 66 79 00 61 66 78 00 61 66 77 00 61 67 6A 00 61 67 6B 00 61 67 6C 00 61 67 70 00 61 67 72 00 61 67 73 00 61 67 75 00}
    $second_names = "IELibrary.resources"
condition:
     all of them
}

rule AgentTesla_module_for_IE{
meta:
    author = "Group-IB"
    file = "D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE"
    scoring = 5
    family = "AgentTesla_module_for_IE"
strings:
    $s0 = "ByteArrayToStructure" 
    $s1 = "CryptAcquireContext" 
    $s2 = "CryptCreateHash" 
    $s3 = "CryptDestroyHash" 
    $s4 = "CryptGetHashParam" 
    $s5 = "CryptHashData"
    $s6 = "CryptReleaseContext" 
    $s7 = "DecryptIePassword" 
    $s8 = "DoesURLMatchWithHash" 
    $s9 = "GetSavedCookies" 
    $s10 = "GetSavedPasswords" 
    $s11 = "GetURLHashString"  
condition:
     all of them
}

rule RunPE_shellcode {
meta:
    author = "Group-IB"
    file = "37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918"
    scoring = 5
    family = "RunPE_shellcode"
strings:
    $malcode = {
      C7 [2-5] EE 38 83 0C // mov     dword ptr [ebp-0A0h], 0C8338EEh
      C7 [2-5] 57 64 E1 01 // mov     dword ptr [ebp-9Ch], 1E16457h
      C7 [2-5] 18 E4 CA 08 // mov     dword ptr [ebp-98h], 8CAE418h
      C7 [2-5] E3 CA D8 03 // mov     dword ptr [ebp-94h], 3D8CAE3h
      C7 [2-5] 99 B0 48 06 // mov     dword ptr [ebp-90h], 648B099h
      C7 [2-5] 93 BA 94 03 // mov     dword ptr [ebp-8Ch], 394BA93h
      C7 [2-5] E4 C7 B9 04 // mov     dword ptr [ebp-88h], 4B9C7E4h
      C7 [2-5] E4 87 B8 04 // mov     dword ptr [ebp-84h], 4B887E4h
      C7 [2-5] A9 2D D7 01 // mov     dword ptr [ebp-80h], 1D72DA9h
      C7 [2-5] 05 D1 3D 0B // mov     dword ptr [ebp-7Ch], 0B3DD105h
      C7 [2-5] 44 27 23 0F // mov     dword ptr [ebp-78h], 0F232744h
      C7 [2-5] E8 6F 18 0D // mov     dword ptr [ebp-74h], 0D186FE8h
      }
condition:
    $malcode 
}

rule AgentTesla_AutoIT_module{
meta:
    author = "Group-IB"
    file = "49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF"
    scoring = 5
    family = "AgentTesla"
strings:                                    
    $packedexeau = {55 ED F5 9F 92 03 04 44 7E 16 6D 1F 8C D7 38 E6 29 E4 C8 CF DA 2C C4 E1 F3 65 48 25 B8 93 9D 66 A4 AD 3C 39 50 00 B9 60 66 19 8D FC 20 0A A0 56 52 8B 9F 15 D7 62 30 0D 5C C3 24 FE F8 FC 39 08 DF 87 2A B2 1C E9 F7 06 A8 53 B2 69 C3 3C D4 5E D4 74 91 6E 9D 9A A0 96 FD DB 1F 5E 09 D7 0F 25 FB 46 4E 74 15 BB AB DB 17 EE E7 64 33 D6 79 02 E4 85 79 14 6B 59 F9 43 3C 81 68 A8 B5 32 BC E6}
condition:
     all of them
}
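The RunPE_shellcode rule keys on the twelve API-hash constants that the shellcode stores on its stack (the API call hashing mentioned in the loader section). As an added example, not from the article or Group-IB, the script below extracts such `mov dword ptr [ebp+disp], imm32` constants from a buffer with a plain linear byte scan (a simplification, not a disassembler) and checks them against the constant list taken from that rule; the sample buffer is constructed.

```python
import struct

# Immediate values from the RunPE_shellcode Yara rule above (little-endian in the pattern).
RUNPE_HASHES = [
    0x0C8338EE, 0x01E16457, 0x08CAE418, 0x03D8CAE3, 0x0648B099, 0x0394BA93,
    0x04B9C7E4, 0x04B887E4, 0x01D72DA9, 0x0B3DD105, 0x0F232744, 0x0D186FE8,
]


def extract_ebp_stores(code: bytes):
    """Return [(disp, imm32)] for every C7 45 disp8 imm32 / C7 85 disp32 imm32
    (mov dword ptr [ebp+disp], imm32). Linear scan: data bytes can produce
    false hits, which is why the caller counts matches against a threshold."""
    out, i = [], 0
    while i + 2 <= len(code):
        if code[i] == 0xC7 and code[i + 1] == 0x45 and i + 7 <= len(code):
            disp = struct.unpack_from("<b", code, i + 2)[0]
            imm = struct.unpack_from("<I", code, i + 3)[0]
            out.append((disp, imm)); i += 7; continue
        if code[i] == 0xC7 and code[i + 1] == 0x85 and i + 10 <= len(code):
            disp = struct.unpack_from("<i", code, i + 2)[0]
            imm = struct.unpack_from("<I", code, i + 6)[0]
            out.append((disp, imm)); i += 10; continue
        i += 1
    return out


def match_runpe_hash_table(code: bytes, threshold: int = 8):
    """(matched, hits): True when at least `threshold` of the known constants appear."""
    found = {imm for _, imm in extract_ebp_stores(code)}
    hits = [h for h in RUNPE_HASHES if h in found]
    return len(hits) >= threshold, hits


def encode_store(disp: int, imm: int) -> bytes:
    """Assemble mov dword ptr [ebp+disp], imm32; used only to build the constructed sample."""
    if -128 <= disp <= 127:
        return b"\xC7\x45" + struct.pack("<b", disp) + struct.pack("<I", imm)
    return b"\xC7\x85" + struct.pack("<i", disp) + struct.pack("<I", imm)


# Constructed sample: push ebp / mov ebp,esp, the twelve stores at [ebp-0A0h]..[ebp-74h], nop, ret.
SAMPLE = (b"\x55\x8B\xEC"
          + b"".join(encode_store(-0xA0 + 4 * k, h) for k, h in enumerate(RUNPE_HASHES))
          + b"\x90\xC3")

if __name__ == "__main__":
    print(match_runpe_hash_table(SAMPLE))
```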

Hashes

Name      qoute_jpeg56a.r15
MD5       53BE8F9B978062D4411F71010F49209E
SHA1      A8C2765B3D655BA23886D663D22BDD8EF6E8E894
SHA256    2641DAFB452562A0A92631C2849B8B9CE880F0F8F890E643316E9276156EDC8A
Type      WinRAR archive
Size      823014

Name      QUUTE_JPEG56A.exe
MD5       329F6769CF21B660D5C3F5048CE30F17
SHA1      8010CC2AF398F9F951555F7D481CE13DF60BBECF
SHA256    49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF
Type      PE (compiled AutoIt script)
Size      1327616

Original name  Unknown
DateStamp      15.07.2019
Linker         Microsoft Linker(12.0)[EXE32]
MD5            C2743AEDDADACC012EF4A632598C00C0
SHA1           79B445DE923C92BF378B19D12A309C0E9C5851BF
SHA256         37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918
Type           ShellCode
Size           1474

Source: www.habr.com
