Analysis of the message headers shows that the sender address was spoofed. The email actually originated from vps56[.]oneworldhosting[.]com.
The attachment is a WinRAR archive, qoute_jpeg56a.r15, containing the malicious executable QUUTE_JPEG56A.exe.
Malware ecosystem
Let us now look at what the ecosystem of the malware under study looks like. The figure below shows its structure and the interactions between its components.
Next, we examine each component of the malware in detail.
Loader
The initial file, QUUTE_JPEG56A.exe, is a compiled AutoIt v3 script.
The original script was obfuscated with an obfuscator whose characteristics match PELock AutoIT-Obfuscator.
Deobfuscation proceeds in three stages:
Removing the For-If obfuscation
The first stage restores the script's control flow. Control Flow Flattening is one of the most widespread techniques for protecting code against analysis: the original sequence of basic blocks is replaced by a loop with a dispatcher keyed on a state variable, so the textual order of the code no longer reflects its execution order. Such transformations greatly complicate the extraction and identification of algorithms and data structures.
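The recovery step itself, as an added example that is not code from the article or from the analysed sample: a constructed AutoIt fragment in the For-If dispatcher shape (arms keyed on a state variable, each arm ending with the next state, arms deliberately listed out of order) and a small parser that walks the dispatcher from the initial state and emits the statements in their real execution order. The layout of the flattened loop, the state variable name and the statements are assumptions for the example; PELock's real output is larger and noisier, but the walk is the same.

```python
import re

# Constructed AutoIt fragment in the "For-If" flattened shape discussed above.
# The arms are deliberately listed out of execution order (83, 5, 40, 17).
# This layout is an assumption made for the example, not the real sample.
FLATTENED = """
$s = 40
For $n = 1 To 9999
    If $s = 83 Then
        Run($path)
        $s = 5
    ElseIf $s = 5 Then
        ExitLoop
    ElseIf $s = 40 Then
        $path = @TempDir & "\\x.exe"
        $s = 17
    ElseIf $s = 17 Then
        FileWrite($path, $payload)
        $s = 83
    EndIf
Next
"""

ARM_RE = re.compile(r"^\s*(?:If|ElseIf)\s+\$(\w+)\s*=\s*(\d+)\s+Then\s*$")
SET_RE = re.compile(r"^\s*\$(\w+)\s*=\s*(\d+)\s*$")
END_RE = re.compile(r"^\s*(?:EndIf|Next|WEnd)\s*$")


def parse_arms(src):
    """Return (initial_state, {state: (body_lines, next_state)})."""
    arms, state_var, initial, cur = {}, None, None, None
    for line in src.splitlines():
        m = ARM_RE.match(line)
        if m:
            state_var = state_var or m.group(1)
            cur = int(m.group(2))
            arms[cur] = ([], None)
            continue
        m = SET_RE.match(line)
        if m and (state_var is None or m.group(1) == state_var):
            if cur is None:                 # assignment before the loop
                state_var, initial = m.group(1), int(m.group(2))
            else:                           # assignment inside an arm
                arms[cur] = (arms[cur][0], int(m.group(2)))
            continue
        if END_RE.match(line):
            cur = None
            continue
        if cur is not None and line.strip():
            arms[cur][0].append(line.strip())
    return initial, arms


def deflatten(src):
    """Walk the dispatcher from the initial state and return the statements
    in their real execution order, dropping the state bookkeeping."""
    state, arms = parse_arms(src)
    out, seen = [], set()
    while state in arms and state not in seen:
        seen.add(state)                     # stop on a malformed cycle
        body, nxt = arms[state]
        if body == ["ExitLoop"]:
            break
        out.extend(body)
        state = nxt
    return out


if __name__ == "__main__":
    for stmt in deflatten(FLATTENED):
        print(stmt)
```

The same walk works on the real script once the arm and state-assignment patterns are adjusted to the obfuscator's actual shape; arms that are never reached from the initial state are dead decoys and can be dropped.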
Removing string obfuscation
The second stage removes the string obfuscation. The function xgacyukcyzxz is a simple byte-by-byte XOR of the first string with the length of the second. Since the key is just that length value, it can be recovered from a single known plaintext byte even without the second argument.
Removing the BinaryToString and Execute obfuscation
The main payload is stored in split form in the resource directory of the file.
The pieces are glued together in the following order: TIEQHCXWFG, EMI, SPDGUHIMPV, KQJMWQQAQTKTFXTUOSW, AOCHKRWWSKWO, JSHMSJPS, NHHWXJBMTTSPXVN, BFUTIFWWXVE, HWJHO, AVZOUMVFRDWFLWU.
The decrypted file is passed to the RunPE function, which performs process injection into RegAsm.exe using embedded shellcode (also known as RunPE ShellCode). Its authorship belongs to a user of the Spanish forum indetectables[.]net posting under the alias Wardow.
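The string deobfuscation (stage two), the BinaryToString decoding (stage three) and the resource gluing described above, as one added example that is not code from the article or from the sample: a re-implementation of the single-byte XOR with a brute-force fallback, a decoder for AutoIt "0x..." binary literals, and a reassembly routine that glues the ten resources in the stated order and sanity-checks the result for a PE header. The demo input is a constructed minimal MZ/PE stub, not bytes from the real payload; the assumption that the first argument of xgacyukcyzxz is raw bytes and that the glued blob decrypts to a plain PE is made for the example.

```python
import struct

# --- Stage 2: string deobfuscation --------------------------------------
def xgacyukcyzxz(first: bytes, second: str) -> bytes:
    """Re-implementation of the decoder described in the article: every byte
    of the first argument is XORed with the length of the second argument."""
    key = len(second) & 0xFF
    return bytes(b ^ key for b in first)


def brute_force_key(blob: bytes, must_contain: bytes = b"MZ") -> list:
    """Keys under which blob decodes to something containing must_contain,
    for the case where the second argument is not at hand."""
    return [k for k in range(256) if must_contain in bytes(b ^ k for b in blob)]


# --- Stage 3: BinaryToString / Execute wrappers --------------------------
def binary_to_string(literal: str) -> str:
    """Decode the AutoIt '0x...' hex literal passed to BinaryToString()."""
    lit = literal.strip().strip('"')
    if not lit.startswith("0x"):
        raise ValueError("not an AutoIt binary literal")
    return bytes.fromhex(lit[2:]).decode("latin-1")


# --- Payload reassembly from resources -----------------------------------
GLUE_ORDER = ["TIEQHCXWFG", "EMI", "SPDGUHIMPV", "KQJMWQQAQTKTFXTUOSW",
              "AOCHKRWWSKWO", "JSHMSJPS", "NHHWXJBMTTSPXVN", "BFUTIFWWXVE",
              "HWJHO", "AVZOUMVFRDWFLWU"]


def glue_resources(resources: dict, order=GLUE_ORDER) -> bytes:
    """Concatenate named resource blobs in the order the loader uses."""
    missing = [n for n in order if n not in resources]
    if missing:
        raise KeyError(f"resources not found: {missing}")
    return b"".join(resources[n] for n in order)


def looks_like_pe(blob: bytes) -> bool:
    """MZ magic, e_lfanew inside the file and a PE signature at that offset."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# --- Constructed demo input (not bytes from the real sample) -------------
def build_fake_pe() -> bytes:
    """Minimal MZ stub + PE signature so the check has something to pass."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> right after the stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def demo() -> bool:
    """Split, encrypt and scramble the fake payload, then recover it."""
    pe = build_fake_pe()
    decoy = "x" * 0x5A                      # second argument: only its length matters
    chunk = -(-len(pe) // len(GLUE_ORDER))  # ceil division into 10 chunks
    resources = {name: xgacyukcyzxz(pe[i * chunk:(i + 1) * chunk], decoy)
                 for i, name in enumerate(GLUE_ORDER)}
    scrambled = dict(sorted(resources.items()))   # file order != glue order
    recovered = xgacyukcyzxz(glue_resources(scrambled), decoy)
    return recovered == pe and looks_like_pe(recovered)


if __name__ == "__main__":
    print("payload recovered:", demo())
```

On a real sample the resources dictionary is filled from the PE resource directory (for example with pefile) and the decrypted blob is written out and hashed before any dynamic analysis; the looks_like_pe check is deliberately weak and only catches a wrong glue order or key, not a damaged or non-PE payload.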
It is also worth noting that in one of the threads on this forum an obfuscator for AutoIt was offered whose characteristics match those identified during analysis of the sample.
The shellcode itself is simple and attracts attention only because it is borrowed from the Anunak/Carbanak group. It resolves imports by API call hashing.
We are also aware of cases in which various versions of Frenchy Shellcode were used.
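Resolving hashed API calls, as an added example that is not from the article: the article does not state which hash function this shellcode uses, so the ROR13 routine below is an assumed stand-in (common in public shellcode) chosen only to show the workflow; once the real routine is lifted from the disassembly it replaces ror13_hash and the rest stays the same. The candidate list is an assumption too, built from the exports a RunPE-style injector typically needs.

```python
# ASSUMPTION: ROR13 over the export name, as in much public shellcode. The
# article does not name the hash this sample uses; swap in the real one.
def ror32(value: int, bits: int) -> int:
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


# Candidate names (assumed): what a RunPE-style loader needs plus common
# extras. On a real case build this from the export tables of the DLLs the
# shellcode walks (kernel32, ntdll, ...).
CANDIDATES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualAllocEx",
    "WriteProcessMemory", "ReadProcessMemory", "CreateProcessA",
    "CreateProcessW", "GetThreadContext", "SetThreadContext",
    "ResumeThread", "NtUnmapViewOfSection", "VirtualProtectEx",
    "ExitProcess", "WinExec",
]


def build_table(names=CANDIDATES, hash_fn=ror13_hash) -> dict:
    """Map hash -> API name. A collision inside the candidate list is a sign
    that the guessed hash function is not the one the shellcode uses."""
    table = {}
    for n in names:
        h = hash_fn(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision for {n!r} and {table[h]!r}")
        table[h] = n
    return table


def resolve(hashes, table=None) -> list:
    """Turn 32-bit immediates pulled from the shellcode into API names;
    unknown hashes are kept so they can be chased in a larger export list."""
    table = table or build_table()
    return [table.get(h, f"unknown_{h:08x}") for h in hashes]


if __name__ == "__main__":
    # constructed input: two immediates as they would be read from the disassembly
    print(resolve([0xEC0E4E8E, 0x7C0DFCAA]))
```

The list of resolved names is itself a signature-grade indicator: a block of immediates that resolves to the process-hollowing set (CreateProcess, NtUnmapViewOfSection, WriteProcessMemory, SetThreadContext, ResumeThread) identifies a RunPE stub even when the surrounding bytes differ.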
In addition to the functionality described above, we also identified the following capabilities:
Blocking manual termination of the process in Task Manager
Restarting the child process after it exits
UAC bypass
Saving the payload to a file
Displaying modal windows
Waiting for the mouse cursor position to change
AntiVM and AntiSandbox
Self-deletion
Downloading the payload from the network
We know that this set of functionality is characteristic of the CypherIT protector, which is apparently the loader in question.
Main module of the malware
Next, we briefly describe the malware's main module; it is examined in detail in the second article. In this case it is a .NET application.
The library is stored as a resource of the main module and is a well-known plugin for AgentTesla that provides the functionality for extracting various data from the Internet Explorer and Edge browsers.
Agent Tesla is modular spyware distributed under a malware-as-a-service model under the guise of a legitimate keylogger product. Agent Tesla can extract user credentials from browsers, email clients and FTP clients and send them to the attackers' server, record clipboard data, and capture screenshots of the device. At the time of analysis, the official site of the builder was unavailable.
The entry point is the GetSavedPasswords function of the InternetExplorer class.
Overall, the code executes linearly and has no protection against analysis. The only thing worth attention is the unimplemented function GetSavedCookies. Apparently the plugin's functionality was meant to be extended, but this was never done.
Persistence of the loader in the system
Let us examine how the loader establishes persistence in the system. The sample under study does not persist, but in similar cases this is done according to the following scheme:
A Visual Basic script is created in the folder C:\Users\Public
Script example:
The contents of the loader file are padded with null bytes and saved to the folder %Temp%\<Custom folder name>\<File name>
An autorun key for the script file is created in the registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Script name>
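Hunting for the two artifacts of this scheme on a host or in a triage export, as an added example that is not from the article: a parser for `reg query` style output of the HKCU Run key that flags values launching a script from C:\Users\Public, and a routine that strips the trailing null padding from a dropped copy so the original loader can be hashed and compared with the sample. The registry lines and file bytes are constructed for the example; the article does not say why the file is padded, and the usual motive (inflating it past scanner size limits) is an assumption stated here, not a claim from the analysis.

```python
import re

# Constructed `reg query HKCU\...\Run` output (not data from the real case).
RUN_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    updater     REG_SZ    wscript.exe "C:\Users\Public\updater.vbs"
    Loader      REG_SZ    C:\Users\Public\Loader.vbs
"""

ENTRY_RE = re.compile(r"^\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")
# Script files under the public profile, the location used by this persistence scheme.
PUBLIC_SCRIPT_RE = re.compile(r'C:\\Users\\Public\\[^"\s]+\.(?:vbs|vbe|js|wsf)', re.I)


def suspicious_run_entries(reg_output: str) -> list:
    """Return (value_name, command) for Run values that launch a script
    from C:\\Users\\Public, directly or via wscript/cscript."""
    hits = []
    for line in reg_output.splitlines():
        m = ENTRY_RE.match(line)
        if m and PUBLIC_SCRIPT_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def strip_null_padding(data: bytes, min_padding: int = 1024) -> tuple:
    """Remove the trailing null bytes appended to the dropped loader copy.
    Returns (payload, padding_length). Short null runs are left alone because
    a legitimate PE may end with a few bytes of section padding; hash the
    stripped bytes to match the dropped copy against the original sample."""
    stripped = data.rstrip(b"\x00")
    padding = len(data) - len(stripped)
    if padding < min_padding:
        return data, 0
    return stripped, padding


if __name__ == "__main__":
    for name, cmd in suspicious_run_entries(RUN_QUERY_OUTPUT):
        print(f"suspicious Run value {name!r}: {cmd}")
    # constructed dropped file: a 2-byte stub followed by 2 KiB of nulls
    payload, pad = strip_null_padding(b"MZ" + b"\x00" * 2048)
    print(f"stripped {pad} padding bytes, payload is {len(payload)} bytes")
```

On a live host the same checks run against `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the contents of %Temp%; the Run value name and the script name match in this scheme, which is a second pivot for the hunt.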
Thus, based on the results of the first stage of analysis, we were able to establish the family names of all components of the malware under study, analyse the infection pattern, and obtain indicators for writing signatures. We will continue our analysis of this object in the next article, where we will examine the main AgentTesla module in detail. Don't miss it!
By the way, on December 5 we invite all readers to a free webinar on the topic "Malware analysis: analysing real cases", in which the author of this article, a CERT-GIB specialist, will demonstrate online the first stage of malware analysis, semi-automatic unpacking of samples, on three real cases from practice, and you will be able to take part in the analysis. The webinar is intended for specialists with experience in analysing malicious files. Registration is only from a corporate email address: register. See you there!