Timapitiliza zolemba zathu zowunikira pulogalamu yaumbanda. MU Mwa zina, tidafotokozera momwe Ilya Pomerantsev, katswiri wofufuza zaumbanda ku CERT Gulu-IB, adasanthula mwatsatanetsatane fayilo yomwe idalandilidwa ndi imelo kuchokera kumakampani aku Europe ndikutulukira mapulogalamu aukazitape kumeneko. AgentTesla. M'nkhaniyi, Ilya amapereka zotsatira za kusanthula kwapang'onopang'ono kwa gawo lalikulu AgentTesla.
Agent Tesla ndi pulogalamu yaukazitape yanthawi zonse yomwe imagawidwa pogwiritsa ntchito pulogalamu yaumbanda-monga-ntchito motengera chinthu chovomerezeka cha keylogger. Agent Tesla amatha kuchotsa ndi kutumiza zidziwitso za ogwiritsa ntchito kuchokera kwa asakatuli, makasitomala a imelo ndi makasitomala a FTP kupita ku seva kwa omwe akuukira, kujambula deta yojambula, ndi kujambula chithunzi cha chipangizo. Pa nthawi yowunikira, tsamba lovomerezeka la omanga silinapezeke.
Fayilo yosintha
Tebulo ili m'munsiyi likuwonetsa momwe mungagwiritsire ntchito chitsanzo chomwe mukugwiritsa ntchito:
| mafotokozedwe | mtengo |
| Chizindikiro chogwiritsa ntchito KeyLogger | koona |
| Mbendera yogwiritsira ntchito ScreenLogger | zabodza |
| Logi ya KeyLogger imatumiza nthawi mumphindi | 20 |
| ScreenLogger chipika kutumiza mphindi mu mphindi | 20 |
| Mbendera ya makiyi a Backspace. Zabodza - kudula mitengo kokha. Zowona - zimafufuta kiyi yapitayi | zabodza |
| Mtundu wa CNC. Zosankha: smtp, webpanel, ftp | smtp |
| Mbendera yotsegulira ulusi kuti muthetse njira pamndandanda "% filter_list%" | zabodza |
| UAC kuletsa mbendera | zabodza |
| Task Manager tsegulani mbendera | zabodza |
| CMD kuletsa mbendera | zabodza |
| Tsegulani zenera loletsa mbendera | zabodza |
| Registry Viewer Letsani mbendera | zabodza |
| Zimitsani mbendera zobwezeretsanso dongosolo | koona |
| Control panel zimitsa mbendera | zabodza |
| MSCONFIG zimitsani mbendera | zabodza |
| Lembani kuti mulepheretse mndandanda wazomwe zili mu Explorer | zabodza |
| Pina mbendera | zabodza |
| Njira yokopera gawo lalikulu mukayiyika padongosolo | %kuyamba chikwatu% %insfolder%%inname% |
| Lembani kuti muyike mawonekedwe a "System" ndi "Obisika" a gawo lalikulu lomwe laperekedwa kudongosolo | zabodza |
| Lembani chizindikiro kuti muyambitsenso mukakanizidwa kudongosolo | zabodza |
| Lembani chizindikiro chosunthira gawo lalikulu kupita ku foda yosakhalitsa | zabodza |
| UAC bypass mbendera | zabodza |
| Tsiku ndi nthawi yodula mitengo | yyy-MM-dd HH:mm:ss |
| Lembani kugwiritsa ntchito fyuluta ya pulogalamu ya KeyLogger | koona |
| Mtundu wa kusefa pulogalamu. 1 - dzina la pulogalamuyo limafufuzidwa pamitu yazenera 2 - dzina pulogalamu amayang'ana pa zenera ndondomeko dzina |
1 |
| Pulogalamu fyuluta | "facebook" "twitter" "gmail" "instagram" "filimu" "skype" "zolaula" "chokha" "whatsapp" "kusagwirizana" |
Kulumikiza gawo lalikulu ku dongosolo
Ngati mbendera yofananira yakhazikitsidwa, gawo lalikulu limakopera njira yomwe yafotokozedwa mu config monga njira yoperekedwa ku dongosolo.
Kutengera mtengo kuchokera ku config, fayilo imapatsidwa zizindikiro "Zobisika" ndi "System".
Autorun imaperekedwa ndi nthambi ziwiri zolembetsa:
- HKCU SoftwareMicrosoftWindowsCurrentVersionRun% inregname%
- HKCUSOFTWAREMicrosoftWindowsCurrentVersionExplorerStartupApprovedRun %inregname%
Popeza bootloader imalowetsamo RegAsm, kuyika mbendera yolimbikira ya gawo lalikulu kumabweretsa zotsatira zosangalatsa. M'malo modzitengera yokha, pulogalamu yaumbandayo idayika fayilo yoyambirira kudongosolo RegAsm.exe, pamene jekeseni anachitidwa.
Zogwirizana ndi C&C
Mosasamala kanthu za njira yomwe imagwiritsidwa ntchito, kulumikizana kwa intaneti kumayamba ndi kupeza IP yakunja ya wozunzidwayo pogwiritsa ntchito gwero [.]amazonaws[.]com/.
Zotsatirazi zikufotokozera njira zolumikizirana ndi maukonde zomwe zimaperekedwa mu pulogalamuyo.
tsamba lawebusayiti
Kulumikizana kumachitika kudzera pa protocol ya HTTP. Pulogalamu yaumbanda imapereka pempho la POST ndi mitu iyi:
- Wothandizira: Mozilla/5.0 (Windows U Windows NT 6.1 ru rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
- Kugwirizana: Khalani-Amoyo
- Mtundu-Zamkati: application/x-www-form-urlencoded
Adilesi ya seva imatchulidwa ndi mtengo %PostURL%. Uthenga wobisika umatumizidwa mu parameter Β«PΒ». The encryption limagwirira akufotokozedwa mu gawo "Zolemba Zachinsinsi" (Njira 2).
Uthenga woperekedwa umawoneka motere:
type={0}nhwid={1}ntime={2}npcname={3}nlogdata={4}nscreen={5}nipadd={6}nwebcam_link={7}nclient={8}nlink={9}nusername={10}npassword={11}nscreen_link={12}
chizindikiro mtundu ikuwonetsa mtundu wa meseji:
hwid - hashi ya MD5 imalembedwa pamikhalidwe ya nambala ya serial ya boardboard ndi ID ya purosesa. Nthawi zambiri amagwiritsidwa ntchito ngati ID ya Wogwiritsa.
nthawi - imathandizira kutumiza nthawi ndi tsiku.
pcname - kufotokozedwa ngati /.
logdata - Log data.
Mukatumiza mawu achinsinsi, uthengawo umawoneka ngati:
type={0}nhwid={1}ntime={2}npcname={3}nlogdata={4}nscreen={5}nipadd={6}nwebcam_link={7}nscreen_link={8}n[passwords]
Zotsatirazi ndizofotokozera za deta yomwe yabedwa mumpangidwe nclient[]={0}nlink[]={1}nosername[]={2}npassword[]={3}.
smtp
Kulumikizana kumachitika kudzera pa protocol ya SMTP. Chilembo chotumizidwa chili mumtundu wa HTML. Parameter THUPI ali ndi mawonekedwe:
Mutu wa kalatayo uli ndi mawonekedwe onse: / . Zomwe zili m'kalatayo, komanso zomata zake, sizinasinthidwe.
Kulumikizana kumachitika kudzera mu protocol ya FTP. Fayilo yokhala ndi dzina imasamutsidwa ku seva yodziwika _-_.html. Zomwe zili mufayilo sizinasinthidwe.
Ma aligorivimu achinsinsi
Mlanduwu umagwiritsa ntchito njira zotsatirazi zachinsinsi:
Njira ya 1
Njirayi imagwiritsidwa ntchito kubisa zingwe mu gawo lalikulu. Algorithm yomwe imagwiritsidwa ntchito kubisa ndi AES.
Cholowacho ndi nambala ya decimal ya manambala asanu ndi limodzi. Kusintha uku kukuchitika pa izo:
f(x) = (((x >> 2 - 31059) ^ 6380) - 1363) >> 3
Chotsatira chake ndicholondolera chamagulu ophatikizidwa a data.
Gulu lirilonse liri ndi ndondomeko DWORD. Pamene kugwirizanitsa DWORD ma byte angapo amapezedwa: ma byte 32 oyamba ndi kiyi yobisa, ndikutsatiridwa ndi ma byte 16 a vector yoyambira, ndipo ma byte otsalawo ndi data yobisika.
Njira ya 2
Algorithm yogwiritsidwa ntchito 3DES mu njira ECB ndi padding mu mabayiti onse (Chithunzi cha PKCS7).
Kiyi imatchulidwa ndi parameter %urlkey%, komabe, kubisa kumagwiritsa ntchito hashi yake ya MD5.
Zochita zoyipa
Chitsanzo chomwe chikugwiritsidwa ntchito chimagwiritsa ntchito mapulogalamu otsatirawa kuti akwaniritse ntchito zake zoipa:
key logger
Ngati pali mbendera yofananira ya pulogalamu yaumbanda pogwiritsa ntchito ntchito ya WinAPI Ikani WindowsHookEx imagawira chogwirizira chake pazomwe zikuchitika pa kiyibodi. Ntchito yothandizira imayamba ndikupeza mutu wazenera logwira ntchito.
Ngati mbendera yosefera yakhazikitsidwa, kusefa kumachitika kutengera mtundu womwe watchulidwa:
- dzina pulogalamu amayang'ana pa zenera maudindo
- dzina pulogalamu anayang'ana pa zenera ndondomeko dzina
Kenako, mbiri imawonjezedwa ku chipika chokhala ndi chidziwitso cha zenera lomwe likugwira ntchito mumtundu:
Kenako zidziwitso za kiyi yomwe wasindikiza zimalembedwa:
| Mfungulo | Jambulani |
| Backspace | Kutengera mbendera ya Backspace key processing: Zabodza - {BACK} Zowona - zimafufuta kiyi yapitayi |
| ZILEMBO ZAZIKULU | {ZILEMBO ZAZIKULU} |
| ESC | {ESC} |
| Tsamba | {PageUp} |
| Down | ↓ |
| DZIWANI | {DEL} |
| " | " |
| F5 | {F5} |
| & | & |
| F10 | {F10} |
| TAB | {TAB} |
| < | < |
| > | > |
| Malo | |
| F8 | {F8} |
| F12 | {F12} |
| F9 | {F9} |
| ALT + TAB | {ALT+TAB} |
| TSIRIZA | {TSIRIZA} |
| F4 | {F4} |
| F2 | {F2} |
| Ctrl | {CTRL} |
| F6 | {F6} |
| Chabwino | → |
| Up | ↑ |
| F1 | {F1} |
| kumanzere | ← |
| PageDown | {PageDown} |
| Ikani | {Ikani} |
| Win | {Kupambana} |
| Numlock | {NumLock} |
| F11 | {F11} |
| F3 | {F3} |
| HOME | {KUNYUMBA} |
| ENTER | {LOWANI} |
| ALT + F4 | {ALT+F4} |
| F7 | {F7} |
| Kiyi ina | Khalidweli liri muzinthu zapamwamba kapena zochepa kutengera malo a CapsLock ndi Shift makiyi |
Pafupipafupi, chipika chosonkhanitsidwa chimatumizidwa ku seva. Ngati kusamutsa sikunayende bwino, chipikacho chimasungidwa ku fayilo %TEMP%log.tmp mumtundu:
Pamene timer ikuwotcha, fayilo idzasamutsidwa ku seva.
ScreenLogger
Pafupipafupi, pulogalamu yaumbanda imapanga chithunzi chojambula Jpeg ndi tanthauzo Quality zofanana ndi 50 ndikuzisunga ku fayilo %APPDATA %.jpg. Pambuyo kusamutsa, wapamwamba zichotsedwa.
ClipboardLogger
Ngati mbendera yoyenerera yakhazikitsidwa, m'malo mwake amapangidwa m'mawu olandilidwa malinga ndi tebulo ili m'munsimu.
Pambuyo pake, mawuwo amalowetsedwa mu chipika:
PasswordStealer
Pulogalamu yaumbanda imatha kutsitsa mawu achinsinsi pamapulogalamu otsatirawa:
| Osakatula | Makasitomala amakalata | Makasitomala a FTP |
| Chrome | Chiyembekezo | FileZilla |
| Firefox | Thunderbird | WS_FTP |
| IE/Edge | Foxmail | WinSCP |
| Safari | Makalata a Opera | Mtengo wa CoreFTP |
| Opera Msakatuli | IncrediMail | FTP Navigator |
| Yandex | Pocommail | FlashFXP |
| Comodo | Eudora | SmartFTP |
| ChromePlus | TheBat | FTPCommander |
| Chromium | Bokosi la positi | |
| Chiwala | ClawsMail | |
| 7Star | ||
| Mzanga | ||
| BraveSoftware | Makasitomala a Jabber | Makasitomala a VPN |
| CentBrowser | Psi/Psi+ | Tsegulani VPN |
| Chedot | ||
| CocCoc | ||
| Elements Browser | Tsitsani Oyang'anira | |
| Msakatuli Wachinsinsi wa Epic | Wothandizira Pa Intaneti | |
| Komata | JDownloader | |
| orbitum | ||
| Sputnik | ||
| uCozMedia | ||
| Vivaldi | ||
| SeaMonkey | ||
| Flock Browser | ||
| UC Msakatuli | ||
| BlackHawk | ||
| CyberFox | ||
| K-meleon | ||
| ayezi mphaka | ||
| chinjoka | ||
| PaleMoon | ||
| WaterFox | ||
| Msakatuli wa Falkon |
Kutsutsana ndi kusanthula kwamphamvu
- Kugwiritsa ntchito tulo. Imakulolani kuti mulambalale mabokosi a mchenga pomaliza nthawi
- Kuwononga ulusi Malo. Imakulolani kuti mubise mfundo yotsitsa fayilo pa intaneti
- Mu parameter %sefa_list% imatchula mndandanda wazinthu zomwe pulogalamu yaumbanda idzathetsedwa pakadutsa mphindi imodzi
- Kukhazikika UAC
- Kuyimitsa woyang'anira ntchito
- Kukhazikika CMD
- Kuletsa zenera "Thamanga"
- Kuletsa Control Panel
- Kuyimitsa chida Lemberani
- Kuyimitsa malo obwezeretsa dongosolo
- Letsani menyu yankhani mu Explorer
- Kukhazikika MSCONFIG
- Kulambalala UAC:
Zosagwira ntchito za gawo lalikulu
Pakuwunika kwa gawo lalikulu, ntchito zinadziwika zomwe zinali ndi udindo wofalitsa pa intaneti ndikutsata malo a mbewa.
Zowawa
Zochitika zolumikizira zochotsa zochotseka zimawunikidwa mu ulusi wosiyana. Mukalumikizidwa, pulogalamu yaumbanda yomwe ili ndi dzina imakopera ku mizu yamafayilo scr.exe, pambuyo pake imasaka mafayilo omwe ali ndi zowonjezera lnk. Gulu la aliyense lnk kusintha ku cmd.exe /c yambani scr.exe & yambani & kutuluka.
Chikwatu chilichonse pamizu ya media chimapatsidwa mawonekedwe "Zobisika" ndipo fayilo imapangidwa ndikuwonjezera lnk ndi dzina la bukhu lobisika ndi lamulo cmd.exe /c yambani scr.exe&explorer /root,"%CD%" & tulukani.
MouseTracker
Njira yothetsera vutoli ndi yofanana ndi yomwe imagwiritsidwa ntchito pa kiyibodi. Izi zikugwirabe ntchito.
Zochita pafayilo
| njira | mafotokozedwe |
| %Temp% temp.tmp | Muli ndi kauntala ya zoyeserera za UAC bypass |
| %yamba chikwatu%%infolder%%inname% | Njira yoperekedwa ku dongosolo la HPE |
| %Temp%tmpG{Nthawi yapano mu mamilliseconds}.tmp | Njira yosungiramo ma module akulu |
| %Temp%log.tmp | Log file |
| %AppData%{Nkhani zingapo za zilembo 10}.jpeg | Zithunzi |
| C:UsersPublic{Kutsatizana kwa zilembo 10}.vbs | Njira yopita ku fayilo ya vbs yomwe bootloader angagwiritse ntchito kuti agwirizane ndi dongosolo |
| %Temp%{Dzina lafoda mwamakonda {Fayilo dzina} | Njira yogwiritsidwa ntchito ndi bootloader kuti igwirizane ndi dongosolo |
Mbiri ya oukira
Chifukwa cha data yotsimikizika yolimba, tinatha kupeza mwayi wopita kumalo olamulira.
Izi zidatipangitsa kuzindikira imelo yomaliza ya omwe adawukirawo:
junaid[.]mu***@gmail[.]com.
Dzina lachidziwitso la malo olamulira limalembedwa ku makalata sg***@gmail[.]com.
Pomaliza
Pakuwunika mwatsatanetsatane za pulogalamu yaumbanda yomwe idagwiritsidwa ntchito pakuwukira, tidatha kukhazikitsa magwiridwe ake ndikupeza mndandanda wathunthu wazizindikiro zomwe zikugwirizana ndi nkhaniyi. Kumvetsetsa momwe ma network amagwirira ntchito pakati pa pulogalamu yaumbanda kunapangitsa kuti zitheke kupereka malingaliro pakusintha magwiridwe antchito a zida zotetezera zidziwitso, komanso kulemba malamulo okhazikika a IDS.
Choopsa chachikulu AgentTesla monga DataStealer chifukwa sichiyenera kudzipereka ku dongosolo kapena kuyembekezera lamulo lolamulira kuti ligwire ntchito zake. Ikangofika pamakina, nthawi yomweyo imayamba kutolera zinsinsi ndikuzitumiza ku CnC. Khalidwe laukalili m'njira zina limafanana ndi machitidwe a ransomware, kusiyana kokhako ndikuti omalizawo safuna ngakhale kulumikizana ndi netiweki. Mukakumana ndi banja ili, mutatsuka dongosolo lomwe lili ndi kachilomboka kuchokera pa pulogalamu yaumbanda, muyenera kusintha mawu achinsinsi omwe atha kupulumutsidwa m'modzi mwamapulogalamu omwe atchulidwa pamwambapa.
Kuyang'ana m'tsogolo, tinene kuti owukira akutumiza AgentTesla, chojambulira choyambirira cha boot chimasinthidwa pafupipafupi. Izi zimakuthandizani kuti mukhale osazindikirika ndi ma static scanner ndi heuristic analyzers panthawi yakuukira. Ndipo chizoloΕ΅ezi cha banja ili kuti ayambe ntchito zawo nthawi yomweyo kumapangitsa kuti oyang'anira dongosolo akhale opanda ntchito. Njira yabwino yothanirana ndi AgentTesla ndikusanthula koyambirira mu sandbox.
M'nkhani yachitatu ya mndandandawu tiwona ma bootloaders ena omwe amagwiritsidwa ntchito AgentTesla, ndikuphunziranso momwe amatulutsira semi-automatic. Musaphonye!
Hash
| SHA1 |
| A8C2765B3D655BA23886D663D22BDD8EF6E8E894 |
| 8010CC2AF398F9F951555F7D481CE13DF60BBECF |
| 79B445DE923C92BF378B19D12A309C0E9C5851BF |
| 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
C & C.
| ulalo |
| sina-c0m[.]icu |
| smtp[.]sina-c0m[.]icu |
RegKey
| Registry |
| HKCUSoftwareMicrosoftWindowsCurrentVersionRun{Script name} |
| HKCUSoftwareMicrosoftWindowsCurrentVersionRun%inregname% |
| HKCUSOFTWAREMicrosoftWindowsCurrentVersionExplorerStartupApprovedRun%inregname% |
Mutex
Palibe zizindikiro.
owona
| Zochita pafayilo |
| %Temp% temp.tmp |
| %yamba chikwatu%%infolder%%inname% |
| %Temp%tmpG{Nthawi yapano mu mamilliseconds}.tmp |
| %Temp%log.tmp |
| %AppData%{Nkhani zingapo za zilembo 10}.jpeg |
| C:UsersPublic{Kutsatizana kwa zilembo 10}.vbs |
| %Temp%{Dzina lafoda mwamakonda {Fayilo dzina} |
Zitsanzo Info
| dzina | Unknown |
| MD5 | F7722DD8660B261EA13B710062B59C43 |
| SHA1 | 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| SHA256 | 41DC0D5459F25E2FDCF8797948A7B315D3CB0753 98D808D1772CACCC726AF6E9 |
| Type | PE (.NET) |
| kukula | 327680 |
| Dzina Loyamba | AZZRIDKGGSLTYFUUBCCRRCUMRKTOXFVPDKGAGPUZI_20190701133545943.exe |
| DateStamp | 01.07.2019 |
| Wopanga | VB.NET |
| dzina | IELibrary.dll |
| MD5 | BFB160A89F4A607A60464631ED3ED9FD |
| SHA1 | 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
| SHA256 | D55800A825792F55999ABDAD199DFA54F3184417 215A298910F2C12CD9CC31EE |
| Type | PE (.NET DLL) |
| kukula | 16896 |
| Dzina Loyamba | IELibrary.dll |
| DateStamp | 11.10.2016 |
| Wopanga | Microsoft Linker(48.0*) |
Source: www.habr.com