With this article we conclude our series of publications on malware analysis. Today Ilya Pomerantsev, malware analyst at CERT Group-IB, talks about the first stage of malware analysis: semi-automatic unpacking of AgentTesla samples, using three small cases from CERT Group-IB practice.
The first stage of malware analysis is usually the removal of a protection layer in the form of a packer, cryptor, protector or loader. In many cases the problem is solved simply by running the malware and dumping it, but there are situations where that approach is unsuitable: when the malware is itself a cryptor, when it protects its memory regions from being dumped, when the code contains virtual machine detection, or when the malware reboots the system immediately after launch. In such cases so-called "semi-automatic" unpacking is used: the analyst keeps full control over the process and can intervene at any point. Let's walk through this approach using three samples of the AgentTesla family. This malware is relatively harmless as long as its network access is cut off.
Sample No. 1
The initial file is an MS Word document that exploits CVE-2017-11882.
As a result, the payload is downloaded and launched.
Analysis of the process tree and behavioral markers shows an injection into the RegAsm.exe process.
AgentTesla behavioral markers are present.
The downloaded sample is a .NET executable protected by the .NET Reactor protector.
Open it in dnSpy x86 and go to the entry point.
Stepping into the DateTimeOffset method, we find the initialization code of a new .NET module. Set a breakpoint on the line of interest and run the file.
One of the returned buffers contains the MZ signature (0x4D 0x5A). Save it.
The dumped file is a dynamic library that acts as a loader: it extracts the payload from the resource section and launches it.
However, the required resources themselves are not present in the dump. They are in the parent sample.
dnSpy has two features that help us assemble a "Frankenstein" from the two related files:
- The first lets us "embed" the dynamic library into the parent sample.
- The second lets us rewrite the function code at the entry point so that it calls the desired method of the embedded dynamic library.
We save our "Frankenstein", set a breakpoint on the line that returns the buffer with the decrypted resources, and take a dump the same way as in the previous step.
The second dump is a VB.NET executable protected by the well-known ConfuserEx protector.
After removing the protector, we apply previously written YARA rules and confirm that the unpacked malware is AgentTesla.
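As an added example (not part of the original article and not Group-IB's tooling), here is how the "look for MZ in the returned buffer" step from the two dumps above can be automated in Python. The script walks a dumped buffer, validates each MZ candidate by following e_lfanew to a PE\0\0 signature and a sane optional-header magic, and sizes the image from its section table so the carved file can be opened in dnSpy directly. The buffer it works on is constructed inline (a minimal header-only PE wrapped in filler with a decoy MZ) and is not a real sample; the function and variable names are my own.

```python
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def carve_pe(buf, mapped=False):
    """Return (offset, size) for every plausible PE image found in buf.
    mapped=False: buffer holds file-layout images (a byte[] returned by a .NET
    loader, as in the dnSpy dumps); mapped=True: buffer is a memory dump where
    sections sit at their VirtualAddress (ProcessHacker region dumps)."""
    found = []
    pos = buf.find(b"MZ")
    while pos != -1:
        size = _pe_size_at(buf, pos, mapped)
        if size:
            found.append((pos, size))
        pos = buf.find(b"MZ", pos + 1)
    return found


def _pe_size_at(buf, base, mapped):
    """Validate the header chain at base and compute the image extent; 0 if
    this 'MZ' is just two bytes that happen to be 0x4D 0x5A."""
    if base + 0x40 > len(buf):
        return 0
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    pe = base + e_lfanew
    # 0x1000 is a heuristic cap on the DOS stub size, not a format limit
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(buf):
        return 0
    if buf[pe:pe + 4] != b"PE\x00\x00":
        return 0
    nsections = struct.unpack_from("<H", buf, pe + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24
    if opt + opt_size > len(buf) or nsections == 0 or nsections > 96:
        return 0
    if struct.unpack_from("<H", buf, opt)[0] not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return 0
    # SizeOfImage (+56) and SizeOfHeaders (+60) sit at the same offsets in
    # PE32 and PE32+ optional headers
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    size_of_headers = struct.unpack_from("<I", buf, opt + 60)[0]
    end = size_of_image if mapped else size_of_headers
    sec = opt + opt_size
    for _ in range(nsections):
        if sec + 40 > len(buf):
            return 0
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", buf, sec + 8)
        end = max(end, (vaddr + vsize) if mapped else (rawptr + rawsize))
        sec += 40
    # a dump taken mid-load may be truncated: clamp to what we actually have
    return min(end, len(buf) - base)


def build_minimal_pe():
    """Constructed stand-in for a dumped PE: valid DOS/COFF/optional headers
    and one .text section, no real code. Not taken from any malware sample."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 36, 0x200)   # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)  # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)   # SizeOfHeaders
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000,
                          0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + bytes(opt) + section
    headers += b"\x00" * (0x200 - len(headers))
    return headers + bytes(range(256)) * 2   # 0x200 bytes of section data


def make_sample_dump():
    """Constructed buffer 'saved from the debugger': filler, a decoy 'MZ' with
    no PE header behind it, the minimal PE at offset 0x137, more filler."""
    return (b"\x90" * 0x33 + b"MZ\xff\xff" + b"\x00" * 0x100
            + build_minimal_pe() + b"\xcc" * 64)


if __name__ == "__main__":
    dump = make_sample_dump()
    for off, size in carve_pe(dump):
        print(f"PE image at 0x{off:x}, 0x{size:x} bytes")
        with open(f"carved_{off:x}.bin", "wb") as fh:
            fh.write(dump[off:off + size])
```

The same scan runs over region dumps with mapped=True, where section extents come from VirtualAddress/VirtualSize instead of the raw file pointers; such a dump has to be un-mapped (raw pointers rewritten to match) before dnSpy or de4dot will load it, which this script deliberately leaves to a PE-fixing tool.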
Sample No. 2
The initial file is an MS Excel document. An embedded macro triggers execution of the malicious code.
As a result, a PowerShell script is launched.
The script decrypts C# code and transfers control to it. The code itself is a loader, as we can see from the sandbox report.
The payload is a .NET executable.
Opening the file in dnSpy x86, we see that it is obfuscated. Remove the obfuscation with the de4dot tool and return to analysis.
Examining the code, we find the following function:
The lines EntryPoint and Invoke stand out. Set a breakpoint on the first of them, run, and save the contents of the byte_0 buffer.
The dump is again a .NET application, protected by ConfuserEx.
Remove the obfuscation with de4dot and load the result into dnSpy. From the file description we understand that we are dealing with the CyaX-Sharp loader.
This loader has extensive anti-analysis functionality.
It includes bypassing Windows security mechanisms, disabling Windows Defender, and sandbox and virtual machine detection. The payload can be loaded from the network or stored in the resource section. Launch is done via the loader's own process, via a copy of its own process, or via the MSBuild.exe, vbc.exe and RegSvcs.exe processes, depending on the parameter chosen by the attacker.
For us, however, these matter less than the AntiDump feature added by ConfuserEx. Its source code is public.
To disable the protection, we use dnSpy's ability to edit IL code.
Save the result and set a breakpoint on the line that calls the payload decryption function. It is located in the main class constructor.
Run and dump the payload. Using the previously written YARA rules, we confirm that it is AgentTesla.
Sample No. 3
The initial file is a VB Native PE32 executable.
Entropy analysis shows the presence of a large block of encrypted data.
Examining the application form in VB Decompiler, we notice a strange pixelated background.
The entropy graph of this bmp image resembles the entropy graph of the original file, and its size is 85% of the file size.
The overall appearance of the image indicates the use of steganography.
Let's look at the process tree and note the presence of an injection marker.
This indicates that unpacking is taking place. For Visual Basic loaders (aka VBKrypt or VBInjector) it is typical to use shellcode to initialize the payload and to perform the injection itself.
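The entropy comparison just made (the image's profile matching the file's, and the image being 85% of the file) is easy to reproduce with a few lines of Python. This is an added example, not code from the article: it computes Shannon entropy per fixed-size window and merges windows above a threshold into candidate encrypted regions, then reports what share of the file they cover. The input is a constructed buffer (repeating VB-style text, a seeded pseudo-random block standing in for the encrypted bitmap, then zeros); the window size, threshold and function names are my choices.

```python
import math
import random

WINDOW = 1024       # bytes per entropy sample
THRESHOLD = 7.0     # bits/byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for a
    perfectly uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_profile(data, window=WINDOW):
    """(offset, entropy) for each consecutive window, i.e. the graph a PE
    viewer draws."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def high_entropy_regions(data, window=WINDOW, threshold=THRESHOLD):
    """Merge adjacent windows above the threshold into (start, end) ranges."""
    regions = []
    for off, h in entropy_profile(data, window):
        if h < threshold:
            continue
        end = min(off + window, len(data))
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((off, end))
    return regions


def encrypted_share(data, window=WINDOW, threshold=THRESHOLD):
    """Fraction of the file covered by high-entropy regions: the article's
    '85% of the file size' figure, computed rather than eyeballed."""
    covered = sum(e - s for s, e in high_entropy_regions(data, window, threshold))
    return covered / len(data) if data else 0.0


def make_sample_file():
    """Constructed stand-in for the VB executable: low-entropy code/text,
    then seeded pseudo-random bytes playing the encrypted bitmap, then a
    zeroed tail. Not derived from any real sample."""
    rng = random.Random(1337)
    text = (b"Private Sub Form_Load() End Sub " * 64)[:2048]
    blob = bytes(rng.getrandbits(8) for _ in range(8192))
    return text + blob + b"\x00" * 1024


if __name__ == "__main__":
    sample = make_sample_file()
    for off, h in entropy_profile(sample):
        print(f"0x{off:06x}  {h:5.2f}  {'#' * int(h * 4)}")
    print("high-entropy regions:", high_entropy_regions(sample))
    print(f"encrypted share: {encrypted_share(sample):.0%}")
```

Run against the real file and against the extracted bmp separately, the two profiles should line up, which is the observation that leads to the steganography hypothesis; a region that is high-entropy in the file but absent from the image would instead point at a packed section or an overlay.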
Analysis in VB Decompiler showed a Load event handler on the form FegatassocAirballoon2.
Let's go to the indicated address in IDA Pro and study the function. The code is heavily obfuscated. The fragment of interest is shown below.
Here the process address space is scanned for a signature. This approach is highly questionable.
First, the scan starts at address 0x400100. This value is hardcoded and is not adjusted when the image base changes. Under ideal conditions it points just past the PE header of the executable. But the base is not static, its value can change, and the search for the real address of the required signature, while it will not overflow any variables, can take a very long time.
Second, the signature itself, iWGK. I think it is obvious that 4 bytes are too few to guarantee uniqueness. Combined with the first point, the chance of a false match is very high.
In fact, the required fragment is appended to the end of the previously found bmp image, at offset 0xA1D0D.
Shellcode execution takes place in two stages. The first stage decrypts the main body; the key is found by brute force.
Dump the decrypted shellcode and look at its strings.
First, we now know the function used to create the child process: CreateProcessInternalW.
Second, we have learned the mechanism used to persist in the system.
Return to the original process. Set a breakpoint on CreateProcessInternalW and continue execution. Next we see the NtGetContextThread/NtSetContextThread pair, which changes the execution start address to the shellcode address.
Attach the debugger to the created process, enable the Suspend on library load/unload event, resume the process and wait for the .NET libraries to load.
Then, using ProcessHacker, dump the memory regions containing the unpacked .NET application.
Stop all processes and remove the copy of the malware that has persisted on the system.
The dumped file is protected by .NET Reactor, which is easily removed with the de4dot utility.
Using the previously written YARA rules, we confirm that it is AgentTesla.
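The two facts established above (the fragment is appended past the end of the carrier bitmap, and the first stage recovers its own key by brute force rather than storing it) are reproduced here from the analyst's side. This is an added example, not the article's or Group-IB's code: it parses the BMP file header to find where the declared image ends, treats everything beyond it as the appended fragment, recovers a single-byte XOR key by trying all 256 values and scoring each candidate on known API-name markers and printable ratio, then lists the strings the way the article does after the dump. The carrier image, the "stage" bytes and the key 0x5A are constructed inline; the real sample's offset 0xA1D0D and its key are not reproduced, and the marker list and function names are my assumptions.

```python
import re
import struct

# Markers an injector stage almost always carries once decrypted. This is a
# scoring assumption, not a list taken from the sample.
API_MARKERS = (b"kernel32", b"ntdll", b"CreateProcess", b"LoadLibrary",
               b"GetProcAddress", b"VirtualAlloc")


def bmp_overlay(data):
    """Return (offset, bytes) of anything appended past the end of a BMP.
    bfSize (bytes 2..6 of the 14-byte file header) declares the real image
    size; a steganographic carrier is longer than it claims to be."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared = struct.unpack_from("<I", data, 2)[0]
    if declared == 0 or declared > len(data):
        raise ValueError("bfSize does not fit the buffer")
    return declared, data[declared:]


def xor_single(data, key):
    return bytes(b ^ key for b in data)


def printable_ratio(data):
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / max(len(data), 1)


def brute_force_xor_key(blob, markers=API_MARKERS):
    """Try every single-byte key; rank candidates by marker hits first and
    printable ratio second. This mirrors the stage's own loop, which keeps
    no key, only a success condition. Returns (key, plaintext)."""
    best_score, best_key, best_pt = (-1, -1.0), None, None
    for key in range(256):
        pt = xor_single(blob, key)
        score = (sum(pt.count(m) for m in markers), printable_ratio(pt))
        if score > best_score:
            best_score, best_key, best_pt = score, key, pt
    return best_key, best_pt


def extract_strings(data, min_len=6):
    """ASCII strings of at least min_len characters, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[ -~]{%d,}" % min_len, data)]


def make_carrier():
    """Constructed carrier: a 4x4 24-bit BMP with an XOR-encrypted 'stage'
    appended. The stage is a few opcode-looking bytes plus the strings an
    analyst hopes to see; it is not real shellcode."""
    width, height, bpp = 4, 4, 24
    row = (width * bpp // 8 + 3) & ~3                   # rows are 4-byte aligned
    pixels = bytes([0x7F, 0x7F, 0x7F]) * width * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0,
                      row * height, 2835, 2835, 0, 0)   # BITMAPINFOHEADER
    size = 14 + len(dib) + len(pixels)
    header = b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(dib))
    stage = (b"\x55\x8b\xec"
             + b"kernel32.dll\x00CreateProcessInternalW\x00"
             + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
             + b"\xc9\xc3")
    return header + dib + pixels + xor_single(stage, 0x5A)   # key 0x5A is constructed


def recover_stage(carrier):
    """End to end: carve the overlay, recover the key, list the strings.
    Returns (overlay offset, key, strings)."""
    offset, overlay = bmp_overlay(carrier)
    key, plain = brute_force_xor_key(overlay)
    return offset, key, extract_strings(plain)


if __name__ == "__main__":
    off, key, strs = recover_stage(make_carrier())
    print(f"overlay at 0x{off:x}, key 0x{key:02x}")
    for s in strs:
        print("  ", s)
```

The strings recovered this way are exactly what the article reads off the dump: the process-creation API and the registry path used for persistence. For a multi-byte rolling key the same scoring works on each key position independently, using the known-plaintext markers at their aligned offsets; the single-byte loop above is the degenerate case.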
Summary
So, using three small examples, we have shown in detail the semi-automatic unpacking of samples; by analyzing the malware from a full dump, we established that the sample under study is AgentTesla, determined its functionality, and compiled a full list of indicators of compromise.
Analyzing a malicious object the way we did takes a lot of time and effort, and this work should be done by a dedicated employee within the company; but not every company is ready to keep such a specialist on staff.
One of the services offered by Group-IB's Laboratory of Computer Forensics and Malicious Code Analysis is response to cyber incidents. And so that customers do not lose time approving documents and negotiating in the middle of a cyberattack, Group-IB launched Incident Response Retainer, a pre-subscription response service that also includes a malware analysis stage. More details on the service are available from Group-IB.
If you want to learn more about how AgentTesla samples are unpacked and see how a CERT Group-IB specialist does it, you can download the webinar recording on this topic.
Source: www.habr.com