In this post we describe how the cyber group OceanLotus (also known as APT32 and APT-C-00) recently used one of the publicly available
OceanLotus specializes in cyber espionage, and its primary targets are countries in Southeast Asia. The attackers craft documents that catch the attention of potential victims in order to lure them into executing the backdoor, and they also invest in tool development. The lures vary from attack to attack: "double-extension" files, self-extracting archives, documents with macros, and known exploits.
Exploiting the Microsoft Equation Editor vulnerability
In mid-2018, OceanLotus ran a campaign that exploited CVE-2017-11882. One of the group's malicious documents was analyzed by researchers at the 360 Threat Intelligence Center.
Initial vector
The document FW Report on demonstration of former CNRP in Republic of Korea.doc (SHA-1: D1357B284C951470066AAA7A8228190B88A5C7C3) is similar to the one described in that analysis. It is interesting because it targets users interested in Cambodian politics (CNRP - Cambodia National Rescue Party, dissolved at the end of 2017). Despite the .doc extension, the document is in RTF format (see the image below), contains junk code, and is also malformed.
Figure 1. "Junk" in the RTF
Although it contains malformed elements, Word opens this RTF file successfully. As Figure 2 shows, there is an EQNOLEFILEHDR structure at offset 0xC00, followed by an MTEF header and then an MTEF FONT entry (Figure 3).
Figure 2. FONT entry values
Figure 3.
The name field can be overflowed because its size is not checked before it is copied. An overly long name triggers the vulnerability. As the contents of the RTF file show (offset 0xC26 in Figure 2), the buffer is filled with shellcode followed by a dummy instruction (0x90, NOP) and the return address 0x402114. That address is a gadget inside EQNEDT32.exe that points to a RET instruction. The result is that EIP points to the beginning of the name field containing the shellcode.
Figure 4. Beginning of the exploit shellcode
The variable at address 0x45BD3C is dereferenced until it reaches a pointer to the currently loaded MTEFData structure. The rest of the shellcode follows.
The purpose of this shellcode is to execute a second-stage shellcode embedded in the opened document. The first shellcode starts by looking for the file handle of the opened document: it iterates over all handles in the system (NtQuerySystemInformation with the SystemExtendedHandleInformation argument) and checks whether the handle's PID matches the PID of the WinWord process and whether the document was opened with the access mask 0x12019F.
To confirm that the right handle has been found (and not a handle to some other open document), the file contents are mapped with CreateFileMapping and the shellcode checks whether the last four bytes of the document are "yyyy" (an egg-hunting technique). If they match, the document is copied to the temporary folder (GetTempPath) as ole.dll. Then the last 12 bytes of the document are read.
Figure 5. End-of-document markers
The 32-bit value between the markers AABBCCDD and yyyy is the offset of the next shellcode. It is invoked via the CreateThread function. The extracted shellcode is the same one that the OceanLotus group has used before.
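The egg-hunting check described above is easy to reproduce offline, which is handy for triaging a suspected lure without opening it in Word. The following script is an added example written for this page, not the shellcode itself or the article authors' tooling. It assumes that the AABBCCDD marker is the raw byte sequence AA BB CC DD (the only reading consistent with the 12-byte trailer the shellcode reads) and that the 32-bit offset is little-endian, as on x86; the sample document it builds is constructed.

```python
import struct

EGG = b"yyyy"                         # the four bytes the stage-1 shellcode expects at EOF
MARKER = bytes.fromhex("AABBCCDD")    # assumed: the AABBCCDD marker is the raw bytes AA BB CC DD
TRAILER_LEN = 12                      # marker (4) + 32-bit offset (4) + egg (4), the 12 bytes read


def find_second_stage(doc: bytes):
    """Reproduce the egg hunt: egg at EOF, marker at the start of the 12-byte
    trailer, then the 32-bit offset (assumed little-endian) that locates the
    stage-2 shellcode inside the same document.  Returns (offset, shellcode)
    or None when the document does not carry the trailer."""
    if len(doc) < TRAILER_LEN or not doc.endswith(EGG):
        return None
    trailer = doc[-TRAILER_LEN:]
    if trailer[:4] != MARKER:
        return None
    (offset,) = struct.unpack("<I", trailer[4:8])
    body_end = len(doc) - TRAILER_LEN
    if offset >= body_end:            # an offset pointing into the trailer itself is bogus
        return None
    return offset, doc[offset:body_end]


def build_sample(stage2: bytes, padding: int = 0x20) -> bytes:
    """Constructed test input: a fake RTF body, the stage-2 blob and the trailer."""
    body = b"{\\rtf1 junk junk junk}" + b"\x00" * padding
    return body + stage2 + MARKER + struct.pack("<I", len(body)) + EGG


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(b"\x90" * 8 + b"\xcc")
    hit = find_second_stage(data)
    if hit is None:
        print("no OceanLotus-style trailer found")
    else:
        print(f"stage-2 shellcode at offset {hit[0]:#x}, {len(hit[1])} bytes")
```

Run it with a file path to check a real sample; without arguments it checks the constructed document. Note that the trailer alone is only a weak indicator: the marker and egg are trivial to change, so the check is best used to carve the second stage from a document already identified by other means.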
Second stage
Dropping the components
File and directory names are chosen dynamically. The code randomly picks the name of an executable or DLL in C:\Windows\system32, then queries that file's version resource and takes its FileDescription field to use as the folder name. If that fails, the code picks a folder name from the directories under %ProgramFiles% or C:\Windows (obtained from GetWindowsDirectoryW). It avoids names that could conflict with existing files and makes sure the name does not contain any of the following words: windows, Microsoft, desktop, system, system32 or syswow64. If the directory already exists, "NLS_{6 characters}" is appended to the name.
Resource 0x102 is parsed and the files are dropped into %ProgramFiles% or %AppData%, into the randomly chosen directory. Their creation timestamps are changed to match those of kernel32.dll.
For example, here are the directory and the list of files created when C:\Windows\system32\TCPSVCS.exe was randomly chosen as the data source.
Figure 6. Dropping the various components
The structure of resource 0x102 in the dropper is complex. In short, it contains:
- the file names;
- the file sizes and contents;
- the compression format (COMPRESSION_FORMAT_LZNT1, used with the RtlDecompressBuffer function).
The first file is dropped as TCPSVCS.exe; it is the legitimate AcroTranscoder.exe (according to its FileDescription; SHA-1: 2896738693A8F36CC7AD83EF1FA46F82F32BE5A3).
You may have noticed that some of the DLL files are larger than 11 MB. This is because a large contiguous buffer of random data is placed inside the executable, probably to evade detection by some security products.
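Entries carved from resource 0x102 are LZNT1-compressed, so unpacking them on an analysis box that is not Windows means reimplementing what RtlDecompressBuffer does for COMPRESSION_FORMAT_LZNT1. The decompressor below is an added example written for this page (not the dropper's code or the article authors' tooling); the LZNT1 chunk and token layout it follows is the documented NTFS/Rtl one, and the sample stream is constructed by hand.

```python
import struct


def lznt1_decompress(data: bytes, max_out: int = 1 << 20) -> bytes:
    """Decompress an LZNT1 stream as RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1) would.

    The stream is a sequence of chunks.  Each chunk starts with a 16-bit header:
      bits 0-11  : compressed chunk size minus one
      bits 12-14 : signature, always 3
      bit  15    : 1 if the body is compressed, 0 if it is stored verbatim
    A compressed body is a series of [flag byte][up to 8 tokens].  Flag bit i set
    means token i is a 2-byte little-endian back-reference; clear means a literal.
    The offset/length split of a back-reference depends on how many bytes of the
    current (at most 4 KiB) chunk have already been produced."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        (hdr,) = struct.unpack_from("<H", data, pos)
        pos += 2
        if hdr == 0:                         # a zero header terminates the stream
            break
        if (hdr >> 12) & 7 != 3:
            raise ValueError(f"bad chunk signature at offset {pos - 2:#x}")
        size = (hdr & 0xFFF) + 1
        chunk = data[pos:pos + size]
        pos += size
        if not hdr & 0x8000:                 # stored chunk: copy through
            out += chunk
            continue
        chunk_start = len(out)
        i = 0
        while i < len(chunk):
            flags = chunk[i]
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not flags & (1 << bit):   # literal byte
                    out.append(chunk[i])
                    i += 1
                    continue
                # Back-reference.  The further into the chunk we are, the more of the
                # 16 bits are given to the offset and the fewer to the length.
                produced = len(out) - chunk_start
                len_mask, off_shift, threshold = 0xFFF, 12, 0x10
                while produced >= threshold:
                    threshold <<= 1
                    len_mask >>= 1
                    off_shift -= 1
                (word,) = struct.unpack_from("<H", chunk, i)
                i += 2
                length = (word & len_mask) + 3
                offset = (word >> off_shift) + 1
                if offset > produced:
                    raise ValueError("back-reference reaches before the chunk start")
                for _ in range(length):      # byte-wise copy so overlapping runs repeat correctly
                    out.append(out[-offset])
        if len(out) > max_out:
            raise ValueError("decompressed output exceeds max_out")
    return bytes(out)


# Constructed sample: one compressed chunk ("ABCD" then a 12-byte copy from 4 back)
# followed by one stored chunk ("hello").  Expected output: b"ABCDABCDABCDABCDhello".
SAMPLE_STREAM = (bytes.fromhex("06b0") + b"\x10ABCD\x09\x30"
                 + bytes.fromhex("0430") + b"hello")

if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE_STREAM))
```

To apply it to the dropper, carve the per-file blobs from resource 0x102 (names, sizes and contents, as listed above) and feed each blob to lznt1_decompress; the max_out guard exists because a malformed or hostile stream can expand far beyond what a short input suggests.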
Ensuring persistence
Resource 0x101 in the dropper contains two 32-bit integers that specify how persistence should be achieved. The first value specifies how the malware will persist without administrator privileges.
Table 1. Persistence mechanisms without administrator privileges
The second value specifies how the malware should achieve persistence when running with administrator privileges.
Table 2. Persistence mechanisms with administrator privileges
The service name is the file name without its extension; the display name is the folder name, but if it already exists the string "Revision 1" is appended (the number is incremented until an unused name is found). The operators made sure that persistence via a service is robust: if the service fails, it is to be restarted after one second. The WOW64 value of the new service's registry key is then set to 4, which marks it as a 32-bit service.
The scheduled task is created through several COM interfaces: ITaskScheduler, ITask, ITaskTrigger, IPersistFile and ITaskScheduler. Essentially, the malware creates a hidden task, sets the account information to the current user's or the administrator's, and then sets a trigger.
The trigger is a daily one with a duration of 24 hours and an interval of 10 minutes between two executions, which means the task effectively runs continuously.
DLL hijacking
In our example, the executable TCPSVCS.exe (AcroTranscoder.exe) is legitimate software that loads the DLLs dropped alongside it. In this case it is interested in Flash Video Extension.dll.
The DLL's DllMain simply calls another function. A few fuzzy predicates are present:
Figure 7. Fuzzy predicates
After these misleading checks, the code locates the .text section of TCPSVCS.exe, changes its protection to PAGE_EXECUTE_READWRITE and overwrites it with dummy instructions:
Figure 8. Instruction sequence
At the end of the address of the function FLVCore::Uninitialize(void), exported by Flash Video Extension.dll, a CALL instruction is added. This means that once the malicious DLL is loaded and the runtime calls WinMain in TCPSVCS.exe, the instruction pointer lands on the NOPs, which leads to the call of FLVCore::Uninitialize(void), the next stage.
That function first creates a mutex whose name starts with {181C8480-A975-411C-AB0A-630DB8B0A221} followed by the current user name. It then reads the dropped *.db3 file, which contains position-independent code, and uses CreateThread to execute its contents.
The contents of the *.db3 file are the shellcode used by the OceanLotus group. We again extracted its payload using the emulator script we released.
The script extracts the final stage. This component is a backdoor we have already analyzed, in the {A96B020F-0000-466F-A96D-A91BBF8EAC96} binary. The malware's configuration is still encrypted in the PE resource. It has roughly the same configuration, but the C&C servers differ from the earlier ones:
- andreagahuvrauvin[.]com
- byronorenstein[.]com
- stienollmache[.]xyz
The OceanLotus group once again shows a combination of techniques for avoiding detection. They returned with a "polished" infection chain. By choosing random names and padding executables with random data, they reduce the number of reliable IoCs (those based on hashes and file names). Moreover, because of the use of third-party DLL side-loading, the attackers only need to drop the legitimate AcroTranscoder binary.
Self-extracting archives
After the RTF files, the group moved on to self-extracting (SFX) archives with common document icons to further confuse the user. Threatbook wrote about this ({A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll). Since mid-January 2019, OceanLotus has been using this technique while changing some configurations over time. In this section we discuss the technique and the changes.
Decoy
The document THICH-THONG-LAC-HANH-THAP-THIEN-VIET-NAM (1).EXE (SHA-1: AC10F5B1D5ECAB22B7B418D6E98FA18E32BBDEAB) was first seen in 2018. This SFX file was crafted with some care: its description (Version Info) states that it is a JPEG image. The SFX script looks like this:
Figure 9. SFX commands
The malware drops {9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (SHA-1: EFAC23B0E6395B1178BCF7086F72344B24C04DCC) along with the image 2018 thich thong lac.jpg.
The decoy image looks like this:
Figure 10. Decoy image
You may have noticed that the first two lines of the SFX script call the OCX file twice; this is not a mistake.
{9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (ShLd.dll)
The control flow of the OCX file is similar to other OceanLotus components: many JZ/JNZ and PUSH/RET sequences interleaved with junk code.
Figure 11. Obfuscated code
After filtering out the junk code, the export DllRegisterServer, called by regsvr32.exe, looks like this:
Figure 12. Basic installer code
Essentially, on the first call DllRegisterServer sets the registry value HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model to an encrypted offset inside the DLL (0x10001DE0).
When the function is called a second time, it reads that value and executes the code at that address. From here the resource is read and executed, and many actions take place entirely in memory.
The shellcode is the same PE loader used in earlier OceanLotus campaigns. It can be emulated with our script; it maps db293b825dcc419ba7dc2c49fa2757ee.dll into memory and executes DllEntry.
The DLL extracts the contents of its resource, decrypts it (AES-256-CBC) and decompresses it (LZMA). The resource has a specific format that is easy to parse.
Figure 13. Installer configuration structure (KaitaiStruct Visualizer)
The configuration is explicit: depending on the privilege level, the binary data is written to %appdata%\Intellogs\BackgroundUploadTask.cpl or to %windir%\System32\BackgroundUploadTask.cpl (or SysWOW64 on 64-bit systems).
Further persistence is ensured by creating a task named BackgroundUploadTask[junk].job, where [junk] stands for a set of bytes 0x9D and 0xA0.
The task's Application Name is %windir%\System32\control.exe and its parameter value is the path to the dropped binary. The hidden task runs daily.
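Both persistence mechanisms described on this page (the dropper's service and scheduled task with its 24-hour, 10-minute repeating trigger, and the SFX chain's control.exe task launching a .cpl from a junk-named .job) leave characteristics that can be hunted for in exported service and task inventories. The following is an added example written for this page, not the article authors' detection content: it scores constructed service and task records (the record shapes, names and paths are invented for illustration; real input would come from a registry or Task Scheduler export) against the traits reported above, and only flags a record when at least two traits coincide, since a trait such as WOW64 = 4 is common on legitimate 32-bit services.

```python
import ntpath
import re

REVISION_SUFFIX = re.compile(r" Revision \d+$")
JUNK_CODEPOINTS = {0x9D, 0xA0}     # the bytes the article reports inside the .job name
WINDOWS_DIR = "c:\\windows\\"

# Constructed records (not real telemetry): one malicious and one benign entry per mechanism.
SERVICES = [
    {"name": "TCPSVCS", "display": "Network Tools Revision 1",
     "image_path": "C:\\Program Files\\Network Tools\\TCPSVCS.exe",
     "wow64": 4, "restart_delay_ms": 1000},
    {"name": "Spooler", "display": "Print Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe",
     "wow64": None, "restart_delay_ms": 60000},
]
TASKS = [
    {"name": "BackgroundUploadTask\x9d\xa0",
     "application": "C:\\Windows\\System32\\control.exe",
     "arguments": "C:\\Users\\victim\\AppData\\Roaming\\Intellogs\\BackgroundUploadTask.cpl",
     "hidden": True, "trigger": "daily", "repeat_minutes": 10, "duration_hours": 24},
    {"name": "VendorUpdateCheck",
     "application": "C:\\Program Files\\Vendor\\update.exe", "arguments": "/check",
     "hidden": False, "trigger": "daily", "repeat_minutes": None, "duration_hours": None},
]


def service_findings(svc: dict) -> list:
    """Traits of the dropper's service persistence (see Tables 1 and 2 above)."""
    found = []
    if REVISION_SUFFIX.search(svc["display"]):
        found.append("display name carries a ' Revision N' suffix")
    if not svc["image_path"].lower().startswith(WINDOWS_DIR):
        found.append("image path outside the Windows directory: " + svc["image_path"])
    if svc.get("restart_delay_ms") == 1000:
        found.append("failure action restarts the service after 1 second")
    if svc.get("wow64") == 4:
        found.append("WOW64 = 4 (32-bit service); weak on its own")
    return found


def task_findings(task: dict) -> list:
    """Traits of the scheduled-task persistence used by both chains."""
    found = []
    name = task["name"]
    if any(ord(c) in JUNK_CODEPOINTS or not c.isprintable() for c in name):
        found.append("task name contains control/junk characters: "
                     + name.encode("unicode_escape").decode())
    app = ntpath.basename(task["application"]).lower()
    if app == "control.exe" and task.get("arguments", "").lower().endswith(".cpl"):
        found.append("control.exe used to launch a .cpl: " + task["arguments"])
    if (task.get("trigger") == "daily" and task.get("repeat_minutes") == 10
            and task.get("duration_hours") == 24):
        found.append("daily trigger repeated every 10 minutes for 24 hours (effectively continuous)")
    if task.get("hidden"):
        found.append("task is hidden")
    return found


def hunt(services: list, tasks: list, threshold: int = 2) -> dict:
    """Return {record id: findings} for records with at least `threshold` traits."""
    hits = {}
    for svc in services:
        found = service_findings(svc)
        if len(found) >= threshold:
            hits["service:" + svc["name"]] = found
    for task in tasks:
        found = task_findings(task)
        if len(found) >= threshold:
            hits["task:" + task["name"]] = found
    return hits


if __name__ == "__main__":
    for record, reasons in hunt(SERVICES, TASKS).items():
        print(record.encode("unicode_escape").decode())
        for reason in reasons:
            print("   -", reason)
```

The two strongest single signals are the non-printable bytes in the task name (the `\x9d`/`\xa0` junk) and control.exe being scheduled with an explicit .cpl argument; the timing pattern and the Revision suffix are useful corroboration but both can appear in ordinary software.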
Structurally, the CPL file is a DLL with the internal name ac8e06de0a6c4483af9837d96504127e.dll, which exports the function CPlApplet. This file extracts its only resource, {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll, then loads this DLL and calls its only export, DllEntry.
Backdoor configuration file
The backdoor configuration is encrypted and embedded in its resources. The structure of the configuration file is very similar to the previous one.
Figure 14. Backdoor configuration structure (KaitaiStruct Visualizer)
Although the structure is similar, many of the field values have been updated from those shown in
The first element of the binary array contains a DLL (HttpProv.dll, MD5: 2559738D1BD4A999126F900C7357B759),
Further research
While collecting samples, we noticed some other characteristics. The sample just described was seen in July 2018, and similar ones were seen recently, between mid-January and early February 2019. The SFX archive was used as the infection vector, dropping a decoy document and a malicious OCX file.
Although OceanLotus uses fake timestamps, we noticed that the timestamps of the SFX and OCX files are always the same (0x57B0C36A (08/14/2016 @ 7:15pm UTC) and 0x498BE80F (02/06/2009 @ 7:34am UTC), respectively). This probably indicates that the authors have some kind of "builder" that uses the same templates and only changes a few characteristics.
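A constant, fake timestamp is itself a pivot: files sharing it can be clustered and compared against the two values reported above. The script below is an added example written for this page (not the article authors' tooling); it assumes the timestamps in question are the PE header's IMAGE_FILE_HEADER.TimeDateStamp, the usual meaning of a "fake timestamp" on a Windows binary. It parses that field directly, so it does not depend on a PE library, and the minimal MZ/PE headers it tests against are constructed.

```python
import struct
from datetime import datetime, timezone

# Values the article reports as constant across the SFX and OCX samples
KNOWN_BUILDER_STAMPS = {0x57B0C36A: "SFX archive", 0x498BE80F: "OCX component"}


def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the signature: Machine (2), NumberOfSections (2), TimeDateStamp (4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def describe(stamp: int) -> str:
    """Render a TimeDateStamp as a UTC date, the way the article quotes them."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def cluster_by_stamp(samples: dict) -> dict:
    """Map each TimeDateStamp to the names of the samples sharing it."""
    clusters = {}
    for name, data in samples.items():
        clusters.setdefault(pe_timestamp(data), []).append(name)
    return clusters


def known_builder_hits(samples: dict) -> dict:
    """Samples whose stamp matches one of the builder constants reported above."""
    return {name: KNOWN_BUILDER_STAMPS[stamp]
            for stamp, names in cluster_by_stamp(samples).items()
            if stamp in KNOWN_BUILDER_STAMPS
            for name in names}


def build_stub(stamp: int) -> bytes:
    """Constructed minimal MZ/PE header (not a runnable executable) carrying `stamp`."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2))                 # DOS header up to e_lfanew
    hdr += struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, stamp)     # i386, one section, stamp
    return bytes(hdr)


if __name__ == "__main__":
    samples = {"lure.exe": build_stub(0x57B0C36A), "payload.ocx": build_stub(0x498BE80F),
               "other.dll": build_stub(0x5C4F0000)}
    for stamp, names in cluster_by_stamp(samples).items():
        tag = KNOWN_BUILDER_STAMPS.get(stamp, "")
        print(f"{stamp:#010x} {describe(stamp)} {names} {tag}")
```

On real samples, read each file with open(path, "rb").read() and pass the bytes in; a stamp shared by files with unrelated names and version information is the builder artifact to look for, whether or not it matches the two known values.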
Among the samples we studied from early 2018, there are various names that reveal the countries of interest to the attackers:
- New contact information of Cambodia Media(New).xls.exe
- 李建香 (个人简历).exe (a fake PDF CV document)
- feedback, Rally in USA from July 28-29, 2018.exe
Since the backdoor {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll was discovered and its analysis published by several researchers, we have seen some changes in the malware's configuration data.
First, the authors started removing the names from the helper DLLs (DNSprov.dll and two versions of HttpProv.dll). The operators then stopped packing the third DLL (the second version of HttpProv.dll), choosing to deploy only one.
Second, many fields of the backdoor configuration were changed, probably to evade detection once many IoCs had become available. The important fields modified by the authors include:
- the AppX registry key (see the IoCs)
- the mutex encoding strings ("def", "abc", "ghi")
- the port number
Finally, all the new versions analyzed have new C&Cs, listed in the IoCs section.
Conclusions
OceanLotus keeps evolving. The group is focused on refining and expanding its tools and decoys. The authors disguise malicious payloads with documents on topical subjects relevant to their intended victims. They develop new schemes and also use publicly available tools, such as the Equation Editor exploit. Moreover, they are improving their tools to reduce the number of artifacts left on victims' machines, thereby reducing the chance of detection by antivirus software.
Indicators of compromise
The indicators of compromise, along with the MITRE ATT&CK techniques, are available
Source: www.habr.com