The RTM cyber group specializes in stealing money from Russian companies

There are several known cyber groups that specialize in stealing money from Russian companies. We have observed attacks that use security loopholes to gain access to the target network. Once inside, the attackers study the structure of the organization's network and deploy their own tools to steal funds. Classic examples of this trend are the hacker groups Buhtrap, Cobalt and Corkow.


The RTM group covered in this report is part of this trend. It uses purpose-built malware written in Delphi, which we examine in detail in the following sections. The first traces of these tools in ESET's telemetry date from the end of 2015. The group loads various new modules onto infected systems as needed. The attacks target users of remote banking systems in Russia and some neighbouring countries.

1. Targets

The RTM campaign targets corporate users; this is evident from the processes the attackers try to detect on a compromised system. The focus is on accounting software used with remote banking systems.

The list of processes of interest to RTM resembles the corresponding list of the Buhtrap group, but the groups use different infection vectors. Where Buhtrap more often used fake pages, RTM used drive-by download attacks (attacks on the browser or its components) and email spam. According to telemetry data, the threat is aimed at Russia and several nearby countries (Ukraine, Kazakhstan, the Czech Republic, Germany). However, because mass distribution mechanisms are used, detections of the malware outside the target regions are not surprising.

The total number of malware detections is relatively small. On the other hand, the RTM campaign uses complex programs, which indicates that the attacks are highly targeted.

We found several decoy documents used by RTM, including non-existent contracts, invoices and tax accounting documents. The nature of the lures, combined with the type of software targeted, indicates that the attackers "enter" the networks of Russian companies through the accounting department. The group followed the same scheme as Buhtrap in 2014-2015.


During the research we were able to interact with several C&C servers. The full list of commands is described in the following sections; for now it is enough to say that the client sends keylogger data directly to the attackers' server, from which it then receives further commands.

However, the days when one could simply connect to a command and control server and collect all the data of interest are over. We recreated log files in order to obtain some relevant commands from the server.

The first of them is a request to the bot to upload the file 1c_to_kl.txt, the transport file of the 1C: Enterprise 8 program, whose appearance RTM actively monitors. 1C interacts with remote banking systems by exporting outgoing payment data to a text file. That file is then sent to the remote banking system, where the payment order is processed and executed automatically.

The file contains the payment details. If the attackers alter the outgoing payment information, the transfer is sent with false details to the attackers' accounts.


About a month after these files were requested from the command and control server, we observed a new plugin, 1c_2_kl.dll, being loaded onto the compromised system. The module (a DLL) is designed to parse the export file automatically by injecting into the accounting software process. We describe it in detail in the following sections.

Notably, FinCERT of the Bank of Russia issued a warning at the end of 2016 about cybercriminals abusing 1c_to_kl.txt export files. The developers of 1C are also aware of this scheme; they have made an official statement and published precautions.

Other modules were also loaded from the command server, in particular VNC (32- and 64-bit versions). It resembles the VNC module previously used in Dridex Trojan attacks. This module is presumably used to connect remotely to an infected computer and study the system in depth. The attackers then try to move through the network, extracting user passwords, collecting information and ensuring that the malware stays present.

2. Infection vectors

The following figure shows the infection vectors detected during our study of the campaign. The group uses a wide range of vectors, but mainly drive-by download attacks and spam. These tools suit targeted attacks: in the first case the attackers can choose sites visited by potential victims, and in the second they can send email with attachments directly to the company employees they want.

[Figure: infection vectors observed during the campaign]

The malware is distributed through several channels, including the RIG and Sundown exploit kits and spam mailings, which indicates links between the attackers and other cybercriminals offering these services.

2.1. How are RTM and Buhtrap related?

The RTM campaign is very similar to Buhtrap. The natural question is: how are the two related?

In September 2016, we observed an RTM sample being distributed using the Buhtrap uploader. In addition, we found two digital certificates used in both Buhtrap and RTM.

The first, allegedly issued to the company DNISTER-M, was used to sign the second Delphi form (SHA-1: 025C718BA31E43DB1B87DC13F94A61A9338C11CE) and the Buhtrap DLL (SHA-1 beginning 1E2642B454B2D889D6D41116D83D6D2D4890D; the rest of the hash is garbled in the source).

[Figure: certificate issued to DNISTER-M]

The second, issued to Bit-Tredj, was used to sign Buhtrap loaders (SHA-1: 7C1B6B1713BD923FC243DFEC80002FE9B93EB292 and B74F71560E48488D2153AE2FB51207 TM0E206A2; the second hash is garbled in the source).

[Figure: certificate issued to Bit-Tredj]

The RTM operators use certificates shared with other malware families, but they also have a certificate of their own. According to ESET telemetry, it was issued to Kit-SD and was used only to sign some RTM malware (SHA-1: 42A4B04446A20993DDAE98B2BE6D5A797376D4B6).

RTM uses the same loader as Buhtrap, and RTM components are downloaded from Buhtrap infrastructure, so the groups share similar network indicators. Nevertheless, in our assessment RTM and Buhtrap are different groups, not least because RTM is distributed in other ways as well (not only through the "borrowed" downloader).

Even so, the two groups operate on similar principles. They target businesses that use accounting software, collect system information in the same way, look for smart card readers, and deploy a range of malicious tools to spy on victims.

3. Evolution

In this section we look at the different versions of the malware found during the study.

3.1. Versioning

RTM stores configuration data in a registry key; the most interesting item is the botnet-prefix. The list of all values we observed in the studied samples is shown in the table below.

[Table: botnet-prefix values observed in the analyzed samples]

The values might be used to track malware versions. However, we saw no significant difference between versions such as bit2 and bit3, or 0.1.6.4 and 0.1.6.6. Moreover, one of the prefixes has existed from the start and has moved from a conventional C&C domain to a .bit domain, as shown below.

3.2. Timeline

Using telemetry data, we built a graph of when the samples occurred.

[Figure: timeline of sample occurrences from telemetry data]

4. Technical analysis

In this section we describe the main functions of the RTM banking Trojan, including its persistence mechanisms, its own variant of the RC4 algorithm, the network protocol, the spying functionality and some other features. In particular, we focus on the samples with SHA-1 AA0FA4584768CE9E16D67D8C529233E99FF1BBF0 and 48BC113EC8BA20B8B80CD5D4DA92051A19D1032B.

4.1. Installation and persistence

4.1.1. Implementation

The RTM core is a DLL; the library is written to disk by an .EXE. The executable is usually packed and contains the DLL code. Once launched, it extracts the DLL and runs it with the following command:

rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host

4.1.2. DLL

The main DLL is always written to disk as winlogon.lnk in the %PROGRAMDATA%\Winlogon folder. This file extension is normally associated with shortcuts, but the file is in fact a DLL written in Delphi, named core.dll by its developer, as shown in the image below.

[Figure: example of the DLL name in sample F4C746696B0F5BB565D445EC49DD912993DE6361]

Once launched, the Trojan sets up its persistence mechanism. This can be done in two different ways, depending on the privileges of the victim on the system. With administrator rights, the Trojan adds a Windows Update entry to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. The command stored in Windows Update is executed at the start of a user session.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update [REG_SZ] = rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host

The Trojan also tries to add a task to the Windows Task Scheduler. The task launches the winlogon.lnk DLL with the same parameters as above. With ordinary user rights, the Trojan adds a Windows Update entry with the same data to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key:

rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host
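The two autorun entries above share one shape: rundll32 loading a file with a non-DLL extension from %PROGRAMDATA% through the DllGetClassObject export. The following is an added example (not code from the report or from RTM) that checks a set of Run values for that shape. SAMPLE_RUN_VALUES is constructed; only the "Windows Update" entry reproduces the command line quoted above, the other two are invented benign entries for comparison.

```python
"""Flag Run-key values that match the rundll32 persistence pattern used by RTM."""
import re
from typing import Dict, List

# rundll32 command-line shape: rundll32.exe <module>,<export> [arguments]
# The module may be quoted; the export is the first token after the comma.
_RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Constructed sample: the first entry is the value RTM writes (from the report),
# the other two are invented benign entries.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "Windows Update": 'rundll32.exe "%PROGRAMDATA%\\winlogon.lnk",DllGetClassObject host',
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "VendorHelper": "rundll32.exe C:\\Windows\\System32\\vendorhelper.dll,StartHelper",
}


def analyse_rundll32_command(command: str) -> List[str]:
    """Return the reasons a rundll32 command line resembles the RTM persistence entry."""
    match = _RUNDLL32_RE.match(command)
    if not match:
        return []  # not a rundll32 invocation at all
    module, export = match.group("module"), match.group("export")
    reasons: List[str] = []
    if not module.lower().endswith(".dll"):
        reasons.append(f"module {module!r} is not a .dll (RTM uses a .lnk that is really a DLL)")
    if "programdata" in module.lower():
        reasons.append("module is loaded from %PROGRAMDATA%, writable without admin rights")
    if export.lower() == "dllgetclassobject":
        reasons.append("entry point DllGetClassObject is a COM export, unusual for an autorun value")
    return reasons


def suspicious_run_entries(run_values: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each Run value name to its findings; entries without findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for name, command in run_values.items():
        reasons = analyse_rundll32_command(command)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_run_entries(SAMPLE_RUN_VALUES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a live host, feed the function the values of both Run keys (for example from the output of `reg query`), and apply the same check to scheduled task actions, since the report says the same command line is registered there as well.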

4.2. Modified RC4 algorithm

Despite its known weaknesses, the RC4 algorithm is regularly used by malware authors. The RTM developers, however, modified it slightly, probably to make analysts' work harder. The modified RC4 is used extensively in the malicious RTM tools to encrypt strings, network data, configuration and modules.

4.2.1. Differences

The original RC4 algorithm has two stages: S-box initialization (KSA, Key-Scheduling Algorithm) and pseudo-random sequence generation (PRGA, Pseudo-Random Generation Algorithm). The first stage initializes the S-box from the key; in the second stage the plaintext is processed with the S-box to produce the ciphertext.

The RTM authors added an intermediate step between S-box initialization and encryption. The additional key is variable and is supplied together with the data to be encrypted or decrypted. The function that performs this additional step is shown in the figure below.

[Figure: function implementing the additional RC4 step]

4.2.2. String encryption

At first glance, only a few readable strings are present in the main DLL. The rest are encrypted with the algorithm described above; their structure is shown in the following figure. We found more than 25 different RC4 keys used for string encryption in the analyzed samples. The XOR key differs for each string. The value of the numeric field separating the strings is always 0xFFFFFFFF.

At the start of execution, RTM decrypts the strings into a global variable. When it needs a string, the Trojan computes the address of the decrypted string dynamically from the base address and an offset.

The strings contain interesting information about the malware's functions. Some example strings are given in Section 6.8.

[Figure: structure of an encrypted string]

4.3. Network

The way RTM contacts its C&C server varies from version to version. The first modifications (October 2015 to April 2016) used conventional domain names together with an RSS feed on livejournal.com to update the list of commands.

Since April 2016, we have observed a shift to .bit domains in telemetry data. The domain registration date confirms this: the first RTM domain, fde05d0573da.bit, was registered on March 13, 2016.

All URLs we observed while monitoring the campaign had the same path: /r/z.php. This is quite unusual and helps to identify RTM requests in network traffic.
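The fixed path, the .bit hosts, and the hard-coded User-Agent string given in section 4.3.3 can be combined into a simple proxy-log check. The following is an added example (not code from the report): the log format (timestamp, client, method, URL, quoted User-Agent) and the lines in SAMPLE_LOG are constructed, with the hosts and path taken from the indicators in the text.

```python
"""Pick RTM-like requests out of a proxy log using the indicators from section 4.3."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

RTM_PATH = "/r/z.php"
RTM_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

# Constructed log format: <timestamp> <client> <method> <url> "<user-agent>"
_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; the first two use hosts reported in the text.
SAMPLE_LOG = """\
2016-11-02T10:15:01Z 10.0.0.12 POST http://vpntap.top/r/z.php "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
2016-11-02T10:15:07Z 10.0.0.12 POST http://fde05d0573da.bit/r/z.php "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
2016-11-02T10:16:30Z 10.0.0.33 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2016-11-02T10:17:02Z 10.0.0.41 POST http://intranet.example.com/r/z.php "curl/7.50.1"
"""


def rtm_indicators(method: str, url: str, user_agent: str) -> List[str]:
    """Return the RTM network indicators that a single request matches."""
    parts = urlsplit(url)
    hits: List[str] = []
    if parts.path == RTM_PATH:
        hits.append("path /r/z.php")
    if parts.hostname and parts.hostname.endswith(".bit"):
        hits.append("Namecoin .bit domain")
    if method.upper() == "POST" and user_agent == RTM_USER_AGENT:
        hits.append("POST with the hard-coded MSIE 9.0 User-Agent")
    return hits


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one alert per matching request; score is the number of indicators hit."""
    alerts: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the sample format
        hits = rtm_indicators(m["method"], m["url"], m["ua"])
        if hits:
            alerts.append({"client": m["client"], "url": m["url"],
                           "score": len(hits), "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["score"], alert["client"], alert["url"], "; ".join(alert["indicators"]))
```

A single indicator (the path alone, as in the last sample line) is a prompt to look, not a verdict; a .bit hostname in a corporate proxy log deserves attention on its own, because ordinary resolvers do not serve that TLD and the bot has to go through dns.dot-bit.org or OpenNic servers to resolve it (section 4.3.2).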

4.3.1. Command and control channel

Legacy samples used this channel to update their list of command and control servers. It is hosted on livejournal.com and, at the time of writing, was still available at hxxp://f72bba81c921(.)livejournal(.)com/data/rss.

LiveJournal is a Russian-American company that provides a blogging platform. The RTM operators create an LJ blog in which they post an article containing encoded commands; see the screenshot.

[Figure: LJ blog post containing encoded commands]

The command and control strings are encrypted with the modified RC4 algorithm (Section 4.2). The current version (November 2016) of the channel contains the following command and control server addresses:

  • hxxp://cainmoon(.)net/r/z.php
  • hxxp://rtm(.)dev/0-3/z.php
  • hxxp://vpntap(.)top/r/z.php

4.3.2. .bit domains

In the most recent RTM samples, the authors reach their C&C domains through the .bit top-level domain (TLD). It is not on the ICANN (Internet Corporation for Assigned Names and Numbers) list of top-level domains. Instead, it relies on the Namecoin system, which is built on Bitcoin technology. Malware authors rarely use the .bit TLD for their domains, although one such case was previously observed in a version of the Necurs botnet.

Unlike Bitcoin, the distributed Namecoin database lets its users store data. The main application of this feature is the .bit top-level domain. Domains can be registered and are stored in the distributed database. The corresponding database entries contain the IP addresses the domain resolves to. This TLD is "bulletproof" because only the registrant can change the resolution of a .bit domain, which makes it much harder to take down a malicious domain that uses it.

The RTM Trojan does not embed the software needed to read the distributed Namecoin database. It uses central DNS servers such as dns.dot-bit.org or OpenNic servers to resolve .bit domains. It therefore has the same resilience as ordinary DNS servers. We observed that some of the group's domains stopped resolving after being mentioned in a blog post.

Another advantage of the .bit TLD for criminals is cost. Registering a domain costs only 0.01 NMC, which corresponds to $0.00185 (as of December 5, 2016). For comparison, a .com domain costs at least $10.

4.3.3. Protocol

To communicate with the command and control server, RTM uses HTTP POST requests whose body is formatted according to a custom protocol. The path is always /r/z.php and the User-Agent is Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0). In requests to the server, the data is laid out as follows, with offsets given in bytes:

[Figure: request packet layout, offsets in bytes]

Bytes 0 to 6 are not encoded; bytes from offset 6 onwards are encoded with the modified RC4 algorithm. The structure of the C&C response packet is simpler: bytes are encoded from offset 4 to the end of the packet.

[Figure: C&C response packet layout]

The list of possible action byte values is given in the table below:

[Table: possible action byte values]

The malware always computes the CRC32 of the decrypted data and compares it with the value carried in the packet. If they differ, the Trojan drops the packet.
The additional data can contain various objects, including a PE file, a file to search for in the file system, or new command URLs.

4.3.4. Panel

We noticed that RTM uses a panel on its C&C servers. Screenshot below:

[Figure: RTM C&C panel]

4.4. Characteristic features

RTM is a typical banking Trojan, so unsurprisingly its operators want information about the victim's system. On the one hand, the bot collects general information about the OS. On the other, it checks whether the compromised system shows traits associated with Russian remote banking systems.

4.4.1. General information

When the malware is installed, or started after a reboot, a report is sent to the command and control server containing general information, including:

  • time zone;
  • default system language;
  • privileges of the logged-on user;
  • process integrity level;
  • user name;
  • computer name;
  • OS version;
  • additional installed modules;
  • installed antivirus program;
  • list of smart card readers.

4.4.2 Remote banking system

A typical target of banking Trojans is the remote banking system, and RTM is no exception. One of the program's modules, called TBdo, performs various tasks, including scanning disks and browsing history.

By scanning the disks, the Trojan checks whether banking software is installed on the machine. The full list of target programs is in the table below. On detecting a file of interest, the program sends information to the command server. Subsequent actions depend on the logic implemented by the command centre (C&C).

[Table: target remote banking programs]

RTM also looks for URL patterns in the browser history and open tabs. In addition, the program walks the browser cache using the FindFirstUrlCacheEntryA and FindNextUrlCacheEntryA functions and checks each entry for a URL matching one of the following patterns:

[Table: URL patterns]

Having enumerated the open tabs, the Trojan queries Internet Explorer or Firefox through the Dynamic Data Exchange (DDE) mechanism to check whether a tab matches the pattern.

The check of browsing history and open tabs runs in a WHILE loop (a loop with a precondition) with a 1-second pause between iterations. Other data monitored in real time is discussed in section 4.5.

If a pattern is found, the program reports it to the command server using a string from the following table:

[Table: strings reported to the command server on a pattern match]

4.5 Monitoring

While the Trojan is running, information about the characteristic features of the infected system (including the presence of banking software) is sent to the command and control server. Fingerprinting happens when RTM first starts the monitoring system, after the initial OS scan.

4.5.1. Remote banking

The TBdo module is also responsible for monitoring banking-related processes. It uses dynamic data exchange to check tabs in Firefox and Internet Explorer during the initial scan. A separate module, TShell, is used to monitor shell windows (Internet Explorer or File Explorer).

That module uses the COM interfaces IShellWindows, IWebBrowser, DWebBrowserEvents2 and IConnectionPointContainer to monitor windows. When the user navigates to a new web page, the malware notices it and compares the page URL with the patterns above. On a match, the Trojan takes six consecutive screenshots at five-second intervals and sends them to the C&C server. The program also checks for certain window titles associated with banking software; the full list is below:

[Table: window titles associated with banking software]

4.5.2. Smart card

RTM can monitor smart card readers connected to infected computers. In some countries these devices are used to confirm payment orders. If such a device is attached to the computer, it indicates to the Trojan that the machine is likely used for banking transactions.

Unlike some other banking Trojans, RTM cannot interact with such smart cards. That functionality may be part of an additional module we have not yet seen.

4.5.3. Keylogger

An important part of monitoring an infected PC is capturing keystrokes. The RTM developers appear determined to miss nothing, since they monitor not only physical keys but also the virtual keyboard and the clipboard.

This is done with the SetWindowsHookExA function. The attackers log pressed keys, or keys entered through the virtual keyboard, together with the program name and the date. The buffer is then sent to the C&C server.

The SetClipboardViewer function is used to intercept the clipboard. The clipboard contents are logged when the data is text. The name and date are likewise recorded before the buffer is sent to the server.

4.5.4. Screenshots

Another RTM function is screenshot capture. It is triggered when the window monitoring module detects a site or banking software of interest. Screenshots are taken with a graphics library and sent to the command server.

4.6. Uninstallation

The C&C server can stop the malware and clean the computer. The command removes the files and registry entries created while RTM was running. A DLL is then used to remove the malware and the winlogon file, after which the command shuts down the computer. As shown in the image below, the DLL is removed using erase.dll.

[Figure: DLL removal via erase.dll]

The server can also send the Trojan a destructive uninstall-lock command. In that case, if it has administrator rights, RTM erases the MBR boot sector on the hard drive. If that fails, the Trojan tries to move the MBR boot sector to a random sector, so the computer cannot boot the OS after shutdown. This can force a complete reinstallation of the OS, destroying evidence.

Without administrator privileges, the malware writes out an .EXE embedded in the RTM DLL. The executable runs the code needed to shut down the computer and registers itself in the HKCU\...\CurrentVersion\Run registry key. Each time the user starts a session, the computer shuts down immediately.

4.7. The configuration file

By default, RTM has almost no configuration, but the command and control server can send configuration values that are stored in the registry and used by the program. The list of configuration keys is shown in the table below:

[Table: configuration keys]

The configuration is stored under the Software\[pseudo-random string] registry key. Each value corresponds to one of the rows in the table above. Both value names and data are encrypted with RTM's RC4 variant.

The data has the same structure as the network or string data: a four-byte XOR key is prepended to the encoded data. For configuration values the XOR key is different and depends on the size of the value. It is computed as follows:

xor_key = (len(config_value) << 24) | (len(config_value) << 16)
        | len(config_value) | (len(config_value) << 8)
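The following added example (not RTM's or ESET's code) ties together the three places the report describes this encoding: the two-stage RC4 of section 4.2.1, the CRC32 check on C&C packets in section 4.3.3, and the length-derived XOR key above. Standard RC4 is used, because the extra step RTM inserts between KSA and PRGA is only shown as a figure in the report and is not reproduced here. Two layouts are assumptions, stated in the code: that the 6-byte clear request header is a 2-byte action code followed by the CRC32 of the plaintext body, and that the 4-byte XOR key is applied over the RC4 output of a configuration value.

```python
"""RC4 as RTM uses it, the per-value XOR layer of section 4.7 and the CRC32 check of 4.3.3."""
import struct
import zlib
from typing import List, Optional, Tuple


def rc4_ksa(key: bytes) -> List[int]:
    """Key-Scheduling Algorithm: derive the 256-entry S-box from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s: List[int], data: bytes) -> bytes:
    """Pseudo-Random Generation Algorithm: XOR data with the keystream drawn from S."""
    s = s.copy()
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric). RTM's extra permutation step,
    shown only as a figure in the report, would run between these two calls."""
    return rc4_prga(rc4_ksa(key), data)


def config_xor_key(value_len: int) -> int:
    """The report's formula: the value length placed in all four byte positions of a 32-bit word."""
    n = value_len
    return ((n << 24) | (n << 16) | n | (n << 8)) & 0xFFFFFFFF


def xor_with_key(data: bytes, key32: int) -> bytes:
    """Repeating 4-byte XOR (little-endian key bytes)."""
    key = struct.pack("<I", key32)
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def encode_config_value(rc4_key: bytes, value: bytes) -> bytes:
    """Assumed layout: 4-byte LE XOR key, then the RC4 ciphertext XORed with that key."""
    k = config_xor_key(len(value))
    return struct.pack("<I", k) + xor_with_key(rc4(rc4_key, value), k)


def decode_config_value(rc4_key: bytes, blob: bytes) -> bytes:
    """Inverse of encode_config_value; the XOR key doubles as a length check."""
    (k,) = struct.unpack("<I", blob[:4])
    value = rc4(rc4_key, xor_with_key(blob[4:], k))
    if config_xor_key(len(value)) != k:
        raise ValueError("XOR key does not match the decoded value length")
    return value


def build_request(rc4_key: bytes, action: int, payload: bytes) -> bytes:
    """Assumed 6-byte clear header (2-byte action, 4-byte CRC32 of the plaintext);
    the body is RC4-encoded from offset 6 as the report describes for requests."""
    header = struct.pack("<HI", action, zlib.crc32(payload) & 0xFFFFFFFF)
    return header + rc4(rc4_key, payload)


def parse_request(rc4_key: bytes, packet: bytes) -> Optional[Tuple[int, bytes]]:
    """Decode a request; None means the CRC32 of the decrypted body did not match
    (the bot drops such packets)."""
    action, crc = struct.unpack("<HI", packet[:6])
    payload = rc4(rc4_key, packet[6:])
    if zlib.crc32(payload) & 0xFFFFFFFF != crc:
        return None
    return action, payload
```

Note that the length-derived key gives away the plaintext size of every configuration value before any decryption, and that a CRC32 over the plaintext detects corruption but not deliberate tampering by anyone holding the RC4 key; both are useful facts when writing decoders for captured registry data or traffic.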

4.8. Other features

Next, we look at the other functions RTM supports.

4.8.1. Additional modules

The Trojan includes additional modules in the form of DLL files. Modules sent from the C&C server can be executed as external programs, reflectively loaded into memory, or started in a new thread. For storage, modules are saved in .dtt files encoded with the RC4 algorithm under the same key used for network communication.

So far we have observed the installation of the VNC module (8966319882494077C21F66A8354E2CBCA0370464), the browser data extraction module (03DE8622BE6B2F75A364A275995C3411626C4D9F) and the 1c_2_kl module (SHA-1 beginning 1C2D1F562C1D69F6E58C88753D7F0FBA3B4; the rest of the hash is garbled in the source).

To load the VNC module, the C&C server issues a command requesting a connection to a VNC server at a specified IP address on port 44443. The browser data retrieval plugin runs TBrowserDataCollector, which can read the IE browsing history. It then sends the full list of visited URLs to the C&C server.

The last module discovered is called 1c_2_kl. It can interact with the 1C Enterprise software package. The module consists of two parts: the main part, a DLL, and two agents (32- and 64-bit), which are injected into every process by registering a WH_CBT hook. Once inside the 1C process, the module hooks the CreateFile and WriteFile functions. Whenever the hooked CreateFile is called, the module records the path of 1c_to_kl.txt in memory. After intercepting the WriteFile call, it invokes the real WriteFile and then sends the path of 1c_to_kl.txt to the main DLL module in a crafted Windows WM_COPYDATA message.

The main DLL module opens and parses the file to identify payment orders. It recognizes the amount and the transaction number in the file. This information is sent to the command server. We believe this module is still under development, because it contains a debug message and cannot yet modify 1c_to_kl.txt automatically.
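The module above reads 1c_to_kl.txt for the amount and transaction number of each payment order. As an added example (not RTM's or ESET's code), the following parser reads the key=value and section layout of the 1CClientBankExchange format that 1C writes to that file and then performs the check a defender would want before the file reaches the bank client: every recipient account must be on an allow-list, since a tampered file would differ only in those fields. The sample file and the allow-list are constructed; real files are Windows-1251 encoded, so read them with encoding="cp1251".

```python
"""Parse a 1c_to_kl.txt export and check recipient accounts against an allow-list."""
from decimal import Decimal
from typing import Dict, Iterable, List

# Constructed sample in the 1CClientBankExchange layout: a header, then one
# СекцияДокумент ... КонецДокумента block per payment order.
SAMPLE_1C_TO_KL = """1CClientBankExchange
ВерсияФормата=1.02
Кодировка=Windows
ДатаСоздания=02.11.2016
РасчСчет=40702810900000001234
СекцияДокумент=Платежное поручение
Номер=17
Дата=02.11.2016
Сумма=125000.00
ПлательщикСчет=40702810900000001234
ПолучательСчет=40702810500000005678
Получатель1=ООО Поставщик
НазначениеПлатежа=Оплата по договору 12
КонецДокумента
СекцияДокумент=Платежное поручение
Номер=18
Дата=02.11.2016
Сумма=12500.00
ПлательщикСчет=40702810900000001234
ПолучательСчет=40817810000000009999
Получатель1=Иванов И.И.
НазначениеПлатежа=Возврат
КонецДокумента
КонецФайла
"""


def parse_1c_to_kl(text: str) -> List[Dict[str, str]]:
    """Return one dict of fields per document block; header lines are ignored."""
    docs: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    in_doc = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("СекцияДокумент="):
            current, in_doc = {"Тип": line.split("=", 1)[1]}, True
        elif line == "КонецДокумента":
            if in_doc:
                docs.append(current)
            in_doc = False
        elif in_doc and "=" in line:
            key, value = line.split("=", 1)
            current[key] = value
    return docs


def total_amount(docs: Iterable[Dict[str, str]]) -> Decimal:
    """Sum of the Сумма fields, kept as Decimal to avoid float rounding on money."""
    return sum((Decimal(d["Сумма"]) for d in docs), Decimal("0"))


def unknown_payees(docs: Iterable[Dict[str, str]], allowed_accounts: Iterable[str]) -> List[str]:
    """Document numbers whose recipient account is not on the allow-list."""
    allowed = set(allowed_accounts)
    return [d["Номер"] for d in docs if d.get("ПолучательСчет") not in allowed]


if __name__ == "__main__":
    orders = parse_1c_to_kl(SAMPLE_1C_TO_KL)
    print("orders:", len(orders), "total:", total_amount(orders))
    # constructed allow-list containing only the first recipient
    print("not on allow-list:", unknown_payees(orders, {"40702810500000005678"}))
```

Because the 1c_2_kl agent intercepts the file between 1C writing it and the bank client reading it, the check is only meaningful if it runs on something the workstation cannot alter, for instance by comparing the file's hash or its recipient list on the bank side or on a separate approval host against what the accountant actually entered.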

4.8.2. Privilege escalation

RTM may try to escalate privileges by displaying fake error messages. The malware imitates a registry check (see the figure below) or uses the real registry editor icon. Note the misspelling "whait". After a few seconds of "checking", the program displays a fake error message.

[Figure: fake registry check]

[Figure: fake error message]

The fake message easily deceives an average user, despite its grammatical errors. If the user clicks one of the two links, RTM tries to elevate its privileges on the system.

After the user selects one of the two recovery options, the Trojan launches its DLL with the runas verb of the ShellExecute function to request administrator rights. The user sees a genuine Windows elevation prompt (see the figure below). If the user grants the request, the Trojan runs with administrator privileges.

[Figure: Windows elevation prompt]

Depending on the default language set on the system, the Trojan displays the error messages in Russian or English.

4.8.3. Certificate

RTM can add certificates to the Windows certificate store and confirm the addition by automatically clicking the "Yes" button in the csrss.exe dialog box. This behaviour is not new; the Retefe banking Trojan, for example, also confirms the installation of a new certificate on its own.

4.8.4. Reverse connection

The RTM authors have also built a backconnect TCP tunnel. We have not yet seen this feature in use, but it is intended for remote control of infected PCs.

4.8.5. Hosts file management

The C&C server can instruct the Trojan to modify the Windows hosts file. The hosts file is used to impose custom DNS resolution.

4.8.6. Find and send a file

The server can request that a file be found on the infected system and uploaded. For example, during the research we received a request for the file 1c_to_kl.txt. As described earlier, this file is generated by the 1C: Enterprise 8 accounting system.

4.8.7. Update

Finally, the RTM authors can update the software by sending a new DLL to replace the current version.

5. Conclusion

The RTM research shows that the Russian banking sector still attracts cyber attackers. Groups such as Buhtrap, Corkow and Carbanak have successfully stolen money from financial institutions and their clients in Russia. RTM is a new player in this field.

RTM's malicious tools have been in use since at least the end of 2015, according to ESET telemetry. The program has a full set of spying capabilities, including detecting smart card readers, intercepting keystrokes and monitoring banking transactions, as well as searching for 1C: Enterprise 8 transport files.

The use of the decentralized, uncensored .bit top-level domain gives the infrastructure a high degree of resilience.

Source: www.habr.com
