Attackers use complex malware to attack Russian businesses

Since the end of last year, we have been tracking a malicious campaign distributing a banking Trojan. The attackers focused on compromising Russian companies, i.e. corporate users. The campaign has been active for about a year and, in addition to the banking Trojan, the attackers have turned to other software tools. These include a special loader packed with NSIS, and spyware disguised as the well-known legitimate Yandex Punto software. Once the attackers manage to compromise a victim's computer, they install a backdoor and then the banking Trojan.


For their malware, the attackers used several digital certificates that were valid at the time, together with special techniques for evading AV products. The campaign targeted a large number of Russian banks and is particularly interesting because the attackers used methods typical of targeted attacks, i.e. attacks not motivated purely by financial fraud. We can see some similarities between this campaign and a major incident that was widely publicised earlier: the cybercriminal group that used the Anunak/Carbanak banking Trojan.

The attackers installed the malware only on computers whose Windows installation used the Russian language (localization) by default. The main distribution vector for the Trojan was a Word document with an exploit for CVE-2012-0158, sent as an e-mail attachment. The figures below show what such fake documents looked like. The first document is titled "Invoice No. 522375-FLORL-14-115.doc", and the second "kontrakt87.doc", a copy of a contract for the provision of mobile communication services by the operator Megafon.

Fig. 1. Phishing document.

Fig. 2. Another variant of the phishing document.

The following facts indicate that the attackers targeted Russian businesses:

  • distribution of the malware using fake documents on a relevant topic;
  • the attackers' tactics and the malicious tools they use;
  • references to business applications in some of the executable modules;
  • the names of the malicious domains used in this campaign.

The special software tools the attackers install on a compromised system allow them to gain remote control of the system and monitor user activity. To perform these tasks, they install a backdoor and also try to obtain the Windows account password or create a new account. The attackers also use a keylogger, a Windows clipboard stealer, and special software for working with smart cards. The group tried to compromise other computers on the same network as the victim's computer.

Our ESET LiveGrid telemetry system, which lets us quickly track malware distribution statistics, gave us interesting geographical statistics on the distribution of the malware used by the attackers in this campaign.

Fig. 3. Geographical distribution statistics for the malware used in this malicious campaign.

Installing the malware

After the user opens the malicious document with the exploit on a vulnerable system, a special downloader packed with NSIS is downloaded and executed there. At the start of its work, the program checks the Windows environment for the presence of debuggers or for execution inside a virtual machine. It also checks the Windows localization and whether the user has visited the URLs listed in the table below in the browser. The APIs used for this are FindFirst/NextUrlCacheEntry and the Software\Microsoft\Internet Explorer\TypedURLs registry key.

[Table: URLs the loader checks for in the browser history (image not reproduced).]

The loader checks for the presence of the following applications on the system.

[Table: applications the loader checks for (image not reproduced).]

The list of applications is interesting and, as you can see, includes more than just banking applications. For example, the executable named "scardsvr.exe" refers to software for working with smart cards (Microsoft SmartCard reader). The banking Trojan itself includes the ability to work with smart cards.

Fig. 4. General diagram of the malware installation process.

If all checks complete successfully, the loader downloads a special file (an archive) from a remote server, which contains all the malicious executable modules used by the attackers. It is interesting to note that, depending on the outcome of the checks above, the archives downloaded from the remote C&C server may differ. The archive may or may not be malicious. If it is not malicious, it installs the Windows Live Toolbar for the user. Most likely, the attackers used such tricks to fool automated file analysis systems and the virtual machines in which suspicious files are executed.

The file downloaded by the NSIS downloader is a 7z archive containing various malware modules. The figure below shows the whole installation process of this malware and its various modules.

Fig. 5. General scheme of how the malware works.

Although the loaded modules serve different purposes for the attackers, they are packed identically and many of them are signed with digital certificates. We found four certificates used by the attackers since the beginning of the campaign. Following our complaint, these certificates were revoked. It is interesting to note that all the certificates were issued to companies registered in Moscow.

Fig. 6. Digital certificate used to sign the malware.

The following table shows the digital certificates used by the attackers in this malicious campaign.

[Table: digital certificates used by the attackers (image not reproduced).]

Almost all the malicious modules used by the attackers have the same installation procedure. They are self-extracting, password-protected 7zip archives.

Fig. 7. Fragment of the install.cmd batch file.

The .cmd batch file is responsible for installing the malware on the system and launching the various attack tools. If execution requires administrator rights that are not available, the malicious code uses several methods to obtain them (UAC bypass). The first method uses two executables named l1.exe and cc1.exe, which bypass UAC using the leaked Carberp source code. The second method is based on exploiting the CVE-2013-3660 vulnerability. Each malware module that needs privilege escalation carries both a 32-bit and a 64-bit version of the exploit.

While tracking this campaign, we analysed several archives downloaded by the loader. The contents of the archives varied, meaning the attackers can adapt the set of malicious modules to different purposes.

User compromise

As mentioned above, the attackers use special tools to compromise users' computers. These tools include programs with the executable file names mimi.exe and xtm.exe. They help the attackers take control of the victim's computer and specialise in the following tasks: obtaining or recovering Windows account passwords, enabling the RDP service, and creating a new account in the OS.

The mimi.exe executable contains a modified version of the well-known open-source tool Mimikatz. This tool allows obtaining Windows user account passwords. The attackers removed the part of Mimikatz responsible for user interaction. The executable code was also modified so that, when launched, Mimikatz runs the privilege::debug and sekurlsa::logonPasswords commands.

Another executable, xtm.exe, launches special scripts that enable the RDP service on the system, try to create a new account in the OS, and also change system settings to allow several users to connect to the compromised computer simultaneously via RDP. Obviously, these steps are needed to gain full control of the compromised system.

Fig. 8. Commands executed by xtm.exe on the system.

The attackers use another executable called impack.exe, which installs special software on the system. This software is called LiteManager and is used by the attackers as a backdoor.

Fig. 9. LiteManager interface.

Once installed on the user's system, LiteManager allows the attackers to connect directly to that system and control it remotely. This software has special command-line parameters for its hidden installation, the creation of special firewall rules, and the launching of its module. All these parameters are used by the attackers.

The last module of the malware package used by the attackers is a banking malware program (banker) with the executable file name pn_pack.exe. It specialises in spying on the user and is responsible for interacting with the C&C server. The banker is launched using the legitimate Yandex Punto software. Punto is used by the attackers to load malicious DLL libraries (DLL side-loading technique). The malware itself can perform the following tasks:

  • log keystrokes and clipboard contents for subsequent transmission to the remote server;
  • enumerate all smart cards present in the system;
  • communicate with the remote C&C server.

The malware module responsible for performing all these tasks is an encrypted DLL library. It is decrypted and loaded into memory during Punto's execution. To perform the above tasks, the DLL's executable code starts three threads.

The fact that the attackers chose the Punto software for their purposes is not surprising: some Russian forums openly provide detailed information on topics such as exploiting flaws in legitimate software to compromise users.

The malicious library uses the RC4 algorithm to encrypt its strings and also to encrypt its network communication with the C&C server. It contacts the server every two minutes and transmits all the data collected on the compromised system during that period.

Fig. 10. Fragment of network communication between the bot and the server.

Below are some of the C&C server commands the library can receive.

[Table: C&C server commands received by the library (image not reproduced).]

In response to commands received from the C&C server, the malware replies with a status code. It is interesting to note that all the banker modules we analysed (the most recent with a compilation date of January 18) contain the string "TEST_BOTNET", which is sent in every message to the C&C server.
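The two properties described above, RC4-encrypted C&C traffic and a fixed "TEST_BOTNET" string in every message, give an analyst a known-plaintext check for validating a candidate RC4 key pulled from the DLL. The following is an added example, not ESET's or the campaign's code; the key, the message layout and the captured bytes are all constructed for the demonstration.

```python
"""Added example: RC4 known-plaintext key validation for the banker's C&C
traffic. Not code from the article; key and beacon layout are CONSTRUCTED."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# The article reports this string in every bot message; use it as the
# known plaintext that confirms a candidate key.
MARKER = b"TEST_BOTNET"


def recover_key(ciphertext: bytes, candidates):
    """Try each candidate key (e.g. strings carved from the DLL); the first
    one whose decryption contains MARKER is accepted.
    Returns (key, plaintext) or (None, None)."""
    for key in candidates:
        plaintext = rc4(key, ciphertext)
        if MARKER in plaintext:
            return key, plaintext
    return None, None


# Constructed sample beacon: hypothetical field layout, not the real format.
SAMPLE_KEY = b"s3cret-demo-key"                       # constructed
SAMPLE_PLAIN = b"TEST_BOTNET|id=DEMO01|ver=1|cards=0"  # constructed
SAMPLE_C2 = rc4(SAMPLE_KEY, SAMPLE_PLAIN)             # "captured" bytes

if __name__ == "__main__":
    key, msg = recover_key(SAMPLE_C2, [b"wrong", b"also-wrong", SAMPLE_KEY])
    print(key, msg)
```

With a real capture, the candidate list would be the strings decrypted from the DLL's string table, and the marker check prevents accepting a key whose output merely looks like noise.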

Conclusion

To compromise corporate users, the attackers first compromise one employee of the company by sending a phishing message with an exploit. Then, once the malware is installed on the system, they use software tools that help them significantly extend their privileges on the system and perform further tasks on it: compromising other computers on the company network and spying on the user, including the banking transactions they perform.

Source: www.habr.com
