In recent years, mobile Trojans have been actively displacing Trojans for personal computers, so the appearance of new malware for the "good old" machines, and its active use by cybercriminals, unpleasant as it is, is still an event. Recently, the round-the-clock information security incident response centre of CERT Group-IB detected an unusual phishing email that concealed new PC malware combining keylogger and password stealer functions. The analysts' attention was drawn to how the spyware got onto the user's machine: via a popular voice messenger. Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, explains how the malware works, why it is dangerous, and how he even tracked down its creator in far-off Iraq.
So, let us go in order. Under the guise of a screenshot of an attachment, the email contained an image; clicking it took the user to cdn.discordapp.com, from where the malicious file was downloaded.
Using Discord, a free voice and text messenger, is unusual. Usually other instant messengers or social networks are used for these purposes.
During a detailed analysis, the malware family was identified. It turned out to be a newcomer to the malware market: 404 Keylogger.
The first advertisement for the sale of the keylogger was posted on hackforums by a user under the nickname "404 Coder" on August 8.
The store domain was registered quite recently, on September 7, 2019.
As the developers state on the website 404projects[.]xyz, 404 is a tool designed to help companies learn about the activities of their customers (with their consent), or for those who want to protect their binary from reverse engineering. Looking ahead, we will say that 404 definitely cannot do the latter.
We decided to unpack one of the files and see what the "BEST SMART KEYLOGGER" is.
Malware ecosystem
Loader 1 (AtillaCrypter)
The source file is protected with EaxObfuscator and performs a two-stage load of AtProtect from the resource section. During analysis of other samples found on VirusTotal, it became clear that this stage was not supplied by the developer himself but was added by his customer. It was later established that this loader is AtillaCrypter.
Loader 2 (AtProtect)
In fact, this loader is an integral part of the malware and, according to the developer's intent, should take on the function of counteracting analysis.
However, in practice the protection mechanisms are extremely primitive, and our systems successfully detect this malware.
The main module is loaded using Franchy ShellCode of various versions. However, we do not rule out that other options could have been used, for example RunPE.
Configuration file
Persistence in the system
Persistence in the system is provided by the AtProtect loader if the corresponding flag is set.
- The file is copied to the path %AppData%\GFqaak\Zpzwm.exe.
- The file %AppData%\GFqaak\WinDriv.url is created, which launches Zpzwm.exe.
- A WinDriver.url startup entry is created in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
Interaction with C&C
AtProtect loader
If the corresponding flag is present, the malware can launch a hidden iexplorer process and follow the specified link to notify the server of a successful infection.
DataStealer
Regardless of the method used, network communication begins with obtaining the victim's external IP address using the resource [http]://checkip[.]dyndns[.]org/.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
The general structure of the message is the same. There is a header
|--- 404 Keylogger -- {Type} ---| where {Type} corresponds to the type of information being transmitted.
This is followed by information about the system:
_______ + VICTIM INFO + _______
IP: {External IP}
Owner Name: {Computer Name}
System Name: {OS Name}
OS Version: {OS Version}
OS PlatForm: {Platform}
RAM Size: {RAM size}
______________________________
And finally, the transmitted data.
SMTP
The subject line of the email looks like this: 404 K | {Message Type} | Client Name: {Username}.
Interestingly, the developers' own SMTP server is used to deliver the emails to the 404 Keylogger customer.
This made it possible to identify some of the customers, as well as the email address of one of the developers.
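As an added triage helper (written for this edit, not code from the article or from Group-IB), the following Python recognises the report header and VICTIM INFO block described above and the SMTP subject format; the sample report, the field labels as rendered here and the regular expressions are assumptions about the exact layout.

```python
import re

# Constructed sample body following the report layout described above
# (header, VICTIM INFO block, then the data); all values are invented.
SAMPLE_REPORT = """|--- 404 Keylogger -- Passwords ---|
_______ + VICTIM INFO + _______
IP: 198.51.100.23
Owner Name: DESKTOP-EXAMPLE
System Name: Microsoft Windows 10 Pro
OS Version: 10.0.19044
OS PlatForm: Win32NT
RAM Size: 16 GB
______________________________
(stolen data would follow here)
"""

# Header: |--- 404 Keylogger -- {Type} ---|  (dash counts may vary, so -+ is used)
HEADER_RE = re.compile(r"^\|-+\s*404 Keylogger\s*-+\s*(?P<type>.+?)\s*-+\|\s*$", re.M)
# Subject: 404 K | {Message Type} | Client Name: {Username}
SUBJECT_RE = re.compile(r"^404 K \| (?P<type>[^|]+?) \| Client Name: (?P<user>.+?)\s*$")
# Field labels of the VICTIM INFO block as rendered in this write-up (assumed)
FIELD_RE = re.compile(
    r"^(IP|Owner Name|System Name|OS Version|OS PlatForm|RAM Size):\s*(.+?)\s*$", re.M)


def parse_404k_report(body: str):
    """Return (message_type, victim_info dict) if body carries a 404 Keylogger
    header, else None. Only the VICTIM INFO block is parsed; the payload that
    follows it is left untouched."""
    m = HEADER_RE.search(body)
    if not m:
        return None
    start = body.find("+ VICTIM INFO +")
    end = body.find("\n_____", start + 1) if start != -1 else -1
    block = body[start:end] if start != -1 and end != -1 else ""
    return m.group("type"), dict(FIELD_RE.findall(block))


def parse_404k_subject(subject: str):
    """Return (message_type, username) for a 404 Keylogger SMTP subject, else None."""
    m = SUBJECT_RE.match(subject)
    return (m.group("type"), m.group("user")) if m else None
```

Pointing these functions at mail-gateway or FTP-capture archives gives a quick way to confirm an infection and recover the victim host name from the exfiltrated report.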
FTP
When this method is used, the collected information is saved to a file and immediately read back from it.
The logic behind this action is not entirely clear, but it creates an additional artifact for writing behavioural rules.
%HOMEDRIVE%%HOMEPATH%\Documents\A{Arbitrary number}.txt
Pastebin
At the time of analysis, this method is used only to transfer stolen passwords. Moreover, it is used not as an alternative to the first two, but in parallel with them. The condition is a constant equal to "Vavaa". Presumably, this is the name of the customer.
Interaction takes place over HTTPS through the pastebin API. The value of api_paste_private is equal to PASTE_UNLISTED, which prevents such pages from being searched for inside pastebin.
Encryption algorithms
Extracting a file from resources
The payload is stored in the resources of the AtProtect loader in the form of Bitmap images. Extraction is carried out in several stages:
- An array of bytes is extracted from the image. Each pixel is treated as a sequence of 3 bytes in BGR order. After extraction, the first 4 bytes of the array hold the length of the message, and the following bytes hold the message itself.
- The key is calculated. To do this, the MD5 of the value "ZpzwmjMJyfTNiRalKVrcSkxCN", specified as the password, is computed. The resulting hash is written twice.
- Decryption is performed using the AES algorithm in ECB mode.
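The extraction scheme above, reimplemented in Python for analysts who need to pull the payload out of a sample's bitmap resources (an added example, not the malware's code or a Group-IB tool). It assumes the length prefix is little-endian, that "written twice" means plain concatenation of the MD5 digest into a 32-byte key, PKCS7 padding, and the third-party cryptography package for AES; the 3-pixel image is constructed.

```python
import hashlib
import struct

# Password named in the article; the MD5 of it, written twice, forms the key.
PASSWORD = "ZpzwmjMJyfTNiRalKVrcSkxCN"


def derive_key(password: str) -> bytes:
    """MD5 of the password, written twice -> 32-byte AES-256 key.
    Treating 'written twice' as plain concatenation is an assumption."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return digest + digest


def bytes_from_pixels(pixels) -> bytes:
    """pixels: iterable of (r, g, b) tuples in image order.
    Each pixel is read as three bytes in BGR order; the first 4 bytes of the
    array hold the message length (little-endian assumed), the rest the message."""
    raw = bytearray()
    for r, g, b in pixels:
        raw += bytes((b, g, r))
    if len(raw) < 4:
        raise ValueError("image too small to hold a length prefix")
    (length,) = struct.unpack("<I", raw[:4])
    if length > len(raw) - 4:
        raise ValueError("length prefix exceeds available pixel data")
    return bytes(raw[4:4 + length])


def decrypt_payload(blob: bytes, key: bytes) -> bytes:
    """AES-ECB decryption of the extracted blob with PKCS7 padding (assumed).
    Uses the third-party 'cryptography' package, imported lazily."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    if not blob or len(blob) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    padded = dec.update(blob) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


# Constructed 3-pixel image carrying the byte array 05 00 00 00 41 42 43 44 45
# (length prefix 5, then "ABCDE"); tuples are (r, g, b), stored BGR.
DEMO_PIXELS = [(0x00, 0x00, 0x05), (0x42, 0x41, 0x00), (0x45, 0x44, 0x43)]

if __name__ == "__main__":
    print(bytes_from_pixels(DEMO_PIXELS))  # b'ABCDE'
    print(derive_key(PASSWORD).hex())
```

On a real sample, feed the pixel tuples of the extracted bitmap resource to bytes_from_pixels and pass the result with derive_key(PASSWORD) to decrypt_payload; a padding error usually means the key-layout or endianness assumption needs adjusting.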
Malicious functionality
Downloader
Implemented in the AtProtect loader.
- Using [activelink-repalce], the server status is requested to confirm that it is ready to serve the file. The server should return "ON".
- The payload is downloaded from the link [downloadlink-replace].
- Using FranchyShellcode, the payload is injected into the process [inj-replace].
During analysis of the domain 404projects[.]xyz, other 404 Keylogger samples were found on VirusTotal, as well as several types of loaders.
Conventionally, they are divided into two types:
- Loading is carried out from the resource 404projects[.]xyz. The data is Base64 encoded and AES encrypted.
- This option consists of several stages and is most likely used together with the AtProtect loader.
- At the first stage, the data is loaded from pastebin and decoded using the HexToByte function.
- At the second stage, the loading source is 404projects[.]xyz. The decompression and decoding functions are identical to those found in DataStealer. It was probably originally planned to implement the loader functionality in the main module.
- In this case, the payload is already located in the resource manifest in compressed form. Similar extraction functions were also found in the main module.
Among the analysed files, the loaders delivered njRat, SpyGate and other RATs.
Keylogger
Log sending period: 30 minutes.
All characters are supported. Special characters are escaped. The BackSpace and Delete keys are handled. Case sensitive.
ClipboardLogger
Log sending period: 30 minutes.
Buffer polling period: 0.1 seconds.
Link escaping is implemented.
ScreenLogger
Log sending period: 30 minutes.
Screenshots are saved to %HOMEDRIVE%%HOMEPATH%\Documents\404k\404pic.png.
After sending, the 404k folder is deleted.
PasswordStealer
Browsers | Mail clients | FTP clients
---|---|---
Chrome | Outlook | FileZilla
Firefox | Thunderbird |
SeaMonkey | Foxmail |
icedragon | |
PaleMoon | |
cyberfox | |
Chrome | |
BraveBrowser | |
QQBrowser | |
IridiumBrowser | |
XvastBrowser | |
Chedot | |
360Browser | |
ComodoDragon | |
360Chrome | |
SuperBird | |
CentBrowser | |
GhostBrowser | |
IronBrowser | |
chromium | |
Vivaldi | |
SlimjetBrowser | |
orbitum | |
CocCoc | |
Torch | |
UCBrowser | |
EpicBrowser | |
BliskBrowser | |
dhanzi | |
Countering dynamic analysis
- Checking whether the process is under analysis
Implemented by searching for the processes taskmgr, ProcessHacker, procexp64, procexp, procmon. If any of them is found, the malware exits.
- Checking whether it is running in a virtual environment
Implemented by searching for the processes vmtoolsd, VGAuthService, vmacthlp, VBoxService, VBoxTray. If any of them is found, the malware exits.
- Sleeping for 5 seconds
- Displaying various kinds of dialog boxes
Can be used to bypass some sandboxes.
- UAC bypass
Performed by editing the EnableLUA registry key in the Group Policy settings.
- Sets the "Hidden" attribute on the current file.
- Ability to delete the current file.
Inactive features
During analysis of the loader and the main module, functions were found that are responsible for additional functionality but are not used anywhere. This is probably because the malware is still under development and its functionality will be expanded soon.
AtProtect loader
A function was found that is responsible for loading and injecting an arbitrary module into the iexplorer.exe process.
DataStealer
- Persistence in the system
- Decompression and decryption functions
It is likely that encryption of data during network communication will be implemented soon.
- Terminating antivirus processes (the sample embeds a long hard-coded list of process names, mostly belonging to older antivirus products)
- Self-destruction
- Loading data from a specified resource manifest
- Copying the file to the path %Temp%\tmpG\{Current date and time in milliseconds}.tmp
Interestingly, identical functionality is present in the AgentTesla malware.
- Worm functionality
The malware obtains a list of removable media. A copy of the malware is created in the root of the media file system under the name Sys.exe. Autorun is implemented using the autorun.inf file.
Attacker profile
During analysis of the command centre, it was possible to establish the email address and nicknames of the developer: Razer, aka Brwa, Brwa65, HiDDen PerSON, 404 Coder. Next, we found an interesting video on YouTube demonstrating work with the builder.
This made it possible to find the developer's original channel.
It became clear that he had experience writing cryptors. There are also links to pages on social networks, as well as the real name of the author. He turned out to be a resident of Iraq.
This is what the alleged 404 Keylogger developer looks like. Photo from his personal Facebook profile.
CERT Group-IB announced the new threat, 404 Keylogger, from its round-the-clock cyber threat monitoring and response centre (SOC) in Bahrain.
Source: www.habr.com