Muddy water: how hackers from MuddyWater attacked a Turkish military electronics manufacturer


Iranian pro-government hackers are in deep trouble. All spring, unknown persons have been publishing "secret leaks" on Telegram: information about Iran's state-linked APT groups OilRig and MuddyWater, their tools, their victims and their connections. But not about everyone. In April, Group-IB specialists discovered a leak of e-mail addresses belonging to the Turkish company ASELSAN A.Ş, which produces tactical military radios and electronic defense systems for the Turkish armed forces. Anastasia Tikhonova, Head of Group-IB's Advanced Threat Research Team, and Nikita Rostovtsev, junior analyst at Group-IB, describe how the attack on ASELSAN A.Ş unfolded and identify a possible participant in MuddyWater.

Exposure via Telegram

The leaks about Iranian APT groups began when a certain Lab Dookhtegan published the source code of six APT34 tools (the group is also known as OilRig and HelixKitten), exposed IP addresses and domains used in its operations, and released data on 66 victims, including Etihad Airways and Emirates National Oil. Lab Dookhtegan also leaked data on the group's past operations and information on employees of Iran's Ministry of Intelligence and National Security who are allegedly linked to those operations. OilRig is an Iran-linked APT group that has been active since 2014; it targets government, financial and military organizations as well as energy and telecommunications companies in the Middle East and China.

After OilRig was exposed, the leaks continued: information about the activity of another pro-state group from Iran, MuddyWater, appeared on the darknet and on Telegram. Unlike the first leak, however, this time it was not source code that was published but dumps, including screenshots of source code, command-and-control servers and the IP addresses of past victims. This time the Green Leakers hackers claimed responsibility for the MuddyWater dump. They run several Telegram channels and darknet sites where they advertise and sell data related to MuddyWater's operations.

Cyber spies from the Middle East

MuddyWater is a group that has been operating in the Middle East since 2017. For example, as Group-IB experts noted, from February to April 2019 the attackers ran a series of phishing mailings aimed at government, educational, financial, telecommunications and defense organizations in Turkey, Iran, Afghanistan, Iraq and Azerbaijan.

The group's members use a backdoor of their own development, built on PowerShell and known as POWERSTATS. It can:

  • collect data on local and domain accounts, reachable file servers, internal and external IP addresses, and the OS name and architecture;
  • execute code remotely;
  • upload and download files via the C&C server;
  • detect the presence of debuggers used for analyzing malicious files;
  • shut down the system if malware-analysis programs are found;
  • delete files from local drives;
  • take screenshots;
  • disable security measures in Microsoft Office products.

At one point the attackers made a mistake, and ReaQta researchers were able to obtain their final IP address, which was located in Tehran. Given the targets the group attacked and its cyber-espionage objectives, the experts concluded that the group represents the interests of the Iranian government.

Attack indicators

C&C:

  • gladiator[.]tk
  • 94.23.148[.]194
  • 192.95.21[.]28
  • 46.105.84[.]146
  • 185.162.235[.]182

Files:

  • 09aabd2613d339d90ddbd4b7c09195a9
  • cfa845995b851aacdf40b8e6a5b87ba7
  • a61b268e9bc9b7e6c9125cdbfb1c422a
  • f12bab5541a7d8ef4bbca81f6fc835a3
  • a066f5b93f4ac85e9adfe5ff3b10bc28
  • 8a004e93d7ee3b26d94156768bc0839d
  • 0638adf8fb4095d60fbef190a759aa9e
  • eed599981c097944fa143e7d7f7e17b1
  • 21aebece73549b3c4355a6060df410e9
  • 5c6148619abb10bb3789dcfb32f759a6

Turkey under attack

On April 10, 2019, Group-IB specialists discovered a leak of e-mail addresses belonging to the Turkish company ASELSAN A.Ş, the largest company in the field of military electronics in Turkey. Its products include radar and electronic warfare, electro-optics, avionics, unmanned systems, land, naval, weapon and air defense systems.

While studying one of the new POWERSTATS malware samples, Group-IB specialists determined that the MuddyWater group used as a decoy document a license agreement between Koç Savunma, a company that develops solutions in information and defense technologies, and Tubitak Bilgem, a research center for information security and advanced technologies. The contact person for Koç Savunma was Tahir Taner Tımış, who held the position of Programs Manager at Koç Bilgi ve Savunma Teknolojileri A.Ş. from September 2013 to December 2018. He later went to work at ASELSAN A.Ş.

Screenshot of the decoy document

After the user enables the malicious macros, the POWERSTATS backdoor is downloaded to the victim's computer.
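The macro-to-backdoor chain above and the attack indicators listed earlier translate naturally into a hunting rule. The following is an added example, not code from Group-IB or from the article: it runs the published C&C hosts and sample MD5s, plus a behavioural check for an Office application spawning a script host, over a handful of constructed Sysmon-style events. The event field names, the host names, the process-name lists and the telemetry itself are assumptions made for the demonstration; only the domain, IP and MD5 values come from the article.

```python
from typing import Dict, List, Optional

# Network indicators from the article, kept defanged as published and refanged on load.
C2_DOMAINS = {"gladiator[.]tk"}
C2_IPS = {"94.23.148[.]194", "192.95.21[.]28", "46.105.84[.]146", "185.162.235[.]182"}

# MD5s of the POWERSTATS samples and decoy documents listed in the article.
SAMPLE_MD5S = {
    "09aabd2613d339d90ddbd4b7c09195a9", "cfa845995b851aacdf40b8e6a5b87ba7",
    "a61b268e9bc9b7e6c9125cdbfb1c422a", "f12bab5541a7d8ef4bbca81f6fc835a3",
    "a066f5b93f4ac85e9adfe5ff3b10bc28", "8a004e93d7ee3b26d94156768bc0839d",
    "0638adf8fb4095d60fbef190a759aa9e", "eed599981c097944fa143e7d7f7e17b1",
    "21aebece73549b3c4355a6060df410e9", "5c6148619abb10bb3789dcfb32f759a6",
}


def refang(ioc: str) -> str:
    """Turn the published 'x[.]y' form back into a matchable host or IP."""
    return ioc.replace("[.]", ".")


DOMAINS = {refang(d) for d in C2_DOMAINS}
IPS = {refang(i) for i in C2_IPS}

# Behavioural rule for the macro stage: an Office application should not be the
# parent of a script host such as powershell.exe (process-name lists are assumptions).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> Optional[str]:
    """Return an alert string if the event matches an indicator, otherwise None."""
    kind = ev.get("kind")
    if kind == "process":
        parent, child = image_name(ev["parent_image"]), image_name(ev["image"])
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            return f"{ev['host']}: {parent} spawned {child} (macro-launched script host)"
    elif kind == "network":
        name = ev.get("dest_host", "").lower().rstrip(".")
        ip = ev.get("dest_ip", "")
        if ip in IPS or name in DOMAINS or any(name.endswith("." + d) for d in DOMAINS):
            return f"{ev['host']}: connection to MuddyWater C&C {name or ip}"
    elif kind == "file":
        if ev.get("md5", "").lower() in SAMPLE_MD5S:
            return f"{ev['host']}: known MuddyWater sample {ev['path']} ({ev['md5']})"
    return None


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Run every event through the indicator checks and keep only the hits."""
    return [hit for ev in events if (hit := check_event(ev)) is not None]


# Constructed Sysmon-style telemetry (not real logs) for a quick self-check:
# three of the six events should fire, the other three are benign.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "WS-042",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"kind": "process", "host": "WS-042",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"kind": "network", "host": "WS-042", "dest_host": "gladiator.tk", "dest_ip": "94.23.148.194"},
    {"kind": "network", "host": "WS-017", "dest_host": "updates.example.net", "dest_ip": "203.0.113.10"},
    {"kind": "file", "host": "WS-042", "path": r"C:\Users\tt\Downloads\F35-Specifications.doc",
     "md5": "5c6148619abb10bb3789dcfb32f759a6"},
    {"kind": "file", "host": "WS-017", "path": r"C:\Users\ab\Documents\report.doc",
     "md5": "00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The hash and C&C matches are brittle by design: the article itself notes that the group changes tooling after exposure, so the parent-child process rule is the part worth keeping in a detection set long after these specific indicators have gone stale.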

Thanks to the metadata of this decoy document (MD5: 0638adf8fb4095d60fbef190a759aa9e), the researchers were able to find three more samples with identical characteristics, including the creation date and time, the user name, and the list of macros they contain:

  • ListOfHackedEmails.doc (eed599981c097944fa143e7d7f7e17b1)
  • asd.doc (21aebece73549b3c4355a6060df410e9)
  • F35-Specifications.doc (5c6148619abb10bb3789dcfb32f759a6)
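The pivot described above, from one decoy document to three more via shared metadata, is the kind of clustering an analyst repeats on every new sample set. The following is an added example, not code from Group-IB or from the article. It fingerprints macro-enabled OOXML files by creator, creation timestamp and a hash of the VBA project stream (used here as a proxy for "the same set of macros"), then groups files that share a fingerprint. Everything in the corpus is constructed in memory: the creator name, timestamps and macro bytes are assumptions, and the file names only echo the ones from the article. The real samples are legacy .doc (OLE2) files, whose creator and creation time live in the SummaryInformation stream and are read with a library such as olefile; the grouping logic is the same.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# (creator, created timestamp, short hash of the VBA project or None if no macros)
Fingerprint = Tuple[str, str, Optional[str]]


def fingerprint(blob: bytes) -> Fingerprint:
    """Extract the pivot key from an OOXML container: who created it, when, and
    which macro project it carries."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        creator = core.findtext("dc:creator", default="", namespaces=NS)
        created = core.findtext("dcterms:created", default="", namespaces=NS)
        vba_hash = None
        if "word/vbaProject.bin" in z.namelist():
            vba_hash = hashlib.sha256(z.read("word/vbaProject.bin")).hexdigest()[:16]
    return (creator, created, vba_hash)


def cluster(docs: Dict[str, bytes]) -> Dict[Fingerprint, List[str]]:
    """Group documents sharing a fingerprint. Singletons are dropped: a pivot is
    only useful when at least two files match."""
    groups: Dict[Fingerprint, List[str]] = defaultdict(list)
    for name, blob in docs.items():
        groups[fingerprint(blob)].append(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


def make_doc(creator: str, created: str, vba: Optional[bytes]) -> bytes:
    """Build a minimal macro-enabled OOXML file in memory (constructed test data)."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{NS["xsi"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<w:document/>")
        if vba is not None:
            z.writestr("word/vbaProject.bin", vba)
    return buf.getvalue()


# Constructed corpus: four files produced from one template (same creator, same
# creation timestamp, same macro project), one clean file, and one file from the
# same author and time but with a different macro set, which must not cluster.
SHARED_VBA = b'Attribute VB_Name = "ThisDocument"\nSub AutoOpen()\nEnd Sub\n'
TEMPLATE_AUTHOR, TEMPLATE_TIME = "operator1", "2019-03-01T09:12:00Z"
SAMPLE_DOCS = {
    "decoy.docm": make_doc(TEMPLATE_AUTHOR, TEMPLATE_TIME, SHARED_VBA),
    "ListOfHackedEmails.docm": make_doc(TEMPLATE_AUTHOR, TEMPLATE_TIME, SHARED_VBA),
    "asd.docm": make_doc(TEMPLATE_AUTHOR, TEMPLATE_TIME, SHARED_VBA),
    "F35-Specifications.docm": make_doc(TEMPLATE_AUTHOR, TEMPLATE_TIME, SHARED_VBA),
    "quarterly-report.docx": make_doc("alice", "2019-02-11T14:00:00Z", None),
    "other-macro.docm": make_doc(TEMPLATE_AUTHOR, TEMPLATE_TIME, b"Sub Other()\nEnd Sub\n"),
}

if __name__ == "__main__":
    for key, names in cluster(SAMPLE_DOCS).items():
        print(key, "->", names)
```

Hashing the whole VBA project stream is deliberately strict: it ties files to one build of the macro, which is what you want when the goal is to attribute samples to a single operator template rather than to a malware family.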

Screenshot of the identical metadata across the different decoy documents

One of the documents found, named ListOfHackedEmails.doc, contains a list of 34 e-mail addresses in the @aselsan.com.tr domain.

Group-IB specialists checked these e-mail addresses against publicly available leaks and found that 28 of them had been compromised in previously discovered dumps. A check across the available leaks as a whole turned up about 400 unique logins associated with this domain, together with their passwords. It is possible that the attackers used this publicly available data to attack ASELSAN A.Ş.

Screenshot of the document ListOfHackedEmails.doc

Screenshot of the list of more than 450 login-password pairs found in public leaks

Among the samples found there was also a document titled F35-Specifications.doc, a reference to the F-35 fighter jet. The decoy document is a specification of the F-35 multi-role fighter-bomber showing the aircraft's characteristics and price. The subject of this decoy is directly tied to the US refusal to supply F-35s after Turkey's purchase of S-400 systems, and to the threat that information about the F-35 Lightning II could be passed to Russia.

All the data obtained indicated that the main targets of MuddyWater's cyberattacks were organizations located in Turkey.

Who are Gladiyator_CRK and Nima Nikjoo?

Earlier, in March 2019, malicious documents were found that had been created by a Windows user with the nickname Gladiyator_CRK. These documents also distributed the POWERSTATS backdoor and connected to a C&C server with the similar name gladiator[.]tk.

This may have happened after a user named Nima Nikjoo tweeted on March 14, 2019, attempting to decode obfuscated code related to MuddyWater. In the replies to that tweet, the researcher said he could not share indicators of compromise for this malware, since that information was confidential. Unfortunately, the post has since been deleted, but screenshots of it remain online.

Screenshots of the deleted tweet
Nima Nikjoo is the owner of the Gladiyator_CRK profile on the Iranian video hosting sites dideo.ir and videoi.ir. On these sites he demonstrates PoCs for disabling antivirus tools from various vendors and bypassing sandboxes. Nima Nikjoo describes himself as a network security specialist, reverse engineer and malware analyst working for MTN Irancell, an Iranian telecommunications company.

Screenshot of the archived videos in Google search results
Later, on March 19, 2019, the Twitter user Nima Nikjoo changed his nickname to Malware Fighter and also deleted the related posts. The Gladiyator_CRK profile on the video hosting site dideo.ir was deleted as well, as it had been on YouTube, and the profile itself was renamed N Tabrizi. Nevertheless, almost a month later (April 16, 2019) the Twitter account began using the name Nima Nikjoo again.

In the course of the study, Group-IB specialists found that Nima Nikjoo had already been mentioned in connection with cybercriminal activity. In August 2014, the Iran Khabarestan blog published information about individuals associated with the cybercriminal group Iranian Nasr Institute. A FireEye investigation stated that the Nasr Institute was a contractor for APT33 and was also involved in DDoS attacks on US banks between 2011 and 2013 as part of a campaign known as Operation Ababil.

In that same blog, Nima Nikju-Nikjoo was named as a developer of malware for spying on Iranians, together with his e-mail address: gladiyator_cracker@yahoo[.]com.

Screenshot of the data attributed to cybercriminals from Iran's Nasr Institute

Translation of the captions shown in the screenshot: Nima Nikio - Spyware developer - Email: (the address given above).

As this data shows, the e-mail address matches the handle used in the attacks and ties together the users Gladiyator_CRK and Nima Nikjoo.

In addition, a post dated June 15, 2017 stated that Nikjoo had been careless in listing references to the Kavosh Security Center in his resume. There is a suspicion that the Kavosh Security Center is sponsored by the Iranian state as a vehicle for funding pro-government hackers.

The LinkedIn profile of the Twitter user Nima Nikjoo lists his first place of work as the Kavosh Security Center, where he worked from 2006 to 2014. During that time he studied various malware and also handled reverse-engineering and obfuscation-related tasks.

Screenshot of the information about Nima Nikjoo's employer from his LinkedIn profile

MuddyWater and an inflated ego

It is curious that the MuddyWater group closely follows all reports and messages published about it by information security experts, and early on even deliberately planted false flags to throw researchers off the scent. For example, their first attack misled experts through the use of DNS Messenger, which was usually associated with the FIN7 group. In other attacks they inserted Chinese strings into the code.

Beyond that, the group likes to leave messages for researchers. For example, they were not pleased that Kaspersky Lab placed MuddyWater third in its annual threat ranking. At the same time, someone, presumably the MuddyWater group, uploaded a PoC exploit to YouTube that disables the Kaspersky Lab antivirus. They also left a comment under the article.

Screenshots of the video on disabling the Kaspersky Lab antivirus and the comment beneath it
It is still difficult to draw an unambiguous conclusion about the involvement of "Nima Nikjoo". Group-IB specialists are considering two versions. Nima Nikjoo may indeed be a hacker from the MuddyWater group who came to light through his own carelessness and increased activity online. The second possibility is that he was deliberately "exposed" by other members of the group in order to divert suspicion from themselves. Either way, Group-IB is continuing its research and will certainly report on its findings.

As for the Iranian APTs, after this series of leaks and dumps they are likely in for a serious "debriefing": the attackers will be forced to substantially change their tools, clean up their tracks and look for possible "moles" in their ranks. Experts did not rule out that they might even take a time-out, but after a short pause the Iranian APT attacks resumed.

Source: www.habr.com
