Cover blown: bringing AgentTesla into the open. Part 1

Recently, a European manufacturer of electrical equipment contacted Group-IB: one of its employees had received a suspicious e-mail with a malicious attachment. Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, performed a detailed analysis of this file, found the AgentTesla spyware inside it, and described what to expect from such malware and why it is dangerous.

With this article we are opening a series of publications on the analysis of potentially dangerous files, and we invite the most curious readers to a free interactive webinar on 5 December on the topic "Malware Analysis: Analysis of Real Cases". All the details are under the cut.

Distribution mechanism

We know that the malware reached the victim's machine via a phishing e-mail. The recipient of the message was most likely BCC'd.

Analysis of the headers shows that the sender of the message was spoofed. In fact, the message was sent from vps56[.]oneworldhosting[.]com.

The e-mail attachment is a WinRar archive qoute_jpeg56a.r15 containing the malicious executable QUUTE_JPEG56A.exe.


Malware ecosystem

Now let's see what the ecosystem of the malware under study looks like. The diagram below shows its structure and the way its components interact.

Now let's look at each malware component in more detail.

Loader

The original file QUUTE_JPEG56A.exe is a compiled AutoIt v3 script.

To obfuscate the original script, an obfuscator with functionality similar to PELock AutoIT-Obfuscator was used.
Deobfuscation is performed in three stages:

  1. Removing the For-If obfuscation

    The first stage is to restore the script's control flow. Control Flow Flattening is one of the most common ways of protecting an application's binary code from analysis. The obfuscating transformations greatly increase the effort needed to extract and recognize the algorithms and data structures.


  2. String recovery

    Two functions are used to encrypt the strings:

    • gdorizabegkvfca - performs a Base64-like decoding


    • xgacyukcyzxz - a simple byte-by-byte XOR of the first string with the length of the second


  3. Removing the BinaryToString and Execute obfuscation


The main payload is stored in split form in the fonts directory of the file's resource section.

The chunks are glued together in the following order: TIEQHCXWFG, EMI, SPDGUHIMPV, KQJMWQQAQTKTFXTUOSW, AOCHKRWWSKWO, JSHMSJPS, NHHWXJBMTTSPXVN, BFUTIFWWXVE, HWJHO, AVZOUMVFRDWFLWU.

The WinAPI function CryptDecrypt is used to decrypt the extracted data, and the session key is derived from the value fZgFiZlJDxvuWatFRgRXZqmNCIyQgMYc, which is used as the key.

The decrypted executable is passed to the RunPE function, which performs ProcessInject into RegAsm.exe using the built-in ShellCode (also known as RunPE ShellCode). Its author is a user of the Spanish forum indetectables[.]net with the nickname Wardow.

It is also worth noting that in one of the threads on this forum, an obfuscator with properties similar to those observed during the analysis of the sample was discussed.

The ShellCode itself is quite simple and attracts attention only by its API call hashing function, borrowed from the Anunak/Carbanak hacker group.


We also know of cases where different versions of Frenchy Shellcode were used.
In addition to the functionality described above, we also identified inactive functions:

  • Blocking manual termination of the process in Task Manager

  • Restarting the child process if it terminates

  • UAC bypass

  • Saving the payload to a file

  • Displaying modal windows

  • Waiting for the mouse cursor position to change

  • AntiVM and AntiSandbox

  • Self-deletion

  • Downloading the payload from the network

We know that such functionality is typical of the CypherIT protector, which, apparently, is the loader in question.


Main module

Next, we will briefly describe the main malware module and consider it in more detail in the second article. In this case, it is a .NET application.

During the analysis, we found that the ConfuserEX obfuscator had been applied.


IELibrary.dll

The library is stored as a resource of the main module and is a known plugin for AgentTesla that provides functionality for extracting various information from the Internet Explorer and Edge browsers.

Agent Tesla is modular spyware distributed under a malware-as-a-service model under the guise of a legitimate keylogger product. Agent Tesla is capable of extracting user credentials from browsers, e-mail clients and FTP clients and sending them to the attackers' server, recording clipboard data, and capturing the device's screen. At the time of analysis, the developers' official website was unavailable.

The entry point is the GetSavedPasswords function of the InternetExplorer class.

In general, code execution is linear and contains no protection against analysis. Only the unimplemented GetSavedCookies function deserves attention. Apparently, the plugin's functionality was meant to be extended, but this was never done.


Anchoring the loader in the system

Let's study how the loader anchors itself in the system. The sample under study does not persist, but in similar cases this is done according to the following scheme:

  1. A Visual Basic script is created in the folder C:\Users\Public

     (a sample script was shown as a screenshot in the original article)

  2. The contents of the loader file are padded with null bytes and saved to the folder %Temp%\<file name>
  3. An autorun key for the script file is created in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
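The three-step scheme above suggests a simple triage check. The helper below is an added example, not code from the article: it looks at HKCU Run entries for a Windows Script Host command or a script/file in one of the two drop folders named above. The folder list, the entry names and the sample commands in DEMO_ENTRIES are constructed for illustration.

```python
# Added example (not from the Group-IB article): triage HKCU Run entries against the
# persistence scheme described above (a .vbs in C:\Users\Public that starts a loader
# copy from %Temp%). Drop-folder list and demo entries are constructed assumptions.
import re
from typing import Dict, List

# %Temp% normally expands to <profile>\AppData\Local\Temp, so both spellings are checked.
DROP_FOLDERS = (r"c:\users\public", "%temp%", r"\appdata\local\temp")
SCRIPT_HOSTS = ("wscript", "cscript")

def first_token(command: str) -> str:
    """Return the executable part of a Run-key command, quotes stripped."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""

def run_entry_findings(command: str) -> List[str]:
    """Reasons an autorun command matches the loader's persistence pattern (empty = clean)."""
    cmd = command.lower()
    exe = first_token(cmd).rsplit("\\", 1)[-1].removesuffix(".exe")
    findings = []
    if exe in SCRIPT_HOSTS or ".vbs" in cmd:
        findings.append("starts a Visual Basic script via the Windows Script Host")
    if any(folder in cmd for folder in DROP_FOLDERS):
        findings.append("references a user-writable drop folder (Public or %Temp%)")
    return findings

def scan_run_entries(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Keep only the entries that produced findings."""
    return {name: f for name, cmd in entries.items() if (f := run_entry_findings(cmd))}

def read_hkcu_run() -> Dict[str, str]:
    """Read the live Run key on Windows; returns {} elsewhere so the demo still runs."""
    try:
        import winreg
    except ImportError:
        return {}
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                return entries
            entries[name] = str(data)
            i += 1

DEMO_ENTRIES = {  # constructed sample values, not taken from the article
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SysUpdate": r'wscript.exe "C:\Users\Public\SysUpdate.vbs"',
    "Loader": r'"%Temp%\QUUTE_JPEG56A.exe"',
}

if __name__ == "__main__":
    for name, why in scan_run_entries(read_hkcu_run() or DEMO_ENTRIES).items():
        print(name, "->", "; ".join(why))
```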

Thus, based on the results of the first part of the analysis, we were able to establish the family names of all the components of the malware under study, analyze the infection pattern, and obtain material for writing signatures. We will continue our analysis of this object in the next article, where we will look at the main AgentTesla module in more detail. Don't miss it!

By the way, on 5 December we invite all readers to a free interactive webinar on the topic "Malware analysis: analysis of real cases", where the author of this article, a CERT-GIB specialist, will demonstrate online the first stage of malware analysis: semi-automatic unpacking of samples, using three real mini-cases from practice as examples, and you will be able to take part in the analysis. The webinar is intended for specialists who already have experience in analyzing malicious files. Registration is from a corporate e-mail address only: register. I'm waiting for you!

Yara

rule AgentTesla_clean{
meta:
    author = "Group-IB"
    file = "78566E3FC49C291CB117C3D955FA34B9A9F3EEFEFAE3DE3D0212432EB18D2EAD"
    scoring = 5
    family = "AgentTesla"
strings:
    $string_format_AT = {74 00 79 00 70 00 65 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 68 00 77 00 69 00 64 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 74 00 69 00 6D 00 65 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 63 00 6E 00 61 00 6D 00 65 00 3D 00 7B 00 33 00 7D 00 0D 00 0A 00 6C 00 6F 00 67 00 64 00 61 00 74 00 61 00 3D 00 7B 00 34 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 3D 00 7B 00 35 00 7D 00 0D 00 0A 00 69 00 70 00 61 00 64 00 64 00 3D 00 7B 00 36 00 7D 00 0D 00 0A 00 77 00 65 00 62 00 63 00 61 00 6D 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 37 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 38 00 7D 00 0D 00 0A 00 5B 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 73 00 5D 00}
    $web_panel_format_string = {63 00 6C 00 69 00 65 00 6E 00 74 00 5B 00 5D 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 6C 00 69 00 6E 00 6B 00 5B 00 5D 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 75 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 5B 00 5D 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 5B 00 5D 00 3D 00 7B 00 33 00 7D 00 00 15 55 00 52 00 4C 00 3A 00 20 00 20 00 20 00 20 00 20 00 20 00 00 15 55 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 3A 00 20 00 00 15 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 3A 00}
condition:
     all of them
}

rule  AgentTesla_obfuscated {
meta:
    author = "Group-IB"
    file = "41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9"
    scoring = 5
    family = "AgentTesla"
strings:
    $first_names = {61 66 6B 00 61 66 6D 00 61 66 6F 00 61 66 76 00 61 66 79 00 61 66 78 00 61 66 77 00 61 67 6A 00 61 67 6B 00 61 67 6C 00 61 67 70 00 61 67 72 00 61 67 73 00 61 67 75 00}
    $second_names = "IELibrary.resources"
condition:
     all of them
}

rule AgentTesla_module_for_IE{
meta:
    author = "Group-IB"
    file = "D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE"
    scoring = 5
    family = "AgentTesla_module_for_IE"
strings:
    $s0 = "ByteArrayToStructure" 
    $s1 = "CryptAcquireContext" 
    $s2 = "CryptCreateHash" 
    $s3 = "CryptDestroyHash" 
    $s4 = "CryptGetHashParam" 
    $s5 = "CryptHashData"
    $s6 = "CryptReleaseContext" 
    $s7 = "DecryptIePassword" 
    $s8 = "DoesURLMatchWithHash" 
    $s9 = "GetSavedCookies" 
    $s10 = "GetSavedPasswords" 
    $s11 = "GetURLHashString"  
condition:
     all of them
}

rule RunPE_shellcode {
meta:
    author = "Group-IB"
    file = "37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918"
    scoring = 5
    family = "RunPE_shellcode"
strings:
    $malcode = {
      C7 [2-5] EE 38 83 0C // mov     dword ptr [ebp-0A0h], 0C8338EEh
      C7 [2-5] 57 64 E1 01 // mov     dword ptr [ebp-9Ch], 1E16457h
      C7 [2-5] 18 E4 CA 08 // mov     dword ptr [ebp-98h], 8CAE418h
      C7 [2-5] E3 CA D8 03 // mov     dword ptr [ebp-94h], 3D8CAE3h
      C7 [2-5] 99 B0 48 06 // mov     dword ptr [ebp-90h], 648B099h
      C7 [2-5] 93 BA 94 03 // mov     dword ptr [ebp-8Ch], 394BA93h
      C7 [2-5] E4 C7 B9 04 // mov     dword ptr [ebp-88h], 4B9C7E4h
      C7 [2-5] E4 87 B8 04 // mov     dword ptr [ebp-84h], 4B887E4h
      C7 [2-5] A9 2D D7 01 // mov     dword ptr [ebp-80h], 1D72DA9h
      C7 [2-5] 05 D1 3D 0B // mov     dword ptr [ebp-7Ch], 0B3DD105h
      C7 [2-5] 44 27 23 0F // mov     dword ptr [ebp-78h], 0F232744h
      C7 [2-5] E8 6F 18 0D // mov     dword ptr [ebp-74h], 0D186FE8h
      }
condition:
    $malcode 
}

rule AgentTesla_AutoIT_module{
meta:
    author = "Group-IB"
    file = "49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF"
    scoring = 5
    family = "AgentTesla"
strings:                                    
    $packedexeau = {55 ED F5 9F 92 03 04 44 7E 16 6D 1F 8C D7 38 E6 29 E4 C8 CF DA 2C C4 E1 F3 65 48 25 B8 93 9D 66 A4 AD 3C 39 50 00 B9 60 66 19 8D FC 20 0A A0 56 52 8B 9F 15 D7 62 30 0D 5C C3 24 FE F8 FC 39 08 DF 87 2A B2 1C E9 F7 06 A8 53 B2 69 C3 3C D4 5E D4 74 91 6E 9D 9A A0 96 FD DB 1F 5E 09 D7 0F 25 FB 46 4E 74 15 BB AB DB 17 EE E7 64 33 D6 79 02 E4 85 79 14 6B 59 F9 43 3C 81 68 A8 B5 32 BC E6}
condition:
     all of them
}
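The AgentTesla_clean rule above is keyed on two UTF-16LE strings written as raw hex, which makes it hard to see at a glance what it matches. The helper below is an added example, not code from the article: the two hex constants are copied verbatim from the rule, and the split on the 00 15 byte pair assumes the .NET #US heap layout explained in the comments (the second string spans several consecutive user strings of the main module).

```python
# Added example, not from the Group-IB article: decode the hex bodies of the
# AgentTesla_clean rule to see the exfiltration report and web-panel formats the
# rule is keyed on, and build the reverse form for writing new rule strings.
from typing import List

# Copied verbatim from $string_format_AT in the AgentTesla_clean rule above.
STRING_FORMAT_AT_HEX = (
    "74 00 79 00 70 00 65 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 68 00 77 00 69 00 64 00 3D 00 7B 00 "
    "31 00 7D 00 0D 00 0A 00 74 00 69 00 6D 00 65 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 63 00 "
    "6E 00 61 00 6D 00 65 00 3D 00 7B 00 33 00 7D 00 0D 00 0A 00 6C 00 6F 00 67 00 64 00 61 00 74 00 "
    "61 00 3D 00 7B 00 34 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 3D 00 7B 00 35 00 "
    "7D 00 0D 00 0A 00 69 00 70 00 61 00 64 00 64 00 3D 00 7B 00 36 00 7D 00 0D 00 0A 00 77 00 65 00 "
    "62 00 63 00 61 00 6D 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 37 00 7D 00 0D 00 0A 00 73 00 "
    "63 00 72 00 65 00 65 00 6E 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 38 00 7D 00 0D 00 0A 00 "
    "5B 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 73 00 5D 00"
)
# Copied verbatim from $web_panel_format_string in the same rule.
WEB_PANEL_FORMAT_HEX = (
    "63 00 6C 00 69 00 65 00 6E 00 74 00 5B 00 5D 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 6C 00 69 00 "
    "6E 00 6B 00 5B 00 5D 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 75 00 73 00 65 00 72 00 6E 00 61 00 "
    "6D 00 65 00 5B 00 5D 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 61 00 73 00 73 00 77 00 6F 00 "
    "72 00 64 00 5B 00 5D 00 3D 00 7B 00 33 00 7D 00 00 15 55 00 52 00 4C 00 3A 00 20 00 20 00 20 00 "
    "20 00 20 00 20 00 00 15 55 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 3A 00 20 00 00 15 50 00 "
    "61 00 73 00 73 00 77 00 6F 00 72 00 64 00 3A 00"
)

def yara_hex_to_bytes(pattern: str) -> bytes:
    """Plain YARA hex body ("74 00 79 00 ...") to bytes; no wildcards or jumps needed here."""
    return bytes.fromhex(pattern.replace(" ", ""))

def decode_dotnet_user_strings(data: bytes) -> List[str]:
    """Decode UTF-16LE text. In the .NET #US heap each string ends with a terminal byte
    (00) and the next one starts with a compressed length byte; for the 10-character
    strings in the second pattern that is 0x15 (2*10+1), so the pair 00 15 separates
    consecutive strings. A pattern without that pair decodes as a single string."""
    return [chunk.decode("utf-16-le") for chunk in data.split(b"\x00\x15")]

def text_to_yara_hex(text: str) -> str:
    """Reverse direction: the UTF-16LE hex body for a new rule string."""
    return " ".join(f"{b:02X}" for b in text.encode("utf-16-le"))

if __name__ == "__main__":
    for name, pattern in (("report", STRING_FORMAT_AT_HEX), ("panel", WEB_PANEL_FORMAT_HEX)):
        for s in decode_dotnet_user_strings(yara_hex_to_bytes(pattern)):
            print(name, repr(s))
```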

Hashes

Name: qoute_jpeg56a.r15
MD5: 53BE8F9B978062D4411F71010F49209E
SHA1: A8C2765B3D655BA23886D663D22BDD8EF6E8E894
SHA256: 2641DAFB452562A0A92631C2849B8B9CE880F0F8F890E643316E9276156EDC8A
Type: WinRAR archive
Size: 823014

Name: QUUTE_JPEG56A.exe
MD5: 329F6769CF21B660D5C3F5048CE30F17
SHA1: 8010CC2AF398F9F951555F7D481CE13DF60BBECF
SHA256: 49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF
Type: PE (compiled AutoIt script)
Size: 1327616
OriginalName: tsva
DateStamp: 15.07.2019
Linker: Microsoft Linker(12.0)[EXE32]

MD5: C2743AEDDADACC012EF4A632598C00C0
SHA1: 79B445DE923C92BF378B19D12A309C0E9C5851BF
SHA256: 37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918
Type: ShellCode
Size: 1474

Source: www.habr.com
