Isu tinoenderera mberi nenhevedzano yedu yezvinyorwa zvakapihwa kuongororwa kwemalware. IN Muchikamu, takaudza kuti Ilya Pomerantsev, nyanzvi yekuongorora malware kuCERT Group-IB, akaita ongororo yakadzama yefaira yakagamuchirwa netsamba kubva kune imwe yemakambani ekuEurope akawana spyware ipapo. AgentTesla. Muchikamu chino, Ilya anopa zvigumisiro zvekuongorora-nhanho-nhanho yemodule huru AgentTesla.
Agent Tesla ndeye modular spying software yakagoverwa uchishandisa malware-se-a-sevhisi modhi pasi pechiratidziro chepamutemo keylogger chigadzirwa. Agent Tesla inokwanisa kuburitsa uye kutumira zvitupa zvemushandisi kubva kumabhurawuza, email vatengi uye FTP vatengi kune sevha kune vanorwisa, kurekodha clipboard data, uye nekubata mudziyo skrini. Panguva yekuongorora, webhusaiti yepamutemo yevagadziri yakanga isipo.
Configuration file
Tafura iri pazasi inoratidza kuti ndeupi mashandiro anoshanda kune sampuli yauri kushandisa:
| tsananguro | ukoshi |
| KeyLogger kushandiswa mureza | zvechokwadi |
| ScreenLogger yekushandisa mureza | venhema |
| KeyLogger log kutumira nguva mumaminitsi | 20 |
| ScreenLogger log inotumira nguva mumaminitsi | 20 |
| Backspace kiyi inobata mureza. Nhema - kutema matanda chete. Chokwadi - inodzima kiyi yapfuura | venhema |
| CNC mhando. Sarudzo: smtp, webpanel, ftp | SMTP |
| Thread activation mureza wekumisa maitiro kubva pane rondedzero "% filter_list%" | venhema |
| UAC inodzima mureza | venhema |
| Task maneja dzima mureza | venhema |
| CMD bvisa mureza | venhema |
| Mhanya hwindo disable mureza | venhema |
| Registry Viewer Dzima Mureza | venhema |
| Dzima mureza wemapoinzi system | zvechokwadi |
| Control panel disable flag | venhema |
| MSCONFIG dzima mureza | venhema |
| Mira kuti udzime menyu yemukati muExplorer | venhema |
| Pini mureza | venhema |
| Nzira yekukopa iyo huru module kana uchiipinza kune iyo system | %startupfolder% %infolder%%inname% |
| Mureza wekuisa iyo "System" uye "Yakavanzika" hunhu hweiyo huru module yakapihwa kune system | venhema |
| Mureza kuti utangezve kana wapinirwa kuhurongwa | venhema |
| Mureza wekufambisa iyo hombe module kune yechinguva folda | venhema |
| UAC bypass mureza | venhema |
| Date uye nguva fomati yekucheka matanda | yyy-MM-dd HH:mm:ss |
| Mureza kushandisa sefa yepurogiramu yeKeyLogger | zvechokwadi |
| Mhando yekusefa kwepurogiramu. 1 - zita rechirongwa rinotsvakwa mumahwindo mazita 2 - zita rechirongwa rinotariswa muzita rekuita hwindo |
1 |
| Sefa yepurogiramu | "facebook" "twitter" "gmail" "instagram" "bhaisikopo" "skype" "zvinonyadzisira" "hack" "whatsapp" "kusawirirana" |
Kubatanidza iyo huru module kune system
Kana mureza unoenderana wakaiswa, iyo huru module inoteedzerwa kugwara rakatsanangurwa mugadziriro senzira yekupihwa kuhurongwa.
Zvichienderana nekukosha kubva pakugadzirisa, faira inopiwa maitiro "Yakavanzika" uye "System".
Autorun inopihwa nemapazi maviri ekunyoresa:
- HKCU SoftwareMicrosoftWindowsCurrentVersionRun%inregname%
- HKCUSOFTWAREMicrosoftWindowsCurrentVersionExplorerStartupApprovedRun %insregname%
Sezvo iyo bootloader inopinza mukuita RegAsm, kuseta mureza unoramba uripo weiyo huru module inotungamira kune inonakidza mhedzisiro. Panzvimbo pekuzvikopa, iyo malware yakanamatira iyo yekutanga faira kune system RegAsm.exe, panguva yakaitwa jekiseni.
Kudyidzana neC&C
Pasinei neipi nzira inoshandiswa, kutaurirana kwenetiweki kunotanga nekuwana iyo yekunze IP yemunhu anenge abatwa achishandisa sosi [.]amazonaws[.]com/.
Izvi zvinotevera zvinotsanangura nzira dzekudyidzana kwenetiweki dzinoratidzwa musoftware.
webpanel
Kudyidzana kunoitika kuburikidza neHTTP protocol. Iyo malware inoita chikumbiro chePOST neinotevera misoro:
- Mushandisi-Mumiririri: Mozilla/5.0 (Windows U Windows NT 6.1 ru rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
- Kubatanidza: Chengeta-Upenyu
- Zvemukati-Rudzi: application/x-www-form-urlencoded
Sevha kero inotsanangurwa nekukosha %PostURL%. Iyo encrypted meseji inotumirwa muparameter Β«PΒ». Iyo encryption mechanism inotsanangurwa muchikamu "Encryption algorithms" (Nzira 2).
Iyo meseji yakatumirwa inoita seizvi:
type={0}nhwid={1}ntime={2}npcname={3}nlogdata={4}nscreen={5}nipadd={6}nwebcam_link={7}nclient={8}nlink={9}nusername={10}npassword={11}nscreen_link={12}
Parameter mhando inoratidza mhando yemeseji:
hwid - MD5 hashi inorekodhwa kubva kuhunhu hweiyo mamaboard serial nhamba uye processor ID. Inonyanya kushandiswa seMushandisi ID.
nguva -Inoshanda kufambisa nguva yazvino uye zuva.
pcname - inotsanangurwa se <Zita rekushandisa>/<Zita reKombuta>.
logdata - log data.
Kana uchitumira mapassword, meseji inoita senge:
type={0}nhwid={1}ntime={2}npcname={3}nlogdata={4}nscreen={5}nipadd={6}nwebcam_link={7}nscreen_link={8}n[passwords]
Izvi zvinotevera tsananguro dze data rakabiwa mufomati nclient[]={0}nlink[]={1}zita remushandisi[]={2}npassword[]={3}.
SMTP
Kudyidzana kunoitika kuburikidza neSMTP protocol. Tsamba inotumirwa iri muHTML format. Parameter MUVIRI zvinoita se:
Musoro wetsamba une fomu rekare: <ZITA REMUSHANDIRI>/<ZITA RECOMPUTER> <CONNTENT TYPE>. Zviri mukati metsamba, pamwe chete nezvakanamatira, hazvina kuvharirwa.
Kudyidzana kunoitika kuburikidza neFTP protocol. Faera rine zita rinoendeswa kune yakataurwa sevha <CONTENT TYPE>_<USER NAME>-<COMPUTER NAME>_<DATE AND TIME>.html. Zviri mukati mefaira hazvina kuvharwa.
Encryption algorithms
Iyi kesi inoshandisa zvinotevera encryption nzira:
Iyo 1 nzira
Iyi nzira inoshandiswa kuvharidzira tambo mune huru module. Iyo algorithm inoshandiswa pakunyorera ndeye AES.
Iko kupinza inhamba yedesimali ine manhamba matanhatu. Iyo inotevera shanduko inoitwa pairi:
f(x) = (((x >> 2 - 31059) ^ 6380) - 1363) >> 3
Ukoshi hunobuda ndiyo indekisi yeakamisikidzwa data array.
Imwe neimwe array element ndeyekutevedzana DWORD. Pakubatanidza DWORD mabheti akawanda anowanikwa: yekutanga 32 bytes ndiyo kiyi yekuvharidzira, inoteverwa ne16 bytes yevheti yekutanga, uye mabheti akasara ndiwo akavharidzirwa data.
Iyo 2 nzira
Algorithm inoshandiswa 3DES in the mode ECB ne padding mumabytes akazara (PKCS7).
Kiyi inotsanangurwa neparameter %urlkey%, zvisinei, encryption inoshandisa yayo MD5 hashi.
Kushata kushanda
Muenzaniso uri muchidzidzo unoshandisa zvirongwa zvinotevera kuita basa rayo rakashata:
key logger
Kana paine inoenderana malware mureza uchishandisa WinAPI basa SetWindowsHookEx inopa chayo chibatiso chezviitiko zvekudzvanya pane keyboard. Basa remubati rinotanga nekuwana zita rehwindo rinoshanda.
Kana mureza wekusefa application ukaiswa, kusefa kunoitwa zvichienderana nerudzi rwakataurwa:
- zita rechirongwa rinotariswa mumazita epahwindo
- zita rechirongwa rinotariswa kumusoro muzita rekuita hwindo
Tevere, rekodhi inowedzerwa kune irogi ine ruzivo nezve hwindo rinoshanda mufomati:
Ipapo ruzivo nezve kiyi yakadzvanywa inorekodhwa:
| Kiyi | Rekodhi |
| Backspace | Zvichienderana neBackspace kiyi yekugadzirisa mureza: Nhema - {BACK} Chokwadi - inodzima kiyi yapfuura |
| CAPSLOCK | {CAPSLOCK} |
| ESC | {ESC} |
| PejiUp | {PejiUp} |
| pasi | β |
| Kudzima | {DEL} |
| " | " |
| F5 | {F5} |
| & | & |
| F10 | {F10} |
| TAB | {TAB} |
| < | < |
| > | > |
| Nzvimbo | |
| F8 | {F8} |
| F12 | {F12} |
| F9 | {F9} |
| ALT + TAB | {ALT+TAB} |
| END | {END} |
| F4 | {F4} |
| F2 | {F2} |
| Ctrl | {CTRL} |
| F6 | {F6} |
| Rudyi | β |
| Up | β |
| F1 | {F1} |
| Ruboshwe | β |
| PageDown | {PageDown} |
| Insert | {Isert} |
| kunda | {Win} |
| Numlock | {NumLock} |
| F11 | {F11} |
| F3 | {F3} |
| HOME | {KUMBA} |
| ENTER | {PINDA} |
| ALT + F4 | {ALT+F4} |
| F7 | {F7} |
| Imwe kiyi | Hunhu huri mumusoro kana muzasi makesi zvichienderana nenzvimbo dzeCapsLock uye Shift makiyi |
Pane imwe nguva yakatarwa, iyo yakaunganidzwa log inotumirwa kune server. Kana kuchinjisa kusingabudiriri, irogi rinochengetwa kufaira %TEMP%log.tmp mufomati:
Kana iyo timer ichipisa, iyo faira ichaendeswa kune server.
ScreenLogger
Nenguva yakatarwa, iyo malware inogadzira skrini mune iyo fomati jpeg zvine zvazvinoreva Quality yakaenzana ne50 uye inoichengeta kufaira %APPDATA %<Random kutevedzana kwemavara gumi>.jpg. Mushure mekutamiswa, iyo faira inodzimwa.
ClipboardLogger
Kana mureza wakakodzera ukaiswa, zvinotsiviwa zvinogadzirwa muzvinyorwa zvakatambirwa zvinoenderana netafura iri pazasi.
Mushure meizvi, chinyorwa chinoiswa mulog:
PasswordStealer
Iyo malware inogona kudhawunirodha mapassword kubva kune anotevera maapplication:
| Bhurawuza | Mail clients | FTP vatengi |
| Chrome | mataridzikiro | FileZilla |
| Firefox | Thunderbird | WS_FTP |
| IE/Edge | Foxmail | WinSCP |
| safari | Opera Mail | CoreFTP |
| Opera Bhurawuza | IncrediMail | FTP Navigator |
| Yandex | Pocommail | FlashFXP |
| Comodo | Eudora | SmartFTP |
| ChromePlus | TheBat | FTPCommander |
| chromium | Bhokisi rekutumira | |
| Torch | ClawsMail | |
| 7Star | ||
| Shamwari | ||
| BraveSoftware | Jabber vatengi | VPN vatengi |
| CentBrowser | Psi/Psi+ | Vhura VPN |
| Chedot | ||
| CocCoc | ||
| Elements Browser | Dhaunirodha Mamaneja | |
| Epic Yakavanzika Bhurawuza | Internet Download Manager | |
| Comet | JDownloader | |
| orbitum | ||
| Sputnik | ||
| uCozMedia | ||
| Vivaldi | ||
| SeaMonkey | ||
| Flock Browser | ||
| UC Browser | ||
| BlackHawk | ||
| CyberFox | ||
| K-meleon | ||
| ice cat | ||
| icedragon | ||
| PaleMoon | ||
| waterfox | ||
| Falcon Browser |
Kupikisa kune dynamic analysis
- Kushandisa basa hope. Inokutendera kuti upfuure mamwe mabhokisi ejecha nenguva
- Kuparadza shinda Zone.Chiziviso. Inokutendera kuti uvanze chokwadi chekurodha faira kubva paInternet
- Mune parameter %sefa_list% inotsanangura rondedzero yemaitiro ayo iyo malware ichagumisa panguva dzeimwe sekondi
- Kusiyanisa UAC
- Kudzima basa maneja
- Kusiyanisa CMD
- Kudzima hwindo "Mhanya"
- Kudzima Control Panel
- Kudzima chishandiso RegEdit
- Kudzima hurongwa hwekudzoreredza mapoinzi
- Dzima menyu yemukati muExplorer
- Kusiyanisa Msconfig
- Bypass UAC:
Zvisingashande zveiyo main module
Munguva yekuongororwa kweiyo module huru, mabasa akaonekwa aive akonzeresa kupararira kunetiweki uye kuteedzera chinzvimbo chegonzo.
munyurwi
Zviitiko zvekubatanidza zvinobviswa media zvinotariswa mune imwe shinda yakasiyana. Kana yakabatana, iyo malware ine zita inoteedzerwa kumudzi wefaira system scr.exe, mushure mezvo inotsvaga mafaera ane kuwedzera lnk. Chikwata chemunhu wese lnk kuchinja ku cmd.exe /c tanga scr.exe & tanga <original command> & kubuda.
Dhairekitori rega rega pamudzi wemedia rinopihwa hunhu "Zvakavigwa" uye faira inogadzirwa nekuwedzera lnk nezita redhairekitori rakavanzika uye murairo cmd.exe /c tanga scr.exe&explorer /mudzi,"%CD%<DIRECTORY NAME>" & buda.
MouseTracker
Nzira yekuita interception yakafanana neyo inoshandiswa pa keyboard. Basa iri richiri pasi pekuvandudzwa.
Faira chiitiko
| Nzira | tsananguro |
| %Temp% temp.tmp | Iine counter yeUAC bypass kuedza |
| %startupfolder%%infolder%%insname% | Nzira yekupihwa iyo HPE system |
| %Temp%tmpG{Ikozvino mumamilliseconds}.tmp | Nzira yekuchengetedza iyo huru module |
| %Temp%log.tmp | Log file |
| %AppData%{Kutevedzana kwemavara gumi}.jpeg | Screenshots |
| C:UsersPublic{Kutevedzana kwemavara gumi}.vbs | Nzira yekuenda kune vbs faira iyo bootloader inogona kushandisa kubatanidza kune system |
| %Temp%{Zita refodhi rakasarudzika}{Zita refaira} | Nzira inoshandiswa nebootloader kuzvibatanidza kune system |
Attacker profile
Nekuda kweiyo hardcode yechokwadi data, isu takakwanisa kuwana mukana wekuraira centre.
Izvi zvakatibvumira kuziva email yekupedzisira yevanorwisa:
junaid[.]mu***@gmail[.]com.
The domain name of the command center is registered to the mail sg***@gmail[.]com.
mhedziso
Munguva yekuongorora kwakadzama kweiyo malware yakashandiswa mukurwiswa, takakwanisa kumisikidza mashandiro ayo uye nekuwana iyo yakazara yakazara rondedzero yezviratidzo zvekukanganisa zvine chekuita nenyaya iyi. Kunzwisisa maitiro ekudyidzana kwetiweki pakati pemalware kwakaita kuti zvikwanise kupa mazano ekugadzirisa mashandiro ezvekuchengetedza ruzivo maturusi, pamwe nekunyora yakagadzikana IDS mitemo.
Dambudziko guru AgentTesla kufanana neDataStealer pakuti haidi kuzvipira kuhurongwa kana kumirira murairo wekutonga kuti uite mabasa ayo. Kamwe pamushini, anobva atanga kuunganidza ruzivo rwepachivande uye oendesa kuCnC. Hunhu hwehasha uhu mune dzimwe nzira hwakafanana nehunhu hwe ransomware, nemusiyano chete uri wekuti iyo yekupedzisira haitomboda network yekubatanidza. Kana iwe ukasangana nemhuri iyi, mushure mekuchenesa iyo ine hutachiona system kubva kune iyo malware pachayo, iwe unofanirwa kunyatso shandura mapassword anogona, zvirinani ne theoretically, kuchengetwa mune chimwe chezvishandiso zvakanyorwa pamusoro.
Tichitarisa kumberi, ngatiti vanorwisa vanotumira AgentTesla, yekutanga boot loader inochinjwa kazhinji. Izvi zvinokutendera kuti urambe usina kucherechedzwa nema static scanners uye heuristic analyzers panguva yekurwiswa. Uye katsika kemhuri iyi kekutanga kuita mabasa avo kunoita kuti ma monitors ashaye basa. Nzira yakanakisa yekurwisa AgentTesla ndeyekutanga kuongororwa mubhokisi rejecha.
Muchinyorwa chechitatu cheiyi nhevedzano tichatarisa mamwe mabootloaders anoshandiswa AgentTesla, uye zvakare dzidza maitiro eiyo semi-otomatiki unpacking. Usapotsa!
Hash
| SHA1 |
| A8C2765B3D655BA23886D663D22BDD8EF6E8E894 |
| 8010CC2AF398F9F951555F7D481CE13DF60BBECF |
| 79B445DE923C92BF378B19D12A309C0E9C5851BF |
| 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
C & C.
| URL |
| sina-c0m[.]icu |
| smtp[.]sina-c0m[.]icu |
RegKey
| Registry |
| HKCUSoftwareMicrosoftWindowsCurrentVersionRun{Script name} |
| HKCUSoftwareMicrosoftWindowsCurrentVersionRun%inregname% |
| HKCUSOFTWAREMicrosoftWindowsCurrentVersionExplorerStartupApprovedRun%insregname% |
mutexes
Hapana zviratidzo.
Files
| Faira chiitiko |
| %Temp% temp.tmp |
| %startupfolder%%infolder%%insname% |
| %Temp%tmpG{Ikozvino mumamilliseconds}.tmp |
| %Temp%log.tmp |
| %AppData%{Kutevedzana kwemavara gumi}.jpeg |
| C:UsersPublic{Kutevedzana kwemavara gumi}.vbs |
| %Temp%{Zita refodhi rakasarudzika}{Zita refaira} |
Samples Info
| zita | tsva |
| MD5 | F7722DD8660B261EA13B710062B59C43 |
| SHA1 | 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| SHA256 | 41DC0D5459F25E2FDCF8797948A7B315D3CB0753 98D808D1772CACCC726AF6E9 |
| mhando | PE (.NET) |
| zera | 327680 |
| OriginalName | AZZRIDKGGSLTYFUUBCCRRCUMRKTOXFVPDKGAGPUZI_20190701133545943.exe |
| DateStamp | 01.07.2019 |
| Mutengesi | VB.NET |
| zita | IELibrary.dll |
| MD5 | BFB160A89F4A607A60464631ED3ED9FD |
| SHA1 | 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
| SHA256 | D55800A825792F55999ABDAD199DFA54F3184417 215A298910F2C12CD9CC31EE |
| mhando | PE (.NET DLL) |
| zera | 16896 |
| OriginalName | IELibrary.dll |
| DateStamp | 11.10.2016 |
| Mutengesi | Microsoft Linker(48.0*) |
Source: www.habr.com