Cover blown: exposing AgentTesla. Part 3

With this post we conclude the series of articles devoted to malware analysis. In the first part we carried out a detailed analysis of an infected file received by a European company by e-mail and found the AgentTesla spyware in it. In the second part we described the results of a step-by-step analysis of the main AgentTesla module.

Today Ilya Pomerantsev, malware analysis specialist at CERT Group-IB, walks through the first stage of malware analysis, semi-automatic unpacking of AgentTesla samples, using three mini-cases from the practice of CERT Group-IB specialists.

As a rule, the first stage of malware analysis is stripping the protection layer: a packer, cryptor, protector or loader. In many cases the task is solved simply by running the malware and dumping it from memory, but there are situations where this approach does not work: the malware is a file encryptor (ransomware), it protects its memory regions from being dumped, the code contains virtual machine detection, or the malware triggers a reboot immediately after launch. In such cases so-called "semi-automatic" unpacking is used, meaning the analyst keeps full control over execution and can intervene at any moment. Let us look at this procedure on three samples of the AgentTesla family. This malware is relatively harmless once its network access is cut off.

Sample No. 1

The source file is an MS Word document exploiting the vulnerability CVE-2017-11882.

As a result, the payload is downloaded and launched.

Analysis of the process tree and the behaviour markers reveals an injection into the RegAsm.exe process.

The behaviour markers characteristic of AgentTesla are present.

The downloaded sample is a .NET executable protected with the .NET Reactor protector.

Let us open it in dnSpy x86 and go to the entry point.

Stepping into the DateTimeOffset method, we find the source code of a new .NET module. Let us set a breakpoint on the line of interest and run the file.

In one of the returned buffers the MZ signature (0x4D 0x5A) is visible. Let us save it.

The dumped executable is a dynamic library (DLL) that acts as a loader: it extracts the payload from the resource section and launches it.

At the same time, the resources it needs are not in the dump themselves; they live in the parent sample.
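A dump produced this way is only useful if what you saved is a whole, well-formed image, so it is worth validating more than the two MZ bytes before handing the file to de4dot or YARA. The Python carver below is an added example and not code from the article or from dnSpy: it walks a raw buffer, accepts an `MZ` only when a `PE\0\0` header, a sane optional header and an in-range section table follow it, computes the on-disk size from the section table, and reports whether the image is a DLL (`IMAGE_FILE_DLL`) and whether it carries a CLR header (a .NET assembly), the two questions asked of the dump above. The buffer it scans is constructed in-line by `build_sample_pe()` and `demo_dump()`; those helper names and the sample layout are assumptions for the example.

```python
"""Carve PE images out of a raw memory buffer and classify them.

Added example, not code from the original article: the buffer is what you
dumped from the debugger (the dnSpy byte[] in the text or a ProcessHacker
region dump); here a dump is constructed in-line with demo_dump().
"""
import struct

IMAGE_FILE_DLL = 0x2000
CLR_DIR = 14            # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero => .NET assembly


def parse_pe(buf, off):
    """Validate the PE image whose 'MZ' sits at buf[off]; return metadata or None."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    # Reject garbage e_lfanew before indexing with it (real DOS stubs are small).
    if not 0x40 <= e_lfanew <= 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24
    if opt_size < 96 or opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112 if magic == 0x20B else 0)  # PE32 / PE32+
    if dirs == opt or dirs - opt > opt_size:
        return None
    size_of_headers = struct.unpack_from("<I", buf, opt + 60)[0]
    ndirs = struct.unpack_from("<I", buf, dirs - 4)[0]          # NumberOfRvaAndSizes
    clr_rva = 0
    if ndirs > CLR_DIR and dirs + 8 * CLR_DIR + 8 <= len(buf):
        clr_rva = struct.unpack_from("<I", buf, dirs + 8 * CLR_DIR)[0]
    # On-disk size = furthest end of any section's raw data (or the headers alone).
    end, sec = size_of_headers, opt + opt_size
    for i in range(nsec):
        s = sec + 40 * i
        if s + 40 > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, s + 16)
        end = max(end, raw_ptr + raw_size)
    if end == 0 or off + end > len(buf):
        return None     # truncated dump: don't hand the analyst half an image
    return {"offset": off, "size": end, "machine": machine,
            "is_dll": bool(characteristics & IMAGE_FILE_DLL), "is_dotnet": clr_rva != 0}


def carve_pe_images(buf):
    """Every structurally valid PE in the buffer: an 'MZ' on its own proves nothing."""
    found, pos = [], 0
    while (pos := buf.find(b"MZ", pos)) >= 0:
        info = parse_pe(buf, pos)
        if info:
            found.append(info)
            pos += info["size"]   # skip the body; it may contain MZ-looking bytes
        else:
            pos += 1
    return found


def build_sample_pe(is_dll, dotnet):
    """Constructed minimal PE32 (test data, not a real binary): one 0x200-byte .text section."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                     # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * CLR_DIR, 0x2008, 0x48)  # CLR header RVA/size
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), chars)
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, 0x200, 0x1000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + coff + bytes(opt) + bytes(sec)
    body = (b"\xCC" * 0x10 + b"constructed section data").ljust(0x200, b"\0")
    return hdr.ljust(0x200, b"\0") + body


def demo_dump():
    """Constructed 'memory dump': junk, a .NET DLL, a stray MZ, a native EXE, junk."""
    return (b"\x00" * 37 + build_sample_pe(is_dll=True, dotnet=True)
            + b"MZ" + b"\0" * 7 + build_sample_pe(is_dll=False, dotnet=False) + b"\xff" * 9)


if __name__ == "__main__":
    for img in carve_pe_images(demo_dump()):
        print(img)
```

Feed a real dump in with `carve_pe_images(open(path, "rb").read())`. A loader whose resources live in the parent, as in this sample, still carves cleanly, because the carver checks structure, not whether the payload is present.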

The dnSpy utility has two extremely useful functions that help us quickly assemble a "Frankenstein" from the two related files.

  1. The first allows you to "embed" the dynamic library into the parent sample.

  2. The second is editing the code of the entry-point method so that it calls the desired method of the embedded dynamic library.

We save our "Frankenstein", set a breakpoint on the line that returns the buffer with the decrypted resources, and take a dump in the same way as in the previous step.

The second dump is a VB.NET executable protected with a protector we already know, ConfuserEx.

After removing the protector we apply the YARA rules written earlier and confirm that the unpacked malware is indeed AgentTesla.


Sample No. 2

The source file is an MS Excel document. The embedded macro triggers execution of the malicious code.

As a result, a PowerShell script is launched.

The script decrypts C# code and passes control to it. The code itself is a loader, as can also be seen from the sandbox report.

The payload is a .NET executable.

Opening the file in dnSpy x86, you can see that it is obfuscated. We remove the obfuscation with the de4dot utility and return to the analysis.

While examining the code, you come across the following function:

The highlighted lines, EntryPoint and Invoke, are the interesting ones. We set a breakpoint on the first of them, run, and save the value of the byte_0 buffer.

The dump is again a .NET executable, this time protected with ConfuserEx.

We remove the obfuscation with de4dot and load the result into dnSpy. From the file description we understand that we are dealing with the CyaX-Sharp loader.

This loader has extensive anti-analysis functionality.

It includes bypassing built-in Windows protection mechanisms, disabling Windows Defender, and sandbox and virtual machine detection. The payload can be downloaded from the network or stored in the resource section. It is launched by injection into the loader's own process, into a duplicate of its own process, or into the MSBuild.exe, vbc.exe or RegSvcs.exe processes, depending on the parameter chosen by the attacker.
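Those launch options double as detection logic: RegAsm.exe, RegSvcs.exe, MSBuild.exe and vbc.exe have no business being descendants of an Office application or a script interpreter. The Python below is an added example, not code from the article or from Group-IB: it reconstructs parent chains from process-creation events and flags (a) a script host spawned directly by Office, the start of sample 2, and (b) any of the four .NET utilities with Office or a script host somewhere in its ancestry, the injection target in samples 1 and 2. The events are constructed in-line in a Sysmon-like `pid/ppid/image` shape; the paths and pids are assumptions, and the Word-to-payload chain is simplified.

```python
"""Flag the process-tree shapes described on this page from process-creation events.

Added example, not from the original article. Events are constructed in-line
in the shape of Sysmon Event ID 1 fields (pid, ppid, image); wire detect() to
your own log source. Host names are the ones named on the page plus a few extras.
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# .NET framework utilities this page names as injection targets: RegAsm.exe (sample 1),
# MSBuild.exe, vbc.exe and RegSvcs.exe (CyaX-Sharp in sample 2).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "vbc.exe"}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Parent chain as image names (nearest first); guards against pid-reuse loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid) findings in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        parents = ancestors(by_pid, e["ppid"])
        if name in SCRIPT_HOSTS and parents and parents[0] in OFFICE:
            findings.append(("office_spawns_script_host", e["pid"]))
        if name in DOTNET_HOSTS and any(p in OFFICE | SCRIPT_HOSTS for p in parents):
            # RegAsm/RegSvcs/MSBuild/vbc launched under Office or a script host is the
            # loader's injection target, not a developer's build step.
            findings.append(("dotnet_utility_under_office_or_script", e["pid"]))
    return findings


def sample_events():
    """Constructed events: sample 2's chain, sample 1's RegAsm injection, and a benign build."""
    return [
        {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
        {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
        {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
        {"pid": 220, "ppid": 210, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
        {"pid": 300, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
        {"pid": 310, "ppid": 300, "image": r"C:\Users\victim\AppData\Roaming\payload.exe"},
        {"pid": 320, "ppid": 310, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
        {"pid": 400, "ppid": 100, "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"},
        {"pid": 410, "ppid": 400, "image": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe"},
        {"pid": 420, "ppid": 410, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
    ]


if __name__ == "__main__":
    for rule, pid in detect(sample_events()):
        print(f"{rule}: pid {pid}")
```

The benign devenv.exe to MSBuild.exe to vbc.exe chain is deliberately left unflagged: the rule keys on ancestry, not on the utility name alone, which keeps it quiet on developer workstations.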

What matters for us, however, is the presence of the AntiDump function that supplements ConfuserEx. Its source code can be found on GitHub.

To disable this protection we use the dnSpy feature that allows editing the IL code.

We save the result and set a breakpoint on the line that calls the payload decryption function. It is located in the constructor of the main class.

We run it and dump the payload. Using the previously written YARA rules, we confirm that this is AgentTesla.


Sample No. 3

The source file is a native VB PE32 executable.

Entropy analysis shows the presence of a large block of encrypted data.

Examining the application form in VB Decompiler, one can see a strange pixelated background.

The entropy graph of the bmp image resembles the entropy graph of the original file, and its size is 85% of the file size.

The overall look of the image indicates the use of steganography.

Let us look at the process tree and also at the presence of an injection marker.

This tells us that unpacking is taking place. For Visual Basic loaders (aka VBKrypt or VBInjector) it is typical to use shellcode to launch the payload and to perform the injection itself.

Analysis in VB Decompiler showed the presence of a Load event on the FegatassocAirballoon2 form.

We go to the specified address in IDA Pro and study the function. The code is heavily obfuscated. The fragment of interest is shown below.

Here the process address space is scanned for a signature. This approach is extremely questionable.

First, the scan starts at address 0x400100. This value is static and is not adjusted if the image base changes. Under ideal, greenhouse conditions it points to the end of the PE header of the executable. The base, however, is not fixed, its value may change, and the search for the real address of the signature, although it will not overflow the variable, can take a very long time.

Second, the signature value is WGK. I think it is obvious that 4 bytes is too little to guarantee uniqueness. And if you take the first point into account, the probability of an error is very high.

In fact, the required fragment is appended to the end of the previously found bmp image at offset 0xA1D0D.
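Rather than scanning the address space for a short marker, an analyst working on the file offline can let the BMP headers say where the pixel array ends: everything after `bfOffBits + stride * height` is appended data. The Python below is an added example, not code from the article or from the loader: it parses the bitmap header, slices off the trailing blob, measures the Shannon entropy of the pixel region and of the appended region (the contrast the entropy graphs above show), and also runs the loader's own marker scan to show why a short signature misfires. The BMP it works on is constructed in-line with a decoy `WGK` planted inside the pixel data; the real sample's `0xA1D0D` offset is not reproduced, so the offsets it reports are those of the constructed file.

```python
"""Locate data appended to a BMP by its headers, not by a marker scan.

Added example, not from the original article. The bitmap is constructed in
build_sample_bmp(); the 'WGK' marker is the one the page's loader searches for.
"""
import math
import random
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, approaching 8.0 for uniform random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def bmp_pixel_end(buf):
    """Offset just past the pixel array of an uncompressed BITMAPINFOHEADER bitmap."""
    if buf[:2] != b"BM" or len(buf) < 54:
        raise ValueError("not a BMP")
    off_bits = struct.unpack_from("<I", buf, 10)[0]        # bfOffBits
    width, height = struct.unpack_from("<ii", buf, 18)     # biWidth, biHeight (height may be negative)
    bpp, compression = struct.unpack_from("<HI", buf, 28)  # biBitCount, biCompression
    if compression != 0:
        raise ValueError("compressed BMP not handled")
    stride = ((width * bpp + 31) // 32) * 4                # rows are padded to 4-byte boundaries
    return off_bits + stride * abs(height)


def extract_appended(buf):
    """Bytes glued after the pixel array: the stego payload, if any."""
    return buf[bmp_pixel_end(buf):]


def find_all(buf, sig):
    """Every offset of sig, the way the loader's memory scan would see them."""
    hits, pos = [], 0
    while True:
        pos = buf.find(sig, pos)
        if pos < 0:
            return hits
        hits.append(pos)
        pos += 1


def build_sample_bmp():
    """Constructed 4x4 24-bpp BMP with a high-entropy blob appended after the pixels."""
    width, height, bpp = 4, 4, 24
    stride = ((width * bpp + 31) // 32) * 4
    pixels = bytearray(b"\x10\x20\x30" * (stride * height // 3))
    pixels[21:24] = b"WGK"                                  # decoy: marker also appears in pixel data
    off_bits = 14 + 40
    header = b"BM" + struct.pack("<IHHI", off_bits + len(pixels), 0, 0, off_bits)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    rng = random.Random(1337)                               # deterministic pseudo-random filler
    blob = b"WGK" + bytes(rng.getrandbits(8) for _ in range(512))
    return header + dib + bytes(pixels) + blob


if __name__ == "__main__":
    bmp = build_sample_bmp()
    end = bmp_pixel_end(bmp)
    print("pixel array ends at", hex(end), "marker hits at", [hex(h) for h in find_all(bmp, b"WGK")])
    print("entropy pixels %.2f appended %.2f" % (shannon_entropy(bmp[54:end]),
                                                 shannon_entropy(extract_appended(bmp))))
```

The marker scan returns two hits, one of them inside the pixels; the header arithmetic returns exactly one boundary. The same entropy function, run over fixed-size windows of the original executable, reproduces the kind of graph referred to above.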

The shellcode executes in two stages. The first decrypts the main body. In this case the key is found by brute force.
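The page does not say which cipher the first stage uses, only that the key is brute-forced. The Python below is an added example with an assumed cipher: a single-byte XOR over the body, recovered by trying all 256 keys and scoring each candidate with known plaintext, the API and DLL names that the next step finds in the decrypted shellcode (`CreateProcessInternalW`, `kernel32.dll`). The encrypted blob is constructed in-line; the key `0x5A`, the crib list and the filler are assumptions for the example, and a multi-byte or non-XOR scheme would need the candidate loop generalised.

```python
"""Recover a single-byte XOR key for a shellcode body by known-plaintext scoring.

Added example with an assumed cipher (single-byte XOR); the page only states
that the first-stage key is brute-forced. The encrypted blob is constructed.
"""
import string

PRINTABLE = set(string.printable.encode())
DEFAULT_CRIBS = (b"CreateProcessInternalW", b"kernel32.dll")   # strings the dumped shellcode exposes


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def score_plaintext(data, cribs):
    """Crib hits dominate; the printable ratio only separates near-misses among the rest."""
    hits = sum(data.count(c) for c in cribs)
    printable = sum(b in PRINTABLE for b in data) / max(len(data), 1)
    return hits * 10 + printable


def brute_force_single_byte_xor(blob, cribs=DEFAULT_CRIBS):
    """Try all 256 keys; return (key, plaintext, score) of the best-scoring candidate."""
    key = max(range(256), key=lambda k: score_plaintext(xor_bytes(blob, k), cribs))
    plain = xor_bytes(blob, key)
    return key, plain, score_plaintext(plain, cribs)


def build_sample_blob(key=0x5A):
    """Constructed 'first-stage body': API/DLL names among filler, XORed with one byte (assumed key)."""
    plain = (b"\x90" * 8 + b"kernel32.dll\0" + bytes(range(16))
             + b"CreateProcessInternalW\0NtGetContextThread\0NtSetContextThread\0"
             + bytes(range(0x80, 0xA0)))
    return xor_bytes(plain, key)


if __name__ == "__main__":
    key, plain, score = brute_force_single_byte_xor(build_sample_blob())
    print("key 0x%02X score %.2f" % (key, score))
    print([s for s in plain.split(b"\0") if len(s) > 4])
```

With a real first stage, take the cribs from whatever the second stage must contain (DLL names, an API name, the `MZ` of an embedded image) and confirm the result by running the same strings check the next step performs on the dump.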

We dump the decrypted shellcode and look at the strings.

First, we now know the function used to create the child process: CreateProcessInternalW.

Second, we learned about the persistence mechanism in the system.

Let us return to the initial process. We set a breakpoint on CreateProcessInternalW and continue execution. Then we see the NtGetContextThread/NtSetContextThread pair, which changes the execution start address to the address of the shellcode.

We attach to the created process with the debugger, enable the Suspend on library load/unload event, resume the process and wait for the .NET library to load.

Then, using ProcessHacker, we dump the regions containing the unpacked .NET application.

We terminate all processes and remove the copy of the malware that has established persistence in the system.

The dumped file is protected with the .NET Reactor protector, which is easily removed with the de4dot utility.

Using the previously written YARA rules, we confirm that this is AgentTesla.

Summary

So, we have shown in detail the process of semi-automatic unpacking of samples on three mini-cases, and we have also analysed the malware in a full case, establishing that the sample under study is AgentTesla, documenting its functionality and a complete list of indicators of compromise.

The analysis of a malicious object that we performed requires a lot of time and expertise; this work should be done by a dedicated employee in the company, but not every company is ready to keep an analyst on staff.

One of the services provided by the Group-IB Laboratory of Computer Forensics and Malicious Code Analysis is cyber incident response. And so that customers do not lose time agreeing and discussing paperwork in the middle of a cyber attack, Group-IB launched Incident Response Retainer, a pre-subscribed incident response service that also includes the malware analysis stage. More information about it can be found here.

If you want to learn more about how AgentTesla samples are unpacked and see how a CERT Group-IB specialist does it, you can download the recording of the webinar on this topic here.

Source: www.habr.com
