Sanadihii la soo dhaafay, Trojans-ka mobilada ayaa si firfircoon u bedelaya Trojans kombiyuutarada gaarka ah, sidaa darteed soo bixitaanka malware cusub ee "baabuurta" hore iyo isticmaalkooda firfircoon ee internetka, inkasta oo aan fiicneyn, wali waa dhacdo. Dhowaan, CERT Group-IB's XNUMX/XNUMX xarunta jawaabta shilka amniga macluumaadka waxay ogaatay iimaylka phishing-ka aan caadiga ahayn kaas oo qarinaya malware-ka PC-ga cusub kaas oo isku daraya shaqooyinka Keylogger iyo PasswordStealer. Dareenka falanqeeyayaasha ayaa la soo jiitay sida spyware-ku ugu soo dhacay mashiinka isticmaalaha - iyadoo la adeegsanayo farriinta codka caanka ah. Ilya PomerantsevKhabiir ku takhasusay falanqaynta malware-ka ee CERT Group-IB, ayaa sharaxay sida malware-ku u shaqeeyo, sababta uu khatar u yahay, iyo xitaa uu ka helay Ciraaq fog.
Haddaba, aan u kala horrayno. Hoosta lifaaqa, warqad noocan oo kale ah ayaa ka kooban sawir, marka la gujiyo kaas oo isticmaalaha loo qaaday goobta cdn.discordapp.com, waxaana halkaas laga soo dejiyay fayl xaasidnimo ah.
Isticmaalka Discord, codka xorta ah iyo fariinta qoraalka, waa wax aan caadi ahayn. Caadi ahaan, fariimaha kale ee degdega ah ama shabakadaha bulshada ayaa loo isticmaalaa ujeedooyinkan.
Intii lagu jiray falanqaynta faahfaahsan, qoyska malware-ka ayaa la aqoonsaday. Waxay noqotay mid ku cusub suuqa malware- 404 Keylogger.
Xayeysiiskii ugu horreeyay ee iibinta keylogger ayaa la dhajiyay hackforums Isticmaale ku hoos naaneysta "404 Coder" Agoosto 8.
Bakhaarka dukaanka waxa la diiwaan galiyay dhawaan - Sebtembar 7, 2019.
Sida horumariyayaashu ku sheegaan mareegaha 404mashruuc[.]xyz, 404 waa qalab loogu talagalay in lagu caawiyo shirkadaha inay bartaan wax ku saabsan dhaqdhaqaaqyada macaamiishooda (iyaga oo ogolaansho haysta) ama kuwa raba inay ka ilaaliyaan laba-geesoodka injineernimada. Inaga oo hore u eegayna, aynu sidaas ku nidhaahno hawsha u dambaysa 404 hubaal ma la qabsanayso.
Waxa aanu go'aansanay in aanu mid ka mid ah feylasha ka noqono oo aanu hubino waxa uu yahay "KEYLOGGER SMART SMART".
Nidaamka deegaanka ee Malware
Soodejiyaha 1 (AtillaCrypter)
Faylka isha waa la ilaaliyaa iyadoo la isticmaalayo EaxObfuscator oo uu ku shubo laba-tallaabo Ilaali laga bilaabo qaybta khayraadka. Intii lagu guda jiray falanqaynta muunado kale oo laga helay VirusTotal, waxa caddaatay in marxaladan aanu bixin horumariyaha laftiisa, balse uu ku daray macmiilkiisa. Markii dambe waxaa la go'aamiyay in bootloader-kan uu ahaa AtillaCrypter.
Bootloader 2 (AtProtect)
Dhab ahaantii, rarkani waa qayb muhiim ah oo ka mid ah malware-ka, sida uu qabo ujeedada horumariyaha, waa inuu qaataa shaqeynta falanqaynta ka hortagga.
Si kastaba ha ahaatee, ficil ahaan, hababka ilaalintu waa kuwo hore, iyo nidaamyadeenu si guul leh u ogaadaan malware-kan.
Module-ka ugu weyn waxaa lagu shubaa iyadoo la isticmaalayo Franchy Shell Code noocyo kala duwan. Si kastaba ha ahaatee, kama saarayno in doorashooyin kale la isticmaali karay, tusaale ahaan, RunPE.
Faylka qaabaynta
Isku dhafka nidaamka
Isku-darka nidaamka waxaa xaqiijiya bootloader-ka Ilaali, haddii calanka u dhigma la dhigay.
- Faylka waxaa lagu koobiyeeyay wadada %AppData%GFqaakZpzwm.exe.
- Faylka waa la sameeyay %AppData%GFqaakWinDriv.url, furitanka Zpzwm.exe.
- Dunta ku jirta HKCUSoftwareMicrosoftWindowsCurrentVersionRun furaha bilowga ayaa la sameeyay WinDriv.url.
Isdhexgalka C&C
Loader AtProtect
Haddii calanka ku habboon uu jiro, malware-ku wuxuu bilaabi karaa hab qarsoodi ah iexplorer oo raac xiriirka la cayimay si aad u ogeysiiso server-ka wax ku saabsan caabuqa guulaystay.
Xogta Xatooyo
Iyadoo aan loo eegin habka loo isticmaalo, isgaarsiinta shabakadu waxay ka bilaabataa helitaanka IP-ga dibadda ee dhibbanaha iyadoo la adeegsanayo kheyraadka [http]://checkip[.]dyndns[.]org/.
Wakiilka Isticmaalaha: Mozilla/4.0 (ku habboon; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Qaab dhismeedka guud ee fariintu waa isku mid. Madaxa jooga
|——- 404 Keylogger — {Nooca} ——-|halkaas oo {nooca} u dhiganta nooca macluumaadka la gudbiyo.
Kuwa soo socda waa macluumaadka ku saabsan nidaamka:
_______ + MACLUUMAADKA DHIBBANAHA + _______
IP: {External IP}
Magaca Mulkiilaha: {Magaca kombiyuutarka}
Magaca OS: {Magaca OS}
Nooca OS: {Nooca OS}
Platform OS: {Platform}
Cabbirka RAM: {cabbirka RAM}
______________________________
Iyo ugu dambeyntii, xogta la gudbiyay.
SMTP
Dulucda warqaddu waa sidan. 404 K | {Nooca Fariinta} | Magaca Macmiilka: {Username}.
Waxa xiiso leh, in waraaqo loo geeyo macmiilka 404 Keylogger Seerfarka SMTP ee horumariyeyaasha ayaa la isticmaalaa.
Tani waxay suurtogal ka dhigtay in la aqoonsado qaar ka mid ah macaamiisha, iyo sidoo kale iimaylka mid ka mid ah horumarinta.
FTP
Marka la isticmaalayo habkan, macluumaadka la ururiyey waxaa lagu kaydiyaa fayl oo isla markiiba ka akhri halkaas.
Caqliga ka dambeeya falkani gabi ahaanba ma cadda, laakiin waxa ay abuurtaa farshaxan dheeraad ah oo lagu qoro xeerarka habdhaqanka.
%HOMEDRIVE%%HOMEPATH%DocumentsA{lambar gardarro ah}.txt
Pastebin
Waqtiga falanqaynta, habkan waxa kaliya loo isticmaalaa in lagu wareejiyo furaha sirta ah ee la xaday. Waxaa intaa dheer, looma isticmaalo beddelka labada hore, laakiin si barbar socda. Xaaladdu waa qiimaha joogtada ah ee la siman "Vavaa". Malaha kani waa magaca macmiilka.
Is-dhexgalku wuxuu ku dhacaa habka https ee API dhejis. Macnaha api_paste_gaar ah si siman PASTE_UNLISTED, kaas oo mamnuucaya raadinta boggagaas gudaha dhejis.
Algorithms-ka sireed
Soo celinta faylka ilaha
Culayska waxa lagu kaydiyaa agabka bootloader Ilaali qaabka sawirada Bitmap. Soo saarista waxaa lagu fuliyaa dhowr marxaladood:
- Soo koobid bytes ah ayaa laga soo saaray sawirka. pixel kasta waxaa loola dhaqmaa sida isku xigxiga 3 bytes ee habka BGR. Ka dib markii la soo saaro, 4ta bytes ee hore ee array waxay kaydiyaan dhererka fariinta, kuwa ku xiga waxay kaydiyaan fariinta lafteeda.
- Furaha waa la xisaabiyaa. Si taas loo sameeyo, MD5 waxaa laga xisaabiyaa qiimaha "ZpzwmjMJyfTNiRalKVrcSkxCN" ee lagu qeexay erayga sirta ah. Xashiishkii ka dhashay waxa la qoray laba jeer.
- Decryption waxaa lagu sameeyaa iyadoo la isticmaalayo algorithm AES ee qaabka ECB.
Shaqeynta xaasidnimada leh
Downloader
Laga hirgaliyay bootloader-ka Ilaali.
- Adigoo la xiriiraya [activelink-repalce] Heerka serverka ayaa la codsanayaa si loo xaqiijiyo inuu diyaar u yahay inuu u adeego faylka. Seerfarku waa inuu soo noqdaa “DAAR”.
- Tixraac [downloadlink-bedel] Culayska waa la soo dejiyay
- Iyada oo gargaar ah FranchyShellcode culayska ayaa lagu duraa habka [inj-bedel].
Inta lagu jiro falanqaynta domain 404mashruuc[.]xyz kiisas dheeraad ah ayaa lagu aqoonsaday VirusTotal 404 Keylogger, iyo sidoo kale dhowr nooc oo loaders ah.
Caadi ahaan, waxay u qaybsamaan laba nooc:
- Soo dejinta waxaa laga fuliyaa kheyraadka 404mashruuc[.]xyz.
Xogtu waa Base64 oo la duubay oo AES waa la siryay. - Doorashadani waxay ka kooban tahay dhowr marxaladood waxayna u badan tahay in lala isticmaalo bootloader Ilaali.
- Marxaladda koowaad, xogta ayaa laga soo raray dhejis oo la decoded iyadoo la isticmaalayo shaqada HexToByte.
- Marxaladda labaad, isha rarida waa 404mashruuc[.]xyz. Si kastaba ha ahaatee, hawl-fududeynta iyo habayntu waxay la mid yihiin kuwa laga helo DataStealer. Waxay u badan tahay in markii hore la qorsheeyay in la hirgeliyo shaqeynta bootloader ee cutubka ugu muhiimsan.
- Marxaladdan, culeyska mushaharka ayaa horeyba ugu jiray muujinta kheyraadka qaab la isku riixay. Hawlaha soo saarista la mid ah ayaa sidoo kale laga helay cutubka ugu muhiimsan.
Soodejiyeyaal ayaa laga dhex helay faylalka la falanqeeyay njRat, SpyGate iyo RAT-yada kale.
Keylogger
Xilliga dirista Log: 30 daqiiqo.
Dhammaan jilayaasha waa la taageeray Jilayaal gaar ah ayaa baxsaday. Waxaa jira habayn loogu talagalay BackSpace iyo Delete furayaasha. Kiis xasaasi ah.
ClipboardLogger
Xilliga dirista Log: 30 daqiiqo.
Muddada cod bixinta ee kaydka ah: 0,1 ilbiriqsi.
Baxsashada xiriirinta la fuliyay.
ScreenLogger
Xilliga dirista Log: 60 daqiiqo.
Sawir-qaadista ayaa lagu keydiyay gudaha %HOMEDRIVE%%HOMEPATH%Documents404k404pic.png.
Kadib diritaanka faylka 404k waa laga saaray.
Furaha sirta ah tuugta
| Browser | Macaamiisha boostada | Macaamiisha FTP |
|---|---|---|
| Chrome | Muuqaalka | FileZilla |
| Firefox | Thunderbird | |
| SeaMonkey | Foxmail | |
| icedragon | ||
| PaleMoon | ||
| Cyber Firefox | ||
| Chrome | ||
| BraveBrowser | ||
| QQBrowser | ||
| Iridium Browser | ||
| XvastBrowser | ||
| Chedot | ||
| 360 Browser | ||
| ComodoDragon | ||
| 360Chrome | ||
| SuperBird | ||
| CentBrowser | ||
| GhostBrowser | ||
| Bir Browser | ||
| chromium | ||
| Vivaldi | ||
| Browser Slimjet | ||
| orbitum | ||
| CocCoc | ||
| Shuclada | ||
| UCBrowser | ||
| EpicBrowser | ||
| Blisk Browser | ||
| Opera |
Ka-hortagga falanqaynta firfircoon
- Hubinta in hab-socodku ku jiro falanqayn
Lagu fuliyay iyadoo la isticmaalayo habka raadinta hawlgal, ProcessHacker, procp64, wax ka sheegid, procmon. Haddii ugu yaraan mid la helo, malware-ku wuu baxayaa.
- Hubinta haddii aad ku sugan tahay jawi macmal ah
Lagu fuliyay iyadoo la isticmaalayo habka raadinta vmtoolsd, Adeegga VGAuth, vmacthlp, Adeegga VBox, VBoxTray. Haddii ugu yaraan mid la helo, malware-ku wuu baxayaa.
- Hurdo 5 ilbiriqsi
- Muujinta noocyada kala duwan ee sanduuqyada wada hadalka
Waxa loo isticmaali karaa in lagu dhaafo sanduuqyada ciidda qaarkood.
- Ka gudub UAC
Lagu sameeyay iyadoo la tafatirayo furaha diiwaanka EnableLUA ee dejinta Siyaasadda Kooxda.
- Ku dabaqa sifada "Qarin" ee faylka hadda jira.
- Awoodda lagu tirtiro faylka hadda jira
Tilmaamaha Aan Firfircoonayn
Inta lagu guda jiro falanqaynta bootloader iyo moduleka ugu muhiimsan, hawlaha ayaa la helay kuwaas oo mas'uul ka ah shaqeyn dheeraad ah, laakiin meelna looma isticmaalo. Tani waxay u badan tahay inay sabab u tahay xaqiiqda ah in malware-ku uu weli ku jiro horumarinta iyo shaqeynta ayaa la ballaarin doonaa dhawaan.
Loader AtProtect
Waxa la helay hawl ka masuul ah rarista iyo duritaanka hawsha msiexec.exe module gar-daran.
Xogta Xatooyo
- Isku dhafka nidaamka
- Depression iyo hawlo kala saarid
Waxay u badan tahay in sirta xogta inta lagu jiro isgaadhsiinta shabakadu dhawaan la hirgelin doono. - Joojinta hababka antivirus
| zlclient | Dvp95_0 | Pavsched | avgserv9 |
| egi | Ecengine | Pavw | avgserv9schedapp |
| badheedh ah | Esafe | PCCIOMON | avgemc |
| npfmsg | Espwatch | PCCMAIN | shwebsv |
| olydbg | F-Agnt95 | PCwin98 | ashdisp |
| anubis | Findvir | Pcfwallicon | ashmaysv |
| wireshark | Fprot | Persfw | ashserver |
| avastui | F-Prot | POP3TRAP | aswUpdSv |
| _Avp32 | F-Prot95 | PVIEW95 | symwsc |
| vsmon | Fp-Win | Rav 7 | Norton |
| mbam | Frw | Rav7win | Norton Auto-Ilaalinta |
| furaha | F-Stopw | Samatabbixinta | norton_av |
| _Avpcc | Iamapp | Safeweb | nortonav |
| _Avpm | Iamserv | Iskaan 32 | ccsetmgr |
| Ackwin32 | Ibmasn | Iskaan 95 | ccevtmgr |
| Soo bixid | Ibmavsp | Scanpm | avadmin |
| Anti-Trojan | Icload95 | Scrscan | avcenter |
| KA-hortagga | Icloadnt | Adeegga95 | avgnt |
| Apvxdwin | Icmon | smc | avguard |
| DHAQAN | Icsup95 | SMCSERVICE | garwaaqsi |
| Autodown | Icsupnt | Snort | avscan |
| Avconsol | Iface | sphinx | guardgui |
| Waddada32 | Iomon98 | Xaaq95 | nod32krn |
| Avgctrl | Jedi | SYMPROXYSVC | nod32kui |
| Avkserver | Quful2000 | Tbscan | clamscan |
| Avnt | fiirsasho | Tca | clamTray |
| Avp | Luall | Tds2-98 | clamWin |
| Avp32 | macafee | Tds2-Nt | cusub |
| Avpcc | Moolive | TermiNET | oladdin |
| Avpdos32 | MPftray | Vet95 | sigtool |
| Avpm | N32scanw | Vetray | w9xpopen |
| Avptc32 | NAVAPSVC | Vscan40 | Xir |
| Avpupd | NAVAPW32 | Vsecomr | cmgradian |
| Avsched32 | NAVLU32 | Vshwin32 | alogserver |
| AVSYNMGR | Navnt | Vsstat | mcshield |
| Awwin95 | NAVRUNR | Webscanx | vshwin32 |
| Avwupd32 | Navw32 | SHABEEBKA | avconsol |
| Blackd | Navwnt | Wfindv32 | vsstat |
| Madow | NeoWatch | Zone alarm | avsynmgr |
| Cfiadmin | NISSERV | LOCKDOWN2000 | avcmd |
| Cfiaudit | Nisum | BADBAADIN32 | avconfig |
| Cfinet | Nmain | LUCOMSERVER | licmgr |
| Cfinet32 | Normist | avgcc | jeexjeexay |
| Claw95 | NORTON | avgcc | horudhac |
| Claw95cf | Kordhi | avgamsvr | MsMpEng |
| nadiifiye | Nvc95 | avgupsvc | MSASCui |
| Nadiifiye3 | Soo bixid | avgw | Avira.Systray |
| Defwatch | Padmin | avgcc32 | |
| Dvp95 | Pavcl | avgserver |
- Is-burburinta
- Soodejinaya xogta qoraalka kheyraadka ee la cayimay
- Koobiyaynta fayl ku socda wadada %Temp%tmpG[Taariikhda iyo wakhtiga hadda ee millise seconds].tmp
Waxa xiiso leh, shaqo isku mid ah ayaa ku jirta AgentTesla malware. - shaqeynta Gooryaanka
Malware-ku wuxuu helayaa liiska warbaahinta la saari karo. Nuqul ka mid ah malware-ka ayaa lagu abuuray xididka nidaamka faylka warbaahinta ee magaca leh Sys.exe. Autorun waxaa lagu fuliyaa iyadoo la isticmaalayo fayl autorun.inf.
Muuqaalka weerarka
Inta lagu guda jiro falanqaynta xarunta taliska, waxaa suurtagal ah in la dhiso emailka iyo naanaysta horumariyaha - Razer, aka Brwa, Brwa65, HiDDen PerSOn, 404 Coder. Marka xigta, waxaanu ka helnay muuqaal xiiso leh YouTube-ka kaas oo muujinaya la shaqaynta wax-dhisaha.
Tani waxay suurtogal ka dhigtay in la helo kanaalka horumariyaha asalka ah.
Waxaa caddaatay inuu waayo-aragnimo u lahaa qorista cryptographers. Waxa kale oo jira xidhiidhiya boggaga shabakadaha bulshada, iyo sidoo kale magaca dhabta ah ee qoraaga. Waxa uu noqday qof degan Ciraaq.
Tani waa waxa loo malaynayo horumariyaha 404 Keylogger. Sawir laga soo qaaday boggiisa gaarka ah ee Facebook.
Kooxda CERT-IB ayaa ku dhawaaqday khatar cusub - 404 Keylogger - xarun XNUMX-saac ah oo la socodka iyo ka jawaabista hanjabaadaha internetka (SOC) ee Bahrain.
Source: www.habr.com