Compromise of a Pale Moon project server: malware planted in the archive of old releases

The author of the Pale Moon browser has disclosed the compromise of the server archive.palemoon.org, which held the archive of past browser releases up to and including version 27.6.2. During the break-in, the attackers infected every executable file of the Pale Moon installers for Windows stored on the server with malware. According to preliminary data, the malicious substitution was made on December 27, 2017, and was discovered only on July 9, 2019, so it went unnoticed for about a year and a half.

The affected server is currently offline for investigation. The server from which current Pale Moon releases are distributed is not affected; the problem concerns only older Windows builds installed from the archive (releases are moved to the archive when newer versions are published). At the time of the break-in, the server ran Windows on a virtual machine rented from the hosting operator Frantech/BuyVM. It is not yet clear which vulnerability was exploited, nor whether it was specific to Windows or involved one of the third-party server applications running on the host.

After gaining access, the attackers selectively infected all exe files related to Pale Moon (installers and self-extracting archives) with the trojan Win32/ClipBanker.DY, which is designed to steal cryptocurrency by replacing bitcoin addresses in the clipboard. Executable files inside zip archives were not touched. A user could have detected the tampered installers by checking the digital signatures or the SHA256 hashes published alongside the files. The malware used is also detected by most current antivirus products.
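The hash check mentioned above, as an added example (not code from the Pale Moon project or from opennet.ru): a small verifier that compares every file in a release directory with a sha256sum-style manifest ("digest  filename" per line) and reports files that are modified, missing, or present without any manifest entry. The file names, contents and the tampering step in the demo are constructed for illustration only.

```python
"""Verify release artifacts against a SHA256 manifest.

Added example, not code from the Pale Moon project. Assumes a manifest in the
sha256sum format ("<hex digest>  <filename>"); all file names and digests in
the demo below are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB read size so large installers are not loaded whole


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'DIGEST  NAME' lines (sha256sum format) into {name: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        # sha256sum prefixes the name with '*' for binary mode; drop it.
        name = name.lstrip("*").strip()
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_tree(root: Path, expected: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under root with the manifest.

    Returns {'ok': [...], 'modified': [...], 'missing': [...], 'unlisted': [...]}.
    'modified' is the case the incident describes: an installer whose bytes on
    disk no longer match the digest published for it.
    """
    report = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for name, digest in expected.items():
        if name not in present:
            report["missing"].append(name)
        elif sha256_file(root / name) == digest:
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    # Files nobody published a digest for deserve a look as well.
    report["unlisted"] = sorted(present - expected.keys())
    for key in ("ok", "modified", "missing"):
        report[key].sort()
    return report


def demo() -> dict[str, list[str]]:
    """Build a constructed archive tree, tamper with one .exe, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample artifacts, not real Pale Moon files
            "palemoon-27.6.2.win32.installer.exe": b"MZ installer bytes",
            "palemoon-27.6.2.win32.zip": b"PK zip bytes",
            "palemoon-27.6.1.win32.installer.exe": b"MZ older installer",
        }
        for name, data in files.items():
            (root / name).write_bytes(data)
        # Manifest captured while the files were still clean.
        manifest = "\n".join(f"{sha256_file(root / n)}  {n}" for n in files)
        # Simulate an in-place modification of one installer and a dropped file.
        (root / "palemoon-27.6.2.win32.installer.exe").write_bytes(b"MZ installer bytes + trojan")
        (root / "unexpected.exe").write_bytes(b"MZ dropped later")
        return verify_tree(root, parse_manifest(manifest))


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9s} {names}")
```

The manifest must come from somewhere the attacker could not rewrite along with the binaries (a separate host, a signed release note, or a copy taken at build time); a digest file sitting next to the installers on the same compromised server proves nothing. For the signature side of the check on Windows, `Get-AuthenticodeSignature` in PowerShell reports whether an exe still carries a valid publisher signature, which an in-place patch of the file would break.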

On May 26, 2019, during further attacker activity on the server (it is unclear whether these were the same attackers as in the original break-in or different ones), normal operation of archive.palemoon.org was disrupted: the host could no longer reboot and its data was damaged. This included the loss of the system logs, which might have held more detailed traces showing the nature of the attack. At the time of this failure the administrators were still unaware of the compromise and brought the archive back into service on a new CentOS-based environment, replacing FTP downloads with HTTP. Because the incident had gone unnoticed, the already-infected archive files were carried over to the new server.

In analysing the possible causes of the compromise, the following routes are considered: guessing the password of the hosting provider's staff account, direct access to the server, an attack on the hypervisor to take control of other virtual machines, a break-in to the web control panel, hijacking of a remote desktop session (RDP was in use), or exploitation of a vulnerability in Windows Server. The malicious changes were made on the server itself by a script that patched the existing executable files in place, rather than by re-uploading replacements from outside.

The project author states that he alone had system administrator access, that access was restricted to a single IP address, and that the underlying Windows OS was kept up to date and protected against external attacks. At the same time, RDP and FTP were used for remote access, and potentially insecure software was run on the virtual machine, either of which could have led to the break-in. Nevertheless, the Pale Moon author is inclined to believe that the compromise resulted from inadequate protection of the provider's virtual machine infrastructure (for comparison, the OpenSSL website was once compromised after a weak provider password was guessed for the virtualization management interface).

Source: opennet.ru
