Waxaan sii wadeynaa maqaalladayada taxanaha ah ee u go'an falanqaynta malware. IN Qayb ahaan, waxaanu u sheegnay sida Ilya Pomerantsev, oo ku takhasusay falanqaynta malware-ka ee CERT Group-IB, uu u sameeyay falanqayn tafatiran oo ku saabsan fayl lagu soo diray boostada mid ka mid ah shirkadaha Yurub oo uu halkaas ka helay spyware. AgentTesla. Maqaalkani, Ilya wuxuu bixiyaa natiijooyinka falanqaynta tallaabo-tallaabo ee cutubka ugu muhiimsan AgentTesla.
Wakiilka Tesla waa software basaasnimo modular ah oo la qaybiyay iyadoo la adeegsanayo qaab-adeeg ahaan malware-ka oo hoos imanaya magaca badeecada keylogger ee sharciga ah. Wakiilka Tesla wuxuu awood u leeyahay inuu ka soo saaro oo u gudbiyo aqoonsiga isticmaalaha daalacashada, macaamiisha iimaylka iyo macaamiisha FTP ee server-ka si ay u weeraraan, duubaan xogta sabuuradaha, iyo qabashada shaashadda qalabka. Waqtiga falanqaynta, mareegaha rasmiga ah ee horumariyayaashu lama helin.
Faylka qaabaynta
Jadwalka hoose waxa uu liis-garaynayaa hawsha khusaysa muunada aad isticmaalayso:
| Description | qiimaha |
| Calanka isticmaalka KeyLogger | run |
| Calan isticmaalka ScreenLogger | been ah |
| KeyLogger log soo diraya inta u dhaxaysa daqiiqado gudahood | 20 |
| ScreenLogger log soo diraya inta u dhaxaysa daqiiqado gudahood | 20 |
| Calan maaraynta furaha booska dambe. Been - gooynta kaliya. Run - waxay tirtirtaa furihii hore | been ah |
| Nooca CNC. Ikhtiyaarada: smtp, webpanel, ftp | SMTP |
| Calan kicinta xadhigga si loo joojiyo geeddi-socodyada liiska "% filter_list%" | been ah |
| UAC waxay joojisaa calanka | been ah |
| Maareeyaha Hawsha demi calanka | been ah |
| CMD waxay joojisaa calanka | been ah |
| Dariishada dariisow calanka | been ah |
| Daawaha Diiwaanka Daar Calanka | been ah |
| Dami nidaamka soo celinta calanka | run |
| Guddida xakamaynta waxay joojisaa calanka | been ah |
| MSCONFIG dami calanka | been ah |
| Calan si aad u damiso liiska macnaha guud ee Explorer | been ah |
| Calanka biinanka | been ah |
| Jidka koobiyaynta moduleka ugu muhiimsan marka lagu dhejiyo nidaamka | %startupfolder% %infolder%% inname% |
| Calan dejinta sifooyinka "Nidaamka" iyo "Qarin" ee cutubka ugu muhiimsan ee loo qoondeeyay nidaamka | been ah |
| Calan si aad dib u bilowdo marka lagu dhejiyo nidaamka | been ah |
| Calan u raridda cutubka ugu muhiimsan gal ku meel gaar ah | been ah |
| UAC calan dhaaf | been ah |
| Qaabka taariikhda iyo wakhtiga ee gaynta | yyyy-MM-dd HH:mm:ss |
| Calan u isticmaal shaandhada barnaamijka KeyLogger | run |
| Nooca shaandhaynta barnaamijka. 1 – magaca barnaamijka waxaa laga dhex raadiyaa cinwaanada daaqada 2 – Magaca barnaamijka waxaa laga raadiyaa magaca nidaamka daaqada |
1 |
| Shaandhaynta barnaamijka | "facebook" "twitter" "gmail" "instagram" "filim" "skype" "porn" "Hack" "Whatsapp" "khilaaf" |
Ku dhejinta cutubka ugu muhiimsan nidaamka
Haddii calanka u dhigma la dejiyo, moduleka ugu weyn waxaa lagu koobiyeeyay dariiqa ku qeexan qaabaynta sida dariiqa loo qoondeeyay nidaamka.
Iyadoo ku xiran qiimaha qaabeynta, faylka waxaa la siiyaa sifooyinka "Qarin" iyo "System".
Autorun waxaa bixiya laba laamood oo diiwaanka:
- HKCU SoftwareMicrosoftWindowsCurrentVersionRun%insregname%
- HKCUSOFTWAREMIMicrosoftWindowsCurrentVersionExplorerStartup ApprovedRun %insregname%
Tan iyo markii bootloader-ku durayo habka RegAsm, dejinta calanka joogtada ah ee cutubka ugu muhiimsan waxay keenaysaa cawaaqib aad u xiiso badan. Halkii uu iska koobi lahaa, malware-ku wuxuu ku lifaaqay feylkii asalka ahaa nidaamka RegAsm.exe, inta lagu guda jiro duritaanka.
Isdhexgalka C&C
Iyadoo aan loo eegin habka loo isticmaalo, isgaarsiinta shabakadu waxay ka bilaabataa helitaanka IP-ga dibadda ee dhibbanaha iyadoo la adeegsanayo kheyraadka [.]amazonaws[.]com/.
Kuwa soo socdaa waxay qeexayaan hababka is dhexgalka shabakada ee lagu soo bandhigay software-ka.
webpanel
Is dhexgalka wuxuu ku dhacaa hab-maamuuska HTTP. Malware-ku wuxuu fulinayaa codsiga POST isagoo wata madaxyada soo socda:
- Wakiilka Isticmaalaha: Mozilla/5.0 (Windows U Windows NT 6.1 ru rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
- Xiriirinta: Hay-Nool
- Nuxurka-Nooca: codsi/x-www-form-urlencoded
Ciwaanka serverka waxa lagu qeexay qiimaha %PostURL%. Fariinta sirta ah waxaa lagu soo diraa cabbirka «P». Habka sirta ayaa lagu qeexay qaybta "Encryption Algorithms" (Qaabka 2).
Fariinta la gudbiyay waxay u egtahay sidan:
type={0}nhwid={1}ntime={2}npcname={3}nlogdata={4}nscreen={5}nipadd={6}nwebcam_link={7}nclient={8}nlink={9}nusername={10}npassword={11}nscreen_link={12}
Xildhibaan nooca waxay tilmaamaysaa nooca fariinta:
hwid - xashiish MD5 ayaa laga duubay qiyamka lambarka taxanaha Motherboard-ka iyo aqoonsiga processor-ka. Waxay u badan tahay in loo isticmaalo aqoonsiga isticmaale ahaan.
waqtiga - waxay u adeegtaa gudbinta wakhtiga iyo taariikhda hadda.
pcname - lagu qeexay sida /.
logdata - xogta log.
Marka la gudbinayo furaha sirta ah, fariintu waxay u egtahay:
type={0}nhwid={1}ntime={2}npcname={3}nlogdata={4}nscreen={5}nipadd={6}nwebcam_link={7}nscreen_link={8}n[passwords]
Kuwa soo socdaa waa sharaxaadda xogta la xaday ee qaabka nclient[]={0}nlink[]={1}nusername[]={2}npassword[]={3}.
SMTP
Is dhexgalka wuxuu ku dhacaa hab-maamuuska SMTP. Xarafka la gudbiyay waa qaab HTML ah. Halbeegga JIRKA waxay u egtahay:
Ciwaanka warqaddu waxa uu leeyahay foomka guud ee soo socda: / . Nuxurka warqadda, iyo sidoo kale lifaaqa, lama sir.
Is dhexgalka wuxuu ku dhacaa habka FTP. Fayl magaca leh waxaa loo wareejiyaa serverka la cayimay _-_.html. Waxa ku jira faylka lama sir.
Algorithms-ka sireed
Kiiskan waxa uu isticmaalaa hababka sirta ah ee soo socda:
Habka 1
Habkan waxaa loo isticmaalaa in lagu sireeyo xargaha cutubka ugu muhiimsan. Algorithm-ka loo isticmaalo sirta waa AES.
Gelintu waa jajab tobanle lix-god ah. Isbeddelka soo socda ayaa lagu sameeyaa iyada:
f(x) = (( (x >> 2 - 31059) ^ 6380) - 1363) >> 3
Qiimaha natiijadu waa tusaha isku xidhka xogta.
Cunsurka array kastaa waa taxane DWORD. Marka la isku daro DWORD 32 bytes ee ugu horreeya waa furaha sirta ah, oo ay ku xigto 16 bytes ee vector-ka bilawga ah, inta soo hartayna waa xogta sir ah.
Habka 2
Algorithm la isticmaalay 3DES qaabka Afkhanistan oo leh suuf dhan bytes (PKCS7).
Furaha waxaa lagu qeexay cabbirka %urlkey%, si kastaba ha ahaatee, sirtu waxay isticmaashaa xashiishkeeda MD5.
Shaqeynta xaasidnimada leh
Muunadda daraasadda lagu sameeyay waxay isticmaashaa barnaamijyada soo socda si ay u hirgeliso hawsheeda xaasidnimo:
logger key
Haddii uu jiro calan u dhigma malware-ka iyadoo la isticmaalayo hawsha WinAPI SetWindowsHookEx waxay u xilsaartaa maamuleheeda dhacdooyinka riixida furaha ee kiiboodhka. Hawsha maamuluhu waxa ay ku bilaabataa helida ciwaanka daaqada firfircoon.
Haddii calanka shaandhaynta codsiga la dejiyo, shaandhaynta waxa la sameeyaa iyadoo ku xidhan nooca la cayimay:
- magaca barnaamijka waxaa laga raadiyaa cinwaanada daaqada
- magaca barnaamijka waxa lagu eegayaa habka daaqada magaca
Marka xigta, diiwaan ayaa lagu daraa loguska macluumaadka ku saabsan daaqada firfircoon ee qaabka:
Markaa macluumaadka ku saabsan furaha la riixay waa la duubayaa:
| Furaha | Diiwaan geli |
| Dib u celi | Iyada oo ku xidhan calanka habaynta furaha Backspace: Been – {DIB} Run - waxay tirtirtaa furihii hore |
| CAPSLOCK | {CAPSLOCK} |
| ESC | {ESC} |
| Bogga | {PageUp} |
| Down | ↓ |
| tirtirto | {DEL} |
| " | " |
| F5 | {F5} |
| & | & |
| F10 | {F10} |
| TAB | {TAB} |
| < | < |
| > | > |
| Meel bannaan | |
| F8 | {F8} |
| F12 | {F12} |
| F9 | {F9} |
| ALT + TAB | {ALT+TAB} |
| END | {DHAMMAAD} |
| F4 | {F4} |
| F2 | {F2} |
| Ctrl | {CTRL} |
| F6 | {F6} |
| Xuquuqda | → |
| Up | & uarr; |
| F1 | {F1} |
| Left | ← |
| PageDown | {Page Down} |
| insert | { Geli } |
| Win | {guulaysi} |
| Numlock | {NumLock} |
| F11 | {F11} |
| F3 | {F3} |
| HOME | {GURI} |
| GELIN | {geli} |
| ALT + F4 | {ALT+F4} |
| F7 | {F7} |
| Furaha kale | Dabeecaddu waxay ku taal kiis sare ama hoose iyadoo ku xidhan boosaska CapsLock iyo furayaasha Shift |
Inta jeer ee la cayimay, diiwaanka la ururiyay waxaa loo diraa serfarka. Haddii wareejintu ay guul darreysato, diiwaanka waxaa lagu kaydiyaa fayl %TEMP%log.tmp qaab ahaan:
Marka saacaduhu dabco, faylka waxaa loo wareejin doonaa server-ka.
ScreenLogger
Inta jeer ee la cayimay, malware-ku wuxuu abuuraa sawir-qaadis qaabka Jpeg macne leh Tayada oo le'eg 50 wuxuuna ku kaydiyaa fayl %APPDATA % .jpg. Ka dib wareejinta, faylka waa la tirtiray.
ClipboardLogger
Haddii calanka ku habboon la dejiyo, beddelaad ayaa lagu sameeyaa qoraalka la dhexgalay sida ku cad shaxda hoose.
Intaa ka dib, qoraalka ayaa la geliyey log:
Furaha sirta ah tuugta
Malware-ku wuxuu soo dejisan karaa furaha sirta ah ee codsiyada soo socda:
| Browser | Macaamiisha boostada | Macaamiisha FTP |
| Chrome | Muuqaalka | FileZilla |
| Firefox | Thunderbird | WS_FTP |
| IE/Edge | Foxmail | WinSCP |
| Safari | Boostada Opera | CoreFTP |
| Browser Opera | IncrediMail | FTP Navigator |
| Yandex | Pocomail | FlashFXP |
| Comodo | Eudora | SmartFTP |
| ChromePlus | TheBat | Taliyaha FTP |
| chromium | Sanduuqa boostada | |
| Shuclada | ClawsMail | |
| 7Star | ||
| Amigo | ||
| BraveSoftware | macaamiisha Jabber | macaamiisha VPN |
| CentBrowser | Psi/Psi+ | Furan VPN |
| Chedot | ||
| CocCoc | ||
| Qaybaha Browser | Soo dejiso Maareeyayaasha | |
| Browser asturnaanta Epic | Maareeyaha Internet Download | |
| Comet | JDownloader | |
| orbitum | ||
| Sputnik | ||
| uCozMedia | ||
| Vivaldi | ||
| SeaMonkey | ||
| Browser Flock | ||
| UC Browser | ||
| BlackHawk | ||
| CyberFox | ||
| K-meleon | ||
| bisad baraf | ||
| icedragon | ||
| PaleMoon | ||
| WaterFox | ||
| Falcon Browser |
Ka-hortagga falanqaynta firfircoon
- Isticmaalka shaqada Hurdo. Waxay kuu ogolaataa inaad dhaafto sanduuqyada-cammuudka qaarkood marka wakhtigu dhammaanayo
- Dumin dunta Aagga.Cadee. Kuu ogolaanayaa inaad qariso xaqiiqda ka soo degista faylka internetka
- Qiyaas ahaan %filter_list% qeexaa liiska hababka uu malware-ku joojin doono inta u dhaxaysa hal ilbiriqsi
- Kala goynta UAC
- Deminta maamulaha hawsha
- Kala goynta CMD
- Deminta daaqada "Bыполнить"
- Deminta Guddida Xakamaynta
- Deminta qalabka RegEdit
- Naafaynta dhibcaha soo celinta nidaamka
- Dami liiska macnaha guud ee Explorer
- Kala goynta MSCONFIG
- Ka gudub UAC:
Tilmaamaha aan firfircoonayn ee cutubka ugu muhiimsan
Inta lagu jiro falanqaynta cutubka ugu muhiimsan, shaqooyinka ayaa la aqoonsaday kuwaas oo mas'uul ka ahaa faafinta shabakada iyo la socodka booska jiirka.
Worm
Dhacdooyinka isku xidhka warbaahinta la saari karo waxaa lagula socdaa dun gaar ah. Marka la xidho, malware-ka leh magaca waxa lagu koobiyeeyaa xididka nidaamka faylka scr.exe, ka dib markaa waxay raadisaa faylasha leh kordhinta lnk. Kooxda qof walba lnk u beddelo cmd.exe /c bilow scr.exe&bilow & ka bax.
Tusi kasta oo salka u ah warbaahinta waxa la siiyaa sifo "Qaran" iyo fayl la abuuray kordhinta lnk oo leh magaca diiwaanka qarsoon iyo amarka cmd.exe /c bilow scr.exe & sahamiyaha / xididka,"% CD% " & bixi.
MouseTracker
Habka loo sameeyo dhexda ayaa la mid ah kan loo isticmaalo kiiboodhka. Shaqadani wali way ku socotaa horumar
Dhaqdhaqaaqa faylka
| Jidka | Description |
| %Temp%temp.tmp | Waxa ku jira miiska isku dayga dhaafitaanka UAC |
| %startupfolder%% gelis %% inname% | Dariiqa loo qoondeeyay nidaamka HPE |
| %Temp%tmpG{wakhtiga hadda ee millise seconds}.tmp | Jidka loogu talagalay kaydinta moduleka ugu weyn |
| %Temp%log.tmp | Gal gal |
| %AppData%{Taxane aan sabab lahayn oo ah 10 xaraf}.jpeg | Screenshots |
| C:UsersPublic{Tix-raac aan sabab lahayn oo 10 xaraf ah}.vbs | Jidka faylka vbs ee bootloader u isticmaali karo si uu ugu dhejiyo nidaamka |
| %Temp%{Custom folder name} Magaca faylka} | Jidka uu isticmaalo bootloader si uu ugu xidho nidaamka |
Muuqaalka weerarka
Thanks to hardcoded xogta xogta, waxaan awoodnay inaan galno xarunta taliska.
Tani waxay noo ogolaatay inaan aqoonsanno iimaylka ugu dambeeya ee weeraryahannada:
junaid[.]in***@gmail[.]com.
Magaca domainka ee xarunta taliska waxa uu ku diiwaan gashan yahay boostada sg***@gmail[.]com.
gunaanad
Intii lagu jiray falanqaynta faahfaahsan ee malware-ka loo adeegsaday weerarka, waxaan awoodnay inaan dejino shaqeyntiisa oo aan helno liiska ugu dhameystiran ee tilmaamayaasha tanaasulka ee khuseeya kiiskan. Fahamka hababka is dhexgalka shabakada ee ka dhexeeya malware ayaa suurtageliyay in la bixiyo talooyin ku saabsan hagaajinta hawlgalka qalabka amniga macluumaadka, iyo sidoo kale qorista sharciyada IDS ee deggan.
Khatarta ugu weyn AgentTesla sida DataStealer taas oo ah in aysan u baahnayn in ay gasho nidaamka ama sugto amarka xakamaynta si ay u qabato hawlaheeda. Marka mashiinka, isla markiiba wuxuu bilaabaa ururinta macluumaadka gaarka ah wuxuuna u gudbiyaa CnC. Dabeecaddan gardarada ah ayaa siyaabooyin qaar ula mid ah dhaqanka ransomware, iyadoo farqiga kaliya uu yahay in kan dambe uusan xitaa u baahnayn xiriir shabakad. Haddii aad la kulanto qoyskan, ka dib markaad nadiifiso nidaamka cudurka qaba malware laftiisa, waa inaad hubaal ka beddeshaa dhammaan furayaasha sirta ah ee, ugu yaraan aragti ahaan, lagu keydin karo mid ka mid ah codsiyada kor ku xusan.
Inaga oo hore u eegayna, aynu nidhaahno weeraryahannada ayaa soo diraya AgentTesla, Raadiyaha boot-ka bilowga ah ayaa la beddelaa marar badan. Tani waxay kuu ogolaaneysaa inaad ka warqabto iskaannada taagan iyo falanqeeyayaasha heuristic waqtiga weerarka. Iyo u janjeera qoyskan in ay isla markiiba bilaabaan hawlahooda ayaa ka dhigaya kormeerayaasha nidaamka mid aan faa'iido lahayn. Habka ugu fiican ee lagula dagaallamo AgentTesla waa falanqaynta hordhaca ah ee sanduuqa ciid.
Maqaalka saddexaad ee taxanahan waxaan ku eegi doonaa bootloaders kale oo la isticmaalo AgentTesla, iyo sidoo kale derso habka wax-ka-soo-saarkooda semi-otomaatigga ah. Ha seegin!
Hash
| SHA1 |
| A8C2765B3D655BA23886D663D22BDD8EF6E8E894 |
| 8010CC2AF398F9F951555F7D481CE13DF60BBECF |
| 79B445DE923C92BF378B19D12A309C0E9C5851BF |
| 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
C&C
| URL |
| sina-c0m[.] icu |
| smtp[.]sina-c0m[.] icu |
RegKey
| Diiwaangelinta |
| HKCUSoftwareMicrosoftWindowsCurrentVersionRun{Script name} |
| HKCUSoftwareMicrosoftWindowsCurrentVersionRun%insregname% |
| HKCUSOFTWAREMIMicrosoftWindowsCurrentVersionExplorerStartup ApprovedRun%insregname% |
mutexes
Ma jiraan tilmaameyaal.
files
| Dhaqdhaqaaqa faylka |
| %Temp%temp.tmp |
| %startupfolder%% gelis %% inname% |
| %Temp%tmpG{wakhtiga hadda ee millise seconds}.tmp |
| %Temp%log.tmp |
| %AppData%{Taxane aan sabab lahayn oo ah 10 xaraf}.jpeg |
| C:UsersPublic{Tix-raac aan sabab lahayn oo 10 xaraf ah}.vbs |
| %Temp%{Custom folder name} Magaca faylka} |
Tusaalooyinka Macluumaadka
| magaca | Unknown |
| MD5 | F7722DD8660B261EA13B710062B59C43 |
| SHA1 | 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| SHA256 | 41DC0D5459F25E2FDCF8797948A7B315D3CB0753 98D808D1772CACCC726AF6E9 |
| nooca | PE (.NET) |
| Cabbirka | 327680 |
| Magaca asalka ah | AZZRIDKGGSLTYFUUBCCRRCUMRKTOXFVPDKGAGPUZI_20190701133545943.exe |
| Taariikhda Stamp | 01.07.2019 |
| Sababaha | VB.NET |
| magaca | IELibrary.dll |
| MD5 | BFB160A89F4A607A60464631ED3ED9FD |
| SHA1 | 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
| SHA256 | D55800A825792F55999ABDAD199DFA54F3184417 215A298910F2C12CD9CC31EE |
| nooca | PE (.NET DLL) |
| Cabbirka | 16896 |
| Magaca asalka ah | IELibrary.dll |
| Taariikhda Stamp | 11.10.2016 |
| Sababaha | Microsoft Linker (48.0*) |
Source: www.habr.com