Buhtrap backdoor and Buhtrap ransomware distributed via Yandex.Direct

To target accountants in a cyberattack, you can use the work documents they search for online. That is roughly what a cybercriminal group has been doing over the past few months, distributing the known Buhtrap and RTM backdoors together with ransomware and cryptocurrency-stealing software. Most of the targets are located in Russia. The attack was carried out by placing malicious ads in Yandex.Direct. Potential victims were sent to a website where they were asked to download a malicious file disguised as a document template. Yandex removed the malicious ad after our notification.

The Buhtrap source code leaked online some time ago, so anyone can use it. We have no information about the availability of the RTM code.

In this post we describe how the attackers distributed the malware using Yandex.Direct and hosted it on GitHub. The post concludes with a technical analysis of the malware.


Buhtrap and RTM are back in business

Distribution and victimology

The various payloads delivered to victims share the same distribution mechanism. All malicious files created by the attackers were placed in two different GitHub repositories.

Typically, a repository contained a single downloadable malicious file that changed frequently. Since GitHub lets you view a repository's change history, we can see exactly which malware was distributed at a given time. To convince the victim to download the malicious file, the website blanki-shabloni24[.]ru was used (shown in a screenshot in the original post).

The site's design and all the malicious file names follow a single theme: forms, templates, contracts, samples, and so on. Given that Buhtrap and RTM had already been used in attacks against accountants in the past, we assumed the new campaign followed the same strategy. The only open question was how the victim reached the attackers' website.

Infection

At least some of the potential victims who ended up on this site were brought there by malicious ads. Here is an example URL:

https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&pm_source=bb.f2.kz&pm_block=none&pm_position=0&yclid=1029648968001296456

As the link shows, the banner was placed on the legitimate accounting forum bb.f2[.]kz. It is worth noting that banners appeared on several different sites, all carried the same campaign id (blanki_rsya), and most of the sites relate to accounting or legal services. The URL also shows that the potential victim used the search query "download invoice form", which supports our hypothesis of targeted attacks. Below are the sites on which the banners appeared and the associated search queries.

  • download invoice form – bb.f2[.]kz
  • sample contract – Ipopen[.]ru
  • sample claim application – 77metrov[.]ru
  • agreement form – blank-dogovor-kupli-prodazhi[.]ru
  • sample court petition – zen.yandex[.]ru
  • sample complaint – yurday[.]ru
  • sample contract forms – Regforum[.]ru
  • contract form – assistentus[.]ru
  • sample apartment lease agreement – napravah[.]com
  • sample legal contracts – avito[.]ru

The blanki-shabloni24[.]ru site may well have been built to pass a casual visual inspection. An ad pointing to a professional-looking site that links to GitHub does not usually look obviously malicious. Moreover, the attackers uploaded the malicious files to the repository only for a limited time, presumably while a campaign was running. Most of the time the GitHub repository contained an empty zip archive or an empty EXE file. The attackers could therefore place ads through Yandex.Direct on sites likely to be visited by accountants arriving from specific search queries.

Next, let us look at the various payloads distributed this way.

Payload analysis

Distribution timeline

The malicious campaign began at the end of October 2018 and was still active at the time of writing. Because the whole repository was publicly available on GitHub, we were able to compile an accurate timeline of the distribution of six different malware families (see the figure below). We added a line showing when the banner link was observed, as measured by ESET telemetry, for comparison with the git history. As you can see, it correlates well with the availability of the payload on GitHub. The discrepancy at the end of February is explained by the fact that we were missing part of the change history: the repository was removed from GitHub before we could retrieve it in full.

Figure 1. Malware distribution timeline.

Code-signing certificates

The campaign used several certificates. Some of them signed more than one malware family, which again indicates that the different samples belong to the same campaign. Despite holding the private keys, the operators did not sign binaries systematically and did not use a key for all samples. At the end of February 2019 the attackers started producing invalid signatures using a Google certificate for which they did not have the private key.

All certificates involved in the campaign, and the malware families they signed, were listed in a table in the original post (reproduced there as an image).

We also used these code-signing certificates to look for links to other malware families. For most of the certificates we found no samples that had not been distributed through the GitHub repository. However, the TOV "MARIYA" certificate was used to sign malware of the Wauchos botnet, adware and miners. That malware does not appear to be related to this campaign; the certificate was probably bought on the darknet.

Win32/Filecoder.Buhtrap

The first component that caught our attention was the newly discovered Win32/Filecoder.Buhtrap. It is a Delphi binary that is sometimes packed. It was distributed mainly in February and March 2019. It behaves as ransomware is expected to: it enumerates local drives and network shares and encrypts the files it finds. It does not need an Internet connection to do its damage, because it does not contact a server to submit encryption keys. Instead, it appends a "token" to the end of the ransom note and suggests using email or Bitmessage to contact the operators.

To encrypt as many valuable resources as possible, Filecoder.Buhtrap runs a thread designed to terminate key software that may hold open handles on files with valuable data, which would otherwise block encryption. The targeted processes are mainly database management systems (DBMS). In addition, Filecoder.Buhtrap deletes log files and backups to make data recovery harder. It does so by running the batch script below.

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete systemstatebackup -keepversions:0
wbadmin delete backup
wmic shadowcopy delete
vssadmin delete shadows /all /quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib "%userprofile%\documents\Default.rdp" -s -h
del "%userprofile%\documents\Default.rdp"
wevtutil.exe clear-log Application
wevtutil.exe clear-log Security
wevtutil.exe clear-log System
sc config eventlog start=disabled
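The script above is a compact list of what a detection engineer should alert on: shadow-copy and backup-catalog deletion, boot recovery disabled, RDP history wiped and event logs cleared, all launched from one parent process within seconds. The following is an added example (not ESET's or the malware's code) of that detection logic run over constructed process-creation events; the event field names are modelled on Sysmon Event ID 1 and are an assumption to adapt to your own pipeline.

```python
"""Detect the recovery-inhibition / anti-forensics commands run by Filecoder.Buhtrap.

Added example, not ESET's or the malware's code. Event dictionaries below are
constructed to resemble Sysmon Event ID 1 fields (assumed names).
"""
import re
from collections import defaultdict

# (tag, regex) pairs matched case-insensitively against a process command line.
# Each regex covers one of the commands in the batch script quoted above.
RULES = [
    ("shadow_copy_deletion",       r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("shadow_copy_deletion",       r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("backup_catalog_deletion",    r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup|backup)\b"),
    ("boot_recovery_disabled",     r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("event_log_cleared",          r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b"),
    ("event_log_service_disabled", r"\bsc(\.exe)?\b.*\bconfig\b.*\beventlog\b.*\bstart\s*=\s*disabled\b"),
    ("rdp_history_wiped",          r"\breg(\.exe)?\b.*\bdelete\b.*\\terminal server client\\"),
]
COMPILED = [(tag, re.compile(rx, re.IGNORECASE)) for tag, rx in RULES]


def classify_command(cmdline: str) -> set:
    """Return the set of tags a single command line triggers (empty if benign)."""
    return {tag for tag, rx in COMPILED if rx.search(cmdline)}


def score_parents(events, threshold: int = 3) -> dict:
    """Group process-creation events by parent PID and flag parents whose children
    hit at least `threshold` distinct tags. A lone 'vssadmin list shadows' is noise;
    shadow deletion + backup deletion + log clearing from one parent is the pattern."""
    tags_by_parent = defaultdict(set)
    for ev in events:
        tags_by_parent[ev["ParentProcessId"]] |= classify_command(ev["CommandLine"])
    return {ppid: tags for ppid, tags in tags_by_parent.items() if len(tags) >= threshold}


# Constructed sample telemetry: one cmd.exe parent (pid 4120) running the malware's
# batch script, plus an unrelated admin listing shadow copies from another shell.
SAMPLE_EVENTS = [
    {"ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": 'reg delete "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers" /f'},
    {"ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe clear-log Security"},
    {"ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": "sc config eventlog start=disabled"},
    {"ParentProcessId": 9001, "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for ppid, tags in score_parents(SAMPLE_EVENTS).items():
        print(f"ALERT parent pid {ppid}: {sorted(tags)}")
```

The threshold is deliberately on distinct tags per parent rather than on any single command: backup software and administrators legitimately run wbadmin and vssadmin, but nothing legitimate clears the Security log and disables the EventLog service in the same breath.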

Filecoder.Buhtrap uses the legitimate online service IP Logger, which is designed to collect information about a website's visitors. Here it serves to track ransomware victims, and the following command line is responsible (the original embeds an IP Logger tracking reference in the document.write() call; the argument did not survive in this copy):

mshta.exe "javascript:document.write('');"

A file is selected for encryption if it does not match any of three exclusion lists. First, files with the following extensions are not encrypted: .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys and .bat. Second, any file whose full path contains one of the directory strings in the list below is excluded.

.{ED7BA470-8E54-465E-825C-99712043E01C}
tor browser
opera
opera software
mozilla
mozilla firefox
internet explorer
google\chrome
google
boot
application data
apple computer\safari
appdata
all users
:\windows
:\system volume information
:\nvidia
:\intel

Third, certain file names are also excluded from encryption, among them the name of the ransom note. The list is given below. Clearly, all of these exclusions are meant to keep the machine bootable, but with minimal usability.

boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntdetect.com
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
winupas.exe
your files are now encrypted.txt
windows update assistant.lnk
master.exe
unlock.exe
unlocker.exe

File encryption scheme

Once executed, the malware generates a 512-bit RSA key pair. The private exponent (d) and modulus (n) are then encrypted with a hard-coded 2048-bit public key (public exponent and modulus), zlib-compressed and base64-encoded. The code responsible for this is shown in Figure 2.

Figure 2. Hex-Rays decompilation of the 512-bit RSA key pair generation routine.

Below is an example of the plaintext containing the generated private key; this is the token that gets attached to the ransom note.

DF9228F4F3CA93314B7EE4BEFC440030665D5A2318111CC3FE91A43D781E3F91BD2F6383E4A0B4F503916D75C9C576D5C2F2F073ADD4B237F7A2B3BF129AE2F399197ECC0DD002D5E60C20CE3780AB9D1FE61A47D9735036907E3F0CF8BE09E3E7646F8388AAC75FF6A4F60E7F4C2F697BF6E47B2DBCDEC156EAD854CADE53A239

The attackers' public key is given below.

e = [public exponent not preserved in this copy of the post]
n = 0x212ED167BAC2AEFF7C3FA76064B56240C5530A63AB098C9B9FA2DE18AF9F4E1962B467ABE2302C818860F9215E922FC2E0E28C0946A0FC746557722EBB35DF432481AC7D5DDF69468AF1E952465E61DDD06CDB3D924345A8833A7BC7D5D9B005585FE95856F5C44EA917306415B767B684CC85E7359C23231C1DCBBE714711C08848BEB06BD287781AEB53D94B7983EC9FC338D4320129EA4F568C410317895860D5A85438B2DA6BB3BAAE9D9CE65BCEA6760291D74035775F28DF4E6AB1A748F78C68AB07EA166A7309090202BB3F8FBFC19E44AC0B4D3D0A37C8AA5FA90221DA7DB178F89233E532FF90B55122B53AB821E1A3DB0F02524429DEB294B3A4EDD

Files are encrypted with AES-128-CBC using a 256-bit key, as the original analysis puts it (the stated key size does not match the AES-128 variant, so verify the key length against a sample before relying on it). A new key and a new initialization vector are generated for each encrypted file. The key material is appended to the end of the encrypted file. Let us look at the structure of an encrypted file.
Encrypted files carry the following header (shown as an image in the original post).

The source file data, together with the VEGA magic value, is encrypted up to the first 0x5000 bytes. All the decryption data is appended to the file with the following structure (also an image in the original post):

- The file-size field carries a flag indicating whether the file is larger than 0x5000 bytes
- AES key blob = ZlibCompress(RSAEncrypt(AES key + IV, public key of the generated RSA key pair))
- RSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hard-coded RSA public key))
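The consequence of this two-level scheme is that the victim machine never holds anything the operators need: the per-file AES key is wrapped with the freshly generated 512-bit public key, and that pair's private half leaves the machine only inside the token, wrapped with the attackers' hard-coded 2048-bit key. The following added example (not ESET's or the malware's code) models exactly that hierarchy so the round trip can be stepped through. It assumes textbook (unpadded) RSA, big-endian serialisation of d||n, and 48 random bytes standing in for the per-file AES key + IV; the AES-CBC layer over the file body itself is not reproduced.

```python
"""Model of the Filecoder.Buhtrap key hierarchy: per-file AES key wrapped with a
512-bit per-victim RSA key, whose private half is wrapped with the operators'
2048-bit key and shipped as the ransom-note token.

Added example, not ESET's or the malware's code. Assumptions: textbook RSA
without padding, big-endian d||n, random bytes in place of the real AES key + IV.
"""
import base64
import os
import random
import zlib

_SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int, e: int = 65537):
    """Return ((e, n), (d, n)) with a modulus of exactly `bits` bits."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return (e, n), (pow(e, -1, phi), n)


def rsa_encrypt(data: bytes, pub) -> bytes:
    e, n = pub
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message does not fit under the modulus")
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_decrypt(ct: bytes, priv, out_len: int) -> bytes:
    d, n = priv
    return pow(int.from_bytes(ct, "big"), d, n).to_bytes(out_len, "big")


VICTIM_BITS = 512              # per-victim pair generated at run time
KEY_BYTES = VICTIM_BITS // 8   # d and n are each stored in 64 bytes


def make_token(victim_priv, operator_pub) -> bytes:
    """The token appended to the ransom note:
    base64(zlib(RSAEncrypt(d || n, hard-coded operator public key)))."""
    d, n = victim_priv
    blob = d.to_bytes(KEY_BYTES, "big") + n.to_bytes(KEY_BYTES, "big")
    return base64.b64encode(zlib.compress(rsa_encrypt(blob, operator_pub)))


def wrap_file_key(victim_pub, aes_key_iv: bytes) -> bytes:
    """The AES key blob in a file's trailer: zlib(RSAEncrypt(key || IV, victim public key))."""
    return zlib.compress(rsa_encrypt(aes_key_iv, victim_pub))


def operator_recover(token: bytes, operator_priv, aes_blob: bytes) -> bytes:
    """Operator side after payment: unwrap the victim private key from the token,
    then unwrap the per-file AES key + IV with it."""
    blob = rsa_decrypt(zlib.decompress(base64.b64decode(token)), operator_priv, 2 * KEY_BYTES)
    victim_priv = (int.from_bytes(blob[:KEY_BYTES], "big"), int.from_bytes(blob[KEY_BYTES:], "big"))
    return rsa_decrypt(zlib.decompress(aes_blob), victim_priv, 48)


def round_trip(operator_bits: int = 2048) -> bool:
    """Simulate one infection and the operators' decryption; True if the key survives."""
    operator_pub, operator_priv = rsa_keygen(operator_bits)  # kept offline by the attackers
    victim_pub, victim_priv = rsa_keygen(VICTIM_BITS)        # generated on the victim
    token = make_token(victim_priv, operator_pub)
    key_iv = os.urandom(48)                                   # 32-byte key + 16-byte IV, one file
    aes_blob = wrap_file_key(victim_pub, key_iv)
    del victim_priv                                           # never written to disk in the clear
    return operator_recover(token, operator_priv, aes_blob) == key_iv


if __name__ == "__main__":
    print("round trip ok:", round_trip())
```

Two practical points fall out of the model. The ransom note is the only place the wrapped per-victim private key exists, so victims should keep it even if they do not intend to pay. And if the per-victim 512-bit modulus can be recovered from memory, that modulus, not the operators' 2048-bit key, is the weak point: 512-bit RSA has been within reach of public factoring tooling for years.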

Win32/ClipBanker

Win32/ClipBanker is a component that was distributed intermittently from late October to early December 2018. Its job is to monitor the clipboard contents for cryptocurrency wallet addresses. When a targeted wallet address is found, ClipBanker replaces it with an address believed to belong to the operators. The samples we examined were neither packed nor obfuscated; the only mechanism used to hide behavior is string encryption. The operators' wallet addresses are RC4-encrypted. The targeted cryptocurrencies are Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.

During the period the malware was spreading, only a small amount was sent to the attackers' Bitcoin wallets, which casts doubt on the success of this campaign. Moreover, there is no evidence that these transactions were related to ClipBanker at all.

Win32/RTM

The Win32/RTM component was distributed for a few days in early March 2019. RTM is a banking Trojan written in Delphi that targets remote banking systems. In 2017, ESET researchers published a detailed analysis of this malware, and that description is still relevant. In January 2019, Palo Alto Networks also released a blog post about RTM.

Buhtrap loader

At one point a downloader was available on GitHub that did not resemble the previous Buhtrap tools. It contacts https://94.100.18[.]67/RSS.php?<some_id> to fetch the next stage and loads it directly into memory. We can distinguish two behaviors of the second-stage code. In the first, RSS.php delivered the Buhtrap backdoor directly; this backdoor is very similar to the one available since the source code leak.

Interestingly, we see several campaigns using the Buhtrap backdoor, reportedly run by different operators. In this case the main difference is that the backdoor is loaded directly into memory and does not use the usual scheme with the DLL deployment process we described earlier. In addition, the operators changed the RC4 key used to encrypt network traffic to the C&C server. In most campaigns we have seen, the operators did not bother to change this key.

The second, more complex behavior was that the RSS.php URL delivered a different loader. It implements some obfuscation, such as rebuilding its import table dynamically. The loader's purpose is to contact the C&C server msiofficeupd[.]com/api/F27F84EDA4D13B15/2, send logs and wait for a response. It treats the response as a blob, loads it into memory and executes it. The payload we observed being delivered through this loader was the same Buhtrap backdoor, but there may be other components.

Android/Spy.Banker

Interestingly, an Android component was also found in the GitHub repository. It was in the master branch for a single day only: November 1, 2018. Apart from its being posted on GitHub, ESET telemetry found no evidence that this malware was distributed.

The component is packaged as an Android Application Package (APK). It is heavily obfuscated. The malicious behavior is hidden in a JAR embedded in the APK, encrypted with RC4 using this key:

key = [
0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96
]

The same key and algorithm are used to encrypt strings. The JAR is located at APK_ROOT + image/files. The first 4 bytes of the file contain the length of the encrypted JAR, which starts immediately after the length field.
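The following added example (not ESET's or the sample's code) unpacks a payload stored in that layout: read the 4-byte length, RC4-decrypt that many bytes with the key above, and check for the ZIP local-file-header magic that any JAR starts with, which is the quickest test that the key and offset are right. The analysis does not state the byte order of the length field; little-endian is an assumption here, and the JAR used for the demonstration is constructed in code.

```python
"""Unpack the RC4-encrypted JAR embedded in the Android dropper described above.

Added example, not ESET's or the sample's code. Assumptions: the 4-byte length
prefix is little-endian; the JAR built in build_sample_blob() is constructed.
"""
import io
import struct
import zipfile

# RC4 key quoted above, shared by the embedded JAR and the obfuscated strings.
ANUBIS_RC4_KEY = bytes([
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96,
])


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(blob: bytes, key: bytes = ANUBIS_RC4_KEY) -> str:
    """Obfuscated strings in the sample use the same key and algorithm as the JAR."""
    return rc4(key, blob).decode("utf-8")


def extract_jar(blob: bytes, key: bytes = ANUBIS_RC4_KEY) -> bytes:
    """blob = <4-byte length><RC4(JAR)>[trailing data]. Returns the decrypted JAR."""
    if len(blob) < 4:
        raise ValueError("blob too short for a length prefix")
    (length,) = struct.unpack("<I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("length prefix exceeds available data")
    jar = rc4(key, blob[4:4 + length])
    if jar[:4] != b"PK\x03\x04":  # a JAR is a ZIP; wrong key or offset gives no local-file header
        raise ValueError("decrypted payload is not a ZIP/JAR (wrong key or offset?)")
    return jar


def jar_entries(jar: bytes) -> list:
    """List the entries of a decrypted JAR without writing it to disk."""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        return z.namelist()


def build_sample_blob(key: bytes = ANUBIS_RC4_KEY) -> bytes:
    """Constructed test input: a tiny JAR wrapped the way the dropper stores it, with
    trailing bytes to show that the length prefix, not EOF, bounds the payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00 constructed placeholder, not real bytecode")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    jar = buf.getvalue()
    return struct.pack("<I", len(jar)) + rc4(key, jar) + b"\x00" * 16


if __name__ == "__main__":
    print(jar_entries(extract_jar(build_sample_blob())))
```

If the magic check fails on a real sample, try the other byte order for the length before suspecting the key: the 0x00 byte inside the key is legitimate and RC4 handles it without special treatment.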

After decrypting the file, we found it to be Anubis, a previously documented Android banker. The malware has the following capabilities:

  • microphone recording
  • taking screenshots
  • obtaining GPS coordinates
  • keylogging
  • encrypting device data and demanding a ransom
  • sending spam

Interestingly, the banker used Twitter as a backup communication channel to obtain another C&C server. The sample we analyzed used the @JonesTrader account, but by the time of analysis it had already been blocked.

The banker contains a list of target applications on the Android device. It is longer than the list found in the Sophos study. It includes many banking apps, online shopping apps such as Amazon and eBay, and cryptocurrency services.

MSIL/ClipBanker.IH

The last component distributed as part of this campaign was a .NET Windows executable that appeared in March 2019. Most of the versions studied were packed with ConfuserEx v1.0.0. Like ClipBanker, this component operates on the clipboard. It targets a wide range of cryptocurrencies as well as Steam trade offers. In addition, it uses the IP Logger service to steal Bitcoin WIF private keys.

Protection mechanisms
Beyond what ConfuserEx provides to hinder debugging, dumping and tampering, the component includes the ability to detect antivirus products and virtual machines.

To check that it is running on a real machine, the malware uses the built-in Windows WMI command-line tool (WMIC) to request BIOS information, namely:

wmic bios

The program then parses the command output and looks for the keywords VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antivirus products, the malware issues a Windows Management Instrumentation (WMI) query to the Windows Security Center using the ManagementObjectSearcher API, as shown below. After base64 decoding, the query looks like this:

ManagementObjectSearcher('root\SecurityCenter2', 'SELECT * FROM AntivirusProduct')

Figure 3. Antivirus product detection method.

In addition, the malware checks whether CryptoClipWatcher, a tool that protects against clipboard attacks, is running and, if so, suspends all threads in that process, thereby disabling the protection.

Persistence

The variant we studied copies itself to %APPDATA%\google\updater.exe and sets the "hidden" attribute on the google directory. It then modifies the Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell value in the Windows registry, appending the path to updater.exe. This way the malware runs every time the user logs in.

Malicious behavior

Like ClipBanker, the malware monitors the clipboard contents for cryptocurrency wallet addresses and, when one is found, replaces it with one of the operators' addresses. Below is the list of targeted address types, as found in the code.

BTC_P2PKH, BTC_P2SH, BTC_BECH32, BCH_P2PKH_CashAddr, BTC_GOLD, LTC_P2PKH, LTC_BECH32, LTC_P2SH_M, ETH_ERC20, XMR, DCR, XRP, DOGE, DASH, ZEC_T_ADDR, ZEC_Z_ADDR, STELLAR, NEO, ADA, IOTA, NANO_1, NANO_3, BANANO_1, BANANO_3, STRATIS, NIOBIO, LISK, QTUM, WMZ, WMX, WME, VERTCOIN, TRON, TEZOS, QIWI_ID, YANDEX_ID, NAMECOIN, B58_PRIVATEKEY, STEAM_URL

For each address type there is a corresponding regular expression. The STEAM_URL value is used to attack the Steam trading system, as can be seen from the regular expression used to match the clipboard contents:

\b(https://|http://|)steamcommunity.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b
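The same regex table works in reverse for detection: a clipboard swapper keeps the address family and changes only the value, so the text a user copied and the text that lands on paste will both match one family and differ. The following added example (not ESET's or the sample's code) shows that check for several of the families in the list above, going beyond the single Steam pattern quoted on the page. The Steam pattern is the one above; the other patterns are my own approximations of the address formats (the sample's own regexes are not reproduced in the analysis), and the addresses in the demonstration are constructed, not real wallets.

```python
"""Clipboard-hijack detection for address families targeted by MSIL/ClipBanker.IH.

Added example, not ESET's or the sample's code. STEAM_URL is the pattern quoted
above; the other patterns are approximations of the address formats.
"""
import re

PATTERNS = {
    "BTC_P2PKH":  r"\b1[a-km-zA-HJ-NP-Z1-9]{25,33}\b",
    "BTC_P2SH":   r"\b3[a-km-zA-HJ-NP-Z1-9]{25,33}\b",
    "BTC_BECH32": r"\bbc1[02-9ac-hj-np-z]{11,71}\b",
    "ETH_ERC20":  r"\b0x[0-9a-fA-F]{40}\b",
    "XMR":        r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b",
    "XRP":        r"\br[1-9A-HJ-NP-Za-km-z]{24,34}\b",
    "STEAM_URL":  r"\b(https://|http://|)steamcommunity\.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b",
}
COMPILED = {name: re.compile(rx) for name, rx in PATTERNS.items()}


def classify(text: str) -> list:
    """Return [(family, matched_text), ...] for every targeted value found in `text`."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(text):
            hits.append((name, m.group(0)))
    return hits


def hijacked(copied: str, pasted: str) -> bool:
    """True when copy and paste both carry a value of the same family but the values
    differ: the signature of a clipboard swapper. A changed family or no match at all
    is not flagged, so ordinary editing between copy and paste does not trip it."""
    before = dict(classify(copied))
    after = dict(classify(pasted))
    return any(fam in after and after[fam] != val for fam, val in before.items())


# Constructed demo values. USER_BTC is the widely used documentation example address;
# ATTACKER_BTC is made up to match the P2PKH pattern and is not a real wallet.
USER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
ATTACKER_BTC = "1AbCdEfGhJkLmNoPqRsTuVwXyZ12345678"
TRADE_URL = "https://steamcommunity.com/tradeoffer/new/?partner=123456789&token=AbCd1234"


def demo() -> dict:
    """Run the check over a few copy/paste pairs; returns {label: hijacked?}."""
    return {
        "btc swapped": hijacked(f"send to {USER_BTC}", f"send to {ATTACKER_BTC}"),
        "btc untouched": hijacked(USER_BTC, USER_BTC),
        "steam untouched": hijacked(TRADE_URL, TRADE_URL),
        "plain text": hijacked("meeting at 10", "meeting at 11"),
    }


if __name__ == "__main__":
    for label, flagged in demo().items():
        print(f"{label:16s} -> {'HIJACKED' if flagged else 'ok'}")
```

A tool such as CryptoClipWatcher, which this component specifically looks for and suspends, applies the same idea continuously; a monitor that runs outside the user's session (or simply compares the clipboard before and after each paste in the wallet application) is harder to neutralise with a thread-suspend trick.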

Exfiltration channel

Besides replacing addresses in the clipboard, the malware targets the WIF private keys of Bitcoin, Bitcoin Core and Electrum Bitcoin wallets. The program uses iplogger.org as a transmission channel to obtain the WIF private key: the operators place the private key data in the HTTP User-Agent header, as shown below.

Figure 4. IP Logger console with the exfiltrated data.

The operators did not use iplogger.org to exfiltrate the wallets themselves. They probably resorted to a different method because of the 255-character limit on the User-Agent field displayed in the IP Logger web interface. In the samples we studied, the other output server was stored in an environment variable named DiscordWebHook. Surprisingly, this environment variable is not assigned anywhere in the code. This suggests the malware is still under development and that the variable is set on the operator's test machine.

There is another sign that the program is under development. The binary includes two iplogger.org URLs, and both are queried when data is exfiltrated. In the request to one of these URLs, the value of the Referer field is prefixed with "DEV /". We also found a version that was not packed with ConfuserEx, in which the holder of this URL is named DevFeedbackUrl. Based on the environment variable's name, we believe the operators plan to use the legitimate Discord service and its webhook system to steal cryptocurrency wallets.

Conclusion

This campaign is an example of legitimate advertising services being used in cyberattacks. It targets Russian organizations, but we would not be surprised to see a similar attack abusing non-Russian services. To avoid compromise, users should check the reputation of the source of any software they download.

The full list of indicators of compromise and MITRE ATT&CK attributes is available at the link.

Source: www.habr.com
