Ho na le lihlopha tse 'maloa tse tsebahalang tsa cyber tse ipabolang ka ho utsoa lichelete ho tsoa ho lik'hamphani tsa Russia. Re bone litlhaselo tse sebelisang likheo tsa ts'ireletso tse lumellang ho fihlella marang-rang a sepheo. Hang ha ba fumana phihlello, bahlaseli ba hlahloba sebopeho sa marang-rang sa mokhatlo mme ba sebelisa lisebelisoa tsa bona ho utsoa chelete. Mohlala oa khale oa mokhoa ona ke lihlopha tsa barekisi ba Buhtrap, Cobalt le Corkow.
Sehlopha sa RTM seo tlaleho ena e shebaneng le sona ke karolo ea mokhoa ona. E sebelisa malware e entsoeng ka ho khetheha e ngotsoeng Delphi, eo re tla e sheba ka ho qaqileng haholoanyane likarolong tse latelang. Mehlala ea pele ea lisebelisoa tsena tsamaisong ea telemetry ea ESET e ile ea fumanoa qetellong ea 2015. Sehlopha se kenya li-module tse fapaneng tse ncha litsing tse nang le tšoaetso ha ho hlokahala. Litlhaselo li lebisitsoe ho basebelisi ba libanka tse hole tsa Russia le linaheng tse ling tsa boahisani.
1. Maikemisetso
Letšolo la RTM le lebisitsoe ho basebelisi ba mekhatlo - sena se totobetse ho tsoa lits'ebetsong tseo bahlaseli ba lekang ho li lemoha tsamaisong e senyehileng. Ho tsepamisitsoe maikutlo ho software ea accounting bakeng sa ho sebetsa le litsamaiso tsa libanka tse hole.
Lethathamo la lits'ebetso tse khahlang ho RTM le tšoana le lenane le ts'oanang la sehlopha sa Buhtrap, empa lihlopha li na le li-vector tse fapaneng tsa ts'oaetso. Haeba Buhtrap e ne e sebelisa maqephe a fake hangata, joale RTM e sebelisitse litlhaselo tsa ho jarolla (litlhaselo ho sebatli kapa likarolo tsa eona) le spamming ka lengolo-tsoibila. Ho ea ka lintlha tsa telemetry, tšoso e lebisitsoe ho Russia le linaheng tse 'maloa tse haufi (Ukraine, Kazakhstan, Czech Republic, Jeremane). Leha ho le joalo, ka lebaka la tšebeliso ea mekhoa ea ho ajoa ka bongata, ho lemoha malware ka ntle ho libaka tse reretsoeng ha ho makatse.
Palo eohle ea tšibollo ea malware e batla e fokola. Ka lehlakoreng le leng, letšolo la RTM le sebelisa mananeo a rarahaneng, a bontšang hore litlhaselo li lebisitsoe haholo.
Re fumane litokomane tse 'maloa tsa bolotsana tse sebelisoang ke RTM, ho kenyelletsa le likonteraka tse seng teng, li-invoice kapa litokomane tsa tlaleho ea lekhetho. Sebopeho sa lisebelisoa, se kopantsoeng le mofuta oa software e lebisitsoeng ke tlhaselo, e bontša hore bahlaseli ba "kena" marang-rang a lik'hamphani tsa Russia ka lefapha la likarabello. Sehlopha se ile sa sebetsa ho latela morero o tšoanang ka 2014-2015
Nakong ea lipatlisiso, re khonne ho sebelisana le li-server tse 'maloa tsa C&C. Re tla thathamisa lethathamo le feletseng la litaelo likarolong tse latelang, empa hajoale re ka re mofani o fetisetsa data ho tloha keylogger ka ho toba ho seva e hlaselang, eo ho eona ho fumanoang litaelo tse eketsehileng.
Leha ho le joalo, matsatsi ao ka 'ona u neng u ka hokela ho seva sa taelo le taolo 'me u bokelle lintlha tsohle tseo u li ratang a felile. Re ntlafalitse lifaele tsa 'nete ho fumana litaelo tse nepahetseng ho tsoa ho seva.
Ea pele ea bona ke kopo ho bot ho fetisetsa faele 1c_to_kl.txt - faele ea lipalangoang ea 1C: Lenaneo la Enterprise 8, ponahalo ea eona e hlahlojoa ka mafolofolo ke RTM. 1C e sebelisana le lits'ebetso tsa banka tse hole ka ho kenya data ea litefo tse tsoang faeleng ea mongolo. Ka mor'a moo, faele e romelloa tsamaisong ea banka e hōle bakeng sa ho iketsetsa le ho phethahatsa taelo ea tefo.
Faele e na le lintlha tsa tefo. Haeba bahlaseli ba fetola tlhahisoleseling mabapi le litefo tse tsoang, phetisetso e tla romelloa ho sebelisoa lintlha tsa bohata ho li-account tsa bahlaseli.
Hoo e ka bang khoeli ka mor'a ho kopa lifaele tsena ho seva sa taelo le taolo, re ile ra bona plugin e ncha, 1c_2_kl.dll, e kenngoa tsamaisong e senyehileng. Mojule (DLL) e etselitsoe ho itlhahloba faele ea ho jarolla ka ho kenella lits'ebetsong tsa software ea accounting. Re tla e hlalosa ka botlalo likarolong tse latelang.
Hoa thahasellisa hore FinCERT ea Banka ea Russia qetellong ea 2016 e ile ea fana ka temoso ea litaba mabapi le linokoane tsa marang-rang tse sebelisang lifaele tsa 1c_to_kl.txt tsa ho kenya. Baetsi ba 1C le bona ba tseba ka morero ona; ba se ba entse polelo ea semmuso mme ba thathamisitse litemoso.
Li-module tse ling le tsona li ne li laeloa ho tsoa ho seva sa litaelo, haholo VNC (liphetolelo tsa eona tsa 32 le 64-bit). E tšoana le mojule oa VNC oo pele o neng o sebelisoa ho litlhaselo tsa Dridex Trojan. Ho lumeloa hore mojule ona o sebelisoa ho hokahanya khomphutha e nang le tšoaetso le ho etsa boithuto bo felletseng ba sistimi. Ka mor'a moo, bahlaseli ba leka ho pota-pota marang-rang, ho ntša li-passwords tsa basebelisi, ho bokella tlhahisoleseding le ho netefatsa boteng ba kamehla ba malware.
2. Likokoana-hloko tsa tšoaetso
Palo e latelang e bonts'a li-vector tsa ts'oaetso tse fumanoeng nakong ea thuto ea lets'olo. Sehlopha se sebelisa mefuta e mengata ea li-vector, empa haholo-holo litlhaselo tsa ho khoasolla le spam. Lisebelisoa tsena li loketse litlhaselo tse lebisitsoeng, kaha tabeng ea pele, bahlaseli ba ka khetha libaka tse eteloang ke batho bao e ka bang bahlaseluoa, 'me ka lekhetlo la bobeli, ba ka romella mangolo-tsoibila ka li-attachments ka ho toba ho basebetsi ba khamphani ba batlang.
Malware e ajoa ka likanale tse ngata, ho kenyeletsoa lisebelisoa tsa tšebeliso ea RIG le Sundown kapa mangolo a spam, a bonts'ang likhokahano lipakeng tsa bahlaseli le bahlaseli ba bang ba marang-rang ba fanang ka lits'ebeletso tsena.
2.1. RTM le Bhutrap li amana joang?
Letšolo la RTM le tšoana haholo le Bhutrap. Potso ea tlhaho ke: li amana joang?
Ka Loetse 2016, re bone sampole ea RTM e ajoa ho sebelisoa se uploader sa Buhtrap. Ho feta moo, re fumane litifikeiti tse peli tsa dijithale tse sebelisoang ho Buhtrap le RTM.
Ea pele, e ile ea fanoa ho Dniger ea Khampani-M, e ne e sebelisetsoa ho saena ha digilatice (Sha-1: 025E718b31b43d1 .
Ea bobeli, e fanoeng ho Bit-Tredj, e ne e sebelisetsoa ho saena li-loaders tsa Buhtrap (SHA-1: 7C1B6B1713BD923FC243DFEC80002FE9B93EB292 le B74F71560E48488D2153AE2FB51207 TM e le ho kenya lisebelisoa tsa R0 hantle le R206EBAC2).
Basebelisi ba RTM ba sebelisa litifikeiti tse tloaelehileng malapeng a mang a malware, empa hape ba na le setifikeiti se ikhethileng. Ho latela telemetry ea ESET, e ile ea fuoa Kit-SD 'me e ne e sebelisoa feela ho saena RTM malware (SHA-1: 42A4B04446A20993DDAE98B2BE6D5A797376D4B6).
RTM e sebelisa mojaro o tšoanang le oa Buhtrap, likarolo tsa RTM li laeloa ho tloha mohahong oa mohaho oa Buhtrap, kahoo lihlopha li na le matšoao a tšoanang a marang-rang. Leha ho le joalo, ho ea ka likhakanyo tsa rona, RTM le Buhtrap ke lihlopha tse fapaneng, bonyane hobane RTM e ajoa ka litsela tse sa tšoaneng (eseng feela ho sebelisa downloader "ea linaheng tse ling".
Ho sa tsotellehe sena, lihlopha tsa li-hacker li sebelisa melao-motheo e tšoanang ea ts'ebetso. Ba shebile likhoebo tse sebelisang software ea accounting, ka mokhoa o ts'oanang ho bokella tlhahisoleseling ea sistimi, ho batla babali ba likarete tse bohlale, le ho sebelisa lisebelisoa tse ngata tse mpe ho hloela bahlaseluoa.
3. Tlhabologo
Karolong ena, re tla sheba mefuta e fapaneng ea malware e fumanoeng nakong ea boithuto.
3.1. Phetolelo
RTM e boloka lintlha tsa tlhophiso karolong ea ngoliso, karolo e khahlisang haholo e le botnet-prefix. Lethathamo la litekanyetso tsohle tseo re li boneng lisampong tseo re ithutileng tsona li hlahisoa tafoleng e ka tlase.
Ho ka etsahala hore litekanyetso li ka sebelisoa ho rekota mefuta ea malware. Leha ho le joalo, ha rea ka ra hlokomela phapang e khōlō pakeng tsa liphetolelo tse kang bit2 le bit3, 0.1.6.4 le 0.1.6.6. Ho feta moo, e 'ngoe ea li-prefixes esale e le teng ho tloha qalong' me e fetohile ho tloha sebakeng se tloaelehileng sa C & C ho ea sebakeng sa .bit, joalokaha ho tla bontšoa ka tlase.
3.2. Kemiso
Re sebelisa lintlha tsa telemetry, re thehile graph ea ho hlaha ha disampole.
4. Tlhahlobo ea tekheniki
Karolong ena, re tla hlalosa mesebetsi e ka sehloohong ea Trojan ea banka ea RTM, ho kenyelletsa le mekhoa ea ho hanyetsa, phetolelo ea eona ea RC4 algorithm, protocol ea marang-rang, ts'ebetso ea bohloela le likarolo tse ling. Ka ho khetheha, re tla tsepamisa maikutlo ho lisampole tsa SHA-1 AA0FA4584768CE9E16D67D8C529233E99FF1BBF0 le 48BC113EC8BA20B8B80CD5D4DA92051A19D1032B.
4.1. Ho kenya le ho boloka
4.1.1. Phethahatso
Koko ea RTM ke DLL, laebrari e kenngoa ho disk e sebelisa .EXE. Faele e ka sebetswang hangata e pakwa mme e na le khoutu ya DLL. Ha e se e qalile, e ntša DLL ebe e e tsamaisa ka taelo e latelang:
rundll32.exe “%PROGRAMDATA%Winlogonwinlogon.lnk”,DllGetClassObject host4.1.2. DLL
DLL e kholo e lula e kentsoe disk joalo ka winlogon.lnk ka har'a foldara ea %PROGRAMDATA%Winlogon. Katoloso ena ea faele hangata e amahanngoa le tsela e khuts'oane, empa faele ha e le hantle ke DLL e ngotsoeng Delphi, e bitsoang core.dll ke moqapi, joalo ka ha ho bonts'itsoe setšoantšong se ka tlase.
Пример названия DLL F4C746696B0F5BB565D445EC49DD912993DE6361
Hang ha e qala, Trojan e kenya mochine oa eona oa ho hanyetsa. Sena se ka etsoa ka litsela tse peli tse fapaneng, ho itšetlehile ka litokelo tsa mohlaseluoa tsamaisong. Haeba u na le litokelo tsa molaoli, Trojan e eketsa kenyelletso ea Windows Update ho HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun registry. Litaelo tse fumanehang ho Windows Update li tla sebetsa qalong ea lenaneo la mosebedisi.
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunWindows Update [REG_SZ] = rundll32.exe “%PROGRAMDATA%winlogon.lnk”,DllGetClassObject host
Trojan e boetse e leka ho eketsa mosebetsi ho Windows Task Scheduler. Mosebetsi o tla qala winlogon.lnk DLL ka li-parameter tse tšoanang le tse ka holimo. Litokelo tsa kamehla tsa mosebelisi li lumella Trojan ho eketsa kenyelletso ea Windows Update ka data e tšoanang ho HKCUSoftwareMicrosoftWindowsCurrentVersionRun registry:
rundll32.exe “%PROGRAMDATA%winlogon.lnk”,DllGetClassObject host4.2. Algorithm ea RC4 e fetotsoeng
Leha e na le mefokolo e tsebahalang, algorithm ea RC4 e sebelisoa khafetsa ke bangoli ba malware. Leha ho le joalo, baetsi ba RTM ba e fetotse hanyenyane, mohlomong ho etsa hore mosebetsi oa bahlahlobisisi ba kokoana-hloko o be thata haholoanyane. Phetolelo e fetotsoeng ea RC4 e sebelisoa haholo ho lisebelisoa tse kotsi tsa RTM ho kenyelletsa likhoele, data ea marang-rang, tlhophiso le li-module.
4.2.1. Liphapang
Algorithm ea mantlha ea RC4 e kenyelletsa mekhahlelo e 'meli: s-block initialization (aka KSA - Key-Scheduling Algorithm) le pseudo-random sequence generation (PRGA - Pseudo-Random Generation Algorithm). Mokhahlelo oa pele o kenyelletsa ho qala s-lebokose ho sebelisa senotlolo, 'me mothating oa bobeli mohloli oa mongolo o sebetsoa ho sebelisoa s-box bakeng sa encryption.
Bangoli ba RTM ba kentse mohato o mahareng lipakeng tsa s-box initialization le encryption. Senotlolo sa tlatsetso sea feto-fetoha 'me se behiloe ka nako e ts'oanang le data e lokelang ho ngolisoa le ho hlakoloa. Mosebetsi o etsang mohato ona o eketsehileng o bontšoa setšoantšong se ka tlase.
4.2.2. Khoele ea khoele
Ha u habanya feela, ho na le mela e 'maloa e ka baloang ho DLL e kholo. Tse ling kaofela li patiloe ho sebelisoa algorithm e hlalositsoeng kaholimo, sebopeho sa eona se bonts'itsoeng setšoantšong se latelang. Re fumane linotlolo tse fetang 25 tse fapaneng tsa RC4 bakeng sa encryption ea likhoele lisampoleng tse hlahlobiloeng. Senotlolo sa XOR se fapane bakeng sa mola o mong le o mong. Boleng ba sebaka sa linomoro tse arolang mela e lula e le 0xFFFFFFFF.
Qalong ea ts'ebetso, RTM e hlakola likhoele hore e be phetoho ea lefats'e. Ha ho hlokahala ho fihlella khoele, Trojan e bala ka matla aterese ea likhoele tse hlakotsoeng ho latela aterese ea motheo le offset.
Likhoele li na le lintlha tse khahlisang mabapi le mesebetsi ea malware. Likhoele tse ling tsa mohlala li fanoe ho Karolo ea 6.8.
4.3. Marang-rang
Tsela eo RTM malware e ikopanyang le seva sa C&C ka eona e fapana ho ea ka mofuta. Liphetoho tsa pele (Mphalane 2015 - Mmesa 2016) li sebelisitse mabitso a marang-rang a setso hammoho le phepelo ea RSS ho livejournal.com ho ntlafatsa lenane la litaelo.
Ho tloha ka Mmesa 2016, re bone phetoho ho libaka tsa .bit ho data ea telemetry. Sena se netefatsoa ke letsatsi la ngoliso ea domain - sebaka sa pele sa RTM fde05d0573da.bit se ngolisitsoe ka la 13 Hlakubele 2016.
Li-URL tsohle tseo re li boneng ha re ntse re beha leihlo letšolo lena li ne li e-na le tsela e tšoanang: /r/z.php. Ha e tloaelehe 'me e tla thusa ho tseba likopo tsa RTM ho phallo ea marang-rang.
4.3.1. Channel bakeng sa litaelo le taolo
Mehlala ea lefa e sebelisitse mocha ona ho ntlafatsa lenane la bona la li-server tsa litaelo le taolo. Hosting e fumaneha livejournal.com, ka nako ea ho ngola tlaleho e ne e lula ho URL hxxp://f72bba81c921(.)livejournal(.)com/ data/rss.
Livejournal ke k'hamphani ea Russia-Amerika e fanang ka sethala sa blogging. Basebelisi ba RTM ba theha blog ea LJ moo ba behang sengoloa se nang le litaelo tse nang le likhoutu - bona skrini.
Mela ea litaelo le taolo e kentsoe ho sebelisoa algorithm ea RC4 e fetotsoeng (Karolo ea 4.2). Mofuta oa hajoale (November 2016) oa mocha o na le litaelo tse latelang le liaterese tsa seva sa taolo:
- hxxp://cainmoon(.)net/r/z.php
- hxxp://rtm(.)dev/0-3/z.php
- hxxp://vpntap(.)top/r/z.php
4.3.2. .bit domains
Mehlala ea morao-rao ea RTM, bangoli ba hokahana le libaka tsa C&C ba sebelisa .bit TLD ea boemo bo holimo. Ha e teng lethathamong la ICANN (Domain Name le Internet Corporation) la libaka tsa maemo a holimo. Ho e-na le hoo, e sebelisa mokhoa oa Namecoin, o hahiloeng holim'a theknoloji ea Bitcoin. Bangoli ba Malware ha ba sebelise hangata .bit TLD bakeng sa libaka tsa bona, le hoja mohlala oa tšebeliso e joalo o kile oa hlokomeloa phetolelong ea Necurs botnet.
Ho fapana le Bitcoin, basebelisi ba database ea Namecoin e ajoang ba na le bokhoni ba ho boloka data. Tšebeliso e ka sehloohong ea tšobotsi ena ke sebaka sa .bit se holimo-limo. U ka ngolisa libaka tse tla bolokoa sebakeng sa polokelo ea litaba tse ajoang. Likenyo tse tsamaellanang ho database li na le liaterese tsa IP tse rarollotsoeng ke domain. TLD ena ha e na "censorship-resistant" hobane ke motho ea ngolisitseng feela ea ka fetolang qeto ea sebaka sa .bit. Sena se bolela hore ho thata haholo ho emisa sebaka se kotsi se sebelisang mofuta ona oa TLD.
RTM Trojan ha e kenye software e hlokahalang ho bala database ea Namecoin e abuoang. E sebelisa li-server tsa DNS tse bohareng tse kang dns.dot-bit.org kapa li-server tsa OpenNic ho rarolla libaka tsa .bit. Ka hona, e na le nako e ts'oanang le li-server tsa DNS. Re hlokometse hore lihlopha tse ling tsa lihlopha ha li sa hlola li fumanoa ka mor'a hore li boleloe posong ea blog.
Molemo o mong oa .bit TLD bakeng sa basomi ke litšenyehelo. Ho ngolisa domain, basebetsi ba hloka ho lefa feela 0,01 NK, e lumellanang le $ 0,00185 (ho tloha ka la 5 December 2016). Ha ho bapisoa, domain.com e bitsa bonyane $10.
4.3.3. Protocol
Ho buisana le seva sa taelo le taolo, RTM e sebelisa likopo tsa HTTP POST tse nang le data e hlophisitsoeng ho sebelisoa protocol ea moetlo. Boleng ba tsela ke kamehla /r/z.php; Mozilla/5.0 moemedi wa mosebedisi (e sebetsa; MSIE 9.0; Windows NT 6.1; Trident/5.0). Likopo ho seva, data e hlophisitsoe ka tsela e latelang, moo litekanyetso tsa offset li hlahisoang ka li-byte:
Li-byte 0 ho isa ho 6 ha lia khoute; li-byte tse qalang ho tloha ho tse 6 li kentsoe ka khouto ho sebelisa algorithm e fetotsoeng ea RC4. Sebopeho sa pakete ea karabo ea C&C se bonolo haholoanyane. Li-byte li kentsoe ho tloha ho 4 ho isa ho boholo ba pakete.
Lethathamo la litekanyetso tse ka bang teng tsa ketso li hlahisoa tafoleng e ka tlase:
Malware e lula e bala CRC32 ea data e sirelelitsoeng ebe e e bapisa le se teng ka har'a pakete. Haeba li fapane, Trojan e lahlela pakete.
Lintlha tsa tlatsetso li kanna tsa ba le lintho tse fapaneng, ho kenyeletsoa faele ea PE, faele e lokelang ho batloa ho sistimi ea faele, kapa li-URL tse ncha tsa taelo.
4.3.4. Phanele
Re hlokometse hore RTM e sebelisa phanele ho li-server tsa C&C. Setšoantšo sa skrini se ka tlase:
4.4. Letšoao la sebopeho
RTM ke Trojan e tloaelehileng ea banka. Ha ho makatse hore ebe basebelisi ba batla tlhahisoleseling mabapi le sistimi ea motho ea hlokofalitsoeng. Ka lehlakoreng le leng, bot e bokella lintlha tse akaretsang mabapi le OS. Ka lehlakoreng le leng, e fumana hore na tsamaiso e senyehileng e na le litšobotsi tse amanang le mekhoa ea libanka e hōle ea Russia.
4.4.1. lintlha tse akaretsang
Ha malware e kentsoe kapa e qala ka mor'a ho qala bocha, tlaleho e romelloa ho seva sa taelo le taolo e nang le tlhaiso-leseling e akaretsang ho kenyelletsa:
- Nako ea sebaka;
- puo ea kamehla ea tsamaiso;
- mangolo a lumelletsoeng a basebelisi;
- boemo ba botšepehi ba ts'ebetso;
- Username;
- lebitso la komporo;
- mofuta oa OS;
- li-module tse ling tse kentsoeng;
- lenaneo la antivirus le kentsoeng;
- lenane la babali ba likarete tse bohlale.
4.4.2 Tsamaiso ea libanka e hole
Sepheo se tloaelehileng sa Trojan ke tsamaiso ea banka e hole, 'me RTM le eona e joalo. E 'ngoe ea li-module tsa lenaneo e bitsoa TBdo, e etsang mesebetsi e fapaneng, ho kenyelletsa le ho hlahloba li-disk le histori ea ho bala.
Ka ho hlahloba disk, Trojan e hlahloba hore na software ea banka e kentsoe mochineng. Lenane le felletseng la mananeo a shebiloeng le teng tafoleng e ka tlase. Ha e se e fumane faele e thahasellisang, lenaneo le romela tlhahisoleseding ho seva sa litaelo. Liketso tse latelang li itšetlehile ka logic e boletsoeng ke li-algorithms tsa setsi sa litaelo (C&C).
RTM e boetse e batla lipaterone tsa URL nalaneng ea sebatli sa hau le li-tab tse bulehileng. Ntle le moo, lenaneo le hlahloba ts'ebeliso ea mesebetsi ea FindNextUrlCacheEntryA le FindFirstUrlCacheEntryA, hape le hlahloba sekeno se seng le se seng ho bapisa URL le e 'ngoe ea mekhoa e latelang:
Ha e se e fumane li-tab tse bulehileng, Trojan e ikopanya le Internet Explorer kapa Firefox ka mochine oa Dynamic Data Exchange (DDE) ho hlahloba hore na tab e lumellana le mohlala.
Ho hlahloba nalane ea hau ea ho bala le li-tab tse bulehileng ho etsoa ka loop ea WHILE (loop e nang le precondition) ka khefu ea motsotsoana oa 1 lipakeng tsa licheke. Lintlha tse ling tse behiloeng leihlo ka nako ea sebele li tla tšohloa karolong ea 4.5.
Haeba mohlala o fumanoa, lenaneo le tlaleha sena ho seva sa litaelo ho sebelisa lethathamo la likhoele tse tsoang tafoleng e latelang:
4.5 Tlhokomelo
Ha Trojan e ntse e sebetsa, tlhahisoleseding e mabapi le litšobotsi tsa tsamaiso e nang le tšoaetso (ho akarelletsa le tlhahisoleseding e mabapi le boteng ba software ea banka) e romelloa ho seva sa taelo le taolo. Ho hatisa menoana ho etsahala ha RTM e qala ho tsamaisa sistimi ea ho beha leihlo hang ka mor'a ho hlahloba OS ea pele.
4.5.1. Banka e hole
Mojule oa TBdo o boetse o ikarabella ho beha leihlo lits'ebetso tse amanang le libanka. E sebelisa phapanyetsano ea data e matla ho lekola li-tab ho Firefox le Internet Explorer nakong ea tlhahlobo ea pele. Mojule o mong oa TShell o sebelisoa ho hlokomela litaelo lifensetere (Internet Explorer kapa File Explorer).
Mojule o sebelisa li-interface tsa COM IShellWindows, iWebBrowser, DWebBrowserEvents2 le IConnectionPointContainer ho beha leihlo lifensetere. Ha mosebelisi a ea leqepheng le lecha la webo, malware e hlokomela sena. E ntan'o bapisa URL ea leqephe le lipaterone tse kaholimo. Ha e se e hlokometse papali, Trojan e nka li-screenshots tse tšeletseng tse latellanang ka nako ea metsotsoana e 5 ebe e li romella ho seva sa taelo ea C&S. Lenaneo le boetse le hlahloba mabitso a lifensetere a amanang le software ea banka - lenane le felletseng le ka tlase:
4.5.2. Smart card
RTM e u lumella ho beha leihlo libali tsa likarete tse bohlale tse hokahaneng le likhomphutha tse nang le tšoaetso. Lisebelisoa tsena li sebelisoa linaheng tse ling ho hokahanya litaelo tsa ho lefa. Haeba mofuta ona oa sesebelisoa o khomaretsoe k'homphieutheng, e ka bontša Trojan hore mochine o sebelisetsoa ho etsa libanka.
Ho fapana le li-Trojan tse ling tsa banka, RTM e ke ke ea sebelisana le likarete tse bohlale joalo. Mohlomong ts'ebetso ena e kenyelelitsoe mojuleng oa tlatsetso oo re e-so bone.
4.5.3. Keylogger
Karolo ea bohlokoa ea ho beha leihlo PC e tšoaelitsoeng ke ho ts'oara li-keystrokes. Ho bonahala eka bahlahisi ba RTM ha ba lahleheloe ke tlhahisoleseding leha e le efe, kaha ha ba shebe linotlolo tse tloaelehileng feela, empa hape le keyboard le lebokose la lipapali.
Ho etsa sena, sebelisa mosebetsi oa SetWindowsHookExA. Bahlaseli ba kenya linotlolo tse hatisitsoeng kapa linotlolo tse tsamaellanang le keyboard, hammoho le lebitso le letsatsi la lenaneo. Ebe buffer e romelloa ho seva sa taelo ea C&C.
Mosebetsi oa SetClipboardViewer o sebelisetsoa ho thibela clipboard. Li-Hackers li kenya litaba tsa clipboard ha data e le mongolo. Lebitso le letsatsi le tsona li kentsoe pele buffer e romelloa ho seva.
4.5.4. Litšoantšo tsa skrini
Mosebetsi o mong oa RTM ke ho thibela skrini. Karolo e sebelisoa ha mojule oa ho shebella fensetere o fumana sebaka sa marang-rang kapa software ea banka e khahlang. Lits'oants'o li nkuoa ho sebelisoa laebrari ea litšoantšo tse hlakileng ebe li fetisetsoa ho seva sa taelo.
4.6. Uninstallation
Seva ea C&C e ka emisa malware ho sebetsa le ho hloekisa komporo ea hau. Taelo e u lumella ho hlakola lifaele le li-registry tse entsoeng ha RTM e ntse e sebetsa. Joale DLL e sebelisoa ho tlosa malware le faele ea winlogon, ka mor'a moo taelo e koala k'homphieutha. Joalokaha ho bontšitsoe setšoantšong se ka tlase, DLL e tlosoa ke baetsi ba sebelisa erase.dll.
Seva e ka romella Trojan taelo e senyang ea ho notlolla. Tabeng ena, haeba u na le litokelo tsa mookameli, RTM e tla hlakola MBR boot sector ho hard drive. Haeba sena se hloleha, Trojan e tla leka ho fetisetsa lekala la boot la MBR sebakeng se sa reroang - ebe komporo e ke ke ea khona ho bulela OS kamora ho koala. Sena se ka lebisa ho tsosolosoa ka ho feletseng ha OS, ho bolelang ho timetsoa ha bopaki.
Ntle le litokelo tsa motsamaisi, malware a ngola .EXE e kentsoeng ka har'a RTM DLL e tlase. E phethisoang e sebelisa khoutu e hlokahalang ho koala komporo ebe e ngolisa mojule ka har'a konopo ea registry ea HKCUCurrentVersionRun. Nako le nako ha mosebelisi a qala lenaneo, komporo ea koala hang-hang.
4.7. Faele ea tlhophiso
Ka nako e sa lekanyetsoang, RTM ha e na faele ea tlhophiso, empa seva sa taelo le taolo se ka romella litekanyetso tsa tlhophiso tse tla bolokoa ho ngolisoeng le ho sebelisoa ke lenaneo. Lethathamo la linotlolo tsa tlhophiso le hlahisoa tafoleng e ka tlase:
Tokiso e bolokoa ka har'a konopo ea ngoliso ea Software[Pseudo-random string]. Boleng bo bong le bo bong bo lumellana le o mong oa mela e hlahisitsoeng tafoleng e fetileng. Boleng le data li kentsoe ho sebelisoa algorithm ea RC4 ho RTM.
Lintlha li na le sebopeho se ts'oanang le marang-rang kapa likhoele. Senotlolo sa XOR sa li-byte tse 'ne se eketsoa qalong ea data e kentsoeng. Bakeng sa litekanyetso tsa tlhophiso, senotlolo sa XOR se fapane 'me se itšetlehile ka boholo ba boleng. E ka baloa ka tsela e latelang:
xor_key = (len(config_value) << 24) | (len(config_value) << 16)
| len(config_value)| (len(config_value) << 8)
4.8. Mesebetsi e meng
Ka mor'a moo, a re shebeng lits'ebetso tse ling tseo RTM e li tšehetsang.
4.8.1. Li-module tse ling
Trojan e kenyelletsa li-module tse ling, e leng lifaele tsa DLL. Li-module tse rometsoeng ho tsoa ho seva sa taelo ea C&C li ka etsoa joalo ka mananeo a kantle, a bonts'itsoeng ho RAM mme a qalisoa ka likhoele tse ncha. Bakeng sa polokelo, li-module li bolokiloe lifaeleng tsa .dtt 'me li kentsoe ho sebelisoa algorithm ea RC4 e nang le senotlolo se tšoanang se sebelisetsoang puisano ea marang-rang.
Ho fihlela joale re hlokometse ho kenngoa ha mojule oa VNC (8966319882494077C21F66A8354E2CBCA0370464), mojule oa ho ntša data ea sebatli (03DE8622BE6B2F75A364A275995C3411626C4D9C1D2E1C562D1F69F) FC6FBA58 B88753BE7D0B3E4CFAB).
Ho kenya mochine oa VNC, seva sa C & C se fana ka taelo e kopang lihokelo ho seva sa VNC atereseng e itseng ea IP ho port 44443. Plugin ea ho khutlisa data ea sebatli e sebelisa TBrowserDataCollector, e ka balang nalane ea ho bala ea IE. Ebe e romella lenane le felletseng la li-URL tse etetsoeng ho seva sa taelo ea C&C.
Mojule oa ho qetela o fumanoeng o bitsoa 1c_2_kl. E ka sebelisana le sephutheloana sa software sa 1C Enterprise. Mojule o kenyelletsa likarolo tse peli: karolo e kholo - DLL le liakhente tse peli (32 le 64 bit), tse tla kenngoa ts'ebetsong ka 'ngoe, ho ngolisa tlamo ho WH_CBT. Ha e se e kentsoe tšebetsong ea 1C, mojule o tlama mesebetsi ea CreateFile le WriteFile. Nako le nako ha tšebetso e tlamahaneng ea CreateFile e bitsoa, module e boloka tsela ea faele 1c_to_kl.txt mohopolong. Ka mor'a ho thibela mohala oa WriteFile, e bitsa mosebetsi oa WriteFile mme e romela tsela ea faele 1c_to_kl.txt ho mojule oa DLL o moholo, e fetisetsa molaetsa o entsoeng ka Windows WM_COPYDATA.
Mojule oa mantlha oa DLL o bula le ho hlophisa faele ho fumana litaelo tsa tefo. E lemoha chelete le nomoro ea transaction e leng faeleng. Boitsebiso bona bo romelloa ho seva sa litaelo. Re lumela hore mojule ona o ntse o ntlafatsoa hobane o na le molaetsa oa tharollo 'me o ke ke oa khona ho fetola 1c_to_kl.txt.
4.8.2. Keketseho ea tokelo
RTM e ka leka ho eketsa menyetla ka ho hlahisa melaetsa ea liphoso tse fosahetseng. Malware e etsisa tlhahlobo ea ngoliso (sheba setšoantšo se ka tlase) kapa e sebelisa lets'oao la 'nete la ho ngolisa. Ka kopo hlokomela ho ema ha mopeleto o fosahetseng - whait. Ka mor'a metsotsoana e seng mekae ea ho hlahloba, lenaneo le bontša molaetsa oa phoso oa bohata.
Molaetsa oa bohata o tla thetsa basebelisi ba tloaelehileng habonolo, ho sa tsotellehe liphoso tsa sebōpeho-puo. Haeba mosebelisi a tobetsa e 'ngoe ea lihokelo tse peli, RTM e tla leka ho eketsa litokelo tsa eona tsamaisong.
Kamora ho khetha e 'ngoe ea likhetho tse peli tsa ho hlaphoheloa, Trojan e qala DLL e sebelisa khetho ea runas ts'ebetsong ea ShellExecute ka litokelo tsa motsamaisi. Mosebelisi o tla bona molaetsa oa Windows oa 'nete (sheba setšoantšo se ka tlase) bakeng sa bophahamo. Haeba mosebelisi a fana ka litumello tse hlokahalang, Trojan e tla sebetsa ka litokelo tsa motsamaisi.
Ho ipapisitse le puo ea kamehla e kentsoeng tsamaisong, Trojan e bonts'a melaetsa ea liphoso ka Serussia kapa Senyesemane.
4.8.3. Setifikeiti
RTM e ka eketsa litifikeiti Lebenkeleng la Windows mme ea netefatsa ho ts'epahala ha tlatsetso ka ho tobetsa konopo ea "e" lebokoseng la puisano la csrss.exe. Boitšoaro bona ha bo bocha; mohlala, Trojan Retefe ea banka e boetse e tiisa ka boikemelo ho kenya setifikeiti se secha.
4.8.4. Khokahano ea morao
Bangoli ba RTM le bona ba thehile kotopo ea Backconnect TCP. Ha re so bone sebopeho se ntseng se sebelisoa, empa se etselitsoe ho lekola li-PC tse tšoaelitsoeng hole.
4.8.5. Tsamaiso ea faele ea Host
Seva ea C&C e ka romela taelo ho Trojan ho fetola faele ea moamoheli ea Windows. Faele ea moamoheli e sebelisoa ho etsa liqeto tsa tloaelo tsa DNS.
4.8.6. Fumana mme o romelle faele
Seva e kanna ea kopa ho batla le ho khoasolla faele ho sistimi e nang le tšoaetso. Mohlala, nakong ea lipatlisiso re fumane kopo ea faele 1c_to_kl.txt. Joalo ka ha ho hlalositsoe pejana, faele ena e hlahisoa ke 1C: Sistimi ea accounting ea Enterprise 8.
4.8.7. Nchafatso
Qetellong, bangoli ba RTM ba ka ntlafatsa software ka ho fana ka DLL e ncha ho nkela mofuta oa hajoale sebaka.
5. Qetello
Lipatlisiso tsa RTM li bontša hore tsamaiso ea libanka ea Russia e ntse e hohela bahlaseli ba cyber. Lihlopha tse kang Buhtrap, Corkow le Carbanak li atlehile ho utsoa chelete ho tsoa mekhatlong ea lichelete le bareki ba bona Russia. RTM ke sebapali se secha indastering ena.
Lisebelisoa tse kotsi tsa RTM esale li sebelisoa ho tloha bonyane morao 2015, ho latela telemetry ea ESET. Lenaneo le na le mefuta e mengata ea bokhoni ba ho hlahloba, ho kenyelletsa ho bala likarete tse bohlale, ho thibela likonopo le ho beha leihlo litšebelisano tsa banka, hammoho le ho batla 1C: Lifaele tsa lipalangoang tsa Enterprise 8.
Ts'ebeliso ea sebaka sa marang-rang se ikemetseng, se sa ts'oaroang sa .bit se netefatsa lisebelisoa tse tsitsitseng haholo.
Source: www.habr.com