Keylogger with a surprise: analysis of the keylogger and deanon of its developer

In recent years, mobile Trojans have been steadily displacing Trojans for personal computers, so the appearance of new malware for the good old "boxes" and its active use by cybercriminals, unpleasant as it is, is still an event. Recently, the 24/7 information security incident response centre CERT Group-IB discovered an unusual phishing email that concealed a new PC malware combining the functions of a Keylogger and a PasswordStealer. What caught the analysts' attention was how the spyware got onto the user's machine: via a popular voice messenger. Ilya Pomerantsev, malware analysis specialist at CERT Group-IB, explained how the malware works, why it is dangerous, and even tracked down its creator in faraway Iraq.

So, let us go in order. Under the guise of an attachment, the email contained an image; clicking on it took the user to cdn.discordapp.com, from where the malicious file was downloaded.

Using Discord, a free voice and text messenger, for this is rather unusual. Normally other instant messengers or social networks are used for such purposes.

A more detailed analysis identified the malware family. It turned out to be a newcomer to the malware market: 404 Keylogger.

The first advertisement offering the keylogger for sale was posted on hackforums by a user with the nickname "404 Coder" on 8 August.

The shop domain was registered quite recently, on 7 September 2019.

As the developers state on the site 404projects[.]xyz, 404 is a tool created to help companies learn about the activities of their customers (with their consent) or for those who want to protect their binary from reverse engineering. Looking ahead: 404 definitely cannot do the latter.

We decided to reverse one of the files and see what the "BEST SMART KEYLOGGER" really is.

Malware ecosystem

Loader 1 (AtillaCrypter)

The source file is protected with EaxObfuscator and performs a two-stage load of AtProtect from the resource section. Analysis of other samples found on VirusTotal showed that this stage was not supplied by the developer himself but was added by his customer. It was later established that this loader is AtillaCrypter.

Loader 2 (AtProtect)

In fact, this loader is an integral part of the malware and, by the developer's design, is supposed to take on the job of countering analysis.

In practice, however, the protection mechanisms are extremely primitive, and our systems detect this malware without difficulty.

The main module is injected using Franchy ShellCode of various versions. We do not rule out that other options could have been used as well, for example RunPE.

Configuration file

Integration into the system

Persistence in the system is handled by the AtProtect loader if the corresponding flag is set.

  • The file is copied to %AppData%\GFqaak\Zpzwm.exe.
  • The file %AppData%\GFqaak\WinDriv.url is created, which launches Zpzwm.exe.
  • In the HKCU\Software\Microsoft\Windows\CurrentVersion\Run branch an autorun key WinDriver.url is created.

Note that the autorun value references a .url shortcut rather than the executable itself, so hunts that only look for .exe paths in Run keys will miss it.

Communication with the C&C

AtProtect loader

If the corresponding flag is set, the malware can start a hidden iexplorer process and open the specified link to notify the server of a successful infection.

DataStealer

Regardless of the exfiltration method used, network communication begins with obtaining the victim's external IP address via the resource [http]://checkip[.]dyndns[.]org/.

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)

This User-Agent (Internet Explorer 6 on Windows NT 5.2 with .NET 1.0) is long obsolete, so the combination of this string with a request to checkip.dyndns.org is a usable network indicator on its own.

The overall message structure is the same for all methods. There is a header

|——- 404 Keylogger — {Type} ——-|

where {Type} corresponds to the type of data being transmitted. This is followed by information about the system:

_______ + VICTIM INFO + _______

IP: {External IP}
Host Name: {Computer name}
OS Name: {OS Name}
OS Version: {OS Version}
OS PlatForm: {Platform}
RAM Size: {RAM size}
______________________________

And finally the transmitted data itself.

SMTP

The subject of the email is as follows: 404 K | {Message type} | Client Name: {Username}.

Interestingly, the developers' own SMTP server is used to deliver the emails to the 404 Keylogger customer.

This made it possible to identify some of the customers, as well as the email address of one of the developers. For defenders it also means that a single mail-server indicator covers every customer's build, not only the sample at hand.
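Parsing the report format described above, as an added example (not code from the article, the analysts, or the malware): a Go classifier that recognises the SMTP subject line and the body header with its VICTIM INFO block, and returns the fields a detection pipeline would want. The sample subject and body are constructed from the layout on this page, not a real capture; the type string "Keylogger", the client name "Vavaa" (borrowed from the Pastebin section) and the field values are assumptions, and the dash characters in the header are matched loosely because extraction and mail transport can alter them.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Report is what the classifier extracts from one 404 Keylogger exfiltration
// message, whether it arrived over SMTP or was written to the FTP drop file.
type Report struct {
	Type    string            // value of {Type} from the body header
	Client  string            // "Client Name" from the SMTP subject, empty otherwise
	Victim  map[string]string // fields of the VICTIM INFO block
	Payload string            // everything after the closing underscore rule
}

var (
	// Body header: |——- 404 Keylogger — {Type} ——-|  (dash variants tolerated)
	headerRe = regexp.MustCompile(`^\|[-—–]+\s*404 Keylogger\s*[-—–]+\s*(.+?)\s*[-—–]+\|$`)
	// SMTP subject: 404 K | {Message type} | Client Name: {Username}
	subjectRe = regexp.MustCompile(`^404 K \| (.+?) \| Client Name: (.+)$`)
	// "Host Name: X" style lines inside the VICTIM INFO block
	fieldRe = regexp.MustCompile(`^([A-Za-z ]+?):\s*(.*)$`)
)

// ParseSubject returns the message type and client name from a 404 K subject.
func ParseSubject(subject string) (msgType, client string, ok bool) {
	m := subjectRe.FindStringSubmatch(strings.TrimSpace(subject))
	if m == nil {
		return "", "", false
	}
	return m[1], m[2], true
}

// ParseBody walks the body as a small state machine: header line, then the
// "+ VICTIM INFO +" block delimited by underscore rules, then the payload.
func ParseBody(body string) (Report, bool) {
	r := Report{Victim: map[string]string{}}
	sc := bufio.NewScanner(strings.NewReader(body))
	state := 0 // 0 = before header, 1 = before victim block, 2 = inside block, 3 = payload
	var payload []string
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch state {
		case 0:
			if m := headerRe.FindStringSubmatch(line); m != nil {
				r.Type = m[1]
				state = 1
			}
		case 1:
			if strings.Contains(line, "+ VICTIM INFO +") {
				state = 2
			}
		case 2:
			if strings.HasPrefix(line, "____") {
				state = 3
			} else if m := fieldRe.FindStringSubmatch(line); m != nil {
				r.Victim[m[1]] = m[2]
			}
		case 3:
			payload = append(payload, sc.Text())
		}
	}
	if state < 3 {
		return Report{}, false
	}
	r.Payload = strings.TrimSpace(strings.Join(payload, "\n"))
	return r, true
}

// Classify attributes a message to 404 Keylogger only when the body header
// is present; the short subject alone is not treated as sufficient.
func Classify(subject, body string) (Report, bool) {
	r, ok := ParseBody(body)
	if !ok {
		return Report{}, false
	}
	if _, c, ok := ParseSubject(subject); ok {
		r.Client = c
	}
	return r, true
}

// SampleSubject and SampleBody are constructed from the layout on the page;
// they are not a real capture.
const SampleSubject = "404 K | Keylogger | Client Name: Vavaa"
const SampleBody = `|——- 404 Keylogger — Keylogger ——-|
_______ + VICTIM INFO + _______

IP: 198.51.100.23
Host Name: DESKTOP-EXAMPLE
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.18362
OS PlatForm: Win32NT
RAM Size: 8 GB
______________________________

[Enter]user@example.invalid[Tab]hunter2[Enter]`

func main() {
	r, ok := Classify(SampleSubject, SampleBody)
	fmt.Printf("recognised=%v type=%q client=%q host=%q\n", ok, r.Type, r.Client, r.Victim["Host Name"])
}
```

The same ParseBody can be pointed at the A{Random number}.txt drop file from the FTP method, since the body layout is shared by all exfiltration channels; only the SMTP subject is channel-specific.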

FTP

When this method is used, the collected information is saved to a file and immediately read back from it.

The logic of this step is not entirely clear, but it produces an additional artifact that can be used for writing behavioural rules:

%HOMEDRIVE%%HOMEPATH%\Documents\A{Random number}.txt

Pastebin

At the time of analysis, this method is used only to transmit stolen passwords. Moreover, it is not used as an alternative to the first two methods but in parallel with them. The paste title is a constant value equal to "Vavaa"; possibly this is the customer's name.

Interaction takes place over HTTPS through the pastebin API. The api_paste_private parameter is set to PASTE_UNLISTED, which prevents such pages from being found through pastebin search.
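The network behaviours described so far (the external IP lookup with the stale User-Agent, the unlisted Pastebin paste with the constant title, and the downloads from 404projects[.]xyz and the Discord CDN) can be turned into a proxy-log check. The Go function below is an added example, not code from the article; the HTTPRequest structure, the sample requests, and the assumption that the paste title travels in the api_paste_name field are constructed for this illustration. The field names api_option and api_paste_private, with the value 1 meaning "unlisted", come from the public Pastebin API.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// HTTPRequest is the subset of a proxy or sandbox HTTP log entry used here
// (a constructed structure for this example, not a real log schema).
type HTTPRequest struct {
	Method, Host, Path, UserAgent, Body string
}

// ua404Fragments are pieces of the User-Agent reported for the IP lookup.
// They are matched separately so that spacing differences do not matter.
var ua404Fragments = []string{"MSIE 6.0", "Windows NT 5.2", ".NET CLR1.0.3705"}

func hasAllFragments(ua string) bool {
	for _, f := range ua404Fragments {
		if !strings.Contains(ua, f) {
			return false
		}
	}
	return true
}

// MatchIndicators names the 404 Keylogger network behaviours one request
// exhibits. Hostnames are compared case-insensitively.
func MatchIndicators(r HTTPRequest) []string {
	var hits []string
	host := strings.ToLower(r.Host)
	switch {
	case host == "checkip.dyndns.org":
		// Many legitimate tools query this service; require the stale UA too.
		if hasAllFragments(r.UserAgent) {
			hits = append(hits, "external-ip-lookup-with-404-ua")
		}
	case host == "pastebin.com" && r.Method == "POST" && strings.HasPrefix(r.Path, "/api/api_post.php"):
		form, err := url.ParseQuery(r.Body)
		if err != nil || form.Get("api_option") != "paste" {
			break
		}
		if form.Get("api_paste_private") == "1" { // 1 = unlisted in the Pastebin API
			hits = append(hits, "pastebin-unlisted-paste")
		}
		if form.Get("api_paste_name") == "Vavaa" { // assumed: the constant title is sent as api_paste_name
			hits = append(hits, "pastebin-title-vavaa")
		}
	case host == "404projects.xyz" || strings.HasSuffix(host, ".404projects.xyz"):
		hits = append(hits, "404projects-contact")
	case host == "cdn.discordapp.com" && strings.HasSuffix(strings.ToLower(r.Path), ".exe"):
		hits = append(hits, "discord-cdn-executable-download")
	}
	return hits
}

// SampleLog is a constructed set of requests, not a real capture.
var SampleLog = []HTTPRequest{
	{Method: "GET", Host: "checkip.dyndns.org", Path: "/", UserAgent: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"},
	{Method: "GET", Host: "checkip.dyndns.org", Path: "/", UserAgent: "curl/7.68.0"},
	{Method: "POST", Host: "pastebin.com", Path: "/api/api_post.php", UserAgent: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)",
		Body: "api_option=paste&api_dev_key=REDACTED&api_paste_private=1&api_paste_name=Vavaa&api_paste_code=user%3Apass"},
	{Method: "GET", Host: "cdn.discordapp.com", Path: "/attachments/1/2/Invoice.exe", UserAgent: "Mozilla/5.0"},
	{Method: "GET", Host: "www.example.com", Path: "/index.html", UserAgent: "Mozilla/5.0"},
}

// ScanLog returns, per indicator name, how many requests triggered it.
func ScanLog(entries []HTTPRequest) map[string]int {
	counts := map[string]int{}
	for _, r := range entries {
		for _, h := range MatchIndicators(r) {
			counts[h]++
		}
	}
	return counts
}

func main() {
	for name, n := range ScanLog(SampleLog) {
		fmt.Printf("%-35s %d\n", name, n)
	}
}
```

The checkip request is only flagged together with the User-Agent because the service itself is used by plenty of benign software; the Pastebin and 404projects[.]xyz rules, by contrast, are specific enough to stand alone.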

Encryption algorithms

Extracting the file from resources

The payload is stored in the AtProtect loader's resources in the form of Bitmap images. Extraction takes several stages:

  • A byte array is extracted from the image. Each pixel is treated as a sequence of 3 bytes in BGR order. After extraction, the first 4 bytes of the array hold the length of the message and the following bytes hold the message itself.

  • The key is computed. To do this, MD5 is calculated over the value "ZpzwmjMJyfTNiRalKVrcSkxCN", which is specified as the password. The resulting hash is written twice.

  • Decryption is performed with the AES algorithm in ECB mode.

Because the password is hard-coded and ECB mode is used, the key is the same for every sample built with this loader, and the payload can be decrypted offline once the bitmap resource has been dumped.
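The three extraction stages above, carried through in Go as an added example (not the loader's own code). It assumes the bitmap has already been decoded into an image.NRGBA, that pixels are read row by row, that the 4-byte length prefix is little-endian (as .NET's BitConverter would write it), and that the plaintext carries PKCS#7 padding (the .NET AES default); the "hash written twice" step is read as concatenating the 16-byte MD5 digest with itself to form a 32-byte AES-256 key. BuildCarrierImage exists only to construct a test image with the same key and is not something the malware does.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"encoding/binary"
	"errors"
	"fmt"
	"image"
	"image/color"
)

// atProtectPassword is the constant the analysis reports as the AES password.
const atProtectPassword = "ZpzwmjMJyfTNiRalKVrcSkxCN"

// deriveKey reproduces the key step described above: MD5 of the password,
// written twice, which yields a 32-byte key and therefore AES-256.
func deriveKey(password string) []byte {
	h := md5.Sum([]byte(password))
	return append(h[:], h[:]...)
}

// pixelsToBytes walks the image row by row (assumed order) and emits B, G, R
// for every pixel, mirroring the BGR extraction described above.
func pixelsToBytes(img *image.NRGBA) []byte {
	b := img.Bounds()
	out := make([]byte, 0, b.Dx()*b.Dy()*3)
	for y := b.Min.Y; y < b.Max.Y; y++ {
		for x := b.Min.X; x < b.Max.X; x++ {
			c := img.NRGBAAt(x, y)
			out = append(out, c.B, c.G, c.R)
		}
	}
	return out
}

// unwrapLength reads the 4-byte length prefix (assumed little-endian) and
// returns the message that follows, refusing lengths that overrun the buffer.
func unwrapLength(raw []byte) ([]byte, error) {
	if len(raw) < 4 {
		return nil, errors.New("buffer shorter than length prefix")
	}
	n := binary.LittleEndian.Uint32(raw[:4])
	if uint64(n) > uint64(len(raw)-4) {
		return nil, fmt.Errorf("declared length %d exceeds available %d bytes", n, len(raw)-4)
	}
	return raw[4 : 4+n], nil
}

// aesECBDecrypt decrypts block by block; Go deliberately ships no ECB mode,
// so it is spelled out here. PKCS#7 padding is assumed and verified.
func aesECBDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ct) == 0 || len(ct)%bs != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += bs {
		block.Decrypt(pt[i:i+bs], ct[i:i+bs])
	}
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > bs || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return pt[:len(pt)-pad], nil
}

// ExtractPayload chains the stages: pixels -> length-prefixed bytes -> AES.
func ExtractPayload(img *image.NRGBA) ([]byte, error) {
	ct, err := unwrapLength(pixelsToBytes(img))
	if err != nil {
		return nil, err
	}
	return aesECBDecrypt(deriveKey(atProtectPassword), ct)
}

// BuildCarrierImage is the inverse, used only to construct a test image here:
// it pads and encrypts plaintext with the same key and packs it into pixels.
func BuildCarrierImage(plain []byte) *image.NRGBA {
	block, _ := aes.NewCipher(deriveKey(atProtectPassword))
	bs := block.BlockSize()
	pad := bs - len(plain)%bs
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(ct[i:i+bs], padded[i:i+bs])
	}
	raw := make([]byte, 4, 4+len(ct))
	binary.LittleEndian.PutUint32(raw, uint32(len(ct)))
	raw = append(raw, ct...)
	for len(raw)%3 != 0 { // round up to whole pixels; the length prefix hides the slack
		raw = append(raw, 0)
	}
	w := len(raw) / 3
	img := image.NewNRGBA(image.Rect(0, 0, w, 1))
	for i := 0; i < w; i++ {
		img.SetNRGBA(i, 0, color.NRGBA{R: raw[3*i+2], G: raw[3*i+1], B: raw[3*i], A: 255})
	}
	return img
}

func main() {
	got, err := ExtractPayload(BuildCarrierImage([]byte("MZ constructed sample payload")))
	fmt.Printf("%q %v\n", got, err)
}
```

To use this on a real sample, dump the bitmap resource from the AtProtect loader, decode it with image/bmp (golang.org/x/image/bmp) into an NRGBA image, and pass it to ExtractPayload; a padding error usually means the pixel order or endianness assumption does not hold for that build.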

Malicious functionality

Downloader

Implemented in the AtProtect loader.

  • Via the link [activelink-repalce] the server status is requested to confirm it is ready to hand out the file. The server must return "ON".
  • Via the link [downloadlink-replace] the payload is downloaded.
  • Using FranchyShellcode the payload is injected into the process [inj-replace].

During analysis of the domain 404projects[.]xyz, other 404 Keylogger samples were found on VirusTotal, as well as several kinds of loaders.

Conventionally, they can be divided into two types:

  1. The download is performed from the resource 404projects[.]xyz.

     The data is Base64-encoded and AES-encrypted.

  2. This variant consists of several stages and is most likely used together with the AtProtect loader.

  • In the first stage, data is downloaded from pastebin and decoded using the HexToByte function.

  • In the second stage, the download source is 404projects[.]xyz itself. The decompression and decoding functions, however, are the same as those found in the DataStealer. Probably the loader functionality was originally intended to be implemented in the main module.

  • At this stage the payload is already present in the resource manifest in compressed form. Similar extraction functions were also found in the main module.

Among the files analysed, loaders for njRat, SpyGate and other RATs were found.

Keylogger

Data sending interval: 30 minutes.

All characters are supported. Special characters are escaped. The BackSpace and Delete keys are handled. Case is taken into account.

ClipboardLogger

Data sending interval: 30 minutes.

Clipboard polling interval: 0.1 seconds.

Link escaping is implemented.

ScreenLogger

Data sending interval: 60 minutes.

Screenshots are saved to %HOMEDRIVE%%HOMEPATH%\Documents\404k\404pic.png.

After sending, the 404k folder is deleted.

PasswordStealer

Browsers: Chrome, Firefox, SeaMonkey, IceDragon, PaleMoon, Cyberfox, BraveBrowser, QQBrowser, IridiumBrowser, XvastBrowser, Chedot, 360Browser, ComodoDragon, 360Chrome, SuperBird, CentBrowser, GhostBrowser, IronBrowser, Chromium, Vivaldi, SlimjetBrowser, Orbitum, CocCoc, Torch, UCBrowser, EpicBrowser, BliskBrowser, Opera

Mail clients: Outlook, Thunderbird, Foxmail

FTP clients: FileZilla

Countering dynamic analysis

  • Checking whether the process is being analysed

    Performed by searching for the processes taskmgr, ProcessHacker, procexp64, procexp, procmon. If at least one is found, the malware exits.

  • Checking for a virtual environment

    Performed by searching for the processes vmtoolsd, VGAuthService, vmacthlp, VBoxService, VBoxTray. If at least one is found, the malware exits.

  • Sleeping for five seconds
  • Displaying various kinds of dialog boxes

    May be used to bypass some sandboxes.

  • UAC bypass

    Performed by editing the EnableLUA registry key in the Group Policy settings.

  • Uses the "Hidden" attribute on the current file.
  • Ability to delete the current file.

Both process checks are purely name-based, so renaming the analysis tools or the VM helper processes defeats them. Setting EnableLUA to 0 only takes effect after a reboot and is a loud, well-known modification, which makes it a good detection anchor.

Inactive functionality

During analysis of the loader and the main module, functions were found that implement additional functionality but are not called anywhere. Most likely this is because the malware is still under development and its functionality will be expanded soon.

AtProtect loader

A function was found that is responsible for downloading an arbitrary module and injecting it into the msiexec.exe process.

DataStealer

  • Integration into the system

  • Decompression and decryption functions

    Possibly, encryption of the data during network communication will be implemented soon.

  • Terminating antivirus processes

    The list of process names checked (reconstructed from the flattened table):

    zlclient, egui, bdagent, npfmsg, olydbg, anubis, wireshark, avastui, _Avp32, vsmon, mbam, keyscrambler, _Avpcc, _Avpm, Ackwin32, Outpost, Anti-Trojan, ANTIVIR, Apvxdwin, ATRACK, Autodown, Avconsol, Ave32, Avgctrl, Avkserv, Avnt, Avp, Avp32, Avpcc, Avpdos32, Avpm, Avptc32, Avpupd, Avsched32, AVSYNMGR, Avwin95, Avwupd32, Blackd, Blackice, Cfiadmin, Cfiaudit, Cfinet, Cfinet32, Claw95, Claw95cf, Cleaner, Cleaner3, Defwatch, Dvp95,
    Dvp95_0, Ecengine, Esafe, Espwatch, F-Agnt95, Findviru, Fprot, F-Prot, F-Prot95, Fp-Win, Frw, F-Stopw, Iamapp, Iamserv, Ibmasn, Ibmavsp, Ikload95, Icloadnt, Icmon, Icsupp95, Icsupnt, Iface, Iomon98, Jedi, Lockdown2000, Lookout, Luall, mcafee, Moolive, MPftray, N32scanw, NAVAPSVC, NAVAPW32, NAVLU32, Navnt, NAVRUNR, Navw32, Navwnt, NeoWatch, NISERV, Nisum, Nmain, Normist, NORTON, Nupgrade, NVC95, Outpost, Padmin, Pavcl,
    Pavsched, Pavw, PCCIOMON, PCCMAIN, Pccwin98, Pcfwallicon, Persfw, POP3TRAP, PVIEW95, Rav7, Rav7win, Rescue, Safeweb, Scan32, Scan95, Scanpm, Scrscan, Serv95, Smc, SMCSERVICE, Snort, Sphinx, Sweep95, SYMPROXYSVC, Tbscan, Tca, Tds2-98, Tds2-Nt, TermiNET, Vet95, Vettray, Vscan40, Vsecomr, Vshwin32, Vsstat, Webscanx, WEBTRAP, Wfindv32, Zonealarm, LOCKDOWN2000, RESCUE32, LUCOMSERVER, avgcc, avgamsvr, avgupsvc, avgw, avgcc32, avgserv,
    avgserv9, avgserv9schedapp, avgemc, ashwebsv, ashdisp, ashmaisv, ashserv, aswUpdSv, symwsc, Norton, Norton Auto-Protect, norton_av, nortonav, ccsetmgr, ccvtmgr, avadmin, avcenter, avgnt, avguard, avnotify, avscan, guardgui, nod32kr, nod32kui, clamscan, clamTray, clamWin, freshclam, oladin, sigtool, w9xpopen, Wclose, cmgrdian, alogserv, mcshield, vshwin32, avconsol, vsstat, avsynmgr, avcmd, avconfig, limgr, sched, preupd, MsMpEng, MSASCui, Avira.Systray

    Most of these names belong to products from the late 1990s and early 2000s, which is why the list looks like one copied wholesale from older malware rather than written for current endpoint protection.
  • Self-destruction
  • Loading data from the specified resource manifest
  • Copying the file to %Temp%\tmpG{Current date and time in milliseconds}.tmp

    Interestingly, an identical function is present in the AgentTesla malware.

  • Worm functionality

    The malware obtains a list of removable media. A copy of the malware named Sys.exe is created in the root of the media file system. Autorun is implemented via the autorun.inf file.

Attacker profile

During analysis of the command centre, it was possible to establish the email address and nickname of the developer: Razer, aka Brwa, Brwa65, HiDDen Person, 404 Coder. We then found an interesting video on YouTube demonstrating work with the builder.

This made it possible to find the developer's original channel.

It became clear that he has experience in writing crypters. There are also links to social network pages and the author's real name. He turned out to be a resident of Iraq.

This is what the alleged developer of 404 Keylogger looks like. Photo from his Facebook profile.

CERT Group-IB reported the new threat, 404 Keylogger, to the round-the-clock cyber threat monitoring and response centre (SOC) in Bahrain.

Source: www.habr.com
