
In December 2018, Group-IB specialists discovered a new family of JS sniffers, named FakeSecurity. It was used by a criminal group that infected websites running the Magento CMS. Analysis revealed that in a recent campaign the attackers also used malware to steal passwords. The victims were the owners of online stores that had been infected with the JavaScript sniffer. Group-IB CERT notified the affected sites, and Group-IB Threat Intelligence specialist Victor Okorokov decided to describe how we managed to identify the criminal activity.
Recall that in March 2019 Group-IB published "Crime without punishment: an analysis of JS sniffer families", which examined 15 different families of JS sniffers that had been used to infect more than two thousand online store websites.
One address
During infection, the attackers inserted a link to a malicious script into the site's code; the script was loaded on the checkout page and, at the moment the customer paid for goods, intercepted the store visitor's payment data and sent it to the attackers' server. In the early stages of the FakeSecurity attacks, both the malicious scripts and the sniffer gates (the endpoints the stolen card data is posted to) were hosted on a single domain, magento-security[.]org.

Later, other Magento sites were found infected with the same sniffer family, but this time the attackers used new domain names to host the malicious code:
- fiswedbesign[.]com
- alloaypparel[.]com
Both domain names were registered to the same email address, greenstreethunter@india[.]com. The same address was given when a third domain, firstofbanks[.]com, was registered.
Please welcome
Analysis of the three new domains used by the FakeSecurity criminal group showed that some of them were involved in a malware distribution campaign that began in March 2019. The attackers distributed links to pages claiming that the user needed to install a missing plugin to display a document correctly. If the user started downloading the "plugin", their computer was infected with password-stealing malware.

In total, 11 unique links were observed leading to fake pages that prompted the user to install the malware:
- hxxps://www.etodoors.com/uploads/Statement00534521[.]html
- hxxps://www.healthcare4all.co.uk/manuals/Statement00534521[.]html
- hxxps://www.healthcare4all.co.uk/lib/Statement001845[.]html
- hxxps://www.healthcare4all.co.uk/doc/BankStatement001489232[.]html
- hxxp://verticalinsider.com/bookmarks/Bank_Statement0052890[.]html
- hxxp://thepinetree.net/n/docs/Statement00159701[.]html
- hxxps://www.readicut.co.uk/media/pdf/Bank_Statement00334891[.]html
- hxxp://www.e-cig.com/doc/pdf/eStmt[.]html
- hxxps://www.genstattu.com/doc/PoliceStatement001854[.]html
- hxxps://www.tokyoflash.com/pdf/statment001854[.]html
- hxxps://www.readicut.co.uk/media/pdf/statment00789[.]html
A potential victim of the campaign received a spam email containing a link to the first-stage page. This page is a small HTML document containing an iframe whose content is loaded from the second-stage page. The second-stage page is a landing page whose content prompts the recipient to install an executable file. In this campaign, the attackers used a landing page themed around installing a missing plugin for Adobe Reader, so the first-stage page imitates a link to a PDF file opened in the browser's online viewing mode. The second-stage page contains a link to the malicious file distributed as part of the campaign, which is downloaded when the "Download plugin" button is clicked.
Analysis of the pages used in this campaign showed that the second-stage pages were usually hosted on the attackers' own domains, whereas the first-stage page and the malicious file itself were usually hosted on hacked e-commerce sites.
Example structure of a malware distribution page
In the spam email, the potential victim receives a link to an HTML file, for example hxxps://www.healthcare4all[.]co[.]uk/manuals/Statement00534521[.]html. The HTML file at that link contains an iframe element pointing to the page's main content; in this example the content is located at hxxps://alloaypparel[.]com/view/public/Statement00534521/PDF/Statement001854[.]pdf. As this example shows, here the attackers used a domain they had registered themselves, not a hacked site, to host the page content. The page at that link contains a "Download plugin" button. If the victim clicks it, an executable is downloaded from the link specified in the page code; in this example the executable was served from hxxps://www.healthcare4all[.]co[.]uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe, that is, the malicious file itself was stored on the hacked site.
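As an added example (not code from the article or from Group-IB), the Python script below checks HTML files for the three artefacts described in the sections above: a page that loads a script from a host the shop does not control (the sniffer injection from the "One address" section), a first-stage page that is little more than an iframe onto another host with a PDF-looking URL, and a second-stage page that offers an executable "plugin". It uses only the standard library so it can be run offline over a copy of a web root. The allow-list of hosts and the SAMPLE_* pages are constructed assumptions that mirror the described layout; they are not the real pages or domains.

```python
"""Added example, not code from the article: triage scanner for the
sniffer injection and the two-stage phishing pages described above.
Assumptions (not from the article): ALLOWED_HOSTS lists the hosts a
shop legitimately loads scripts/frames from; the SAMPLE_* pages are
constructed to mirror the described layout, not the real pages."""
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this shop is allowed to load scripts/frames from.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}
EXE_SUFFIXES = (".exe", ".scr", ".msi", ".jar")


class RefCollector(HTMLParser):
    """Collects script src, iframe src and anchor href values."""

    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self.links = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def host_of(url):
    """Hostname of an absolute URL; '' for relative (same-origin) URLs."""
    return (urlparse(url).hostname or "").lower()


def scan_html(html):
    """Return [(finding_kind, url), ...] for one HTML document."""
    p = RefCollector()
    p.feed(html)
    findings = []
    # 1. Sniffer injection: a script loaded from a host we do not control.
    for src in p.scripts:
        h = host_of(src)
        if h and h not in ALLOWED_HOSTS:
            findings.append(("external-script", src))
    # 2. First-stage lure: an iframe onto a foreign host; the campaign used
    #    a URL ending in .pdf that actually served the landing page.
    for src in p.iframes:
        h = host_of(src)
        if h and h not in ALLOWED_HOSTS:
            is_pdf = urlparse(src).path.lower().endswith(".pdf")
            findings.append(("stage1-iframe-pdf-lure" if is_pdf else "stage1-iframe", src))
    # 3. Second-stage lure: a link to an executable offered as a "plugin".
    #    The host is irrelevant: the payload sat on the hacked shop itself.
    for href in p.links:
        if urlparse(href).path.lower().endswith(EXE_SUFFIXES):
            findings.append(("stage2-exe-download", href))
    return findings


def scan_tree(root, exts=(".html", ".htm", ".php", ".phtml")):
    """Walk a web root and return {path: findings} for files with findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_html(fh.read())
                if found:
                    report[path] = found
    return report


# Constructed samples (not the original pages) following the described layout.
SAMPLE_STAGE1 = """<html><body>
<iframe src="https://attacker.example/view/public/Statement00534521/PDF/Statement001854.pdf"
        width="100%" height="100%"></iframe></body></html>"""

SAMPLE_STAGE2 = """<html><body><p>A plugin is missing to display this PDF.</p>
<a class="btn" href="https://shop.example/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe">Download plugin</a>
</body></html>"""

SAMPLE_CHECKOUT = """<html><head>
<script src="https://cdn.shop.example/js/checkout.js"></script>
<script src="https://magento-security.example/js/security.js"></script>
</head><body>checkout</body></html>"""

if __name__ == "__main__":
    for name, page in (("stage1", SAMPLE_STAGE1), ("stage2", SAMPLE_STAGE2), ("checkout", SAMPLE_CHECKOUT)):
        print(name, scan_html(page))
```

Run `scan_tree("/path/to/webroot")` against an offline copy of the shop; relative script URLs are treated as same-origin and skipped, so the allow-list only needs the external hosts the shop genuinely uses.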
A "Mephistopheles" for our times
Analysis of the domain alloaypparel[.]com revealed that the Mephistophilus phishing kit was used to distribute the malware. The kit lets an operator create and use phishing pages for malware distribution: Mephistophilus uses several types of landing pages that prompt the user to install a supposedly missing plugin required for the application to work. In reality the user is served malware, a link to which the operator adds through the Mephistophilus admin panel.
The Mephistophilus phishing system went on sale on underground forums in August 2016. It is a typical phishing kit that uses web pages offering a malware download under the guise of a plugin update (MS Word, MS Excel, PDF, YouTube) needed to view the contents of a document or page. Mephistophilus was developed and released by the underground forum user Kokain. For a successful infection using the kit, the attacker needs to persuade the user to click a link leading to a page generated by Mephistophilus. Regardless of the phishing page's theme, a message appears stating that a missing plugin must be installed to display the online document or YouTube video correctly. For this, Mephistophilus has several types of phishing pages imitating legitimate services:
- Online document viewer for Microsoft Office 365 Word or Excel
- Online PDF viewer
- Page imitating the YouTube service

Victims
As part of the campaign, the criminal group did not limit itself to its own registered domain names: to host the distributed malicious file samples, the attackers also used several online store websites that had previously been infected with the FakeSecurity sniffer.
Five unique links to five unique malware samples were found, four of which were hosted on hacked websites running the Magento CMS:
- hxxps://www.healthcare4all[.]co[.]uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe
- hxxps://www.genstattu[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
- hxxps://firstofbanks[.]com/file_d/Adobe-Reader-PDF-Plugin-2.35.8.exe
- hxxp://e-cig[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
- hxxp://thepinetree[.]net/docs/msw070619.exe
The malware samples distributed in this campaign are samples of the Vidar stealer, designed to steal passwords from browsers and other applications. It can also collect files matching specified masks and send them to the admin panel, which enables, for example, the theft of cryptocurrency wallet files. Vidar is offered as malware-as-a-service: all collected data is sent to a gate and then forwarded to a central admin panel, where each customer of the stealer can view the logs from the computers they infected.
A capable stealer
The Vidar stealer appeared in November 2018. It was developed and put up for sale on underground forums by a user under the pseudonym Loadbaks. According to the developer's description, Vidar can steal browser passwords, files by specified paths and masks, bank card data, cold wallet files, Telegram and Skype credentials, as well as browsing history from browsers. The rental price of the stealer ranges from $250 to $300 per month. The stealer's admin panel and the domains used as gates are hosted on the Vidar authors' servers, which lowers the cost of the service for customers.

In the case of the malicious file msw070619.exe, in addition to distribution through a Mephistophilus landing page, a malicious DOC file was also found, BankStatement0040918404.doc (MD5: 1b8a824074b414419ac10f5ded847ef1), which dropped this executable to disk using macros. The DOC file BankStatement0040918404.doc was attached to malicious emails sent as part of the campaign.

Unraveling the attack
The discovered email (MD5: 53554192ca888cccbb5747e71825facd) was sent to the contact address of a website running the Magento CMS, from which we can conclude that one of the targets of this campaign was online store administrators, and that the goal of the infection was to gain access to the Magento admin panel and other e-commerce platforms in order to install a sniffer and steal customer data from the infected stores.

Thus, the overall infection scheme consisted of the following steps:
- The attackers deployed the admin panel of the Mephistophilus phishing kit on the host alloaypparel[.]com.
- The attackers uploaded password-stealing malware to hacked websites and to their own domains.
- Using the phishing kit, the attackers created a number of landing pages for distributing the malware, and also built malicious documents with a macro that downloaded the malware onto the user's computer.
- The attackers ran a spam campaign sending emails with malicious attachments, as well as links to the landing pages for installing the malware. At least some of the attackers' targets were administrators of online store websites.
- Once an online store administrator's computer was successfully compromised, the stolen credentials were used to gain access to the store's admin panel and to install a JS sniffer that stole the bank card data of users paying on the infected site.
Links to other attacks
The attackers' resources were hosted on a server with IP address 200.63.40.2, belonging to the server rental service Panamaservers[.]com. Before the FakeSecurity campaign, this server had been used for phishing, as well as for hosting the admin panels of various password-stealing malware.
Based on the details of the FakeSecurity campaign, it can be assumed that the admin panels of the Lokibot and AZORult stealers hosted on this server were used in earlier attacks by the same group in January 2019. Specifically, on January 14, 2019, unknown attackers distributed the Lokibot malware through mass emails with a malicious DOC file as an attachment. On January 18, 2019, there was also a distribution of malicious documents that installed the AZORult malware. Analysis of this campaign revealed the following admin panels hosted on the server with IP address 200.63.40.2:
- http[:]//chuxagama[.]com/web-obtain/Panel/five/PvqDq929BSx_A_D_M1n_a.php (Lokibot)
- http[:]//umbra-diego[.]com/wp/Panel/five/PvqDq929BSx_A_D_M1n_a.php (Lokibot)
- http[:]//chuxagama[.]com/web-obtain/Panel/five/index.php (AZORult)
The domain names chuxagama[.]com and umbra-diego[.]com were registered by the same user with the email address dicksonfletcher@gmail.com. The same address was used in May 2016 to register the domain name worldcourrierservices[.]com, which served as the website of the fraudulent company World Courier Service.
Given that in the FakeSecurity campaign the attackers used password-stealing malware, distributed it via email spam, and used the server with IP address 200.63.40.2, it can be assumed that the malicious campaign of January 2019 was carried out by the same criminal group.
Indicators
File name Adobe-Reader-PDF-Plugin-2.37.2.exe
- MD5 3ec1ac0be981ce6d3f83f4a776e37622
- SHA-1 346d580ecb4ace858d71213808f4c75341a945c1
- SHA-256 6ec8b7ce6c9858755964f94acdf618773275589024e2b66583e3634127b7e32c
- Size 615984 bytes
File name Adobe-Reader-PDF-Plugin-2.31.4.exe
- MD5 58476e1923de46cd4b8bee4cdeed0911
- SHA-1 aafa9885b8b686092b003ebbd9aaf8e604eea3a6
- SHA-256 15abc3f55703b89ff381880a10138591c6214dee7cc978b7040dd8b1e6f96297
- Size 578048 bytes
File name Adobe-Reader-PDF-Plugin-2.35.8.exe
- MD5 286096c7e3452aad4acdc9baf897fd0c
- SHA-1 26d71553098b5c92b55e49db85c719f5bb366513
- SHA-256 af04334369878408898a223e63ec50e1434c512bc21d919769c97964492fee19
- Size 1069056 bytes
File name Adobe-Reader-PDF-Plugin-2.31.4.exe (second sample with the same name)
- MD5 fd0e11372a4931b262f0dd21cdc69c01
- SHA-1 54d34b6a6c4dc78e62ad03713041891b6e7eb90f
- SHA-256 4587da5dca2374fd824a15e434dae6630b24d6be6916418cee48589aa6145ef6
- Size 856576 bytes
File name msw070619.exe
- MD5 772db176ff61e9addbffbb7e08d8b613
- SHA-1 6ee62834ab3aa4294eebe4a9aebb77922429cb45
- SHA-256 0660059f3e2fb2ab0349242b4dde6bf9e37305dacc2da870935f4bede78aed34
- Size 934448 bytes
- fiswedbesign[.]com
- alloaypparel[.]com
- firstofbanks[.]com
- magento-security[.]org
- mage-security[.]org
- https[:]//www[.]healthcare4all[.]co[.]uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe
- https[:]//www[.]genstattu[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
- https[:]//firstofbanks[.]com/file_d/Adobe-Reader-PDF-Plugin-2.35.8.exe
- http[:]//e-cig[.]com/doc/Adobe-Reader-PDF-Plugin-2.31.4.exe
- http[:]//thepinetree[.]net/docs/msw070619.exe
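As an added example (not code from the article or from Group-IB), the Python script below shows one way to put the indicator list above to use: it refangs the defanged domains, URLs and hashes into matchable form and checks them against log lines. The indicator block inside the script is a subset copied from the list above; the proxy, DNS and endpoint log lines are constructed for the example and are not real traffic. Note the deliberate choice that payload URLs hosted on hacked legitimate shops are matched only on the full URL, since blocking the whole host would also block a legitimate site.

```python
"""Added example, not code from the article: normalises the defanged
indicators listed above and matches them against log lines. The
indicator block is copied from the article's list; the log lines are
constructed for this example and are not real traffic."""
import re

# Subset of the article's indicators, still defanged as published.
IOC_TEXT = """
# attacker-registered domains
fiswedbesign[.]com
alloaypparel[.]com
firstofbanks[.]com
magento-security[.]org
mage-security[.]org
# payload URLs (hosted on hacked shops, so matched on full URL only)
https[:]//www[.]healthcare4all[.]co[.]uk/manuals/Adobe-Reader-PDF-Plugin-2.37.2.exe
http[:]//thepinetree[.]net/docs/msw070619.exe
# file hashes (MD5 / SHA-256)
3ec1ac0be981ce6d3f83f4a776e37622
0660059f3e2fb2ab0349242b4dde6bf9e37305dacc2da870935f4bede78aed34
"""

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
HOST_TOKEN_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")


def refang(ioc):
    """Undo common defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")


def load_iocs(text):
    """Sort indicators into domains, URLs and hashes (all lower-cased)."""
    iocs = {"domains": set(), "urls": set(), "hashes": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        v = refang(line).lower()
        if HASH_RE.match(v):
            iocs["hashes"].add(v)
        elif "://" in v:
            iocs["urls"].add(v)  # host alone is a legitimate (hacked) site
        else:
            iocs["domains"].add(v)
    return iocs


def match_line(line, iocs):
    """Return sorted unique (kind, indicator) hits for one log line."""
    low = line.lower()
    hits = set()
    for u in iocs["urls"]:
        if u in low:
            hits.add(("url", u))
    # domain hit: a host token equal to the domain or a subdomain of it
    for tok in HOST_TOKEN_RE.findall(low):
        for d in iocs["domains"]:
            if tok == d or tok.endswith("." + d):
                hits.add(("domain", d))
    for h in re.findall(r"\b[0-9a-f]{32,64}\b", low):
        if h in iocs["hashes"]:
            hits.add(("hash", h))
    return sorted(hits)


def scan_logs(lines, iocs):
    """Return [(line_number, hits)] for the lines that matched anything."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line, iocs)
        if hits:
            out.append((n, hits))
    return out


# Constructed log lines (not real traffic): proxy, DNS and an endpoint event.
SAMPLE_LOGS = [
    "2019-06-12T10:01:02Z 10.0.0.5 GET http://thepinetree.net/docs/msw070619.exe 200",
    "2019-06-12T10:01:03Z 10.0.0.5 DNS query alloaypparel.com A",
    "2019-06-12T10:01:04Z 10.0.0.5 GET https://www.healthcare4all.co.uk/about-us.html 200",
    "2019-06-12T10:02:00Z host-7 new_process C:\\Users\\u\\Downloads\\msw070619.exe "
    "sha256=0660059f3e2fb2ab0349242b4dde6bf9e37305dacc2da870935f4bede78aed34",
]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS, load_iocs(IOC_TEXT)):
        print(n, hits)
```

The third sample line, an ordinary page on one of the hacked shops, produces no hit on purpose; a team that does want to alert on any traffic to those hosts can add them to the domain section of the indicator text.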
Source: www.habr.com
