Cover blown: exposing AgentTesla. Part 1

Recently, a European manufacturer of electrical equipment contacted Group-IB: one of its employees had received a suspicious email with a malicious attachment. Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, performed a detailed analysis of this file, found the AgentTesla spyware inside it, and explains what to expect from malware of this kind and how dangerous it is.

With this post we open a series of articles on how to analyze such potentially dangerous files, and on 5 December we invite the most curious readers to a free webinar on the topic "Malware Analysis: Analyzing Real Cases". All details are under the cut.

Distribution mechanism

We know that the malware reached the victim's machine through phishing emails. The recipient of the email was most likely in BCC.

Analysis of the headers shows that the sender of the email was spoofed. In fact, the email was sent from vps56[.]oneworldhosting[.]com.

The email attachment is a WinRar archive qoute_jpeg56a.r15 containing the malicious executable QUUTE_JPEG56A.exe.


Malware ecosystem

Now let's look at what the ecosystem of the malware under study looks like. The diagram below shows its structure and the directions in which the components interact.

Now let's examine each component of the malware in more detail.

Loader

The main file QUUTE_JPEG56A.exe is a compiled AutoIt v3 script.

To obfuscate the original script, an obfuscator with characteristics similar to PELock AutoIT-Obfuscator was used.
Deobfuscation is performed in three stages:

  1. Removing the For-If obfuscation

    The first step is to restore the script's control flow. Control Flow Flattening is one of the most common ways of protecting an application's binary code from analysis. The obfuscating transformations greatly increase the effort needed to extract and recognize the algorithms and data structures.


  2. String recovery

    Two functions are used to encrypt the strings:

    • gdorizabegkvfca – performs Base64-like decoding


    • xgacyukcyzxz – a simple byte-wise XOR of the first string with the length of the second



  3. Removing the BinaryToString and Execute obfuscation


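The two string routines described in stage 2 (a Base64-like decoder and a byte-wise XOR of the first argument with the length of the second) are small enough to re-implement, so that an analyst can decode the whole obfuscated string table in bulk instead of evaluating each call by hand. The Python below is an added example written for this article, not code from the Group-IB analysis or from the sample. Its assumptions are labelled in the comments: the Base64 variant is assumed to differ from standard Base64 only in its alphabet and padding, the order of the two routines (Base64 first, then XOR) is assumed, and the sample token, the second argument and the permuted alphabet are all constructed test data.

```python
import base64
import string

# Standard Base64 alphabet; "Base64-like" schemes in script obfuscators
# frequently keep the algorithm and only permute this alphabet.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def base64_like_decode(token: str, alphabet: str = STD_ALPHABET) -> bytes:
    """Decode a Base64 variant that uses `alphabet` (64 distinct symbols).

    Assumption of this example: the sample's gdorizabegkvfca routine is
    standard Base64 with a possibly permuted alphabet and optional padding.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct symbols")
    to_standard = str.maketrans(alphabet, STD_ALPHABET)
    body = token.rstrip("=").translate(to_standard)
    body += "=" * (-len(body) % 4)  # restore padding the obfuscator may drop
    return base64.b64decode(body, validate=True)


def xor_with_length(data: bytes, second: str) -> bytes:
    """xgacyukcyzxz as described in the article: XOR every byte of the first
    argument with the length of the second argument (a single-byte key)."""
    key = len(second) & 0xFF
    return bytes(b ^ key for b in data)


def decode_string(token: str, second: str, alphabet: str = STD_ALPHABET) -> str:
    """Chain both routines. The order (Base64 first, then XOR) is an assumption
    of this example; swap the two calls if a sample applies them the other way."""
    return xor_with_length(base64_like_decode(token, alphabet), second).decode("latin-1")


def encode_string(plain: str, second: str, alphabet: str = STD_ALPHABET) -> str:
    """Inverse transform, used here only to build constructed test data."""
    raw = xor_with_length(plain.encode("latin-1"), second)
    standard = base64.b64encode(raw).decode("ascii")
    return standard.translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_string_table(tokens, second: str, alphabet: str = STD_ALPHABET) -> list:
    """Decode a whole table of obfuscated strings at once."""
    return [decode_string(t, second, alphabet) for t in tokens]


# Constructed sample inputs (not taken from the real sample).
SAMPLE_SECOND_ARG = "A" * 32          # only its length (32 -> XOR key 0x20) matters
SAMPLE_TOKEN = "ckVHYVNNDkVYRQ=="     # encode_string("RegAsm.exe", SAMPLE_SECOND_ARG)
# A permuted alphabet, to show that the same decoder handles custom variants.
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

if __name__ == "__main__":
    print(decode_string(SAMPLE_TOKEN, SAMPLE_SECOND_ARG))
    custom = encode_string("RegAsm.exe", SAMPLE_SECOND_ARG, CUSTOM_ALPHABET)
    print(custom, "->", decode_string(custom, SAMPLE_SECOND_ARG, CUSTOM_ALPHABET))
```

Because the XOR key is only the length of the second argument, it is a single byte and the same for every string that shares that argument; once one decoded string looks right, the whole table decoded with the same parameters can be trusted.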
The main payload is stored in split form in the resource directory of the file.

The concatenation order is as follows: TIEQHCXWFG, EMI, SPDGUHIMPV, KQJMWQQAQTKTFXTUOSW, AOCHKRWWSKWO, JSHMSJPS, NHHWXJBMTTSPXVN, BFUTIFWWXVE, HWJHO, AVZOUMVFRDWFLWU.

The WinAPI function CryptDecrypt is used to decrypt the extracted data, with a session key derived from the value fZgFiZlJDxvuWatFRgRXZqmNCIyQgMYc used as the key.

The decrypted executable is passed to the RunPE function, which performs ProcessInject into RegAsm.exe using the embedded ShellCode (also known as RunPE ShellCode). Its authorship belongs to a user of the Spanish forum indetectables[.]net under the nickname Wardow.

It is also worth noting that in one of this forum's threads, an obfuscator for AutoIt with properties similar to those identified during the analysis of the sample was discussed.

The ShellCode itself is fairly simple and draws attention only because of its API call hashing function, borrowed from the Anunak/Carbanak group.


We are also aware of cases where Frenchy Shellcode of various versions was used.
In addition to the functionality described, we also identified inactive functions:

  • Blocking manual termination of the process in Task Manager


  • Restarting the child process if it is terminated


  • UAC bypass


  • Saving the payload to a file


  • Displaying modal windows


  • Waiting for the mouse cursor position to change


  • AntiVM and AntiSandbox


  • Self-destruction


  • Downloading the payload from the network


We know that such functionality is typical of the CypherIT protector, which is apparently the loader in question.


Main software module

Next we briefly describe the main module of the malware; it will be examined in detail in the second article. In this case it is a .NET application.

During the analysis we found that the ConfuserEX obfuscator had been used.


IELibrary.dll

The library is stored as a resource of the main module and is a well-known plugin for AgentTesla that provides the functionality for extracting various data from the Internet Explorer and Edge browsers.

Agent Tesla is modular spyware distributed under the malware-as-a-service model in the guise of a legitimate keylogger product. Agent Tesla is capable of extracting user credentials from browsers, email clients and FTP clients and transmitting them to the attackers' server, of recording clipboard data, and of capturing screenshots of the device. At the time of analysis, the developers' official website was unavailable.

The entry point is the GetSavedPasswords function of the InternetExplorer class.

Overall, code execution is linear and contains no protection against analysis. Only the unimplemented GetSavedCookies function deserves attention. Apparently the plugin's functionality was meant to be extended, but this was never done.


Persistence of the loader in the system

Let's look at how the loader persists in the system. The sample under study does not persist, but in similar incidents persistence is achieved according to the following scheme:

  1. A Visual Basic script is created in the folder C:\Users\Public

    Script example:

    [Screenshot: example of the Visual Basic script]

  2. The contents of the loader file are padded with null bytes and saved in the folder %Temp%\<Custom folder name>\<File name>
  3. An autorun key for the script file is created in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Script name>
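The three persistence steps above give a defender two concrete things to look for on a host: a Run value that launches a Windows Script Host file from C:\Users\Public, and a dropped binary whose size has been inflated with trailing null bytes. The Python below is an added example written for this article, not code from the Group-IB analysis; it triages a constructed set of Run-key entries and two constructed file bodies. The function names, the list of script extensions, the 50 % null-tail threshold and all sample values are assumptions of the example, chosen to illustrate the pattern rather than taken from a real incident.

```python
import re
from pathlib import PureWindowsPath

# Extensions that Windows Script Host executes (assumption: the loader's
# script is VBS, but the same pattern fits the other WSH script types).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
PUBLIC_DIR = "c:\\users\\public\\"


def _path_tokens(command: str):
    """Yield quoted and unquoted path-like tokens from a Run-key command line."""
    for m in re.finditer(r'"([^"]+)"|(\S+)', command):
        tok = m.group(1) or m.group(2)
        if "\\" in tok or "." in tok:
            yield tok


def is_suspicious_run_value(command: str) -> bool:
    """True if the command references a WSH script located under C:\\Users\\Public,
    the location and file type described for this loader's persistence."""
    for tok in _path_tokens(command):
        p = PureWindowsPath(tok)
        if p.suffix.lower() in SCRIPT_EXTS and str(p).lower().startswith(PUBLIC_DIR):
            return True
    return False


def triage_run_entries(entries: dict) -> list:
    """Return the names of Run values (name -> command) that match the pattern."""
    return sorted(name for name, cmd in entries.items() if is_suspicious_run_value(cmd))


def null_tail_ratio(data: bytes) -> float:
    """Fraction of a file made up of trailing null bytes. Padding a dropped
    loader with nulls changes its size and hash without changing what runs."""
    if not data:
        return 0.0
    return (len(data) - len(data.rstrip(b"\x00"))) / len(data)


def is_null_padded(data: bytes, threshold: float = 0.5) -> bool:
    """Flag files whose trailing null padding exceeds `threshold` (assumed value)."""
    return null_tail_ratio(data) >= threshold


# Constructed sample data: a Run key export reduced to value name -> command.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "WinUpdate": r'wscript.exe "C:\Users\Public\WinUpdate.vbs"',
    "Helper": r"C:\Users\Public\helper.vbs",
}
# Constructed file bodies: a two-byte fake header followed by 98 bytes of
# null padding, versus the same header followed by 98 non-null bytes.
SAMPLE_PADDED_FILE = b"MZ" + b"\x00" * 98
SAMPLE_NORMAL_FILE = b"MZ" + bytes(range(1, 99))

if __name__ == "__main__":
    print("suspicious Run values:", triage_run_entries(SAMPLE_RUN_ENTRIES))
    print("padded:", is_null_padded(SAMPLE_PADDED_FILE), is_null_padded(SAMPLE_NORMAL_FILE))
```

On a live host the dictionary would be filled from the HKCU Run key and the file bodies read from the %Temp% subfolder named in the Run value's script; the two checks are deliberately independent so that either indicator alone can raise an alert.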

So, based on the results of the first part of the analysis, we were able to establish the family names of all components of the malware under study, work out the infection scheme, and obtain objects for writing signatures. We will continue the analysis of this object in the next article, where we will look at the main AgentTesla module in more detail. Don't miss it!

By the way, on 5 December we invite all readers to a free webinar on the topic "Malware Analysis: Analyzing Real Cases", where the author of this article, a CERT-GIB specialist, will demonstrate online the first stage of malware analysis, semi-automatic unpacking of samples, using three real cases from practice, and you will be able to take part in the analysis. The webinar is intended for specialists who already have experience analyzing malicious files. Registration is strictly from a corporate email: register. We look forward to seeing you!

YARA

rule AgentTesla_clean{
meta:
    author = "Group-IB"
    file = "78566E3FC49C291CB117C3D955FA34B9A9F3EEFEFAE3DE3D0212432EB18D2EAD"
    scoring = 5
    family = "AgentTesla"
strings:
    $string_format_AT = {74 00 79 00 70 00 65 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 68 00 77 00 69 00 64 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 74 00 69 00 6D 00 65 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 63 00 6E 00 61 00 6D 00 65 00 3D 00 7B 00 33 00 7D 00 0D 00 0A 00 6C 00 6F 00 67 00 64 00 61 00 74 00 61 00 3D 00 7B 00 34 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 3D 00 7B 00 35 00 7D 00 0D 00 0A 00 69 00 70 00 61 00 64 00 64 00 3D 00 7B 00 36 00 7D 00 0D 00 0A 00 77 00 65 00 62 00 63 00 61 00 6D 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 37 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 38 00 7D 00 0D 00 0A 00 5B 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 73 00 5D 00}
    $web_panel_format_string = {63 00 6C 00 69 00 65 00 6E 00 74 00 5B 00 5D 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 6C 00 69 00 6E 00 6B 00 5B 00 5D 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 75 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 5B 00 5D 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 5B 00 5D 00 3D 00 7B 00 33 00 7D 00 00 15 55 00 52 00 4C 00 3A 00 20 00 20 00 20 00 20 00 20 00 20 00 00 15 55 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 3A 00 20 00 00 15 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 3A 00}
condition:
     all of them
}

rule AgentTesla_obfuscated {
meta:
    author = "Group-IB"
    file = "41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9"
    scoring = 5
    family = "AgentTesla"
strings:
    $first_names = {61 66 6B 00 61 66 6D 00 61 66 6F 00 61 66 76 00 61 66 79 00 61 66 78 00 61 66 77 00 61 67 6A 00 61 67 6B 00 61 67 6C 00 61 67 70 00 61 67 72 00 61 67 73 00 61 67 75 00}
    $second_names = "IELibrary.resources"
condition:
     all of them
}

rule AgentTesla_module_for_IE{
meta:
    author = "Group-IB"
    file = "D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE"
    scoring = 5
    family = "AgentTesla_module_for_IE"
strings:
    $s0 = "ByteArrayToStructure" 
    $s1 = "CryptAcquireContext" 
    $s2 = "CryptCreateHash" 
    $s3 = "CryptDestroyHash" 
    $s4 = "CryptGetHashParam" 
    $s5 = "CryptHashData"
    $s6 = "CryptReleaseContext" 
    $s7 = "DecryptIePassword" 
    $s8 = "DoesURLMatchWithHash" 
    $s9 = "GetSavedCookies" 
    $s10 = "GetSavedPasswords" 
    $s11 = "GetURLHashString"  
condition:
     all of them
}

rule RunPE_shellcode {
meta:
    author = "Group-IB"
    file = "37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918"
    scoring = 5
    family = "RunPE_shellcode"
strings:
    $malcode = {
      C7 [2-5] EE 38 83 0C // mov     dword ptr [ebp-0A0h], 0C8338EEh
      C7 [2-5] 57 64 E1 01 // mov     dword ptr [ebp-9Ch], 1E16457h
      C7 [2-5] 18 E4 CA 08 // mov     dword ptr [ebp-98h], 8CAE418h
      C7 [2-5] E3 CA D8 03 // mov     dword ptr [ebp-94h], 3D8CAE3h
      C7 [2-5] 99 B0 48 06 // mov     dword ptr [ebp-90h], 648B099h
      C7 [2-5] 93 BA 94 03 // mov     dword ptr [ebp-8Ch], 394BA93h
      C7 [2-5] E4 C7 B9 04 // mov     dword ptr [ebp-88h], 4B9C7E4h
      C7 [2-5] E4 87 B8 04 // mov     dword ptr [ebp-84h], 4B887E4h
      C7 [2-5] A9 2D D7 01 // mov     dword ptr [ebp-80h], 1D72DA9h
      C7 [2-5] 05 D1 3D 0B // mov     dword ptr [ebp-7Ch], 0B3DD105h
      C7 [2-5] 44 27 23 0F // mov     dword ptr [ebp-78h], 0F232744h
      C7 [2-5] E8 6F 18 0D // mov     dword ptr [ebp-74h], 0D186FE8h
      }
condition:
    $malcode 
}

rule AgentTesla_AutoIT_module{
meta:
    author = "Group-IB"
    file = "49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF"
    scoring = 5
    family = "AgentTesla"
strings:                                    
    $packedexeau = {55 ED F5 9F 92 03 04 44 7E 16 6D 1F 8C D7 38 E6 29 E4 C8 CF DA 2C C4 E1 F3 65 48 25 B8 93 9D 66 A4 AD 3C 39 50 00 B9 60 66 19 8D FC 20 0A A0 56 52 8B 9F 15 D7 62 30 0D 5C C3 24 FE F8 FC 39 08 DF 87 2A B2 1C E9 F7 06 A8 53 B2 69 C3 3C D4 5E D4 74 91 6E 9D 9A A0 96 FD DB 1F 5E 09 D7 0F 25 FB 46 4E 74 15 BB AB DB 17 EE E7 64 33 D6 79 02 E4 85 79 14 6B 59 F9 43 3C 81 68 A8 B5 32 BC E6}
condition:
     all of them
}

Hashes

Name      qoute_jpeg56a.r15
MD5       53BE8F9B978062D4411F71010F49209E
SHA1      A8C2765B3D655BA23886D663D22BDD8EF6E8E894
SHA256    2641DAFB452562A0A92631C2849B8B9CE880F0F8F890E643316E9276156EDC8A
Type      WinRAR archive
Size      823014

Name      QUUTE_JPEG56A.exe
MD5       329F6769CF21B660D5C3F5048CE30F17
SHA1      8010CC2AF398F9F951555F7D481CE13DF60BBECF
SHA256    49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF
Type      PE (compiled AutoIt script)
Size      1327616
OriginalName  Unknown
DateStamp     15.07.2019
Linker        Microsoft Linker(12.0)[EXE32]

MD5       C2743AEDDADACC012EF4A632598C00C0
SHA1      79B445DE923C92BF378B19D12A309C0E9C5851BF
SHA256    37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918
Type      ShellCode
Size      1474

Source: www.habr.com
