We continue our series of articles on malware analysis.
Agent Tesla is a modular spyware tool distributed under the malware-as-a-service model, under the guise of a legitimate keylogger product. Agent Tesla can extract user credentials from browsers, email clients and FTP clients and send them to a server controlled by the attackers, record clipboard data, and capture the screen of the device. At the time of analysis, the developers' official website was unavailable.
Configuration file
The table below lists which functionality is active in the sample under study:
Description | Value
--- | ---
KeyLogger enable flag | true
ScreenLogger enable flag | false
KeyLogger log sending interval, in minutes | 20
ScreenLogger log sending interval, in minutes | 20
Backspace key handling flag. False - log it only. True - erase the previous key | false
CNC type. Options: smtp, webpanel, ftp | smtp
Flag enabling the thread that terminates processes from the "%filter_list%" list | false
UAC disable flag | false
Task Manager disable flag | false
CMD disable flag | false
"Run" window disable flag | false
Registry viewer disable flag | false
System restore points disable flag | true
Control Panel disable flag | false
MSCONFIG disable flag | false
Flag disabling the context menu in Explorer | false
Persistence (pinning to the system) flag | false
Path the main module is copied to when pinning it to the system | %startupfolder%\%infolder%\%inname% |
Flag setting the "System" and "Hidden" attributes on the main module pinned to the system | false
Flag to restart after pinning to the system | false
Flag to move the main module to a temporary folder | false
UAC bypass flag | false
Date and time format for logging | yyyy-MM-dd HH:mm:ss
Flag enabling the program filter for the KeyLogger | true
Program filter type. 1 - the program name is searched for in window titles; 2 - the program name is searched for in the name of the window's process | 1
Program filter | "facebook" "twitter" "gmail" "instagram" "filimi" "skype" "porn" "hack" "whatsapp" "khahlano"
Pinning the main module to the system (persistence)
If the corresponding flag is set, the main module is copied to the path specified in the config as the persistence path.
Depending on the value from the config, the file is given the "Hidden" and "System" attributes.
Autorun is provided by two registry keys:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%inregname%
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\%inregname%
Since the loader injects into the RegAsm process, setting the persistence flag for the main module has a rather curious consequence. Instead of copying itself, the malware pinned to the system the original RegAsm.exe file into which the injection had been performed.
Communication with the C&C
Regardless of the method used, network communication begins with determining the victim's external IP address using the resource
The following describes the network communication methods implemented in the software.
webpanel
Communication takes place over HTTP. The malware sends a POST request with the following headers:
- User-Agent: Mozilla/5.0 (Windows U Windows NT 6.1 ru rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
- Connection: Keep-Alive
- Content-Type: application/x-www-form-urlencoded
The server address is given by the value %PostURL%. The encrypted message is sent in the parameter «p». The encryption mechanism is described in the section "Encryption algorithms" (Method 2).
The transmitted message looks like this:
type={0}\nhwid={1}\ntime={2}\npcname={3}\nlogdata={4}\nscreen={5}\nipadd={6}\nwebcam_link={7}\nclient={8}\nlink={9}\nusername={10}\npassword={11}\nscreen_link={12}
The type parameter indicates the message type:
hwid - an MD5 hash computed from the motherboard serial number and the processor ID. It is used as the user identifier.
time - carries the current date and time.
pcname - defined as <User name>/<Computer name>.
logdata - the log data.
When passwords are transmitted, the message looks like this:
type={0}\nhwid={1}\ntime={2}\npcname={3}\nlogdata={4}\nscreen={5}\nipadd={6}\nwebcam_link={7}\nscreen_link={8}\n[passwords]
This is followed by descriptions of the stolen data in the format \nclient[]={0}\nlink[]={1}\nusername[]={2}\npassword[]={3}.
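As an added illustration (not code from the article or from the malware), a decoder for the beacon body format described above, of the kind a defender would run over a decrypted webpanel POST body. The sample body and all values in it are constructed.

```go
package main

import "strings"

// Credential is one record from the [passwords] section of a beacon.
type Credential struct{ Client, Link, Username, Password string }

// set stores one of the link[]/username[]/password[] values in the record.
func (c *Credential) set(key, val string) {
	switch key {
	case "link[]":
		c.Link = val
	case "username[]":
		c.Username = val
	case "password[]":
		c.Password = val
	}
}

// ParseBeacon splits the plaintext body on "\n". Lines before the "[passwords]"
// marker are plain key=value fields (type, hwid, time, pcname, ...); after it, each
// client[] line opens a new Credential that the following link[]/username[]/password[] lines fill.
func ParseBeacon(body string) (map[string]string, []Credential) {
	fields := map[string]string{}
	var creds []Credential
	inPasswords := false
	for _, line := range strings.Split(body, "\n") {
		if line == "[passwords]" {
			inPasswords = true
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue // empty or malformed line
		}
		if !inPasswords {
			fields[kv[0]] = kv[1]
		} else if kv[0] == "client[]" {
			creds = append(creds, Credential{Client: kv[1]})
		} else if n := len(creds); n > 0 { // stray lines before any client[] are dropped
			creds[n-1].set(kv[0], kv[1])
		}
	}
	return fields, creds
}

// SampleBeacon is a constructed body in the page's format, not a real capture.
const SampleBeacon = "type=1\nhwid=0123456789abcdef\ntime=2019-07-01 13:35:45\npcname=user/PC\n" +
	"logdata=\nscreen=\nipadd=203.0.113.7\nwebcam_link=\nscreen_link=\n[passwords]\n" +
	"client[]=Chrome\nlink[]=https://example.com\nusername[]=alice\npassword[]=hunter2\n"
```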
smtp
Communication takes place over SMTP. The transmitted email is in HTML format. The BODY parameter has the form:
The subject of the email has the general form <USER NAME>/<COMPUTER NAME> <CONTENT TYPE>. The body of the email, as well as its attachments, is not encrypted.
ftp
Communication takes place over FTP. A file named <CONTENT TYPE>_<USER NAME>-<COMPUTER NAME>_<DATE AND TIME>.html is uploaded to the specified server. The contents of the file are not encrypted.
Encryption algorithms
The sample uses the following encryption methods:
Method 1
This method is used to encrypt strings in the main module. The encryption algorithm is AES.
The input is a six-digit decimal number, to which the following transformation is applied:
f(x) = (((x >> 2 - 31059) ^ 6380) - 1363) >> 3
The resulting value is an index into the embedded data array.
Each element of the array is a sequence of DWORDs. Concatenating the DWORDs yields the following byte layout: the first 32 bytes are the encryption key, followed by the 16 bytes of the initialization vector, and the remaining bytes are the encrypted data.
Method 2
The algorithm used is 3DES in ECB mode with whole-byte padding (PKCS-7).
The key is specified by the %urlkey% parameter; however, it is the MD5 hash of that value that is used for encryption.
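Method 2 worked through as an added example (not code from the article or from the malware), using only Go's standard library: the key is derived from the MD5 digest of a placeholder %urlkey% value, and the 3DES-ECB data is decrypted and its PKCS#7 padding checked. EncryptMethod2 exists only so the example can produce its own input; the "example-urlkey" string used in the test is an assumption.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"errors"
)

// newCipher builds the Method 2 cipher: the key is the MD5 digest of %urlkey%, not
// the string itself. 16 bytes is a two-key 3DES key (K1, K2); Go wants 24 bytes, so
// K3 = K1 is appended, which is what .NET does internally with a 16-byte key.
func newCipher(urlkey string) cipher.Block {
	sum := md5.Sum([]byte(urlkey))
	block, err := des.NewTripleDESCipher(append(sum[:], sum[:8]...))
	if err != nil {
		panic(err) // cannot happen: the key is always exactly 24 bytes
	}
	return block
}

// DecryptMethod2 decrypts a 3DES-ECB ciphertext and strips its PKCS#7 padding.
func DecryptMethod2(urlkey string, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of 8 bytes")
	}
	block := newCipher(urlkey)
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += des.BlockSize { // ECB: blocks are independent
		block.Decrypt(pt[i:], ct[i:])
	}
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > des.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("invalid PKCS#7 padding (wrong key or corrupted data)")
	}
	return pt[:len(pt)-pad], nil
}

// EncryptMethod2 is the inverse, included so the example can build its own input.
func EncryptMethod2(urlkey string, pt []byte) []byte {
	block := newCipher(urlkey)
	pad := des.BlockSize - len(pt)%des.BlockSize // PKCS#7 always adds 1..8 bytes
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	for i := 0; i < len(padded); i += des.BlockSize {
		block.Encrypt(ct[i:], padded[i:])
	}
	return ct
}
```

Because ECB has no IV, identical 8-byte plaintext blocks produce identical ciphertext blocks, which is one reason beacons from the same victim are recognisable on the wire even without the key.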
Malicious functionality
The sample under study uses the following modules to implement its malicious functionality:
KeyLogger
If the corresponding flag is set, the malware uses the WinAPI function SetWindowsHookEx to install its own handler for keyboard key-press events. The handler begins by obtaining the title of the active window.
If the application filter flag is set, filtering is performed according to the specified type:
- the program name is searched for in window titles
- the program name is searched for in the name of the window's process
A record containing information about the active window is then appended to the log in the format:
After that, information about the pressed key is written:
Key | Record
--- | ---
Backspace | Depends on the Backspace handling flag: False - {BACK}; True - erases the previous key
CAPSLOCK | {CAPSLOCK}
ESC | {ESC}
PageUp | {PageUp}
Down | ↓
DEL | {DEL}
" | "
F5 | {F5}
& | &
F10 | {F10}
TAB | {TAB}
< | <
> | >
Space | (a space character)
F8 | {F8}
F12 | {F12}
F9 | {F9}
ALT+TAB | {ALT+TAB}
END | {END}
F4 | {F4}
F2 | {F2}
Ctrl | {CTRL}
F6 | {F6}
Right | →
Up | ↑
F1 | {F1}
Left | ←
PageDown | {PageDown}
Insert | {Insert}
Win | {Win}
NumLock | {NumLock}
F11 | {F11}
F3 | {F3}
HOME | {HOME}
ENTER | {ENTER}
ALT+F4 | {ALT+F4}
F7 | {F7}
Any other key | The character in upper or lower case, depending on the state of the CapsLock and Shift keys
The collected log is sent to the server periodically. If the transfer fails, the log is saved to the file %TEMP%\log.tmp in the format:
When the timer fires, the file is sent to the server.
ScreenLogger
At the configured interval, the malware takes a screenshot in JPEG format with a Quality value of 50 and saves it to the file %APPDATA%\<random sequence of 10 characters>.jpg. After the transfer, the file is deleted.
ClipboardLogger
If the corresponding flag is set, substitutions are applied to the intercepted text according to the table below.
After that, the text is written to the log:
PasswordStealer
The malware can extract passwords from the following applications:
Category | Applications
--- | ---
Browsers | Chrome, Firefox, IE/Edge, Safari, Opera Browser, Yandex, Comodo, ChromePlus, Chromium, Torch, 7Star, Amigo, BraveSoftware, CentBrowser, Chedot, CocCoc, Elements Browser, Epic Privacy Browser, Kometa, Orbitum, Sputnik, uCozMedia, Vivaldi, SeaMonkey, Flock Browser, UC Browser, BlackHawk, CyberFox, K-Meleon, IceCat, IceDragon, PaleMoon, Waterfox, Falkon Browser
Email clients | Outlook, Thunderbird, Foxmail, Opera Mail, IncrediMail, Pocomail, Eudora, TheBat, Postbox, ClawsMail
FTP clients | FileZilla, WS_FTP, WinSCP, CoreFTP, FTP Navigator, FlashFXP, SmartFTP, FTPCommander
Jabber clients | Psi/Psi+
VPN clients | OpenVPN
Download managers | Internet Download Manager, JDownloader
Anti-analysis
- Use of the Sleep function. Allows some sandboxes to be bypassed by timeout.
- Destruction of the Zone.Identifier stream. Allows the fact that the file was downloaded from the Internet to be hidden.
- The %filter_list% parameter specifies a list of processes that the malware terminates at one-second intervals.
- Disable UAC
- Disable Task Manager
- Disable CMD
- Disable the "Run" window
- Disable Control Panel
- Disable the registry viewer
- Disable system restore points
- Disable the context menu in Explorer
- Disable MSCONFIG
- UAC bypass:
Inactive functionality of the main module
During the analysis of the main module, functions responsible for spreading over the network and for tracking the mouse position were identified.
Worm
Removable media connection events are monitored in a separate thread. On connection, the malware copies itself to the root of the file system under the name scr.exe and then searches for files with the lnk extension. The command of every lnk file is changed to cmd.exe /c start scr.exe & start <original command> & exit.
Every directory in the root of the media is given the "Hidden" attribute, and a file with the lnk extension is created with the name of the hidden directory and the command cmd.exe /c start scr.exe&explorer /root,"%CD%\<DIRECTORY NAME>" & exit.
MouseTracker
The interception method is similar to the one used for the keyboard. This functionality is still under development.
File activity
Path | Description
--- | ---
%Temp%\temp.tmp | Holds the counter of UAC bypass attempts
%startupfolder%\%infolder%\%inname% | Path used to pin the malware to the system
%Temp%\tmpG{current time in milliseconds}.tmp | Path the main module is copied to
%Temp%\log.tmp | Log file
%AppData%\{random sequence of 10 characters}.jpeg | Screenshots
C:\Users\Public\{random sequence of 10 characters}.vbs | Path to the vbs file the loader can use to pin itself to the system
%Temp%\{arbitrary folder name}\{file name} | Path used by the loader to pin itself to the system
Attacker profile
Thanks to hard-coded authentication data, we were able to gain access to the command centre.
This allowed us to identify the attackers' final email address:
junaid[.]ka***@gmail[.]com.
The domain name of the command centre is registered to the mailbox sg***@gmail[.]com.
Conclusion
A detailed analysis of the malware used in the attack allowed us to establish its functionality and to obtain the most complete list of indicators of compromise relevant to this case. Understanding the malware's network communication mechanisms made it possible to give recommendations for tuning information security tools, as well as to write stable IDS rules.
The main danger of AgentTesla as a DataStealer is that it does not need to pin itself to the system or wait for a control command in order to do its job. Once on the machine, it immediately starts collecting private information and sending it to the CnC. This aggressive behaviour is in some ways similar to that of ransomware, the only difference being that the latter does not even require a network connection. If you encounter this family, then after cleaning the infected system of the malware itself you should definitely change every password that could, at least in theory, have been saved in any of the applications listed above.
Looking ahead, we note that the attackers distributing AgentTesla change the initial loader very often. This lets them stay unnoticed by static scanners and heuristic analysers at the time of the attack, and the family's habit of starting its activity immediately renders system monitors useless. The best way to counter AgentTesla is preliminary analysis in a sandbox.
In the third article of this series we will look at other loaders used with AgentTesla and also study the process of their semi-automatic unpacking. Don't miss it!
Hashes (SHA1)
C&C
URL
- sina-c0m[.]icu
- smtp[.]sina-c0m[.]icu
Registry keys
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{Script name}
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%inregname%
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\%inregname%
Mutexes
No indicators.
Files
- %Temp%\temp.tmp
- %startupfolder%\%infolder%\%inname%
- %Temp%\tmpG{current time in milliseconds}.tmp
- %Temp%\log.tmp
- %AppData%\{random sequence of 10 characters}.jpeg
- C:\Users\Public\{random sequence of 10 characters}.vbs
- %Temp%\{arbitrary folder name}\{file name}
Samples info
Field | Value
--- | ---
Name | Unknown
MD5 | F7722DD8660B261EA13B710062B59C43
SHA1 | 15839B7AB0417FA35F2858722F0BD47BDF840D62
SHA256 | 41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9
Type | PE (.NET)
Size | 327680
OriginalName | AZZRIDKGGSLTYFUUBCCRRCUMRKTOXFVPDKGAGPUZI_20190701133545943.exe
DateStamp | 01.07.2019
Compiler | VB.NET

Field | Value
--- | ---
Name | IELibrary.dll
MD5 | BFB160A89F4A607A60464631ED3ED9FD
SHA1 | 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD
SHA256 | D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE
Type | PE (.NET DLL)
Size | 16896
OriginalName | IELibrary.dll
DateStamp | 11.10.2016
Compiler | Microsoft Linker(48.0*)
Source: www.habr.com