Cover blown: bringing AgentTesla into the open. Part 2

We continue our series of articles on malware analysis. In the first part we described how Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, carried out a detailed analysis of a file received by email from one of the European companies and found the AgentTesla spyware inside it. In this article, Ilya presents the results of a step-by-step analysis of the main AgentTesla module.

AgentTesla is modular spyware distributed under a malware-as-a-service model under the guise of a legitimate keylogger product. AgentTesla is able to extract user credentials from browsers, email clients and FTP clients and send them to the attackers' server, record clipboard data, and capture the device's screen. At the time of analysis the developers' official website was unavailable.

Configuration file

The table below lists which functionality is enabled in the sample under study:

Description: value

KeyLogger enabled: true
ScreenLogger enabled: false
KeyLogger log send interval (minutes): 20
ScreenLogger log send interval (minutes): 20
Backspace handling flag (false: only log it; true: erase the previous key): false
CNC type (options: smtp, webpanel, ftp): smtp
Flag activating the thread that terminates processes from the "%filter_list%" list: false
Disable UAC: false
Disable Task Manager: false
Disable CMD: false
Disable the Run window: false
Disable Registry Editor: false
Disable system restore points: true
Disable Control Panel: false
Disable MSCONFIG: false
Disable the context menu in Explorer: false
Persistence flag: false
Path the main module is copied to when pinning itself in the system: %startupfolder%\%infolder%\%inname%
Flag setting the "System" and "Hidden" attributes on the pinned main module: false
Flag to restart after pinning in the system: false
Flag to move the main module to a temporary folder: false
UAC bypass flag: false
Date and time format for logging: yyyy-MM-dd HH:mm:ss
Use a program filter for the KeyLogger: true
Program filter type (1: the program name is searched for in window titles; 2: the program name is searched for in the name of the window's process): 1
Program filter: "facebook", "twitter", "gmail", "instagram", "film", "skype", "porn", "hack", "whatsapp", "anti"

Pinning the main module in the system

If the corresponding flag is set, the main module is copied to the path specified in the config as the path for pinning in the system.

Depending on the value from the config, the file is given the "Hidden" and "System" attributes.
Autorun is provided by two registry branches:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%inregname%
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\%inregname%

Since the loader injects into the RegAsm process, setting the persistence flag for the main module leads to interesting consequences. Instead of copying itself, the malware pinned the original RegAsm.exe file, the one the injection was performed into, in the system.


Communication with C&C

Regardless of the method used, network communication begins with obtaining the victim's external IP address via the checkip[.]amazonaws[.]com/ resource.
The following describes the network interaction methods implemented in the software.

webpanel

Communication takes place over HTTP. The malware issues a POST request with the following headers:

  • User-Agent: Mozilla/5.0 (Windows U Windows NT 6.1 ru rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
  • Connection: Keep-Alive
  • Content-Type: application/x-www-form-urlencoded

The server address is given by the %PostURL% value. The encrypted message is sent in the "p" parameter. The encryption mechanism is described in the "Encryption algorithms" section (Method 2).

The transmitted message looks like this:

type={0}\nhwid={1}\ntime={2}\npcname={3}\nlogdata={4}\nscreen={5}\nipadd={6}\nwebcam_link={7}\nclient={8}\nlink={9}\nusername={10}\npassword={11}\nscreen_link={12}

The type parameter indicates the message type.

hwid - an MD5 hash computed from the motherboard serial number and the processor ID. Most likely used as a user ID.
time - carries the current date and time.
pcname - defined as <USER NAME>/<COMPUTER NAME>.
logdata - the log data.

When passwords are transmitted, the message looks like this:

type={0}\nhwid={1}\ntime={2}\npcname={3}\nlogdata={4}\nscreen={5}\nipadd={6}\nwebcam_link={7}\nscreen_link={8}\n[passwords]

where the stolen data follows in the format \nclient[]={0}\nlink[]={1}\nusername[]={2}\npassword[]={3}.

smtp

Communication takes place over SMTP. The transmitted letter is in HTML format, and its BODY carries the same report layout as above.

The letter subject has the general form <USER NAME>/<COMPUTER NAME> <CONTENT TYPE>. The body of the letter, like its attachments, is not encrypted.

ftp
Communication takes place over FTP. A file named <CONTENT TYPE>_<USER NAME>-<COMPUTER NAME>_<DATE AND TIME>.html is uploaded to the specified server. The file content is not encrypted.
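The three channels above share a handful of static traits: the fixed User-Agent, the external-IP lookup, a form POST whose only field is p, and the SMTP subject and FTP file-name layouts. The Go program below, an added example rather than code from the article or from Group-IB, turns them into a matcher and runs it over a few constructed log records. The Event type and its field names, the content-type token PW and the exact date layout inside the FTP name are assumptions, not something the page specifies.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is a constructed, sensor-agnostic view of one log record; real
// proxy, mail and FTP logs carry these fields under other names.
type Event struct {
	Proto   string            // "http", "smtp" or "ftp"
	Host    string            // destination host
	Method  string            // HTTP method
	Headers map[string]string // HTTP request headers
	Body    string            // HTTP request body
	Subject string            // SMTP Subject header
	File    string            // FTP STOR file name
}

// agentTeslaUA is the User-Agent quoted above, verbatim. The missing
// semicolons and the Firefox/4.0 + rv:1.9.2.3 mismatch mean no real
// Firefox ever sent it, which is what makes an exact match useful.
const agentTeslaUA = "Mozilla/5.0 (Windows U Windows NT 6.1 ru rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"

var (
	// Form body consisting of the single encrypted parameter p.
	singleP = regexp.MustCompile(`^p=[^&=]+$`)
	// <CONTENT TYPE>_<USER NAME>-<COMPUTER NAME>_<DATE AND TIME>.html.
	// The content-type tokens and the date layout are not given on the
	// page, so these classes are deliberately loose (assumption).
	ftpName = regexp.MustCompile(`^[A-Za-z]+_[^/\\_]+-[^/\\_]+_[0-9][0-9 :._-]*\.html$`)
	// <USER NAME>/<COMPUTER NAME> <CONTENT TYPE>
	smtpSubject = regexp.MustCompile(`^[^/\s]+/[^/\s]+ [A-Za-z]+$`)
)

// indicators returns the name of every AgentTesla trait the event shows.
func indicators(ev Event) []string {
	var hits []string
	switch ev.Proto {
	case "http":
		if strings.EqualFold(ev.Host, "checkip.amazonaws.com") {
			hits = append(hits, "external-ip-lookup")
		}
		if ev.Headers["User-Agent"] == agentTeslaUA {
			hits = append(hits, "agenttesla-user-agent")
		}
		if ev.Method == "POST" &&
			strings.HasPrefix(ev.Headers["Content-Type"], "application/x-www-form-urlencoded") &&
			singleP.MatchString(ev.Body) {
			hits = append(hits, "single-p-param-post")
		}
	case "smtp":
		if smtpSubject.MatchString(ev.Subject) {
			hits = append(hits, "smtp-subject-pattern")
		}
	case "ftp":
		if ftpName.MatchString(ev.File) {
			hits = append(hits, "ftp-filename-pattern")
		}
	}
	return hits
}

// alert decides whether the hits justify an alert on their own. The
// User-Agent and the p-only POST are specific enough alone; the IP lookup
// and the two naming patterns are weak (checkip.amazonaws.com has many
// legitimate users) and only count when they occur together.
func alert(hits []string) bool {
	for _, h := range hits {
		if h == "agenttesla-user-agent" || h == "single-p-param-post" {
			return true
		}
	}
	return len(hits) >= 2
}

// sampleEvents are constructed records (hosts, names and bodies invented).
func sampleEvents() []Event {
	ua := map[string]string{"User-Agent": agentTeslaUA}
	post := map[string]string{"User-Agent": agentTeslaUA, "Content-Type": "application/x-www-form-urlencoded"}
	return []Event{
		{Proto: "http", Host: "checkip.amazonaws.com", Method: "GET", Headers: ua},
		{Proto: "http", Host: "panel.example.invalid", Method: "POST", Headers: post, Body: "p=2A6F4C1D9E8B7A5F3C2D1E0F9A8B7C6D"},
		{Proto: "http", Host: "www.example.invalid", Method: "GET", Headers: map[string]string{"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/68.0"}},
		{Proto: "smtp", Subject: "alice/DESKTOP-LAB PW"},
		{Proto: "ftp", File: "PW_alice-DESKTOP-LAB_2019-07-01 13-35-45.html"},
		{Proto: "http", Host: "login.example.invalid", Method: "POST", Headers: map[string]string{"Content-Type": "application/x-www-form-urlencoded"}, Body: "user=alice&pass=hunter2"},
	}
}

func main() {
	for i, ev := range sampleEvents() {
		hits := indicators(ev)
		fmt.Printf("event %d (%s %s%s%s): hits=%v alert=%v\n", i, ev.Proto, ev.Host, ev.Subject, ev.File, hits, alert(hits))
	}
}
```

The weak indicators are kept separate from the alert decision on purpose: an IDS rule keyed on checkip.amazonaws.com alone would fire constantly, while the User-Agent string is safe to alert on by itself and is the piece worth putting into a signature first.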


Encryption algorithms

This sample uses the following encryption methods:

Method 1

This method is used to encrypt the strings in the main module. The encryption algorithm is AES.

The input is a six-digit decimal number, to which the following transformation is applied:

f(x) = (((x >> 2 - 31059) ^ 6380) - 1363) >> 3

The resulting value is an index into an embedded data array.

Each array element is a sequence of DWORDs. Concatenating the DWORDs gives a byte array: the first 32 bytes are the encryption key, followed by 16 bytes of initialization vector, and the remaining bytes are the encrypted data.
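As an added example (not code from the article or from the sample), the Go program below implements Method 1 end to end: the index transform, flattening of one DWORD array entry, and the key/IV/ciphertext split followed by AES decryption. Three things are assumptions rather than statements of the page: the grouping of the unparenthesised shift in the formula, little-endian DWORD packing, and CBC mode with PKCS#7 padding (the page names AES but no mode). The array entry used here is constructed by the program itself from a fixed key and IV, since no encrypted data from the sample is reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// stringIndex applies the transform quoted in the article for Method 1.
// The page prints it as (((x >> 2 - 31059) ^ 6380) - 1363) >> 3 with no
// parentheses around the shift; the grouping (x >> 2) - 31059 used here is
// an assumption. In C# the shift binds looser than the subtraction, so
// verify the grouping against the decompiled code before relying on it.
func stringIndex(x int32) int32 {
	return ((((x >> 2) - 31059) ^ 6380) - 1363) >> 3
}

// dwordsToBytes flattens one array entry (a DWORD sequence) into the byte
// layout the article describes. Little-endian is assumed (the in-memory
// layout of .NET Int32 values on x86/x64).
func dwordsToBytes(dw []uint32) []byte {
	out := make([]byte, 4*len(dw))
	for i, v := range dw {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// decryptMethod1 splits the flattened entry into key (32 bytes), IV (16
// bytes) and ciphertext and decrypts with AES-256. The article does not
// name the block mode; CBC with PKCS#7 padding is assumed because it is
// the default of .NET's RijndaelManaged.
func decryptMethod1(blob []byte) ([]byte, error) {
	if len(blob) < 48 || (len(blob)-48)%aes.BlockSize != 0 {
		return nil, errors.New("entry too short or ciphertext not block aligned")
	}
	key, iv, ct := blob[:32], blob[32:48], blob[48:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// samplePlain and sampleEntry are constructed test data, not bytes from the
// analysed sample: sampleEntry encrypts samplePlain under a fixed key and
// IV and packs the result exactly the way decryptMethod1 expects it.
const samplePlain = `%startupfolder%\%insfolder%\%insname%`

func sampleEntry() []uint32 {
	key := []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256
	iv := []byte("fedcba9876543210")                  // 16 bytes
	pad := aes.BlockSize - len(samplePlain)%aes.BlockSize
	pt := append([]byte(samplePlain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	raw := append(append(append([]byte{}, key...), iv...), ct...)
	dw := make([]uint32, len(raw)/4)
	for i := range dw {
		dw[i] = binary.LittleEndian.Uint32(raw[4*i:])
	}
	return dw
}

func main() {
	fmt.Println("index for 124236:", stringIndex(124236))
	pt, err := decryptMethod1(dwordsToBytes(sampleEntry()))
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted: %s\n", pt)
}
```

When applying this to a real dump, the padding check is the first thing that tells you the assumed mode or byte order is wrong: a correct key and IV with the wrong mode yields garbage whose last byte almost never forms valid PKCS#7 padding.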

Method 2

The algorithm used is 3DES in ECB mode with padding to whole bytes (PKCS#7).

The key is given by the %urlkey% parameter; however, it is the MD5 hash of that value that is used for encryption.
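Putting Method 2 together with the webpanel message layout described earlier, the Go program below (an added example, not the article's or the malware's code) derives the 3DES key from the MD5 of %urlkey%, decrypts an ECB/PKCS#7 payload block by block, and parses the resulting key=value lines, including the repeated client[]/link[]/username[]/password[] groups, into credential records. The %urlkey% value, the report contents and the expansion of the 16-byte MD5 result to K1,K2,K1 for Go's 24-byte 3DES API are assumptions; the page does not say how the ciphertext is encoded inside the p parameter, so the example works on raw bytes.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"errors"
	"fmt"
	"strings"
)

// tripleDESKey derives the key as the article describes: the MD5 hash of
// %urlkey%. MD5 yields 16 bytes, i.e. two-key 3DES (K1,K2,K1); Go's
// des.NewTripleDESCipher wants 24 bytes, so K1 is appended again.
func tripleDESKey(urlkey string) []byte {
	sum := md5.Sum([]byte(urlkey))
	return append(sum[:], sum[:8]...)
}

// decryptMethod2 decrypts one 3DES-ECB payload and strips PKCS#7 padding.
// ECB has no chaining, so every 8-byte block is decrypted independently.
func decryptMethod2(urlkey string, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext not a multiple of 8 bytes")
	}
	block, err := des.NewTripleDESCipher(tripleDESKey(urlkey))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += des.BlockSize {
		block.Decrypt(pt[i:], ct[i:])
	}
	n := int(pt[len(pt)-1])
	if n == 0 || n > des.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding (wrong key?)")
	}
	return pt[:len(pt)-n], nil
}

// encryptMethod2 is the inverse; it exists only so the constructed sample
// below can be produced offline (no ciphertext from the real sample is used).
func encryptMethod2(urlkey string, pt []byte) []byte {
	block, _ := des.NewTripleDESCipher(tripleDESKey(urlkey))
	pad := des.BlockSize - len(pt)%des.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	for i := 0; i < len(padded); i += des.BlockSize {
		block.Encrypt(ct[i:], padded[i:])
	}
	return ct
}

// Credential is one client[]/link[]/username[]/password[] group.
type Credential struct{ Client, Link, Username, Password string }

// Report holds the scalar key=value fields plus the credential groups.
type Report struct {
	Fields map[string]string
	Creds  []Credential
}

// parseReport splits the decrypted newline-separated "key=value" lines of
// the format quoted above. Repeated "name[]=" keys are collected
// positionally into Credential records; lines without "=" (such as the
// "[passwords]" marker) are ignored.
func parseReport(body string) Report {
	r := Report{Fields: map[string]string{}}
	lists := map[string][]string{}
	for _, line := range strings.Split(body, "\n") {
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue
		}
		if strings.HasSuffix(kv[0], "[]") {
			name := strings.TrimSuffix(kv[0], "[]")
			lists[name] = append(lists[name], kv[1])
		} else {
			r.Fields[kv[0]] = kv[1]
		}
	}
	for i := range lists["client"] {
		at := func(name string) string {
			if i < len(lists[name]) {
				return lists[name][i]
			}
			return ""
		}
		r.Creds = append(r.Creds, Credential{at("client"), at("link"), at("username"), at("password")})
	}
	return r
}

// sampleBody is a constructed report (hwid, host names, user names and
// passwords are invented); its field order follows the password message.
const sampleBody = "type=1\nhwid=d41d8cd98f00b204e9800998ecf8427e\ntime=2019-07-01 13:35:45\npcname=alice/DESKTOP-LAB\nlogdata=\nscreen=\nipadd=203.0.113.7\nwebcam_link=\nscreen_link=\n[passwords]\nclient[]=Chrome\nlink[]=https://mail.example.invalid\nusername[]=alice\npassword[]=hunter2\nclient[]=FileZilla\nlink[]=ftp://files.example.invalid\nusername[]=ftpuser\npassword[]=s3cret"

func main() {
	const urlkey = "assumed-urlkey" // %urlkey% comes from the config; this value is invented
	ct := encryptMethod2(urlkey, []byte(sampleBody))
	pt, err := decryptMethod2(urlkey, ct)
	if err != nil {
		panic(err)
	}
	r := parseReport(string(pt))
	fmt.Println("victim:", r.Fields["pcname"], "ip:", r.Fields["ipadd"])
	for _, c := range r.Creds {
		fmt.Printf("%-10s %-32s %s:%s\n", c.Client, c.Link, c.Username, c.Password)
	}
}
```

Because ECB has no IV, a captured p payload decrypts with nothing but %urlkey% from the config, and identical plaintext blocks produce identical ciphertext blocks, which is one more reason the padding check above is a reliable wrong-key signal.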

Malicious activity

The sample under study uses the following modules to implement its malicious functionality:

KeyLogger

If the corresponding flag is set, the malware uses the WinAPI function SetWindowsHookEx to register its own handler for keyboard key-press events. The handler function begins by obtaining the title of the active window.

If the application-filter flag is set, filtering is performed according to the specified type:

  1. the program name is searched for in window titles
  2. the program name is searched for in the name of the window's process

After that, a record with information about the active window is added to the log.
Then information about the pressed key is written:

Key: recorded form (where the source preserves it)

Backspace: depends on the Backspace handling flag (false: {BACK}; true: the previous key is erased)
CapsLock: {CapsLock}
ESC: {ESC}
PageUp: {PageUp}
Down
DEL: {DEL}
": "
F5: {F5}
&: &
F10: {F10}
TAB: {TAB}
<: <
>: >
Space
F8: {F8}
F12: {F12}
F9: {F9}
ALT+TAB: {ALT+TAB}
END: {END}
F4: {F4}
F2: {F2}
Ctrl: {CTRL}
F6: {F6}
Right
Up
F1: {F1}
Left
PageDown: {PageDown}
Insert: {Insert}
Win: {Win}
NumLock: {NumLock}
F11: {F11}
F3: {F3}
HOME: {HOME}
ENTER: {ENTER}
ALT+F4: {ALT+F4}
F7: {F7}
Any other key: the character in upper or lower case, depending on the state of CapsLock and Shift

At a set interval, the accumulated log is sent to the server. If sending fails, the log is saved to the file %TEMP%\log.tmp.
When the timer fires, the file is sent to the server.

ScreenLogger

At the specified interval, the malware takes a screenshot in Jpeg format with a Quality value of 50 and saves it to the file %APPDATA%\<random sequence of 10 characters>.jpg. After the transfer, the file is deleted.

ClipboardLogger

If the corresponding flag is set, substitutions are made in the intercepted text according to a replacement table.
After that, the text is inserted into the log.

PasswordStealer

The malware can extract passwords from the following applications:

Browsers: Chrome, Firefox, IE/Edge, Safari, Opera Browser, Yandex, Comodo, ChromePlus, Chromium, Torch, 7Star, Amigo, BraveSoftware, CentBrowser, Chedot, CocCoc, Elements Browser, Epic Privacy Browser, Kometa, Orbitum, Sputnik, uCozMedia, Vivaldi, SeaMonkey, Flock Browser, UC Browser, BlackHawk, CyberFox, K-Meleon, IceCat, IceDragon, PaleMoon, Waterfox, Falkon Browser

Mail clients: Outlook, Thunderbird, Foxmail, Opera Mail, IncrediMail, Pocomail, Eudora, TheBat, Postbox, ClawsMail

FTP clients: FileZilla, WS_FTP, WinSCP, CoreFTP, FTP Navigator, FlashFXP, SmartFTP, FTPCommander

Jabber clients: Psi/Psi+

VPN clients: OpenVPN

Download managers: Internet Download Manager, jDownloader

Counteracting dynamic analysis

  • Using the Sleep function. Allows some sandboxes to be bypassed by timeout.
  • Destroying the Zone.Identifier stream. Hides the fact that the file was downloaded from the Internet.
  • The %filter_list% parameter sets the list of processes the malware terminates at one-second intervals.
  • Disabling UAC
  • Disabling Task Manager
  • Disabling CMD
  • Disabling the "Run" window
  • Disabling Control Panel
  • Disabling Registry Editor
  • Disabling system restore points
  • Disabling the context menu in Explorer
  • Disabling MSCONFIG
  • Bypassing UAC:

Unused features of the main module

During analysis of the main module, functions responsible for spreading over removable media and for tracking the mouse position were identified.

Worm

Removable-media connection events are monitored in a separate thread. On connection, the malware is copied to the root of the file system under the name scr.exe, after which it searches for files with the lnk extension. The command of every lnk is changed to cmd.exe /c start scr.exe & start <original command> & exit.

Every directory in the root of the media is given the "Hidden" attribute, and a file with the lnk extension is created with the name of the hidden directory and the command cmd.exe /c start scr.exe&explorer /root,"%CD%\<DIRECTORY NAME>" & exit.

MouseTracker

The interception method is similar to the one used for the keyboard. This functionality is still under development.

File activity

Path: description

%Temp%\temp.tmp: contains the counter of UAC bypass attempts
%startupfolder%\%infolder%\%inname%: path for pinning the main module in the system
%Temp%\tmpG{current time in milliseconds}.tmp: path for saving the main module
%Temp%\log.tmp: log file
%AppData%\{random sequence of 10 characters}.jpeg: screenshots
C:\Users\Public\{random sequence of 10 characters}.vbs: path to the vbs file the loader may use to pin itself in the system
%Temp%\{custom folder name}\{file name}: path used by the loader to pin itself in the system

Attacker profile

Thanks to weak authentication data, we were able to gain access to the command center.

This allowed us to establish the attackers' final email address:

junaid[.]ka***@gmail[.]com.

The command center's domain is registered to the email address sg***@gmail[.]com.

Conclusion

During the detailed analysis of the malware used in the attack, we were able to establish its functionality and obtain the fullest possible list of indicators of compromise relevant to this case. Understanding how the malware communicates over the network made it possible to give recommendations for tuning information security tools and to write stable IDS rules.

The main danger of AgentTesla as a DataStealer is that it does not need to pin itself in the system or wait for a control command to carry out its tasks. Once on the machine, it immediately begins collecting private information and sends it to the CnC. This aggressive behaviour is in some ways similar to that of ransomware, the only difference being that the latter does not even need a network connection. If you encounter this family, then after cleaning the infected system of the malware itself you should definitely change every password that could, at least in theory, have been stored in one of the applications listed above.

Looking ahead, we note that the attackers distributing AgentTesla change the initial loader very often. This allows them to remain unnoticed by static scanners and heuristic analyzers at the time of the attack. And the family's habit of starting its activity immediately renders system monitors useless. The best way to counter AgentTesla is preliminary analysis in a sandbox.

In the third article of this series we will look at the other loaders used by AgentTesla and study the process of unpacking them semi-automatically. Stay tuned!

Hashes

SHA1
A8C2765B3D655BA23886D663D22BDD8EF6E8E894
8010CC2AF398F9F951555F7D481CE13DF60BBECF
79B445DE923C92BF378B19D12A309C0E9C5851BF
15839B7AB0417FA35F2858722F0BD47BDF840D62
1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD

C&C

URL
sina-c0m[.]icu
smtp[.]sina-c0m[.]icu

RegKey

Registry
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{Script name}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%inregname%
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\%inregname%

Mutexes

No indicators.

Files

File activity
%Temp%\temp.tmp
%startupfolder%\%infolder%\%inname%
%Temp%\tmpG{current time in milliseconds}.tmp
%Temp%\log.tmp
%AppData%\{random sequence of 10 characters}.jpeg
C:\Users\Public\{random sequence of 10 characters}.vbs
%Temp%\{custom folder name}\{file name}

Sample info

Name: Unknown
MD5: F7722DD8660B261EA13B710062B59C43
SHA1: 15839B7AB0417FA35F2858722F0BD47BDF840D62
SHA256: 41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9
Type: PE (.NET)
Size: 327680
OriginalName: AZZRIDKGGSLTYFUUBCCRRCUMRKTOXFVPDKGAGPUZI_20190701133545943.exe
DateStamp: 01.07.2019
Compiler: VB.NET

Name: IELibrary.dll
MD5: BFB160A89F4A607A60464631ED3ED9FD
SHA1: 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD
SHA256: D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE
Type: PE (.NET DLL)
Size: 16896
OriginalName: IELibrary.dll
DateStamp: 11.10.2016
Compiler: Microsoft Linker(48.0*)

Source: www.habr.com
