🥇 Penampilan gagal: kami mawa AgentTesla pikeun ngabersihan cai. Bagian 1

Anyar-anyar ieu, produsén Éropa alat pamasangan listrik ngahubungi Grup-IB - karyawanna nampi surat anu curiga kalayan lampiran jahat dina suratna. Ilya Pomerantsev, spesialis analisa malware di CERT Group-IB, ngalaksanakeun analisa lengkep ngeunaan file ieu, mendakan spyware AgentTesla di dinya sareng nyarioskeun naon anu diarepkeun tina malware sapertos kitu sareng kumaha bahayana.

Kalayan tulisan ieu kami muka séri tulisan ngeunaan cara nganalisis file anu berpotensi bahaya sapertos kitu, sareng kami ngantosan anu paling panasaran dina 5 Désémber pikeun webinar interaktif gratis ngeunaan topik éta. "Analisis Malware: Analisis Kasus Nyata". Sadaya detil aya di handapeun cut.

Mékanisme distribusi

Kami terang yén malware ngahontal mesin korban ngalangkungan email phishing. Panarima surat éta meureun BCCed.

Analisis lulugu nunjukkeun yén pangirim surat éta palsu. Kanyataanna, surat ditinggalkeun kalawan vps56[.]oneworldhosting[.]com.

Gagantel email ngandung arsip WinRar qoute_jpeg56a.r15 kalawan file laksana jahat QOUTE_JPEG56A.exe di jero.

Ékosistem malware

Ayeuna hayu urang tingali kumaha ékosistem malware anu ditaliti. Diagram di handap nembongkeun struktur sarta arah interaksi komponén.

Ayeuna hayu urang tingali unggal komponén malware sacara langkung rinci.

Pamuat

file aslina QOUTE_JPEG56A.exe mangrupa disusun AutoIt v3 naskah.

Pikeun obfuscate naskah aslina, hiji obfuscator kalawan sarupa PElock AutoIT-Obfuscator ciri.
Deobfuscation dilaksanakeun dina tilu tahap:

Ngaleungitkeun obfuscation Pikeun-Lamun
Hambalan munggaran nyaéta mulangkeun aliran kontrol naskah. Control Flow Flattening mangrupikeun salah sahiji cara anu paling umum pikeun ngajagaan kode binér aplikasi tina analisa. Transformasi ngabingungkeun sacara dramatis ningkatkeun pajeulitna ékstraksi sareng ngakuan algoritma sareng struktur data.
Pamulihan baris
Dua fungsi dipaké pikeun encrypt string:
- gdorizabegkvfca - Nedunan Base64-kawas decoding
- xgacyukcyzxz - XOR bait-bait basajan tina senar kahiji kalayan panjang kadua
Ngaleungitkeun obfuscation BinaryToString и ngeksekusi

Beban utama disimpen dina bentuk dibagi dina diréktori fon bagian sumberdaya file.

Urutan gluing nyaéta kieu: TIEQHCXWFG, EMI, SPDGUHIMPV, KQJMWQQAQTKTFXTUOSW, AOCHKRWWSKWO, JSHMSJPS, NHHWXJBMTTSPXVN, BFUTIFWWXVE, HWJHO, AVZOUMVFRDWFLWU.

Fungsi WinAPI dipaké pikeun ngadekrip data sasari CryptoDecrypt, sarta konci sési dihasilkeun dumasar kana nilai dipaké salaku konci fZgFiZlJDxvuWatFRgRXZqmNCIyQgMYc.

File laksana decrypted dikirim ka input fungsi RunPE, anu ngalaksanakeun ProcessInject в RegAsm.exe ngagunakeun diwangun-di ShellCode (ogé katelah RunPE ShellCode). Pangarang milik pamaké forum Spanyol teu katembong [.]net handapeun nickname Wardow.

Ogé sia noting yén dina salah sahiji threads forum ieu, hiji obfuscator pikeun Dina hateupna mibanda sipat sarupa dicirikeun salila analisis sampel.

nyalira ShellCode cukup basajan tur metot perhatian ngan injeuman ti grup hacker AnunakCarbanak. Fungsi hashing panggero API.

Urang ogé sadar kasus pamakéan Frenchy Shellcode versi béda.
Salian fungsionalitas anu dijelaskeun, kami ogé ngaidentipikasi fungsi anu teu aktip:

Blocking prosés manual terminasi dina task manager
Balikan deui prosés anak nalika tamat
Bypass UAC
Nyimpen payload kana file
Demonstrasi tina jandela modal
Ngadagoan posisi kursor mouse robah
AntiVM sareng AntiSandbox
Ngancurkeun diri
Ngompa payload tina jaringan

Kami terang yén fungsionalitas sapertos kitu khas pikeun pelindung CypherIT, anu, katingalina, mangrupikeun bootloader anu dimaksud.

modul utama software

Salajengna, urang bakal ngajelaskeun sakeudeung modul utama malware, sarta mertimbangkeun leuwih jéntré dina artikel kadua. Dina hal ieu, éta mangrupa aplikasi dina .NET.

Salila analisa, kami mendakan yén obfuscator dianggo ConfuserEX.

IELlibrary.dll

perpustakaan disimpen salaku sumberdaya modul utama sarta mangrupakeun plugin well-dipikawanoh pikeun AgénTesla, nu nyadiakeun pungsionalitas pikeun extracting rupa informasi tina Internet Explorer jeung browser Edge.

Agen Tesla mangrupikeun parangkat lunak spionase modular anu disebarkeun nganggo modél malware-as-a-service dina kedok produk keylogger anu sah. Agén Tesla sanggup nimba sareng ngirimkeun kredensial pangguna tina browser, klien email sareng klien FTP ka server ka panyerang, ngarékam data clipboard, sareng nangkep layar alat. Dina waktos analisa, halaman wéb resmi pamekar henteu sayogi.

Titik éntri nyaéta fungsi GetSavedPasswords kelas InternetExplorer.

Sacara umum, palaksanaan kode linier sareng henteu ngandung panyalindungan ngalawan analisa. Ngan fungsi unrealized pantes perhatian GetSavedCookies. Tétéla, pungsionalitas plugin nu sakuduna dituju dilegakeun, tapi ieu pernah dipigawé.

Ngagantelkeun bootloader kana sistem

Hayu urang diajar kumaha bootloader napel kana sistem. Spésimén anu ditalungtik henteu ngalakukeun anchoring, tapi dina acara anu sami éta lumangsung dumasar kana skéma ieu:

Dina folder C: PamakéPublik naskah dijieun visual Basic
conto naskah:
Eusi file bootloader anu padded kalawan karakter null tur disimpen kana polder %Temp%<Ngaran folder custom><Ngaran koropak>
Hiji konci autorun dijieun dina pendaptaran pikeun file skrip HKCUSoftwareMicrosoftWindowsCurrentVersionRun<nami Aksara>

Janten, dumasar kana hasil bagian mimiti analisa, kami tiasa netepkeun nami kulawarga sadaya komponén malware anu ditaliti, nganalisa pola inféksi, sareng ogé kéngingkeun objék pikeun nyerat tanda tangan. Urang bakal neruskeun analisis objék ieu dina artikel salajengna, dimana urang bakal kasampak di modul utama dina leuwih jéntré AgénTesla. Ulah sono!

Ku jalan kitu, dina 5 Désémber kami ngajak sadaya pamiarsa kana webinar interaktif gratis dina topik "Analisis malware: analisa kasus nyata", dimana panulis tulisan ieu, spesialis CERT-GIB, bakal nunjukkeun online tahap mimiti analisis malware - semi-otomatis unpacking sampel ngagunakeun conto tilu nyata mini-kasus ti prakték, sarta anjeun bisa ilubiung dina analisis. Webinar cocog pikeun spesialis anu parantos gaduh pangalaman dina nganalisa file jahat. Pendaptaran sacara ketat tina email perusahaan: ngadaptar. Ngantosan anjeun!

Bojong

rule AgentTesla_clean{
meta:
    author = "Group-IB"
    file = "78566E3FC49C291CB117C3D955FA34B9A9F3EEFEFAE3DE3D0212432EB18D2EAD"
    scoring = 5
    family = "AgentTesla"
strings:
    $string_format_AT = {74 00 79 00 70 00 65 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 68 00 77 00 69 00 64 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 74 00 69 00 6D 00 65 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 63 00 6E 00 61 00 6D 00 65 00 3D 00 7B 00 33 00 7D 00 0D 00 0A 00 6C 00 6F 00 67 00 64 00 61 00 74 00 61 00 3D 00 7B 00 34 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 3D 00 7B 00 35 00 7D 00 0D 00 0A 00 69 00 70 00 61 00 64 00 64 00 3D 00 7B 00 36 00 7D 00 0D 00 0A 00 77 00 65 00 62 00 63 00 61 00 6D 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 37 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 38 00 7D 00 0D 00 0A 00 5B 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 73 00 5D 00}
    $web_panel_format_string = {63 00 6C 00 69 00 65 00 6E 00 74 00 5B 00 5D 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 6C 00 69 00 6E 00 6B 00 5B 00 5D 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 75 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 5B 00 5D 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 5B 00 5D 00 3D 00 7B 00 33 00 7D 00 00 15 55 00 52 00 4C 00 3A 00 20 00 20 00 20 00 20 00 20 00 20 00 00 15 55 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 3A 00 20 00 00 15 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 3A 00}
condition:
     all of them
}

rule  AgentTesla_obfuscated {
meta:
    author = "Group-IB"
    file = "41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9"
    scoring = 5
    family = "AgentTesla"
strings:
    $first_names = {61 66 6B 00 61 66 6D 00 61 66 6F 00 61 66 76 00 61 66 79 00 61 66 78 00 61 66 77 00 61 67 6A 00 61 67 6B 00 61 67 6C 00 61 67 70 00 61 67 72 00 61 67 73 00 61 67 75 00}
    $second_names = "IELibrary.resources"
condition:
     all of them
}

rule AgentTesla_module_for_IE{
meta:
    author = "Group-IB"
    file = "D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE"
    scoring = 5
    family = "AgentTesla_module_for_IE"
strings:
    $s0 = "ByteArrayToStructure" 
    $s1 = "CryptAcquireContext" 
    $s2 = "CryptCreateHash" 
    $s3 = "CryptDestroyHash" 
    $s4 = "CryptGetHashParam" 
    $s5 = "CryptHashData"
    $s6 = "CryptReleaseContext" 
    $s7 = "DecryptIePassword" 
    $s8 = "DoesURLMatchWithHash" 
    $s9 = "GetSavedCookies" 
    $s10 = "GetSavedPasswords" 
    $s11 = "GetURLHashString"  
condition:
     all of them
}

rule RunPE_shellcode {
meta:
    author = "Group-IB"
    file = "37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918"
    scoring = 5
    family = "RunPE_shellcode"
strings:
    $malcode = {
      C7 [2-5] EE 38 83 0C // mov     dword ptr [ebp-0A0h], 0C8338EEh
      C7 [2-5] 57 64 E1 01 // mov     dword ptr [ebp-9Ch], 1E16457h
      C7 [2-5] 18 E4 CA 08 // mov     dword ptr [ebp-98h], 8CAE418h
      C7 [2-5] E3 CA D8 03 // mov     dword ptr [ebp-94h], 3D8CAE3h
      C7 [2-5] 99 B0 48 06 // mov     dword ptr [ebp-90h], 648B099h
      C7 [2-5] 93 BA 94 03 // mov     dword ptr [ebp-8Ch], 394BA93h
      C7 [2-5] E4 C7 B9 04 // mov     dword ptr [ebp-88h], 4B9C7E4h
      C7 [2-5] E4 87 B8 04 // mov     dword ptr [ebp-84h], 4B887E4h
      C7 [2-5] A9 2D D7 01 // mov     dword ptr [ebp-80h], 1D72DA9h
      C7 [2-5] 05 D1 3D 0B // mov     dword ptr [ebp-7Ch], 0B3DD105h
      C7 [2-5] 44 27 23 0F // mov     dword ptr [ebp-78h], 0F232744h
      C7 [2-5] E8 6F 18 0D // mov     dword ptr [ebp-74h], 0D186FE8h
      }
condition:
    $malcode 
}

rule AgentTesla_AutoIT_module{
meta:
    author = "Group-IB"
    file = "49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF"
    scoring = 5
    family = "AgentTesla"
strings:                                    
    $packedexeau = {55 ED F5 9F 92 03 04 44 7E 16 6D 1F 8C D7 38 E6 29 E4 C8 CF DA 2C C4 E1 F3 65 48 25 B8 93 9D 66 A4 AD 3C 39 50 00 B9 60 66 19 8D FC 20 0A A0 56 52 8B 9F 15 D7 62 30 0D 5C C3 24 FE F8 FC 39 08 DF 87 2A B2 1C E9 F7 06 A8 53 B2 69 C3 3C D4 5E D4 74 91 6E 9D 9A A0 96 FD DB 1F 5E 09 D7 0F 25 FB 46 4E 74 15 BB AB DB 17 EE E7 64 33 D6 79 02 E4 85 79 14 6B 59 F9 43 3C 81 68 A8 B5 32 BC E6}
condition:
     all of them
}

Hashes

nami	qoute_jpeg56a.r15
MD5	53BE8F9B978062D4411F71010F49209E
SHA1	A8C2765B3D655BA23886D663D22BDD8EF6E8E894
SHA256	2641DAFB452562A0A92631C2849B8B9CE880F0F8F 890E643316E9276156EDC8A
ngetik	Arsip WinRAR
ukuran	823014

nami	QOUTE_JPEG56A.exe
MD5	329F6769CF21B660D5C3F5048CE30F17
SHA1	8010CC2AF398F9F951555F7D481CE13DF60BBECF
SHA256	49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08 C05B5E3BD36FD52668D196AF
ngetik	PE (Skrip AutoIt Disusun)
ukuran	1327616
Ngaran Asli	teu dikenal
DateStamp	15.07.2019
Panyambung	Microsoft Linker(12.0)[EXE32]

MD5	C2743AEDDADACC012EF4A632598C00C0
SHA1	79B445DE923C92BF378B19D12A309C0E9C5851BF
SHA256	37A1961361073BEA6C6EACE6A8601F646C5B6ECD 9D625E049AD02075BA996918
ngetik	ShellCode
ukuran	1474

sumber: www.habr.com

Turnout gagal: hayu urang ngalaan AgentTesla kana cai bersih. Bagian 1