Kwiminyaka yakutshanje, iiTrojans ezihambayo ziye zathatha indawo yeTrojans kwiikhompyuter zobuqu, ngoko ke ukuvela kwe-malware entsha "yemoto" endala kunye nokusetyenziswa okusebenzayo ngabaphuli-mthetho, nangona kungathandekiyo, kusesisiganeko. Kutshanje, i-CERT Group-IB's 24/7 iziko lokuphendula lokhuseleko lolwazi lichonge i-imeyile engaqhelekanga yokukhohlisa eyayifihla i-malware entsha yePC edibanisa imisebenzi ye-Keylogger kunye ne-PasswordStealer. Ingqalelo yabahlalutyi yatsalwa kwindlela i-spyware engene ngayo kumatshini womsebenzisi- kusetyenziswa umthunywa welizwi odumileyo. Ilya Pomerantsev, ingcali yohlalutyo lwe-malware kwi-CERT Group-IB, ichaze indlela i-malware esebenza ngayo, kutheni iyingozi, kwaye ifumene umdali wayo kwi-Iraq ekude.
Ngoko, masihambe ngolungelelwano. Ngaphantsi kwesigqubuthelo sokuncamathisela, unobumba onjalo unomfanekiso, xa ucofa apho umsebenzisi athatyathwe khona kwindawo. cdn.discordapp.com, kwaye ifayile enobungozi yakhutshelwa apho.
Ukusebenzisa iDiscord, ilizwi lasimahla kunye nomyalezo wombhalo, ayiqhelekanga. Ngokuqhelekileyo, ezinye izithunywa ezikhawulezayo okanye iinethiwekhi zentlalo zisetyenziselwa ezi njongo.
Ngexesha lohlalutyo oluneenkcukacha ngakumbi, usapho lwe-malware ichongiwe. Kwavela ukuba ngumntu omtsha kwimakethi ye-malware - 404 Keylogger.
Isibhengezo sokuqala sokuthengiswa kwe-keylogger sithunyelwe ii-hackforums ngumsebenzisi phantsi kwesiteketiso "404 Coder" ngo-Agasti 8.
Indawo yevenkile ibhaliswe mva nje- nge-7 kaSeptemba 2019.
Njengoko abaphuhlisi bathi kwiwebhusayithi 404iiprojekthi[.]xyz, 404 sisixhobo esenzelwe ukunceda iinkampani zifunde malunga nemisebenzi yabathengi bazo (ngemvume yabo) okanye kwabo bafuna ukukhusela i-binary yabo kubunjineli obubuyela umva. Sijonge phambili, masithi ngomsebenzi wokugqibela 404 ngokuqinisekileyo ayinakumelana.
Sigqibe kwelokuba sijike enye yeefayile kwaye sijonge ukuba yintoni na "BEST SMART KEYLOGGER".
I-ecosystem ye-Malware
Umlayishi 1 (AtillaCrypter)
Ifayile yemvelaphi ikhuselwe usebenzisa EaxObfuscator kwaye yenza ukulayisha okumanyathelo amabini AtProtect ukusuka kwicandelo lemithombo. Ngethuba lokuhlalutya ezinye iisampuli ezifunyenwe kwi-VirusTotal, kwacaca ukuba eli nqanaba alinikezelwanga ngumthuthukisi ngokwakhe, kodwa longezwa ngumxhasi wakhe. Kamva kwagqitywa ukuba le bootloader yayiyi-AtillaCrypter.
I-Bootloader 2 (AtProtect)
Enyanisweni, lo mlayishi uyinxalenye ebalulekileyo ye-malware kwaye, ngokwenjongo yomphuhlisi, kufuneka athathe umsebenzi wokuhlalutya ukubala.
Nangona kunjalo, ekusebenzeni, iindlela zokukhusela zezakudala kakhulu, kwaye iinkqubo zethu zifumanisa ngempumelelo le malware.
Imodyuli engundoqo ilayishwa ngokusetyenziswa Franchy ShellCode iinguqulelo ezahlukeneyo. Nangona kunjalo, asibandakanyi ukuba ezinye iinketho bezinokusetyenziswa, umzekelo, Qhuba iPE.
Ifayile yoqwalaselo
Ukudityaniswa kwenkqubo
Ukudityaniswa kwenkqubo kuqinisekiswa yi-bootloader AtProtect, ukuba iflegi ehambelanayo isetiwe.
- Ifayile ikhutshelwa ecaleni kwendlela %AppData%GFqaakZpzwm.exe.
- Ifayile yenziwe %AppData%GFqaakWinDriv.url, ukusungula Zpzwm.exe.
- Kumsonto HKCUSoftwareMicrosoftWindowsCurrentVersionRun iqhosha lokuqalisa lenziwa WinDriver.url.
Ukusebenzisana neC&C
Umlayishi AtProtect
Ukuba iflegi efanelekileyo ikhona, i-malware inokuqalisa inkqubo efihliweyo iexplorer kwaye ulandele ikhonkco elikhankanyiweyo ukwazisa umncedisi malunga nosulelo oluyimpumelelo.
DataStealer
Kungakhathaliseki ukuba yeyiphi indlela esetyenzisiweyo, unxibelelwano lwenethiwekhi luqala ngokufumana i-IP yangaphandle yexhoba usebenzisa isibonelelo [http]://checkip[.]dyndns[.]org/.
Ummeli woMsebenzisi: Mozilla/4.0 (iyahambelana; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Ulwakhiwo jikelele lomyalezo luyafana. Isihloko esikhoyo
|ββ- 404 Keylogger β {Uhlobo} ββ-|phi {uhlobo} ihambelana nohlobo lolwazi oluhanjiswayo.
Olu lulandelayo lulwazi malunga nesistim:
_______ + ULWAZI NGEVICTIM + _______
IP: {I-IP yangaphandle}
Igama loMnikazi: {Igama leKhompyutha}
Igama le-OS: {igama le-OS}
Uguqulelo lwe-OS: {Inguqulelo ye-OS}
I-OS PlatForm: {Iqonga}
Ubungakanani be-RAM: {ubungakanani be-RAM}
______________________________
Kwaye ekugqibeleni, idatha edlulisiweyo.
SMTP
Umxholo wale leta umi ngolu hlobo lulandelayo: 404 K | {Uhlobo lomyalezo} | Igama loMthengi: {Igama lomsebenzisi}.
Okubangela umdla kukuba, ukuhambisa iileta kumxhasi 404 Keylogger Iseva yeSMTP yabaphuhlisi iyasetyenziswa.
Oku kwenza ukuba ukuchonga abanye abathengi, kunye ne-imeyile yomnye wabaphuhlisi.
FTP
Xa usebenzisa le ndlela, ulwazi oluqokelelweyo lugcinwa kwifayile kwaye lufunde ngokukhawuleza ukusuka apho.
Ingqiqo emva kwesi senzo ayicacanga ngokupheleleyo, kodwa idala i-artifact eyongezelelweyo yokubhala imithetho yokuziphatha.
%HOMEDRIVE%%HOMEPATH%AmaxwebhuA{Inombolo engafanelekanga}.txt
I-Pastebin
Ngexesha lokuhlalutya, le ndlela isetyenziselwa kuphela ukudlulisa iiphasiwedi ezibiweyo. Ngaphezu koko, ayisetyenziswanga njengenye indlela kwezimbini zokuqala, kodwa ngokuhambelanayo. Umqathango lixabiso lokuhlala lilingana ne "Vavaa". Kuqikelelwa ukuba eli ligama lomxhasi.
Ukusebenzisana kwenzeka nge-https protocol nge-API i-pastebin. Intsingiselo api_paste_yabucala ngokulinganayo PASTE_UNLISTED, ethintela ukukhangela amaphepha anjalo kwi i-pastebin.
Uguqulelo oluntsonkothileyo
Ukufumana kwakhona ifayile kwimithombo
Umthwalo wokuhlawula ugcinwa kwizixhobo zokuqalisa AtProtect ngendlela yemifanekiso yeBitmap. Ukukhutshwa kuqhutywa ngamanqanaba amaninzi:
- Uluhlu lwee-bytes lutsalwa kumfanekiso. Ipixel nganye iphathwa njengolandelelwano lwee-byte ezi-3 kwi-oda ye-BGR. Emva kokutsalwa, iibhayithi ezi-4 zokuqala zoluhlu zigcina ubude bomyalezo, ezi zilandelayo zigcina umyalezo ngokwawo.
- Isitshixo sibalwa. Ukwenza oku, i-MD5 ibalwa kwixabiso elithi "ZpzwmjMJyfTNiRalKVrcSkxCN" echazwe njengegama lokugqitha. I-hash enesiphumo ibhalwe kabini.
- I-Decryption yenziwa ngokusebenzisa i-algorithm ye-AES kwimodi ye-ECB.
Ukusebenza okungalunganga
Umxokozelo
Isetyenziswe kwi-bootloader AtProtect.
- Ngokuqhagamshelana [activelink-repalce] Ubume bomncedisi uyacelwa ukuba uqinisekise ukuba ukulungele ukukhonza ifayile. Umncedisi makabuye βVULEβ.
- Ikhonkco [download link-place] Umthwalo wokuhlawula ukhutshelwe.
- Ngo kunceda FranchyShellcode umthwalo wentlawulo ufakwa kwinkqubo [inj-replace].
Ngexesha lohlalutyo lwesizinda 404iiprojekthi[.]xyz iimeko ezongezelelweyo zachongwa kwiVirusTotal 404 Keylogger, kunye neendidi ezininzi zabalayishi.
Ngokwesiqhelo, zahlulwe zaba ziindidi ezimbini:
- Ukhuphelo lwenziwa kwisixhobo 404iiprojekthi[.]xyz.
Idatha yi-Base64 ekhowudiweyo kunye ne-AES efihliweyo. - Olu khetho luqulathe izigaba ezininzi kwaye luqhele ukusetyenziswa ngokudityaniswa nesilayishi sesiqalo AtProtect.
- Kwinqanaba lokuqala, idatha ilayishwa ukusuka i-pastebin kunye nekhowudi kusetyenziswa umsebenzi HexToByte.
- Kwinqanaba lesibini, umthombo wokulayisha ngu 404iiprojekthi[.]xyz. Nangona kunjalo, imisebenzi yokunciphisa kunye ne-decoding ifana naleyo ifunyenwe kwi-DataStealer. Mhlawumbi kwakucetywe ekuqaleni ukuphumeza umsebenzi wokulayisha kuqala kwimodyuli engundoqo.
- Kweli nqanaba, umthwalo sele ukwi-manifest yesixhobo kwifom ecinezelweyo. Imisebenzi efanayo yokutsalwa ifunyenwe kwimodyuli ephambili.
Abakhupheli bafunyenwe phakathi kweefayile ezihlalutyiweyo njRat, SpyGate kunye nezinye iiRAT.
Keylogger
Ixesha lokuthumela ilogi: imizuzu engama-30.
Bonke abalinganiswa bayaxhaswa. Abalinganiswa abakhethekileyo babalekile. Kukho ukuqhubekekiswa kwe-BackSpace kwaye Cima izitshixo. Case sensitive.
I-ClipboardLogger
Ixesha lokuthumela ilogi: imizuzu engama-30.
Buffer ixesha lokuvota: 0,1 imizuzwana.
Iphunyeziwe ikhonkco lokubaleka.
ScreenLogger
Ixesha lokuthumela ilogi: imizuzu engama-60.
Imifanekiso yekhusi igcinwa kuyo %HOMEDRIVE%%HOMEPATH%Amaxwebhu404k404pic.png.
Emva kokuthumela ifolda 404k iyacinywa.
I-PasswordStealer
| Abakhangeli | Abaxhasi bemeyile | Abaxhasi beFTP |
|---|---|---|
| chrome | imbonakalo | FileZilla |
| Firefox | Thunderbird | |
| SeaMonkey | Foxmail | |
| I-IceDragon | ||
| PaleMoon | ||
| Unokonwaba | ||
| chrome | ||
| BraveBrowser | ||
| QQBrowser | ||
| Isikhangeli se-Iridium | ||
| XvastBrowser | ||
| Chedot | ||
| 360Ibhrawuza | ||
| ComodoDragon | ||
| 360Chrome | ||
| SuperBird | ||
| Isikhangeli Esiphakathi | ||
| Isikhangeli soMoya | ||
| IronBrowser | ||
| Chromium | ||
| Vivaldi | ||
| SlimjetBrowser | ||
| I-Orbitum | ||
| CocCoc | ||
| Ikhuni | ||
| UCBrowser | ||
| EpicBrowser | ||
| BliskBrowser | ||
| Opera |
Ukuchasana nohlalutyo oluguqukayo
- Ukujonga ukuba ngaba inkqubo iphantsi kohlalutyo
Yenziwe kusetyenziswa inkqubo yokukhangela uxanduva, ProcessHacker, inkqubop64, procexp, procmon. Ukuba ubuncinane enye ifunyenwe, i-malware iyaphuma.
- Ijonga ukuba ukwimeko-bume enenyani
Yenziwe kusetyenziswa inkqubo yokukhangela vmtoolsd, Inkonzo yeVGAuth, vmacthlp, Inkonzo yeVBox, VBoxTray. Ukuba ubuncinane enye ifunyenwe, i-malware iyaphuma.
- Ukulala imizuzwana emi-5
- Umboniso weentlobo ezahlukeneyo zeebhokisi zencoko
Ingasetyenziselwa ukugqitha ezinye iibhokisi zesanti.
- Yidlula i-UAC
Kwenziwe ngokuhlela iqhosha lobhaliso EnableLUA kwiisetingi zoMgaqo-nkqubo weQela.
- Ifaka uphawu "olufihliweyo" kwifayile yangoku.
- Ukukwazi ukucima ifayile yangoku.
Iimpawu ezingasebenziyo
Ngethuba lokuhlalutya i-bootloader kunye nemodyuli ephambili, imisebenzi yafunyanwa eyayijongene nomsebenzi owongezelelweyo, kodwa ayisetyenziswanga naphi na. Oku mhlawumbi kungenxa yokuba i-malware isekuphuhlisweni kwaye ukusebenza kuya kwandiswa kungekudala.
Umlayishi AtProtect
Kufunyenwe umsebenzi onoxanduva lokulayisha kunye nokutofa kwinkqubo msiexec.exe imodyuli engafanelekanga.
DataStealer
- Ukudityaniswa kwenkqubo
- Decompression and decryption imisebenzi
Kusenokwenzeka ukuba ufihlo lwedatha ngexesha lonxibelelwano lwenethiwekhi luya kuphunyezwa kungekudala. - Ukuphelisa iinkqubo ze-antivirus
| zlclient | Dvp95_0 | Pavsched | avgserv9 |
| egui | Injini | Pavw | avgserv9schedapp |
| bdagent | Ikhuselekile | PCCIOMON | avgemc |
| npfmsg | Espwatch | PCCMAIN | ashwebsv |
| olydbg | F-Agnt95 | Pccwin98 | i-ashdisp |
| i-anubis | Findvir | Pcfwallicon | ashmaisv |
| wireshark | Fprot | Persfw | ashserv |
| avastui | F-Prot | I-POP3TRAP | aswUpdSv |
| _Avp32 | F-Prot95 | PVIEW95 | symwsc |
| vsmon | Fp-Win | Rav7 | Norton |
| mbam | Frw | Rav7win | Norton Auto-Khusela |
| iscrambler | F-Stopw | U ku sindisa | norton_av |
| _Avpcc | Iamapp | I-Safeweb | nortonnav |
| _Avpm | Iamserv | Iskena32 | ccsetmgr |
| Ackwin32 | Ibmasn | Iskena95 | ccvtmgr |
| Indawo yokuphuma | Ibmavsp | Scanpm | avadmin |
| I-Anti-Trojan | Ifayile95 | Skrola | i-avcenter |
| I-ANTIVIR | I-Icloadnt | Inkonzo95 | Umgangatho |
| Apvxdwin | I-icmon | Smc | avguard |
| I-ATRACK | ICsup95 | SMCSERVICE | avnotify |
| Uzikhuphela phantsi | Icsupnt | Ukukhupha | avscan |
| Avconsol | Iface | Sphinx | guardgui |
| Ave32 | Iomon98 | Tshayela95 | nod32kr |
| Avgctrl | Jedi | I-SYMPROXYSVC | nod32kui |
| Avkserv | Lockdown2000 | Tbscan | iclamscan |
| Avnt | Jonga ngaphandle | Tca | iclamTray |
| Avp | Luall | Tds2-98 | clamWin |
| Avp32 | mcafee | Tds2-Nt | freshclam |
| Avpcc | Moolive | TermiNET | oladin |
| Avpdos32 | MPftray | Vet95 | isixhobo somqondiso |
| Avpm | N32scanw | Vettray | w9xpopen |
| Avptc32 | NAVAPSVC | Vscan40 | Vala |
| Avpupd | NAVAPW32 | Vsecomr | cmgrdian |
| Avsched32 | NAVLU32 | Vshwin32 | alogserv |
| I-AVSYNMGR | Navnt | Vsstat | mcshield |
| Avwin95 | NAVRUNR | Webscanx | vshwin32 |
| Avwupd32 | Navw32 | WEBTRAP | avconsol |
| Mnyama | Navwnt | Wfindv32 | vsstat |
| Umnyama | NeoWatch | indawo yealarm | avsynmgr |
| Cfiadmin | I-NISERV | THIXELO2000 | avcmd |
| Cfiaudit | Nisum | UKUHLALA32 | avconfig |
| I-Cfinet | Nmain | LUCOMSERVER | limgr |
| Cfinet32 | I-Normist | avgcc | ishedyuli |
| Claw95 | ENORTON | avgcc | preupd |
| Claw95cf | Uphuculo | avgamsvr | MsMpEng |
| Ucocekileyo | Nvc95 | avgupsvc | MSACui |
| Umcoci3 | Indawo yokuphuma | avgw | Avira.Systray |
| Defwatch | Padmin | avgcc32 | |
| Dvp95 | Pavcl | avgserv |
- Ukuzitshabalalisa
- Ilayisha idata kwimanifi yesixhobo esichaziweyo
- Ukukhuphela ifayile ecaleni kwendlela %Temp%tmpG[Umhla wangoku kunye nexesha kwi-milliseconds].tmp
Okubangela umdla kukuba, umsebenzi ofanayo ukhoyo kwi-AgentTesla malware. - Ukusebenza kwentshulube
I-malware ifumana uluhlu lwemidiya esusekayo. Ikopi ye-malware yenziwe kwingcambu yenkqubo yefayile yemidiya enegama Sys.exe. I-Autorun iphunyezwa ngokusebenzisa ifayile autorun.inf.
Iprofayile yomhlaseli
Ngethuba lokuhlalutya iziko lomyalelo, kwakunokwenzeka ukuseka i-imeyile kunye nesidlaliso somphuhlisi - uRazer, aka Brwa, Brwa65, HiDDen Person, 404 Coder. Emva koko, sifumene ividiyo enomdla kwiYouTube ebonisa ukusebenza nomakhi.
Oku kwenza ukuba kufumaneke itshaneli yomphuhlisi wokuqala.
Kwacaca ukuba unamava okubhala ii<em>cryptographer. Kukho amakhonkco kumaphepha kwiintanethi zentlalo, kunye negama lokwenene lombhali. Wabonakala engumhlali wase-Iraq.
Yile nto umphuhlisi we-404 Keylogger kuthiwa ujongeka ngayo. Ifoto evela kwiprofayile yakhe yobuqu kuFacebook.
I-CERT Group-IB ibhengeze isongelo esitsha - i-404 Keylogger - i-XNUMX-iyure yokubeka iliso kunye neziko lokuphendula kwiisongelo ze-cyber (SOC) e-Bahrain.
umthombo: www.habr.com