The RTM cyber group specializes in stealing funds from Russian companies

There are several known cyber groups that specialize in stealing funds from Russian companies. We have seen attacks that use security vulnerabilities to gain access to the target network. Once inside, the attackers study the organization's network structure and deploy their own tools to steal funds. Classic examples of this trend are the hacker groups Buhtrap, Cobalt and Corkow.

The RTM group, on which this report focuses, is part of this trend. It uses purpose-built malware written in Delphi, which we examine in detail in the following sections. The first traces of these tools in ESET's telemetry were found at the end of 2015. The group loads various new modules onto infected systems as needed. The attacks target users of remote banking systems in Russia and some neighbouring countries.

1. Targets

The RTM campaign targets corporate users; this is evident from the processes the attackers try to detect on a compromised system. The focus is on accounting software and remote banking systems.

The list of processes of interest to RTM resembles the corresponding list of the Buhtrap group, but the groups use different infection vectors. Where Buhtrap more often used fake pages, RTM used drive-by download attacks (attacks on the browser or its components) and e-mail spam. According to telemetry data, the threat is aimed at Russia and several nearby countries (Ukraine, Kazakhstan, the Czech Republic, Germany). However, given the use of mass distribution mechanisms, detections of the malware outside the target regions are not surprising.

The total number of malware detections is small. On the other hand, the RTM campaign uses complex programs, which indicates that the attacks are highly targeted.

We found several decoy documents used by RTM, including non-existent contracts, invoices or tax accounting documents. The nature of the lures, combined with the type of software targeted by the attack, indicates that the attackers "enter" the networks of Russian companies through the accounting department. The Buhtrap group operated according to the same scheme in 2014-2015.

During the investigation we were able to interact with several C&C servers. We will list the full set of commands in the following sections, but for now we can say that the client transfers keylogger data directly to the attacking server, from which additional commands are then received.

However, the days when you could simply connect to a command and control server and collect all the data you were interested in are over. We recreated realistic log files to obtain some relevant commands from the server.

The first of them is a request to the bot to transfer the file 1c_to_kl.txt, a transport file of the 1C: Enterprise 8 system whose appearance is actively monitored by RTM. 1C interacts with remote banking systems by exporting data on outgoing payments to a text file. The file is then sent to the remote banking system to automate and execute the payment order.

The file contains payment details. If the attackers change the information about outgoing payments, the transfer is sent with false details to the attackers' accounts.

About a month after requesting these files from the command and control server, we observed a new plugin, 1c_2_kl.dll, being loaded onto the compromised system. The module (a DLL) is designed to automatically analyze the export file by injecting itself into the accounting software's processes. We describe it in detail in the following sections.

Interestingly, FinCERT of the Bank of Russia issued a warning at the end of 2016 about cybercriminals using 1c_to_kl.txt export files. The developers from 1C are also aware of this scheme;

Other modules were also loaded from the command server, in particular VNC (32- and 64-bit versions). It resembles the VNC module previously used in Dridex Trojan attacks. This module is presumably used to connect remotely to the infected computer and carry out a detailed study of the system. The attackers then try to move around the network, extract user passwords, collect information and ensure the continued presence of the malware.

2. Infection vectors

The following figure shows the infection vectors identified during the study of the campaign. The group uses a wide range of vectors, but mainly drive-by download attacks and spam. These tools are convenient for targeted attacks since, in the first case, the attackers can select sites visited by potential victims and, in the second, they can send e-mail with attachments directly to the desired employees of the company.

The malware is distributed through multiple channels, including the RIG and Sundown exploit kits or spam mailings, which indicates contacts between the attackers and other cyber-attackers offering these services.

2.1. How are RTM and Buhtrap related?

The RTM campaign is very similar to Buhtrap. The natural question is: how are they related to each other?

In September 2016 we observed an RTM sample being distributed using the Buhtrap loader. In addition, we found two digital certificates used in both Buhtrap and RTM.

The first, allegedly issued to the company DNISTER-M, was used to sign the second Delphi form (SHA-1: 025C718BA31E43DB1B87DC13F94A61A9338C11CE) and the Buhtrap DLL (SHA-1: 1E2642B454B2D889D6D41116D83D6D2D4890DXNUMXDXNUMXDXNUMXDXNUMXDXNUMXDXNUMXDXNUMX).

The second, issued to Bit-Tredj, was used to sign Buhtrap loaders (SHA-1: 7C1B6B1713BD923FC243DFEC80002FE9B93EB292 and B74F71560E48488D2153AE2FB51207TM and R0A206), which download and install RTM.

RTM operators use certificates shared with other malware families, but they also have a certificate of their own. According to ESET telemetry, it was issued to Kit-SD and was used to sign only some RTM malware (SHA-1: 42A4B04446A20993DDAE98B2BE6D5A797376D4B6).

RTM uses the same loader as Buhtrap, and RTM components are loaded from Buhtrap infrastructure, so the groups have similar network indicators. Nevertheless, in our opinion RTM and Buhtrap are different groups, at least because RTM is distributed in different ways (not only through the "foreign" downloader).

Still, the hacker groups use similar operating principles. They target businesses that use accounting software, collect system information in the same way, search for smart-card readers, and deploy a range of malicious tools to spy on victims.

3. Evolution

In this section we look at the different versions of the malware found during the study.

3.1. Versioning

RTM stores configuration data in a registry section; the most interesting part is the botnet-prefix. The list of all the values we saw in the studied samples is shown in the table below.

It is possible that these values are used to record malware versions. However, we did not notice much difference between versions such as bit2 and bit3, or 0.1.6.4 and 0.1.6.6. Moreover, one of the prefixes has existed from the beginning and has evolved from a regular C&C domain to a .bit domain, as shown below.

3.2. Timeline

Using telemetry data, we built a graph of the occurrence of samples.

4. Technical analysis

In this section we describe the main functions of the RTM banking Trojan, including persistence mechanisms, its own version of the RC4 algorithm, the network protocol, spying functionality and some other features. In particular, we focus on the samples with SHA-1 AA0FA4584768CE9E16D67D8C529233E99FF1BBF0 and 48BC113EC8BA20B8B80CD5D4DA92051A19D1032B.

4.1. Installation and persistence

4.1.1. Execution

The core of RTM is a DLL; the library is dropped onto disk by an .EXE. The executable is usually packed and contains the DLL code. Once launched, it extracts the DLL and runs it with the following command:

rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host

4.1.2. DLL

The core DLL is always dropped onto disk as winlogon.lnk in the %PROGRAMDATA%\Winlogon folder. This file extension is usually associated with shortcuts, but the file is actually a DLL written in Delphi, named core.dll by the developer, as shown in the image below.

Example DLL name (F4C746696B0F5BB565D445EC49DD912993DE6361)

Once launched, the Trojan activates its persistence mechanism. This can be done in two different ways, depending on the victim's privileges on the system. With administrator rights, the Trojan adds a Windows Update entry to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. The command stored in Windows Update runs at the start of each user session.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update [REG_SZ] = rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host

The Trojan also tries to add a task to the Windows Task Scheduler. The task launches the winlogon.lnk DLL with the same parameters as above. Regular user rights allow the Trojan to add a Windows Update entry with the same data to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key:

rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host
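As an added example (not code from the report or from RTM itself), the following Python check looks for the persistence footprint just described in exported Run-key values: rundll32.exe loading a .lnk file as a DLL through the DllGetClassObject export with the "host" argument, stored under a value named "Windows Update". The registry data is constructed for the demonstration.

```python
"""Added example, not code from the ESET report or from RTM itself: checks Run-key
values for the persistence footprint described in 4.1 (rundll32.exe loading a
.lnk file as a DLL through the DllGetClassObject export with the 'host' argument,
stored under a value named 'Windows Update'). The registry data is constructed."""
import re

# Constructed Run-key export: "hive\key" -> {value_name: value_data}.
SAMPLE_RUN_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Windows Update": r'rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host',
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
}

# rundll32 may appear bare, with .exe, quoted, or with a full path; capture what follows.
RUNDLL_RE = re.compile(r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (dll_path, export, args), or None.

    rundll32 expects '<dll>,<entry point> [arguments]'.  The DLL path may be
    quoted, so the separating comma is looked up after the closing quote
    rather than at the first comma in the line.
    """
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            return None
        dll, tail = rest[1:end], rest[end + 1:].strip()
    else:
        cut = rest.find(",")
        if cut < 0:
            return None
        dll, tail = rest[:cut].strip(), rest[cut:]
    if not tail.startswith(","):
        return None
    export, _, args = tail[1:].strip().partition(" ")
    return dll, export, args.strip()


def rtm_persistence_findings(run_keys):
    """Return (key, value_name, reasons) for every Run value matching RTM's pattern."""
    findings = []
    for key, values in run_keys.items():
        for name, data in values.items():
            parsed = parse_rundll32(data)
            if parsed is None:
                continue  # not a rundll32 launch at all
            dll, export, args = parsed
            low = dll.lower()
            reasons = []
            if low.endswith(".lnk"):
                reasons.append("rundll32 loads a .lnk file as a DLL")
            if export == "DllGetClassObject" and args.lower() == "host":
                reasons.append("DllGetClassObject entry point with 'host' argument")
            if "%programdata%" in low and "winlogon" in low:
                reasons.append("winlogon.lnk under %PROGRAMDATA%")
            if name.lower() == "windows update":
                reasons.append("Run value named 'Windows Update'")
            if reasons:
                findings.append((key, name, reasons))
    return findings


if __name__ == "__main__":
    for key, name, reasons in rtm_persistence_findings(SAMPLE_RUN_KEYS):
        print(f"{key}\\{name}: {'; '.join(reasons)}")
```

The same parser can be applied to the action string of the scheduled task, since the report says it launches the DLL with the identical command line.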

4.2. Modified RC4 algorithm

Despite its known weaknesses, the RC4 algorithm is regularly used by malware authors. However, RTM's creators modified it slightly, probably to make the work of malware analysts harder. The modified version of RC4 is used throughout RTM's malicious tools to encrypt strings, network data, configuration and modules.

4.2.1. Differences

The original RC4 algorithm consists of two stages: S-box initialization (KSA, Key-Scheduling Algorithm) and pseudo-random sequence generation (PRGA, Pseudo-Random Generation Algorithm). The first stage initializes the S-box using the key; in the second stage the source text is processed with the S-box for encryption.

The RTM authors added an intermediate step between S-box initialization and encryption. The additional key is variable and is stored together with the data being encrypted or decrypted. The function that performs this additional step is shown in the figure below.

4.2.2. String encryption

At first glance there are several readable strings in the main DLL. The rest are encrypted using the algorithm described above, with the structure shown in the following figure. We found more than 25 different RC4 keys for string encryption in the analyzed samples. The XOR key is different for each string. The value of the numeric field separating the strings is always 0xFFFFFFFF.

At the start of execution, RTM decrypts the strings into a global variable. When it needs to access a string, the Trojan dynamically computes the address of the decrypted string from the base address and an offset.

The strings contain interesting information about the malware's functions. Some example strings are given in Section 6.8.

4.3. Network

The way RTM malware communicates with the C&C server varies from version to version. The first modifications (October 2015 to April 2016) used traditional domain names together with an RSS feed on livejournal.com to update the list of commands.

Since April 2016 we have observed a shift to .bit domains in telemetry data. This is confirmed by the domain registration date: the first RTM domain, fde05d0573da.bit, was registered on March 13, 2016.

All the URLs we saw while monitoring the campaign had the same path: /r/z.php. It is quite unusual and helps identify RTM requests in network traffic.

4.3.1. Command and control channel

Legacy samples used this channel to update their list of command and control servers. The hosting is on livejournal.com; at the time of writing the report it remained at the URL hxxp://f72bba81c921(.)livejournal(.)com/data/rss.

Livejournal is a Russian-American company that provides a blogging platform. RTM operators create an LJ blog in which they post an article with encoded commands; see the screenshot.

The command and control lines are encoded with the modified RC4 algorithm (Section 4.2). The current version (November 2016) of the channel contains the following command and control server addresses:

  • hxxp://cainmoon(.)net/r/z.php
  • hxxp://rtm(.)dev/0-3/z.php
  • hxxp://vpntap(.)top/r/z.php

4.3.2. .bit domains

In the most recent RTM samples, the authors connect to C&C domains under the .bit top-level domain. It is not in the ICANN (Internet Corporation for Assigned Names and Numbers) list of top-level domains. Instead it uses the Namecoin system, built on top of Bitcoin technology. Malware authors do not often use the .bit TLD for their domains, although an example of such use has been seen before in a version of the Necurs botnet.

Unlike Bitcoin, users of the distributed Namecoin database are able to store data in it. The main application of this feature is the .bit top-level domain. You can register domains that are stored in the distributed database. The corresponding database entries contain the IP addresses the domain resolves to. This TLD is "censorship-resistant" because only the registrant can change the resolution of a .bit domain. This means it is much harder to take down a malicious domain under this type of TLD.

The RTM Trojan does not embed the software needed to read the distributed Namecoin database. It uses central DNS servers such as dns.dot-bit.org or OpenNic servers to resolve .bit domains, and therefore has the same resilience as those DNS servers. We observed that some of the group's domains were no longer resolvable after being mentioned in a blog post.

Another advantage of the .bit TLD for hackers is cost. To register a domain, operators need to pay only 0.01 NK, which corresponds to $0.00185 (as of December 5, 2016). For comparison, a .com domain costs at least $10.

4.3.3. Protocol

To communicate with the command and control server, RTM uses HTTP POST requests with data formatted according to a custom protocol. The path value is always /r/z.php; the User-Agent is Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0). In requests to the server the data is formatted as follows, with offset values expressed in bytes:

Bytes 0 to 6 are not encoded; bytes from offset 6 onwards are encoded with the modified RC4 algorithm. The structure of the C&C response packet is simpler: bytes are encoded from offset 4 to the end of the packet.

The list of possible byte values is shown in the table below:

The malware always computes the CRC32 of the encrypted data and compares it with the one present in the packet. If they differ, the Trojan drops the packet.
The additional data may contain various objects, including a PE file, a file to be searched for in the file system, or new command URLs.
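As an added example (not code from the report or from RTM), the following Python script scores proxy log entries against the network indicators given in this section: the fixed /r/z.php path, the User-Agent string, .bit C&C domains and the C&C hosts listed in 4.3.1. The log lines and their tab-separated format are constructed for the demonstration.

```python
"""Added example, not code from the report or from RTM: scores proxy log entries
against the RTM network indicators in 4.3 (the fixed /r/z.php path, the
User-Agent string, .bit C&C domains and the C&C hosts listed in 4.3.1). The log
lines are constructed; the log format (tab-separated fields) is an assumption."""
from urllib.parse import urlsplit

# C&C hosts from the report, written without the (.) defanging.
RTM_C2_HOSTS = {"cainmoon.net", "rtm.dev", "vpntap.top"}
RTM_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

# Constructed log: time, client, method, URL, status, user-agent (tab-separated).
SAMPLE_PROXY_LOG = (
    "2016-11-21T09:14:02Z\t10.0.3.17\tPOST\thttp://vpntap.top/r/z.php\t200\t"
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\n"
    "2016-11-21T09:14:05Z\t10.0.3.17\tPOST\thttp://fde05d0573da.bit/r/z.php\t200\t"
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\n"
    "2016-11-21T09:15:11Z\t10.0.3.22\tGET\thttp://www.example.com/r/z.php\t404\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/54.0\n"
    "2016-11-21T09:16:40Z\t10.0.3.22\tGET\thttps://www.example.org/index.html\t200\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/54.0\n"
)


def parse_line(line):
    """Turn one tab-separated log line into a dict with host and path split out."""
    ts, client, method, url, status, ua = line.rstrip("\n").split("\t", 5)
    parts = urlsplit(url)
    return {"time": ts, "client": client, "method": method.upper(),
            "host": (parts.hostname or "").lower(), "path": parts.path,
            "status": status, "ua": ua}


def score_entry(entry):
    """List the RTM indicators an entry matches; an empty list means none."""
    hits = []
    if entry["path"] == "/r/z.php":
        hits.append("path /r/z.php")
        if entry["method"] == "POST":
            hits.append("POST to /r/z.php")
    if entry["host"].endswith(".bit"):
        hits.append(".bit domain")
    if entry["host"] in RTM_C2_HOSTS:
        hits.append("known RTM C&C host")
    # The User-Agent is an ordinary IE9 string, so on its own it proves nothing;
    # count it only when another indicator is already present.
    if hits and entry["ua"] == RTM_USER_AGENT:
        hits.append("RTM User-Agent")
    return hits


def likely_rtm(hits):
    """Require two indicators before an entry is called RTM traffic."""
    return len(hits) >= 2


def scan_proxy_log(text):
    """Return (client, host, hits) for every entry matching at least one indicator."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        hits = score_entry(entry)
        if hits:
            flagged.append((entry["client"], entry["host"], hits))
    return flagged


if __name__ == "__main__":
    for client, host, hits in scan_proxy_log(SAMPLE_PROXY_LOG):
        verdict = "RTM" if likely_rtm(hits) else "weak"
        print(f"{verdict:4} {client} -> {host}: {', '.join(hits)}")
```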

4.3.4. Panel

We noticed that RTM uses a panel on the C&C servers. Screenshot below:

4.4. Fingerprinting

RTM is a typical banking Trojan, so it is not surprising that the operators want information about the victim's system. On the one hand, the bot collects general information about the OS. On the other hand, it finds out whether the compromised system shows signs of Russian remote banking systems.

4.4.1. General information

When the malware is installed or launched after a reboot, a report is sent to the command and control server containing general information, including:

  • time zone;
  • default system language;
  • credentials of the logged-on user;
  • process integrity level;
  • user name;
  • computer name;
  • OS version;
  • additional installed modules;
  • installed antivirus program;
  • list of smart-card readers.

4.4.2. Remote banking system

A typical Trojan target is the remote banking system, and RTM is no exception. One of the program's modules is called TBdo; it performs various tasks, including scanning disks and browsing history.

By scanning the disk, the Trojan checks whether banking software is installed on the machine. The full list of targeted programs is in the table below. After detecting a file of interest, the program sends the information to the command server. Subsequent actions depend on the logic defined by the command center (C&C) algorithms.

RTM also looks for URL patterns in the browser history and open tabs. In addition, the program walks the URL cache using the FindFirstUrlCacheEntryA and FindNextUrlCacheEntryA functions and checks each entry for a URL matching one of the following patterns:

Having detected open tabs, the Trojan contacts Internet Explorer or Firefox through the Dynamic Data Exchange (DDE) mechanism to check whether the tab matches a pattern.

Checking the browsing history and open tabs is performed in a WHILE loop (a loop with a precondition) with a one-second pause between checks. Other data monitored in real time is discussed in section 1.

If a pattern is found, the program reports this to the command server using the list of strings in the following table:

4.5. Monitoring

While the Trojan is running, information about the characteristics of the infected system (including the presence of banking software) is sent to the command and control server. Fingerprinting occurs when RTM first runs the monitoring system, immediately after the initial OS scan.

4.5.1. Remote banking

The TBdo module is also responsible for monitoring banking-related processes. It uses Dynamic Data Exchange to check tabs in Firefox and Internet Explorer during the initial scan. Another module, TShell, is used to monitor command windows (Internet Explorer or File Explorer).

The module uses the COM interfaces IShellWindows, IWebBrowser, DWebBrowserEvents2 and ConnectionPointContainer to monitor windows. When the user navigates to a new web page, the malware notes this. It then compares the page URL against the patterns above. On detecting a match, the Trojan takes six consecutive screenshots at 5-second intervals and sends them to the C&C server. The program also checks for certain window names associated with banking software; the full list is below:

4.5.2. Smart card

RTM can monitor smart-card readers connected to infected computers. In some countries these devices are used to confirm payment orders. If such a device is attached to a computer, it can indicate to the Trojan that the machine is used for banking transactions.

Unlike other banking Trojans, RTM cannot interact with such smart cards. Perhaps this functionality is contained in an additional module that we have not yet seen.

4.5.3. Keylogger

An important part of monitoring an infected PC is capturing keystrokes. It seems that RTM's developers did not want to miss any information, since they monitor not only regular keys but also the virtual keyboard and the clipboard.

To do this, the SetWindowsHookExA function is used. The attackers log pressed keys, or keys corresponding to the virtual keyboard, together with the program name and the date. The buffer is then sent to the C&C server.

The SetClipboardViewer function is used to intercept the clipboard. The attackers log the clipboard contents when the data is text. The name and date are also logged before the buffer is sent to the server.

4.5.4. Screenshots

Another RTM function is screenshot capture. The feature is used when the window monitoring module detects a site or banking software of interest. Screenshots are taken using a graphics library and transmitted to the command server.

4.6. Uninstallation

The C&C server can stop the malware from running and clean the computer. The command removes files and registry entries created while RTM was running. A DLL is then used to remove the malware and the winlogon file, after which the command shuts down the computer. As shown in the image below, the DLL is removed by the developers using erase.dll.

The server can send the Trojan a destructive uninstall-lock command. In this case, with administrator rights, RTM erases the MBR boot sector on the hard drive. If this fails, the Trojan tries to move the MBR boot sector to a random sector, so the computer is unable to boot the OS after shutdown. This can lead to a complete reinstallation of the OS, which means destruction of evidence.

Without administrator rights, the malware writes out an .EXE embedded in the underlying RTM DLL. The executable runs the code needed to shut down the computer and registers the module in the HKCU\CurrentVersion\Run registry key. Each time the user starts a session, the computer shuts down immediately.

4.7. Configuration file

By default RTM has almost no configuration file, but the command and control server can send configuration values that are stored in the registry and used by the program. The list of configuration keys is given in the table below:

The configuration is stored in the Software\[Pseudo-random string] registry key. Each value corresponds to one of the lines shown in the previous table. Values and data are encoded using RTM's RC4 algorithm.

The data has the same structure as network or string data: a four-byte XOR key is prepended to the encoded data. For configuration values the XOR key is different and depends on the size of the value. It can be computed as follows:

xor_key = (len(config_value) << 24) | (len(config_value) << 16) | len(config_value) | (len(config_value) << 8)
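As an added example (not code from the report or from RTM), the following Python implements plain RC4 plus the two RTM details described in 4.2 and 4.7: an extra step between KSA and PRGA driven by a 4-byte key stored in front of the ciphertext, and the configuration-value XOR key derived from the value length. Two points are assumptions, because the report does not show them: how the 4-byte key is mixed in (here it is XORed over the S-box) and its byte order (here little-endian).

```python
"""Added example, not code from the report or from RTM: plain RC4 (KSA + PRGA)
plus the two RTM details described above: an extra step between KSA and PRGA
driven by a 4-byte key stored in front of the ciphertext (4.2), and the
configuration-value XOR key derived from the value length (4.7).
ASSUMPTIONS (the report does not show these): the 4-byte key is XORed over the
S-box, and it is stored little-endian."""
import struct


def rc4_ksa(key):
    """Key-Scheduling Algorithm: build the 256-byte S-box from the key."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s, data):
    """Pseudo-Random Generation Algorithm: XOR data with the keystream."""
    s = s[:]  # PRGA mutates the state, so work on a copy
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rtm_rc4(data, key, xor_key):
    """RC4 with the assumed intermediate step: every S-box entry is XORed with the
    corresponding byte of the 4-byte key before the keystream is generated.
    The transform is its own inverse, so it serves for both directions."""
    kb = struct.pack("<I", xor_key)
    s = [v ^ kb[i % 4] for i, v in enumerate(rc4_ksa(key))]
    return rc4_prga(s, data)


def config_xor_key(value):
    """XOR key for configuration values, exactly as the report gives it (the
    length replicated into each byte); masked to 32 bits for values over 255
    bytes, which is an assumption."""
    n = len(value)
    return ((n << 24) | (n << 16) | n | (n << 8)) & 0xFFFFFFFF


def encode_config_value(value, rc4_key):
    """Layout from the report: 4-byte XOR key, then the RC4 output."""
    xk = config_xor_key(value)
    return struct.pack("<I", xk) + rtm_rc4(value, rc4_key, xk)


def decode_config_value(blob, rc4_key):
    """Reverse of encode_config_value; the stored key must match the
    length-derived one, which gives a cheap integrity check on a registry value."""
    if len(blob) < 4:
        raise ValueError("blob shorter than the 4-byte XOR key")
    xk = struct.unpack("<I", blob[:4])[0]
    plain = rtm_rc4(blob[4:], rc4_key, xk)
    if xk != config_xor_key(plain):
        raise ValueError("stored XOR key does not match the value length")
    return plain


def decode_stored_blob(blob, rc4_key):
    """Same layout for strings and network data, but with an arbitrary per-item
    XOR key (4.2.2), so no length check is possible there."""
    xk = struct.unpack("<I", blob[:4])[0]
    return rtm_rc4(blob[4:], rc4_key, xk)
```

With xor_key set to 0 the extra step is a no-op and rtm_rc4 reduces to standard RC4, which is a convenient way to check the base implementation against a published RC4 test vector.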

4.8. Other functions

Next, let's look at the other functions supported by RTM.

4.8.1. Additional modules

The Trojan includes additional modules, which are DLL files. Modules sent from the C&C server can be executed as external programs, mapped into RAM and launched in new threads. For storage, modules are saved in .dtt files and encoded with the RC4 algorithm using the same key as for network communication.

So far we have observed the installation of a VNC module (8966319882494077C21F66A8354E2CBCA0370464), a browser data extraction module (03DE8622BE6B2F75A364A275995C3411626C4D9F1C2D1F562C1D69F6FD) 58FBA88753B 7BE0D3B4EXNUMXCFAB).

To load the VNC module, the C&C server issues a command requesting a connection to the VNC server at a specific IP address on port 44443. The browser data retrieval plugin runs TBrowserDataCollector, which can read the IE browsing history. It then sends the full list of visited URLs to the C&C server.

The last module found is called 1c_2_kl. It can interact with the 1C Enterprise software package. The module has two parts: the main part, a DLL, and two agents (32- and 64-bit) that are injected into every process by registering a WH_CBT hook. Once inside the 1C process, the module hooks the CreateFile and WriteFile functions. Whenever CreateFile is called, the module stores the path of the file 1c_to_kl.txt in memory. After intercepting the WriteFile call, it calls the WriteFile function and sends the path of the file 1c_to_kl.txt to the main DLL module in a crafted Windows WM_COPYDATA message.

The main DLL module opens and parses the file to determine payment orders. It recognizes the amount and the transaction number contained in the file. This information is sent to the command server. We believe this module is still under development because it contains a debug message and cannot automatically modify 1c_to_kl.txt.

4.8.2. Privilege escalation

RTM may try to escalate privileges by displaying false error messages. The malware simulates a registry check (see image below) or uses a real registry editor icon. Note the misspelling of wait as whait. After a few seconds of "scanning", the program displays a false error message.

The false message easily deceives an ordinary user despite its grammatical errors. If the user clicks one of the two links, RTM tries to escalate its privileges in the system.

After one of the two recovery options is chosen, the Trojan launches the DLL with the runas option of the ShellExecute function to obtain administrator rights. The user then sees a genuine Windows elevation prompt (see image below). If the user grants the requested permissions, the Trojan runs with administrator rights.

Depending on the default language configured on the system, the Trojan displays the error messages in Russian or English.

4.8.3. Certificate

RTM can add certificates to the Windows store and confirm the addition by automatically clicking the "yes" button in the csrss.exe dialog box. This behavior is not new; for example, the Retefe banking Trojan also confirms the installation of a new certificate on its own.

4.8.4. Reverse connection

The RTM authors also created a Backconnect TCP tunnel. We have not yet seen the feature in use, but it is designed for remote monitoring of infected PCs.

4.8.5. Hosts file management

The C&C server can send the Trojan a command to modify the Windows hosts file. The hosts file is used to create custom DNS resolutions.

4.8.6. Find and send a file

The server can request that a file be found and uploaded from the infected system. For example, during the investigation we received a request for the file 1c_to_kl.txt. As described earlier, this file is generated by the 1C: Enterprise 8 accounting system.

4.8.7. Update

Finally, RTM's authors can update the software by sending a new DLL to replace the current version.

5. Conclusion

The RTM investigation shows that the Russian banking system still attracts cyber-attackers. Groups such as Buhtrap, Corkow and Carbanak have successfully stolen money from financial institutions and their customers in Russia. RTM is a new player in this business.

RTM's malicious tools have been in use since at least late 2015, according to ESET telemetry. The program has a full range of spying capabilities, including reading smart cards, intercepting keystrokes and monitoring banking transactions, as well as searching for 1C: Enterprise 8 transport files.

The use of the decentralized, uncensored .bit top-level domain gives the infrastructure a high degree of resilience.

Source: www.habr.com
