Eli nqaku yinxalenye yothotho lweFayileless Malware. Zonke ezinye iindawo zolu thotho:
- I-Adventures ye-Elusive Malware, iCandelo II: Izikripthi ze-VBA ezifihliweyo (silapha)
Ndingumntu othanda le ndawo (uhlalutyo oluxutyiweyo, emva koku HA). Olu luhlobo lwe-zoo ye-malware apho unokujonga ngokukhuselekileyo "amarhamncwa" asendle kumgama okhuselekileyo ngaphandle kokuhlaselwa. I-HA iqhuba i-malware kwiindawo ezikhuselekileyo, iirekhodi zeefowuni zenkqubo, iifayile ezenziwe kunye ne-intanethi ye-intanethi, kwaye ikunika zonke ezi ziphumo kwisampuli nganye ehlalutyayo. Ngale ndlela, akudingeki ukuba uchithe ixesha lakho kunye namandla uzama ukufumana ikhowudi edidayo ngokwakho, kodwa unokuqonda ngokukhawuleza zonke iinjongo ze-hackers.
Imizekelo ye-HA eyabamba ingqalelo yam isebenzisa i-JavaScript enekhowudi okanye i-Visual Basic for Applications (VBA) izikripthi ezifakwe njenge-macros kumaxwebhu eLizwi okanye e-Excel kwaye ziqhotyoshelwe kwii-imeyile ze-phishing. Xa zivulwa, ezi macros ziqala iseshoni yePowerShell kwikhompyuter yexhoba. IiHacker zihlala zithumela i-Base64 ekhowudiweyo yemiyalelo kwiPowerShell. Konke oku kwenziwa ukwenza uhlaselo lube nzima ukubhaqwa zizihluzi zewebhu kunye nesoftware ye-antivirus ephendula amagama athile aphambili.
Ngethamsanqa, i-HA icacisa ngokuzenzekelayo i-Base64 kwaye ibonise yonke into kwifomathi efundekayo ngoko nangoko. Ngokusisiseko, akufuneki ugxininise kwindlela ezi scripts zisebenza ngayo kuba uya kukwazi ukubona isiphumo esipheleleyo somyalelo weenkqubo ezisebenzayo kwicandelo elihambelanayo le-HA. Jonga umzekelo ongezantsi:
Uhlalutyo lweHybrid luthintela imiyalelo efakwe kwi-Base64 ethunyelwe kwi-PowerShell:
...kwaye ke ukukucacisela zona. #ngomlingo
Π Ndizenzele esam isikhongozeli seJavaScript esine-obfusified kancinci ukuze ndiqhube iseshoni yePowerShell. Iskripthi sam, njenge-malware esekwe kwi-PowerShell, emva koko ikhuphela i-PowerShell elandelayo kwiwebhusayithi ekude. Emva koko, njengomzekelo, ndilayishe i-PS engenabungozi eprinte umyalezo kwisikrini. Kodwa amaxesha ayatshintsha, kwaye ngoku ndicebisa ukuba ndidibanise imeko.
I-PowerShell Empire kunye neShell yokuReverse
Enye yeenjongo zalo msebenzi kukubonisa indlela (ngokomlinganiselo) ngokulula i-hacker inokudlula ukhuselo lweperimeter yakudala kunye ne-antivirus. Ukuba i-blogger ye-IT ngaphandle kwezakhono zokucwangcisa, njengam, ingayenza ngobusuku obunye (engabonwanga ngokupheleleyo, i-FUD), khawufane ucinge izakhono ze-hacker encinci enomdla kule nto!
Kwaye ukuba ungumboneleli wezokhuseleko lwe-IT, kodwa umphathi wakho akazi ngemiphumo enokwenzeka yezi zoyikiso, vele umbonise eli nqaku.
Abaduni baphupha ngokufumana ukufikelela ngokuthe ngqo kwilaptop yexhoba okanye kwiseva. Oku kulula kakhulu ukwenza: yonke into efunwa ngumxhasi kukufumana iifayile ezimbalwa eziyimfihlo kwilaptop yeCEO.
Ngandlela ithile sele malunga ne-PowerShell Empire emva kwexesha lokuvelisa. Masikhumbule ukuba yintoni na.
Sisixhobo sokuvavanya ukungena esekwe kwi-PowerShell, phakathi kwezinye izinto ezininzi, ikuvumela ukuba usebenzise iqokobhe elibuyela umva. Unokufunda ngakumbi kwi .
Masenze umfuniselo omncinci. Ndisete indawo ekhuselekileyo yovavanyo lwe-malware kwilifu leeNkonzo zeWebhu zeAmazon. Ungalandela umzekelo wam ngokukhawuleza nangokukhuselekileyo ubonise umzekelo osebenzayo wobu buthathaka (kwaye ungagxothwa ngokuqhuba iintsholongwane ngaphakathi kumda weshishini).
Ukuba uphehlelela ikhonsoli ye-PowerShell Empire, uya kubona into enje:
Okokuqala uqala inkqubo yomphulaphuli kwikhompyuter yakho ye-hacker. Ngenisa umyalelo "umphulaphuli", kwaye uchaze idilesi ye-IP yesixokelelwano sakho usebenzisa "set Host". Emva koko qalisa inkqubo yomphulaphuli ngomyalelo "wokwenza" (ngezantsi). Ke, kwicala lakho, uyakuqala ukulinda uqhagamshelo lwenethiwekhi ukusuka kwiqokobhe elikude:
Kwelinye icala, kuya kufuneka uvelise ikhowudi yearhente ngokufaka "umqalisi" umyalelo (jonga ngezantsi). Oku kuya kuvelisa ikhowudi ye-PowerShell ye-arhente ekude. Qaphela ukuba ifakwe kwi-Base64, kwaye imele isigaba sesibini somthwalo wokuhlawula. Ngamanye amagama, ikhowudi yam yeJavaScript ngoku iya kutsala le arhente ukuba iqhube i-PowerShell endaweni yokuprinta ngokungenampazamo isicatshulwa kwiscreen, kwaye iqhagamshele kwiseva yethu ekude yePSE ukuqhuba iqokobhe elibuyela umva.
Umlingo weqokobhe elibuyela umva. Lo myalelo unekhowudi yePowerShell uya kuqhagamshela kumphulaphuli wam kwaye uqalise iqokobhe elikude.
Ukukubonisa olu vavanyo, ndathatha indima yexhoba elimsulwa kwaye ndavula i-Evil.doc, ngaloo ndlela ndaqalisa iJavaScript yethu. Khumbula inxalenye yokuqala? I-PowerShell iqwalaselwe ukukhusela ifestile yayo ukuba ingaveli, ngoko ke ixhoba aliyi kuqaphela nantoni na engaqhelekanga. Nangona kunjalo, ukuba uvula iWindows Task Manager, uya kubona inkqubo yePowerShell yangasemva engayi kubangela nayiphi na ialam kubantu abaninzi. Kuba iyiPowerShell eqhelekileyo, akunjalo?
Ngoku xa uqhuba i-Evil.doc, inkqubo efihlakeleyo yangasemva iya kuqhagamshela kwiseva eqhuba i-PowerShell Empire. Ndifake umnqwazi wam omhlophe wepentester hacker, ndabuyela kwi-PowerShell Empire console kwaye ngoku ndibona umyalezo wokuba iarhente yam ekude iyasebenza.
Ndaye ndafaka umyalelo othi "interact" ukuvula iqokobhe kwi-PSE - kwaye ndikhona! Ngamafutshane, ndiqhekeze iseva yeTaco endizibeke yona kanye.
Le nto ndisandula ukuyibonisa ayifuni umsebenzi omninzi kwicala lakho. Unokwenza konke oku ngokulula ngexesha lakho lesidlo sasemini kwiyure enye okanye ezimbini ukuphucula ulwazi lwakho lokhuseleko lolwazi. Ikwayindlela entle yokuqonda indlela abahlaseli abadlula ngayo iperimeter yakho yokhuseleko lwangaphandle kwaye bangene ngaphakathi kwiinkqubo zakho.
Abaphathi be-IT abacinga ukuba bakhe ukhuselo olungenakungeneka kulo nakuphi na ukungenelela baya kukufumana kufundisa - oko kukuthi, ukuba unokubaqinisekisa ukuba bahlale nawe ixesha elide ngokwaneleyo.
Masibuyele kwinyani
Njengoko bendilindele, i-hack yokwenyani, engabonakaliyo kumsebenzisi oqhelekileyo, yinto nje eyahlukileyo yento endisandula ukuyichaza. Ukuqokelela imathiriyeli yopapasho olulandelayo, ndaqala ukukhangela isampuli kwi-HA esebenza ngendlela efanayo nomzekelo wam oyiliweyo. Kwaye akufuneki ndiyijonge ixesha elide-zininzi iinketho zendlela yokuhlasela efanayo kwindawo.
I-malware endiyifumene ekugqibeleni kwi-HA yayisiskripthi se-VBA esasifakwe kuxwebhu lweLizwi. Oko kukuthi, akufuneki nokuba ndifake inkohliso ulwandiso lwe-doc, le malware ngokwenene luxwebhu olujongeka njengesiqhelo lweMicrosoft Word. Ukuba unomdla, ndakhetha le sampuli ebizwa .
Ndiye ndafunda ngokukhawuleza ukuba amaxesha amaninzi awukwazi ukutsala ngokuthe ngqo izikripthi ze-VBA ezinobungozi kuxwebhu. IiHacker ziyabacinezela kwaye bazifihle ukuze zingabonakali kwi-Word's macros eyakhelwe-ngaphakathi izixhobo. Uya kufuna isixhobo esikhethekileyo sokusisusa. Ngethamsanqa ndadibana nescanner UFrank Baldwin. Enkosi, Frank.
Ndisebenzisa esi sixhobo, ndiye ndakwazi ukukhupha ikhowudi ye-VBA ene-obfuscated kakhulu. Yayijongeka ngolu hlobo:
I-obfuscation yenziwa ziingcali kwicandelo labo. Ndachukumiseka!
Abahlaseli balungile ngokwenene kwikhowudi yokufihla, hayi njengemizamo yam yokudala i-Evil.doc. Kulungile, kwinxalenye elandelayo siya kukhupha i-VBA debuggers yethu, singene kancinci kule khowudi kwaye sithelekise uhlalutyo lwethu kunye neziphumo ze-HA.
umthombo: www.habr.com