Recently, a European manufacturer of electrical installation equipment contacted Group-IB: one of its employees had received a suspicious e-mail with a malicious attachment. Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, performed a detailed analysis of the file, identified the AgentTesla spyware inside it, and explains what to expect from such malware and how dangerous it is.
With this post we open a series of articles on how to analyse potentially dangerous files of this kind, and we invite the most curious readers to a free interactive webinar on December 5 on the topic "Malware analysis: analysis of real cases". All the details are under the cut.
Distribution method
We know that the malware reached the victim's machine via a phishing e-mail. The recipient of the message was most likely BCCed.
Header analysis shows that the sender of the message was spoofed. The message actually passed through vps56[.]oneworldhosting[.]com.
The e-mail attachment contains a WinRAR archive, qoute_jpeg56a.r15, with the malicious executable QUUTE_JPEG56A.exe inside.
Malware ecosystem
Now let's look at what the ecosystem of the malware under study looks like. The diagram below shows its structure and the directions of interaction between the components.
Next we examine each component of the malware in more detail.
Loader
The original file QUUTE_JPEG56A.exe is a compiled AutoIt v3 script.
To hide the original script, an obfuscator with characteristics similar to PELock AutoIT-Obfuscator was used.
Deobfuscation is carried out in three stages:
- Removing the For-If obfuscation
  The first step is to restore the control flow of the script. Control flow flattening is one of the common ways of protecting application code from analysis. Such confusing transformations significantly increase the effort needed to extract and recognise the algorithms and data structures.
- Restoring strings
  Two functions are used to hide strings:
  - gdorizabegkvfca performs Base64-like decoding
  - xgacyukcyzxz performs a simple byte-by-byte XOR of the first string with the length of the second
- Removing the BinaryToString and Execute obfuscation
  The main payload is stored split into pieces in the file's resource directory.
  The concatenation order is as follows: TIEQHCXWFG, EMI, SPDGUHIMPV, KQJMWQQAQTKTFXTUOSW, AOCHKRWWSKWO, JSHMSJPS, NHHWXJBMTTSPXVN, BFUTIFWWXVE, HWJHO, AVZOUMVFRDWFLWU.
  The extracted data is decrypted with the WinAPI function CryptDecrypt; the key is a session key derived from the value fZgFiZlJDxvuWatFRgRXZqmNCIyQgMYc.
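The string-restoration and payload-reassembly stages above, reproduced as an added Python example (this is not code from the Group-IB analysis or from the sample). Stage 1, control-flow recovery, is a script-rewriting pass and is not reproduced. The page does not give the Base64 alphabet of gdorizabegkvfca, the exact XOR key width of xgacyukcyzxz, or the algorithm behind the CryptDecrypt session key; the example therefore assumes a custom Base64 alphabet (ALT_B64, made up), a single-byte XOR key equal to the second string's length, and AutoIt's usual _Crypt_* defaults (CryptDeriveKey over an MD5 hash of the seed, used as a 128-bit RC4 key). The resource names, their order and the key seed are quoted from the analysis; the payload bytes and chunks are constructed test data.

```python
"""Added example: loader deobfuscation stages 2 and 3 in Python.

Not code from the Group-IB analysis. Assumptions (not stated on the page):
  * gdorizabegkvfca is Base64 with a custom alphabet (ALT_B64 below is made up);
  * xgacyukcyzxz XORs every byte of the first string with len(second) & 0xFF;
  * the CryptDecrypt session key follows AutoIt's _Crypt_* defaults:
    CryptDeriveKey over MD5(seed), used as a 128-bit RC4 key.
"""
import base64
import hashlib
import string

STD_B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
ALT_B64 = STD_B64[13:] + STD_B64[:13]   # hypothetical custom alphabet

# Resource names and join order quoted from the analysis
RESOURCE_ORDER = ["TIEQHCXWFG", "EMI", "SPDGUHIMPV", "KQJMWQQAQTKTFXTUOSW",
                  "AOCHKRWWSKWO", "JSHMSJPS", "NHHWXJBMTTSPXVN", "BFUTIFWWXVE",
                  "HWJHO", "AVZOUMVFRDWFLWU"]
KEY_SEED = "fZgFiZlJDxvuWatFRgRXZqmNCIyQgMYc"   # quoted from the analysis


def custom_b64decode(encoded: str, alphabet: str = ALT_B64) -> bytes:
    """Stage 2a: decode Base64 written with a non-standard alphabet."""
    if len(set(alphabet)) != 64:
        raise ValueError("alphabet must have 64 distinct characters")
    return base64.b64decode(encoded.translate(str.maketrans(alphabet, STD_B64)))


def custom_b64encode(raw: bytes, alphabet: str = ALT_B64) -> str:
    """Inverse of custom_b64decode; only used to build test data."""
    return base64.b64encode(raw).decode("ascii").translate(str.maketrans(STD_B64, alphabet))


def xor_with_length(first: str, second: str) -> str:
    """Stage 2b: XOR each byte of `first` with len(second) (single-byte key, assumed)."""
    key = len(second) & 0xFF
    return bytes(b ^ key for b in first.encode("latin-1")).decode("latin-1")


def reassemble(resources: dict, order=RESOURCE_ORDER) -> bytes:
    """Stage 3a: concatenate the resource chunks in the documented order."""
    missing = [n for n in order if n not in resources]
    if missing:
        raise KeyError(f"resources missing: {missing}")
    return b"".join(resources[n] for n in order)


def derive_key(seed: str) -> bytes:
    """Assumed CryptDeriveKey(CALG_RC4) over an MD5 hash: MD5(seed) is the 128-bit key."""
    return hashlib.md5(seed.encode("latin-1")).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (symmetric); used here as the assumed CryptDecrypt algorithm."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_payload(resources: dict, seed: str = KEY_SEED) -> bytes:
    """Stage 3b: reassemble and decrypt; returns the embedded PE handed to RunPE."""
    return rc4(derive_key(seed), reassemble(resources))


# Constructed fixture, not real sample data
CONSTRUCTED_PAYLOAD = b"MZ" + bytes(range(256)) * 4


def build_constructed_sample() -> dict:
    """Encrypt CONSTRUCTED_PAYLOAD and split it over the ten resource names."""
    enc = rc4(derive_key(KEY_SEED), CONSTRUCTED_PAYLOAD)
    size = -(-len(enc) // len(RESOURCE_ORDER))
    chunks = {n: enc[i * size:(i + 1) * size] for i, n in enumerate(RESOURCE_ORDER)}
    return dict(reversed(list(chunks.items())))   # storage order differs from join order


if __name__ == "__main__":
    pe = decrypt_payload(build_constructed_sample())
    print(pe[:2], len(pe))
```

If the real sample uses a different cipher or hash in CryptDeriveKey, only derive_key and rc4 need swapping; the reassembly order and the string decoders are independent of that choice.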
The decrypted executable is passed to the RunPE function, which injects it into RegAsm.exe using the built-in ShellCode (also known as RunShellCode). Its authorship belongs to a user of the Spanish forum indetectables[.]net under the nickname Wardow.
It is worth noting that one of the threads of this forum discussed an obfuscator for AutoIt with the same characteristics as those identified during the analysis of the sample.
The ShellCode itself is fairly simple and is notable only for its API call hashing function, borrowed from the Anunak/Carbanak hacker group.
We also know of cases where various versions of Frenchy Shellcode were used.
In addition to the functionality described, we also identified inactive functions:
- Blocking manual termination of the process from Task Manager
- Restarting the child process when it terminates
- UAC bypass
- Saving the payload to a file
- Displaying modal windows
- Waiting for the mouse cursor position to change
- AntiVM and AntiSandbox
- Self-destruction
- Downloading the payload from the network
We know that such functionality is typical of the CypherIT protector, which is apparently the loader under study.
Main module
Next we briefly describe the main module of the malware; it will be examined in detail in the second article. In this case it is a .NET application.
During the analysis we found that the ConfuserEX obfuscator was used.
IELibrary.dll
The library is stored as a resource of the main module and is a well-known plugin for AgentTesla that provides functionality for extracting various information from the Internet Explorer and Edge browsers.
Agent Tesla is modular spyware distributed under a malware-as-a-service model under the guise of a legitimate keylogger product. Agent Tesla can extract user credentials from browsers, e-mail clients and FTP clients and send them to the attackers' server, record clipboard data and capture the device screen. At the time of analysis the developers' official website was unavailable.
The entry point is the GetSavedPasswords function of the InternetExplorer class.
In general, code execution is linear and contains no protection against analysis. Only the unimplemented function GetSavedCookies deserves attention: apparently the plugin's functionality was meant to be extended, but this was never done.
Loader persistence in the system
Let's look at how the loader persists in the system. The sample under study does not persist, but in similar incidents it happens according to the following scheme:
- A Visual Basic script is created in the folder C:\Users\Public
  Script example (not reproduced here):
- The contents of the loader file are padded with a null character and saved in the folder %Temp%\<Filename>
- An autorun key for the script file is created in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
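A triage routine for this persistence chain, as an added Python example (not code from the Group-IB analysis). Its two heuristics are the author's own: a Run value that launches a .vbs file from C:\Users\Public is flagged, and a PE in %Temp% counts as null-padded when its file size exceeds the end of its last section and the extra tail is all zero bytes. Stripping only zero bytes past the section end matters for this case: compiled AutoIt executables keep the script in the overlay, so blindly truncating at the section table would destroy the evidence. The registry entries and the PE skeleton below are constructed test data; on a live host the Run values would be read with winreg and the file from the %Temp% path recorded in the script.

```python
"""Added example: triage for the VBS + null-padded-loader + Run-key persistence chain.

Not code from the Group-IB analysis. The heuristics are assumptions:
  * a Run value launching a .vbs from C:\\Users\\Public is suspicious;
  * a PE whose size exceeds its last section and whose tail is all zero bytes
    has been null-padded; trailing bytes are stripped only while they are zero,
    so a non-null overlay (e.g. a compiled AutoIt script) is preserved.
"""
import struct


def flag_run_entries(entries: dict) -> list:
    """Return names of HKCU\\...\\Run values matching the VBS-in-Public pattern."""
    flagged = []
    for name, command in entries.items():
        cmd = command.lower().replace("/", "\\")
        if ".vbs" in cmd and "\\users\\public\\" in cmd:
            flagged.append(name)
    return flagged


def section_end(data: bytes) -> int:
    """Offset just past the last file byte claimed by any section header."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    end = table + 40 * num_sections
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def strip_null_padding(data: bytes) -> bytes:
    """Drop trailing zero bytes beyond the section data; keep non-null overlays."""
    end = max(section_end(data), len(data.rstrip(b"\0")))
    return data[:min(end, len(data))]


def is_null_padded(data: bytes, min_padding: int = 1024) -> bool:
    """True when at least min_padding zero bytes hang off the end of the PE."""
    return len(data) - len(strip_null_padding(data)) >= min_padding


def build_constructed_pe() -> bytes:
    """Minimal 32-bit PE skeleton with one section; constructed data, not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x200, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)      # raw size/ptr = 0x200
    headers = (bytes(dos) + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    body = b"\xCC" * 0x100 + b"\0" * 0x100                       # section ends in zeros on purpose
    return headers + body


if __name__ == "__main__":
    entries = {  # constructed registry values
        "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "update": r'wscript.exe "C:\Users\Public\update.vbs"',
    }
    print(flag_run_entries(entries))
    padded = build_constructed_pe() + b"\0" * 4096
    print(is_null_padded(padded), len(strip_null_padding(padded)))
```

Hashing the output of strip_null_padding rather than the padded file is what lets the %Temp% copy be matched against the SHA256 values in the indicator table, since padding changes every hash of the file but not of its PE content.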
So, based on the results of the first part of the analysis, we established the family names of all components of the malware under study, analysed the infection pattern and obtained objects for writing signatures. We will continue the analysis of this object in the next article, which will look at the main AgentTesla module in more detail. Don't miss it!
By the way, on December 5 we invite all readers to a free interactive webinar on the topic "Malware analysis: analysis of real cases", where the author of this article, a CERT-GIB specialist, will demonstrate online the first stage of malware analysis, semi-automatic unpacking of samples, on three small real cases from practice, and you will be able to take part in the analysis. The webinar is suitable for specialists who already have experience analysing malicious files. Registration is strictly from a business e-mail address: register. We are waiting for you!
YARA rules
rule AgentTesla_clean{
meta:
author = "Group-IB"
file = "78566E3FC49C291CB117C3D955FA34B9A9F3EEFEFAE3DE3D0212432EB18D2EAD"
scoring = 5
family = "AgentTesla"
strings:
$string_format_AT = {74 00 79 00 70 00 65 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 68 00 77 00 69 00 64 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 74 00 69 00 6D 00 65 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 63 00 6E 00 61 00 6D 00 65 00 3D 00 7B 00 33 00 7D 00 0D 00 0A 00 6C 00 6F 00 67 00 64 00 61 00 74 00 61 00 3D 00 7B 00 34 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 3D 00 7B 00 35 00 7D 00 0D 00 0A 00 69 00 70 00 61 00 64 00 64 00 3D 00 7B 00 36 00 7D 00 0D 00 0A 00 77 00 65 00 62 00 63 00 61 00 6D 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 37 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 38 00 7D 00 0D 00 0A 00 5B 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 73 00 5D 00}
$web_panel_format_string = {63 00 6C 00 69 00 65 00 6E 00 74 00 5B 00 5D 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 6C 00 69 00 6E 00 6B 00 5B 00 5D 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 75 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 5B 00 5D 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 5B 00 5D 00 3D 00 7B 00 33 00 7D 00 00 15 55 00 52 00 4C 00 3A 00 20 00 20 00 20 00 20 00 20 00 20 00 00 15 55 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 3A 00 20 00 00 15 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 3A 00}
condition:
all of them
}
rule AgentTesla_obfuscated {
meta:
author = "Group-IB"
file = "41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9"
scoring = 5
family = "AgentTesla"
strings:
$first_names = {61 66 6B 00 61 66 6D 00 61 66 6F 00 61 66 76 00 61 66 79 00 61 66 78 00 61 66 77 00 61 67 6A 00 61 67 6B 00 61 67 6C 00 61 67 70 00 61 67 72 00 61 67 73 00 61 67 75 00}
$second_names = "IELibrary.resources"
condition:
all of them
}
rule AgentTesla_module_for_IE{
meta:
author = "Group-IB"
file = "D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE"
scoring = 5
family = "AgentTesla_module_for_IE"
strings:
$s0 = "ByteArrayToStructure"
$s1 = "CryptAcquireContext"
$s2 = "CryptCreateHash"
$s3 = "CryptDestroyHash"
$s4 = "CryptGetHashParam"
$s5 = "CryptHashData"
$s6 = "CryptReleaseContext"
$s7 = "DecryptIePassword"
$s8 = "DoesURLMatchWithHash"
$s9 = "GetSavedCookies"
$s10 = "GetSavedPasswords"
$s11 = "GetURLHashString"
condition:
all of them
}
rule RunPE_shellcode {
meta:
author = "Group-IB"
file = "37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918"
scoring = 5
family = "RunPE_shellcode"
strings:
$malcode = {
C7 [2-5] EE 38 83 0C // mov dword ptr [ebp-0A0h], 0C8338EEh
C7 [2-5] 57 64 E1 01 // mov dword ptr [ebp-9Ch], 1E16457h
C7 [2-5] 18 E4 CA 08 // mov dword ptr [ebp-98h], 8CAE418h
C7 [2-5] E3 CA D8 03 // mov dword ptr [ebp-94h], 3D8CAE3h
C7 [2-5] 99 B0 48 06 // mov dword ptr [ebp-90h], 648B099h
C7 [2-5] 93 BA 94 03 // mov dword ptr [ebp-8Ch], 394BA93h
C7 [2-5] E4 C7 B9 04 // mov dword ptr [ebp-88h], 4B9C7E4h
C7 [2-5] E4 87 B8 04 // mov dword ptr [ebp-84h], 4B887E4h
C7 [2-5] A9 2D D7 01 // mov dword ptr [ebp-80h], 1D72DA9h
C7 [2-5] 05 D1 3D 0B // mov dword ptr [ebp-7Ch], 0B3DD105h
C7 [2-5] 44 27 23 0F // mov dword ptr [ebp-78h], 0F232744h
C7 [2-5] E8 6F 18 0D // mov dword ptr [ebp-74h], 0D186FE8h
}
condition:
$malcode
}
rule AgentTesla_AutoIT_module{
meta:
author = "Group-IB"
file = "49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF"
scoring = 5
family = "AgentTesla"
strings:
$packedexeau = {55 ED F5 9F 92 03 04 44 7E 16 6D 1F 8C D7 38 E6 29 E4 C8 CF DA 2C C4 E1 F3 65 48 25 B8 93 9D 66 A4 AD 3C 39 50 00 B9 60 66 19 8D FC 20 0A A0 56 52 8B 9F 15 D7 62 30 0D 5C C3 24 FE F8 FC 39 08 DF 87 2A B2 1C E9 F7 06 A8 53 B2 69 C3 3C D4 5E D4 74 91 6E 9D 9A A0 96 FD DB 1F 5E 09 D7 0F 25 FB 46 4E 74 15 BB AB DB 17 EE E7 64 33 D6 79 02 E4 85 79 14 6B 59 F9 43 3C 81 68 A8 B5 32 BC E6}
condition:
all of them
}
Indicators of compromise

| Field | Value |
|---|---|
| Name | qoute_jpeg56a.r15 |
| MD5 | 53BE8F9B978062D4411F71010F49209E |
| SHA1 | A8C2765B3D655BA23886D663D22BDD8EF6E8E894 |
| SHA256 | 2641DAFB452562A0A92631C2849B8B9CE880F0F8F890E643316E9276156EDC8A |
| Type | WinRAR archive |
| Size (bytes) | 823014 |

| Field | Value |
|---|---|
| Name | QUUTE_JPEG56A.exe |
| MD5 | 329F6769CF21B660D5C3F5048CE30F17 |
| SHA1 | 8010CC2AF398F9F951555F7D481CE13DF60BBECF |
| SHA256 | 49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF |
| Type | PE (compiled AutoIt script) |
| Size (bytes) | 1327616 |
| Original name | unknown |
| Timestamp | 15.07.2019 |
| Linker | Microsoft Linker(12.0)[EXE32] |

| Field | Value |
|---|---|
| MD5 | C2743AEDDADACC012EF4A632598C00C0 |
| SHA1 | 79B445DE923C92BF378B19D12A309C0E9C5851BF |
| SHA256 | 37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918 |
| Type | Shellcode |
| Size (bytes) | 1474 |
Source: www.habr.com