Siqhubeka nochungechunge lwethu lwamanqaku anikezelwe kuhlalutyo lwe-malware. IN Inxalenye, sixelele indlela u-Ilya Pomerantsev, ingcali yohlalutyo lwe-malware kwi-CERT Group-IB, enze uhlalutyo oluneenkcukacha lwefayile efunyenwe ngeposi evela kwenye yeenkampani zaseYurophu kwaye yafumanisa ispyware apho. UmmeliTesla. Kule nqaku, u-Ilya unikezela ngeziphumo zohlalutyo lwamanyathelo ngamanyathelo kwimodyuli ephambili UmmeliTesla.
I-Agent Tesla yi-software yokuhlola imodyuli esasazwa kusetyenziswa imodeli ye-malware-njenge-inkonzo phantsi kwemveliso ye-keylogger esemthethweni. I-Agent Tesla iyakwazi ukukhupha kunye nokudlulisa iziqinisekiso zomsebenzisi kwiiphequluli, abathengi be-imeyile kunye nabathengi be-FTP kumncedisi kubahlaseli, ukurekhoda idatha yebhodi eqhotyoshwayo, kunye nokubamba isikrini sesixhobo. Ngexesha lokuhlalutya, iwebhusayithi esemthethweni yabaphuhlisi yayingekho.
Ifayile yoqwalaselo
Itheyibhile engezantsi idwelisa ukuba yeyiphi imisebenzi esebenzayo kwisampulu oyisebenzisayo:
| inkcazelo | Nentsingiselo |
| KeyLogger ukusetyenziswa iflegi | oyinyaniso |
| Iflegi yokusetyenziswa kweScreenLogger | amanga |
| Ilog yokuthumela i-KeyLogger kwimizuzu | 20 |
| Ilog yeScreenLogger ithumela isithuba kwimizuzu | 20 |
| Iflegi yokuphatha iqhosha le-backspace. Bubuxoki β ukugawulwa kwemithi kuphela. Yinyani - icima iqhosha langaphambili | amanga |
| Uhlobo lwe-CNC. Ukhetho: smtp, webpanel, ftp | SMTP |
| Umsonto wokuvula iflegi yokuphelisa iinkqubo kuluhlu β% filter_list%β | amanga |
| UAC icima iflegi | amanga |
| Umphathi womsebenzi khubaza iflegi | amanga |
| CMD khubaza iflegi | amanga |
| Yenza iflegi ingasebenzi | amanga |
| IRegistry Viewer Khubaza iflegi | amanga |
| Khubaza isixokelelwano sokubuyisela iflegi yamanqaku | oyinyaniso |
| Iphaneli yokulawula ivala iflegi | amanga |
| I-MSCONFIG icima iflegi | amanga |
| Faka ifulegi ukuvala imenyu yomxholo kwi-Explorer | amanga |
| I-Pin iflegi | amanga |
| Indlela yokukhuphela imodyuli engundoqo xa uyicinezela kwisixokelelwano | % qalisa isiqulathi seefayili% %infolder%%inname% |
| Iflegi yokucwangcisa i "System" kunye "Efihliweyo" iimpawu zemodyuli engundoqo eyabelwe inkqubo | amanga |
| Faka ifulegi ukwenza uqalo ngokutsha xa ucinezelwe kwisixokelelwano | amanga |
| Yenza ifulegi lokusa imodyuli engundoqo kwisilawulo sexeshana | amanga |
| iflegi yokudlula ye-UAC | amanga |
| Umhla kunye nefomathi yexesha lokungena | yyyy-MM-dd HH:mm:ss |
| Iflegi yokusebenzisa isihluzo senkqubo ye-KeyLogger | oyinyaniso |
| Uhlobo lohluzo lwenkqubo. I-1 - igama leprogram likhangelwe kwizihloko zefestile 2 β igama lenkqubo likhangelwa kwigama lenkqubo yefestile |
1 |
| Isihluzi senkqubo | "facebook" "twitter" "gmail" "instagram" "imuvi" "skype" "amanyala" "Hack" "whatsapp" "ingxabano" |
Ukuqhoboshela imodyuli engundoqo kwisixokelelwano
Ukuba iflegi ehambelanayo iseti, imodyuli engundoqo ikhutshelwa kwindlela echazwe kuqwalaselo njengendlela eya kwabelwa inkqubo.
Ngokuxhomekeke kwixabiso elivela kwi-config, ifayile inikwe iimpawu "ezifihliweyo" kunye ne "System".
I-Autorun ibonelelwa ngamasebe amabini obhaliso:
- HKCU SoftwareMicrosoftWindowsCurrentVersionRun%insregname%
- HKCUSOFTWAREMicrosoftWindowsCurrentVersionExplorerStartupApprovedRun %insregname%
Ekubeni i-bootloader ingena kwinkqubo I-RegAsm, ukuseta iflegi eqhubekayo yemodyuli engundoqo ikhokelela kwiziphumo ezinomdla kakhulu. Esikhundleni sokuzikopa, i-malware incamathele ifayile yoqobo kwinkqubo RegAsm.exe, ngexesha apho inaliti yenziwa.
Ukusebenzisana neC&C
Kungakhathaliseki ukuba yeyiphi indlela esetyenzisiweyo, unxibelelwano lwenethiwekhi luqala ngokufumana i-IP yangaphandle yexhoba usebenzisa isibonelelo [.]amazonaws[.]com/.
Oku kulandelayo kuchaza iindlela zokusebenzisana zenethiwekhi ezinikezelwe kwisoftware.
iphaneli yewebhu
Unxibelelwano lwenzeka nge-HTTP protocol. I-malware yenza isicelo se-POST ngezi zihloko zilandelayo:
- Ummeli woMsebenzisi: Mozilla/5.0 (IWindows U Windows NT 6.1 ru rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
- Uqhagamshelwano: Gcina-Uphila
- Isiqulatho-Udidi: isicelo/x-www-form-urlencoded
Idilesi yomncedisi ixelwa lixabiso %PostURL%. Umyalezo ofihliweyo uthunyelwa kwiparameter Β«PΒ». Indlela yoguqulelo oluntsonkothileyo ichazwe kwicandelo "I-encryption algorithms" (Indlela yesi-2).
Umyalezo ogqithisiweyo ujongeka ngolu hlobo:
type={0}nhwid={1}ntime={2}npcname={3}nlogdata={4}nscreen={5}nipadd={6}nwebcam_link={7}nclient={8}nlink={9}nusername={10}npassword={11}nscreen_link={12}
IParamu uhlobo ibonisa uhlobo lomyalezo:
hwid -I-MD5 hash irekhodwa kumaxabiso enombolo yeserial yebhodi yomama kunye ne-ID yeprosesa. Eyona nto inokusetyenziswa njenge-ID yoMsebenzisi.
ixesha β isebenza ukuhambisa ixesha langoku kunye nomhla.
pcname - ichazwe njenge /.
logdata -log data.
Xa uthumela amagama ayimfihlo, umyalezo ujongeka ngolu hlobo:
type={0}nhwid={1}ntime={2}npcname={3}nlogdata={4}nscreen={5}nipadd={6}nwebcam_link={7}nscreen_link={8}n[passwords]
Oku kulandelayo ziinkcazo zedatha ebiweyo kwifomathi nclient[]={0}nlink[]={1}username[]={2}npassword[]={3}.
SMTP
Unxibelelwano lwenzeka ngeprotocol ye-SMTP. Ileta ethunyelweyo ikwifomathi ye-HTML. Ipharamitha UMZIMBA inefomu:
Iheda yeleta inefomu ngokubanzi: / . Imixholo yeleta, kunye nezihlomelo zayo, azibhalwanga ngokuntsonkotha.
Unxibelelwano lwenzeka nge-FTP protocol. Ifayile enegama ikhutshelwa kwiseva ekhankanyiweyo _-_.html. Imixholo yefayile ayiguqulelwanga ngokuntsonkotha.
Uguqulelo oluntsonkothileyo
Le meko isebenzisa iindlela ezintsonkothileyo zilandelayo:
Indlela ye-1
Le ndlela isetyenziselwa ukufihla imitya kumnqongo oyintloko. I-algorithm esetyenziselwa uguqulelo oluntsonkothileyo ngu AES.
Igalelo linani lokugqibela elinamanani amathandathu. Olu tshintsho lulandelayo lwenziwa kuyo:
f(x) = (((x >> 2 - 31059) ^ 6380) - 1363) >> 3
Ixabiso lesiphumo sisalathiso sedata elungisiweyo.
Isiqalelo ngasinye silandelelana DWORD. Xa kudityaniswa DWORD uluhlu lwee-bytes lufunyenwe: i-bytes yokuqala ye-32 yi-encryption key, ilandelwa yi-16 bytes ye-vector yokuqalisa, kunye ne-bytes eseleyo yidatha efihliweyo.
Indlela ye-2
I-algorithm esetyenziswayo 3DES kwimo ECB kunye neebhayithi ezipheleleyo (I-PKCS7).
Isitshixo sichazwe yiparameter %urlkey%, nangona kunjalo, i-encryption isebenzisa i-MD5 hash yayo.
Ukusebenza okungalunganga
Isampulu ephantsi kophononongo isebenzisa ezi nkqubo zilandelayo ukuphumeza umsebenzi wayo okhohlakeleyo:
Isitshixo
Ukuba kukho iflegi ehambelanayo ye-malware usebenzisa umsebenzi weWinAPI Seta iWindowsHookEx yabela isibambi sayo seziganeko zokucinezela isitshixo kwibhodi yezitshixo. Umsebenzi womphathi uqala ngokufumana isihloko sefestile esebenzayo.
Ukuba iflegi yokucoca isicelo isetiwe, ukuhluza kwenziwa ngokuxhomekeke kuhlobo olukhankanyiweyo:
- Igama lenkqubo likhangelwe kwizihloko zefestile
- Igama lenkqubo lijongwa kwigama lenkqubo yefestile
Okulandelayo, irekhodi yongezwa kwilogi ngolwazi malunga nefestile esebenzayo kwifomathi:
Emva koko ulwazi malunga neqhosha elicinezelweyo liyarekhodwa:
| Isitshixo | Ukurekhoda |
| Backspace | Kuxhomekeke kwisitshixo sokusetyenzwa kweflegi: Bubuxoki β {BUYELA} Yinyani - icima iqhosha langaphambili |
| I-CAPS LOCK | {I-CAPS LOCK} |
| I-ESC | {I-ESC} |
| Iphepha | {PageUp} |
| phantsi | β |
| SUSA | {DEL} |
| " | " |
| F5 | {F5} |
| & | & |
| F10 | {F10} |
| TAB | {TAB} |
| < | < |
| > | > |
| Isithuba | |
| F8 | {F8} |
| F12 | {F12} |
| F9 | {F9} |
| ALT + TAB | {ALT+TAB} |
| ISIPHELO | {ISIPHELO} |
| F4 | {F4} |
| F2 | {F2} |
| CTRL | {CTRL} |
| F6 | {F6} |
| Kunene | β |
| Up | β |
| F1 | {F1} |
| ekhohlo | β |
| Tyhilela ezantsi | {Tyhilela ezantsi} |
| Faka | {Faka} |
| Win | {Phumelela} |
| Inani | {Inum lock} |
| F11 | {F11} |
| F3 | {F3} |
| EKHAYA | {IKHAYA} |
| NGENA | {ENTER} |
| ALT + F4 | {ALT+F4} |
| F7 | {F7} |
| Esinye isitshixo | Uphawu lukwimeko ephezulu okanye esezantsi ngokuxhomekeke kwindawo yeCapsLock kunye nezitshixo zeShift |
Ngexesha elichaziweyo, ilog eqokelelweyo ithunyelwa kumncedisi. Ukuba ugqithiso aluphumelelanga, ilogi igcinwa kwifayile %TEMP%log.tmp ngefomathi:
Xa isibali-xesha sivutha, ifayile iya kudluliselwa kumncedisi.
ScreenLogger
Ngexesha elichaziweyo, i-malware yenza umfanekiso weskrini kwifomathi Jpeg ngentsingiselo uphawu ilingana no 50 kwaye uyigcina kwifayile %APPDATA %.jpg. Emva kokudluliselwa, ifayile iyacinywa.
I-ClipboardLogger
Ukuba iflegi efanelekileyo iseti, utshintsho lwenziwa kwisicatshulwa esicatshulweyo ngokwetheyibhile engezantsi.
Emva koku, okubhaliweyo kufakwe kwilog:
I-PasswordStealer
I-malware inokukhuphela amagama ayimfihlo kwezi nkqubo zilandelayo:
| Abakhangeli | Abaxhasi bemeyile | FTP abathengi |
| chrome | imbonakalo | FileZilla |
| Firefox | Thunderbird | I-WS_FTP |
| IE/Edge | Foxmail | WinSCP |
| safari | Imeyile yeOpera | CoreFTP |
| Isikhangeli seOpera | IncrediMail | FTP Navigator |
| Yandex | Pocomil | IFlashFXP |
| Comodo | Eudora | SmartFTP |
| ChromePlus | TheBat | FTPCommander |
| Chromium | Ibhokisi yeposi | |
| Ikhuni | ClawsMail | |
| 7Star | ||
| Mhlobo | ||
| I-BraveSoftware | Abathengi beJabber | Abaxhasi beVPN |
| Isikhangeli Esiphakathi | Psi/Psi+ | Vula iVPN |
| Chedot | ||
| CocCoc | ||
| Elements Isikhangeli | Khuphela Abaphathi | |
| Umkhangeli wabucala we-Epic | Umphathi wokuLawula iInternet | |
| I-comet | I-JDownloader | |
| I-Orbitum | ||
| Sputnik | ||
| uCozMedia | ||
| Vivaldi | ||
| SeaMonkey | ||
| Isikhangeli somhlambi | ||
| Isiphequluli se-UC | ||
| BlackHawk | ||
| CyberFox | ||
| UK-Meleon | ||
| Ikati yomkhenkce | ||
| I-IceDragon | ||
| PaleMoon | ||
| I-WaterFox | ||
| Isikhangeli seFalkon |
Ukuchasana nohlalutyo oluguqukayo
- Ukusebenzisa umsebenzi ukulala. Ikuvumela ukuba ugqithe ezinye iibhokisi zesanti ngexesha lokuphuma
- Ukutshabalalisa umsonto Indawo. Ikuvumela ukuba ufihle inyani yokukhuphela ifayile kwi-Intanethi
- Kwiparameter % filter_list% ixela uluhlu lweenkqubo eziya kuthi zipheliswe yi-malware ngezithuba zomzuzwana omnye
- Khubaza UAC
- Ikhubaza umphathi womsebenzi
- Khubaza CMD
- Ivala ifestile "Baleka"
- Ikhubaza iPhaneli yoLawulo
- Ukuvala isixhobo Hlawula kwakhona
- Ukukhubaza amanqaku okubuyisela inkqubo
- Khubaza imenyu yomxholo kwi-Explorer
- Khubaza MSCONFIG
- Ukugqitha Athletic:
Iimpawu ezingasebenziyo zemodyuli ephambili
Ngethuba lokuhlalutya imodyuli ephambili, imisebenzi yachongwa eyayijongene nokusabalalisa kwinethiwekhi kunye nokulandelela indawo yemouse.
Isibilini
Iziganeko zokudibanisa imidiya esusekayo ibekwe esweni kumsonto owahlukileyo. Xa uqhagamshelwe, i-malware enegama ikhutshelwa kwingcambu yenkqubo yefayile scr.exe, emva koko ikhangela iifayile ezinolwandiso njl. Iqela lomntu wonke njl utshintsho kwi cmd.exe /c qala scr.exe&qalisa & uphume.
Uvimba weefayili ngamnye kwingcambu yemidiya unikwe uphawu "Ifihliwe" kwaye ifayile yenziwe kunye nolwandiso njl kunye negama lolawulo olufihliweyo kunye nomyalelo cmd.exe /c qala scr.exe&explorer /ingcambu,"%CD%" & phuma.
IMouseTracker
Indlela yokwenza i-interception iyafana naleyo isetyenziselwa ikhibhodi. Lo msebenzi usephantsi kophuhliso.
Umsebenzi wefayile
| Indlela | inkcazelo |
| %Temp%temp.tmp | Iqulethe ikhawuntara yeenzame ze-UAC zokudlula |
| I-%startupfolder%%infolder%%inname% | Indlela eya kwabelwa inkqubo ye-HPE |
| %Temp%tmpG{Ixesha langoku kwii-milliseconds}.tmp | Indlela yogcino lwemodyuli engundoqo |
| I-%Temp%log.tmp | Ifayile yelog |
| %AppData%{Ulandelelwano olungenamkhethe loonobumba abali-10}.jpeg | Izikrini |
| C:UsersPublic{Ulandelelwano olungenamkhethe loonobumba abali-10}.vbs | Indlela eya kwifayile ye-vbs enokuthi isetyenziswe ngumlayishi wekhompyutha ukuncamathela kwisixokelelwano |
| %Temp%{Igama lesiqulathi seefayili esilungiselelweyo}{Igama lefayile} | Umendo osetyenziswa sisilayishi sekhompyutha ukuzincamathela kwisixokelelwano |
Iprofayile yomhlaseli
Ndiyabulela kwi-hardcode yokuqinisekisa idatha, sakwazi ukufumana ukufikelela kwiziko lomyalelo.
Oku kusivumele ukuba sichonge i-imeyile yokugqibela yabahlaseli:
junaid[.]in***@gmail[.]com.
Igama lesizinda seziko lomyalelo libhaliswe kwi-imeyile sg***@gmail[.]com.
isiphelo
Ngexesha lohlalutyo olucacileyo lwe-malware esetyenzisiweyo kuhlaselo, siye sakwazi ukuseka ukusebenza kwayo kwaye safumana olona luhlu lupheleleyo lwezalathisi zokulalanisa ezihambelana neli tyala. Ukuqonda iindlela zokusebenzisana kwenethiwekhi phakathi kwe-malware kwenza kube lula ukunika iingcebiso zokulungelelanisa ukusebenza kwezixhobo zokhuseleko lolwazi, kunye nokubhala imithetho ezinzileyo ye-IDS.
Ingozi ephambili UmmeliTesla njengeDataStealer ekubeni ayifuni ukuzibophelela kwinkqubo okanye ulinde umyalelo wolawulo ukwenza imisebenzi yayo. Kanye kumatshini, iqala kwangoko ukuqokelela ulwazi lwabucala kwaye idlulisele kwi-CnC. Oku kuziphatha ndlongondlongo kuyafana nokuziphatha kwe-ransomware, kwaye umahluko kuphela kukuba le yokugqibela ayifuni kwaunxibelelwano lwenethiwekhi. Ukuba udibana nolu sapho, emva kokucoca inkqubo esulelekileyo kwi-malware ngokwayo, kuya kufuneka utshintshe ngokuqinisekileyo zonke iipassword ezinokuthi, okungenani ngokwethiyori, zigcinwe kwenye yezicelo ezidweliswe ngasentla.
Ukujonga phambili, masithi abahlaseli bayathumela UmmeliTesla, umlayishi wokuqala wesiqalo utshintshwa rhoqo. Oku kukuvumela ukuba uhlale ungaqatshelwanga ziskena ezimile kunye nabahlalutyi be-heuristic ngexesha lokuhlaselwa. Kwaye ukuthambekela kolu sapho ukuqala ngokukhawuleza imisebenzi yabo kwenza ukuba abahloli benkqubo bangabi namsebenzi. Indlela efanelekileyo yokulwa ne-AgentTesla kuhlalutyo lokuqala kwibhokisi yesanti.
Kwinqaku lesithathu lolu chungechunge siza kujonga ezinye ii-bootloaders ezisetyenzisiweyo UmmeliTesla, kwaye bafunde nenkqubo yokukhutshwa kwe-semi-automatic. Ungaphosi!
Hash
| SHA1 |
| A8C2765B3D655BA23886D663D22BDD8EF6E8E894 |
| 8010CC2AF398F9F951555F7D481CE13DF60BBECF |
| 79B445DE923C92BF378B19D12A309C0E9C5851BF |
| 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
I-C & C.
| URL |
| sina-c0m[.]icu |
| smtp[.]sina-c0m[.]icu |
RegKey
| Registry |
| HKCUSoftwareMicrosoftWindowsCurrentVersionRun{Igama leSibhalo} |
| HKCUSoftwareMicrosoftWindowsCurrentVersionRun%inregname% |
| HKCUSOFTWAREMicrosoftWindowsCurrentVersionExplorerStartupApprovedRun%insregname% |
I-Mutex
Akukho zalathi.
iifayile
| Umsebenzi wefayile |
| %Temp%temp.tmp |
| I-%startupfolder%%infolder%%inname% |
| %Temp%tmpG{Ixesha langoku kwii-milliseconds}.tmp |
| I-%Temp%log.tmp |
| %AppData%{Ulandelelwano olungenamkhethe loonobumba abali-10}.jpeg |
| C:UsersPublic{Ulandelelwano olungenamkhethe loonobumba abali-10}.vbs |
| %Temp%{Igama lesiqulathi seefayili esilungiselelweyo}{Igama lefayile} |
Ulwazi lweisampulu
| igama | unknown |
| MD5 | F7722DD8660B261EA13B710062B59C43 |
| SHA1 | 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| SHA256 | 41DC0D5459F25E2FDCF8797948A7B315D3CB0753 98D808D1772CACCC726AF6E9 |
| uhlobo | I-PE (.NET) |
| ubungakanani | 327680 |
| Igama lokuqala | AZZRIDKGGSLTYFUUBCCRRCUMRKTOXFVPDKGAGPUZI_20190701133545943.exe |
| Isitampu somhla | 01.07.2019 |
| Umhlanganisi | I-VB.NET |
| igama | IELibrary.dll |
| MD5 | BFB160A89F4A607A60464631ED3ED9FD |
| SHA1 | 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
| SHA256 | D55800A825792F55999ABDAD199DFA54F3184417 215A298910F2C12CD9CC31EE |
| uhlobo | I-PE (.NET DLL) |
| ubungakanani | 16896 |
| Igama lokuqala | IELibrary.dll |
| Isitampu somhla | 11.10.2016 |
| Umhlanganisi | I-Microsoft Linker(48.0*) |
umthombo: www.habr.com