Turning it inside out: exposing AgentTesla. Part 1

Recently, a European manufacturer of electrical installation equipment contacted Group-IB: one of its employees had received a suspicious e-mail with a malicious attachment. Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, carried out a detailed analysis of the file, found the AgentTesla spyware inside, and describes what to expect from such malware and how dangerous it is.

With this post we are opening a series of articles on how to analyse such potentially dangerous files, and on December 5 we invite the most curious to a free interactive webinar on the topic "Malware analysis: analysis of real cases". All the details are below the cut.

Distribution scheme

We know that the malware reached the victim's machine via phishing e-mails. The recipient of the message was probably in BCC.

Analysis of the headers shows that the sender of the message was spoofed. In fact, the message was sent from vps56[.]oneworldhosting[.]com.

The e-mail attachment is a WinRar archive, qoute_jpeg56a.r15, with a malicious executable file, QOUTE_JPEG56A.exe, inside.

Malware ecosystem

Now let's look at what the ecosystem of the malware under study looks like. The diagram below shows its structure and the directions of interaction between the components.

Now let's look at each of the malware's components in more detail.

Loader

The original file QOUTE_JPEG56A.exe is a compiled AutoIt v3 script.

An obfuscator with characteristics similar to PELock AutoIT-Obfuscator was used to obfuscate the original script.
Deobfuscation was performed in three stages:

  1. Removing For-If obfuscation

    The first step is to restore the script's control flow. Control flow flattening is one of the most common ways to protect an application's binary code from analysis. Such obfuscating transformations dramatically increase the difficulty of extracting and identifying algorithms and data structures.

  2. String recovery

    Two functions are used to hide strings:

    • gdorizabegkvfca - performs a Base64-like transformation

    • xgacyukcyzxz - a simple byte-by-byte XOR of the first string with the length of the second

  3. Removing BinaryToString and Execute obfuscation

The main payload is stored in split form in the Fonts directory of the file's resource section.

The concatenation order is as follows: TIEQHCXWFG, EMI, SPDGUHIMPV, KQJMWQQAQTKTFXTUOSW, AOCHKRWWSKWO, JSHMSJPS, NHHWXJBMTTSPXVN, BFUTIFWWXVE, HWJHO, AVZOUMVFRDWFLWU.

The WinAPI function CryptDecrypt is used to decrypt the extracted data, with the session key derived from the value fZgFiZlJDxvuWatFRgRXZqmNCIyQgMYc, which is used as the key.

The decrypted executable file is passed to the RunPE function, which performs ProcessInject into RegAsm.exe using the built-in ShellCode (also known as RunPE ShellCode). Its authorship belongs to a user of the Spanish forum intectables[.]net with the nickname Wardow.

It is also worth noting that one of the threads on this forum discussed an obfuscator for AutoIt with properties similar to those identified during analysis of the sample.

The ShellCode itself is quite simple and is notable only for its API call hashing function, borrowed from the Anunak/Carbanak hacker group.

We also know of cases where different versions of Frenchy Shellcode were used.
In addition to the functionality described, we also identified inactive functions:

  • Blocking manual process termination in Task Manager

  • Restarting the child process when it terminates

  • UAC bypass

  • Saving the payload to a file

  • Displaying modal windows

  • Waiting for the mouse cursor position to change

  • AntiVM and AntiSandbox

  • Self-destruction

  • Downloading the payload from the network

We know that such functionality is typical of the CypherIT protector, which, apparently, packs the loader in question.

Main malware module

Next, we will briefly describe the main malware module and examine it in more detail in the second article. In this case, it is a .NET application.

During analysis, we found that the ConfuserEX obfuscator was used.

IELibrary.dll

The library is stored as a resource of the main module and is a well-known plugin for Agent Tesla that provides functionality for extracting various information from the Internet Explorer and Edge browsers.

Agent Tesla is modular spyware distributed under a malware-as-a-service model under the guise of a legitimate keylogger product. Agent Tesla is capable of extracting user credentials from browsers, e-mail clients and FTP clients and sending them to the attackers' server, recording clipboard data, and capturing the device's screen. At the time of analysis, the developers' official website was unavailable.

The entry point is the GetSavedPasswords function of the InternetExplorer class.

In general, code execution is linear and contains no protection against analysis. Only the unimplemented GetSavedCookies function deserves attention. Apparently, the plugin's functionality was supposed to be extended, but this was never done.

Attaching the loader to the system

Let's examine how the loader attaches itself to the system. The sample under study does not persist, but in similar cases persistence is achieved according to the following scheme:

  1. A Visual Basic script is created in the folder C:\Users\Public

    Example script:

  2. The contents of the loader file are padded with null characters and saved to the folder %Temp%\<file name>
  3. An autorun key for the script file is created in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
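To make the scheme above actionable on the defender's side, here is an added Python triage helper; it is not part of the original article or of Group-IB's tooling. It flags Run-key entries that launch a script from C:\Users\Public (steps 1 and 3) and measures the trailing null padding of a dropped file (step 2); the Run-key values and file bytes it uses are constructed samples, and on a live host they would come from winreg and the %Temp% folder.

```python
"""Triage checks for the three-step persistence scheme described above.

Added example, not part of the original article or of Group-IB's tooling.
SAMPLE_RUN_VALUES and SAMPLE_DROPPED_FILE are constructed test data.
"""
import re
from pathlib import PureWindowsPath

# Step 1 of the scheme: the Visual Basic script is dropped under C:\Users\Public.
PUBLIC_DIR = PureWindowsPath(r"C:\Users\Public")
SCRIPT_SUFFIXES = {".vbs", ".vbe", ".wsf"}

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values as
# (value name, command line) pairs. Only the second one follows the scheme.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Update", r'wscript.exe //B "C:\Users\Public\update.vbs"'),
]
# Constructed stand-in for a loader padded with NUL bytes (step 2).
SAMPLE_DROPPED_FILE = b"MZ\x90\x00" + b"\x00" * 4096


def suspicious_run_entries(run_values):
    """Return (value name, script path) for Run entries that launch a
    Windows Script Host file located under C:\\Users\\Public (step 3)."""
    hits = []
    for name, cmd in run_values:
        # Split the command line into quoted and bare tokens.
        for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmd):
            path = PureWindowsPath(quoted or bare)
            # PureWindowsPath compares case-insensitively, like NTFS.
            if path.suffix.lower() in SCRIPT_SUFFIXES and PUBLIC_DIR in path.parents:
                hits.append((name, str(path)))
    return hits


def trailing_null_padding(data, min_run=1024):
    """Length of the trailing run of NUL bytes in a file, or 0 if it is
    shorter than min_run. Step 2 inflates the loader with NULs, so a large
    run at the end of an executable in %Temp% is worth a closer look."""
    run = len(data) - len(data.rstrip(b"\x00"))
    return run if run >= min_run else 0


if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_RUN_VALUES))
    print(trailing_null_padding(SAMPLE_DROPPED_FILE))
```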

Thus, based on the results of the first part of the analysis, we were able to establish the family names of all the malware components under study, analyse the infection pattern, and obtain objects for writing signatures. We will continue our review of this object in the next article, where we will look at the main Agent Tesla module in more detail. Don't miss it!

By the way, on December 5 we invite all readers to a free interactive webinar on the topic "Malware analysis: analysis of real cases", where the author of this article, a CERT-GIB specialist, will demonstrate online the first stage of malware analysis, semi-automatic unpacking of samples, using three real mini-cases from practice as examples, and you will be able to take part in the analysis. The webinar is suitable for specialists who already have experience in analysing malicious files. Registration is strictly from corporate e-mail: register. We look forward to seeing you!

Yara

rule AgentTesla_clean{
meta:
    author = "Group-IB"
    file = "78566E3FC49C291CB117C3D955FA34B9A9F3EEFEFAE3DE3D0212432EB18D2EAD"
    scoring = 5
    family = "AgentTesla"
strings:
    $string_format_AT = {74 00 79 00 70 00 65 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 68 00 77 00 69 00 64 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 74 00 69 00 6D 00 65 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 63 00 6E 00 61 00 6D 00 65 00 3D 00 7B 00 33 00 7D 00 0D 00 0A 00 6C 00 6F 00 67 00 64 00 61 00 74 00 61 00 3D 00 7B 00 34 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 3D 00 7B 00 35 00 7D 00 0D 00 0A 00 69 00 70 00 61 00 64 00 64 00 3D 00 7B 00 36 00 7D 00 0D 00 0A 00 77 00 65 00 62 00 63 00 61 00 6D 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 37 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 38 00 7D 00 0D 00 0A 00 5B 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 73 00 5D 00}
    $web_panel_format_string = {63 00 6C 00 69 00 65 00 6E 00 74 00 5B 00 5D 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 6C 00 69 00 6E 00 6B 00 5B 00 5D 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 75 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 5B 00 5D 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 5B 00 5D 00 3D 00 7B 00 33 00 7D 00 00 15 55 00 52 00 4C 00 3A 00 20 00 20 00 20 00 20 00 20 00 20 00 00 15 55 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 3A 00 20 00 00 15 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 3A 00}
condition:
     all of them
}

rule AgentTesla_obfuscated {
meta:
    author = "Group-IB"
    file = "41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9"
    scoring = 5
    family = "AgentTesla"
strings:
    $first_names = {61 66 6B 00 61 66 6D 00 61 66 6F 00 61 66 76 00 61 66 79 00 61 66 78 00 61 66 77 00 61 67 6A 00 61 67 6B 00 61 67 6C 00 61 67 70 00 61 67 72 00 61 67 73 00 61 67 75 00}
    $second_names = "IELibrary.resources"
condition:
     all of them
}

rule AgentTesla_module_for_IE{
meta:
    author = "Group-IB"
    file = "D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE"
    scoring = 5
    family = "AgentTesla_module_for_IE"
strings:
    $s0 = "ByteArrayToStructure" 
    $s1 = "CryptAcquireContext" 
    $s2 = "CryptCreateHash" 
    $s3 = "CryptDestroyHash" 
    $s4 = "CryptGetHashParam" 
    $s5 = "CryptHashData"
    $s6 = "CryptReleaseContext" 
    $s7 = "DecryptIePassword" 
    $s8 = "DoesURLMatchWithHash" 
    $s9 = "GetSavedCookies" 
    $s10 = "GetSavedPasswords" 
    $s11 = "GetURLHashString"  
condition:
     all of them
}

rule RunPE_shellcode {
meta:
    author = "Group-IB"
    file = "37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918"
    scoring = 5
    family = "RunPE_shellcode"
strings:
    $malcode = {
      C7 [2-5] EE 38 83 0C // mov     dword ptr [ebp-0A0h], 0C8338EEh
      C7 [2-5] 57 64 E1 01 // mov     dword ptr [ebp-9Ch], 1E16457h
      C7 [2-5] 18 E4 CA 08 // mov     dword ptr [ebp-98h], 8CAE418h
      C7 [2-5] E3 CA D8 03 // mov     dword ptr [ebp-94h], 3D8CAE3h
      C7 [2-5] 99 B0 48 06 // mov     dword ptr [ebp-90h], 648B099h
      C7 [2-5] 93 BA 94 03 // mov     dword ptr [ebp-8Ch], 394BA93h
      C7 [2-5] E4 C7 B9 04 // mov     dword ptr [ebp-88h], 4B9C7E4h
      C7 [2-5] E4 87 B8 04 // mov     dword ptr [ebp-84h], 4B887E4h
      C7 [2-5] A9 2D D7 01 // mov     dword ptr [ebp-80h], 1D72DA9h
      C7 [2-5] 05 D1 3D 0B // mov     dword ptr [ebp-7Ch], 0B3DD105h
      C7 [2-5] 44 27 23 0F // mov     dword ptr [ebp-78h], 0F232744h
      C7 [2-5] E8 6F 18 0D // mov     dword ptr [ebp-74h], 0D186FE8h
      }
condition:
    $malcode 
}

rule AgentTesla_AutoIT_module{
meta:
    author = "Group-IB"
    file = "49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF"
    scoring = 5
    family = "AgentTesla"
strings:                                    
    $packedexeau = {55 ED F5 9F 92 03 04 44 7E 16 6D 1F 8C D7 38 E6 29 E4 C8 CF DA 2C C4 E1 F3 65 48 25 B8 93 9D 66 A4 AD 3C 39 50 00 B9 60 66 19 8D FC 20 0A A0 56 52 8B 9F 15 D7 62 30 0D 5C C3 24 FE F8 FC 39 08 DF 87 2A B2 1C E9 F7 06 A8 53 B2 69 C3 3C D4 5E D4 74 91 6E 9D 9A A0 96 FD DB 1F 5E 09 D7 0F 25 FB 46 4E 74 15 BB AB DB 17 EE E7 64 33 D6 79 02 E4 85 79 14 6B 59 F9 43 3C 81 68 A8 B5 32 BC E6}
condition:
     all of them
}
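To see what the hex strings in the AgentTesla_clean and AgentTesla_obfuscated rules actually match, here is an added Python helper (not part of the original article or of Group-IB's tooling) that turns a literal YARA hex string into bytes and decodes it. The hex values are copied from the rules above; the decoded form shows the field layout the signature keys on, which helps when writing network-side detection for the data the module sends out.

```python
"""Decode the hex strings from the AgentTesla YARA rules above.

Added example, not part of the original article or of Group-IB's tooling.
The hex values are copied from $string_format_AT (AgentTesla_clean) and
$first_names (AgentTesla_obfuscated).
"""
import re

STRING_FORMAT_AT = (
    "74 00 79 00 70 00 65 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 "
    "68 00 77 00 69 00 64 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 "
    "74 00 69 00 6D 00 65 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 "
    "70 00 63 00 6E 00 61 00 6D 00 65 00 3D 00 7B 00 33 00 7D 00 0D 00 0A 00 "
    "6C 00 6F 00 67 00 64 00 61 00 74 00 61 00 3D 00 7B 00 34 00 7D 00 0D 00 0A 00 "
    "73 00 63 00 72 00 65 00 65 00 6E 00 3D 00 7B 00 35 00 7D 00 0D 00 0A 00 "
    "69 00 70 00 61 00 64 00 64 00 3D 00 7B 00 36 00 7D 00 0D 00 0A 00 "
    "77 00 65 00 62 00 63 00 61 00 6D 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 37 00 7D 00 0D 00 0A 00 "
    "73 00 63 00 72 00 65 00 65 00 6E 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 38 00 7D 00 0D 00 0A 00 "
    "5B 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 73 00 5D 00"
)
FIRST_NAMES = ("61 66 6B 00 61 66 6D 00 61 66 6F 00 61 66 76 00 61 66 79 00 61 66 78 00 "
               "61 66 77 00 61 67 6A 00 61 67 6B 00 61 67 6C 00 61 67 70 00 61 67 72 00 "
               "61 67 73 00 61 67 75 00")


def yara_hex_to_bytes(hex_str):
    """Turn a literal YARA hex string into bytes. Braces and // comments are
    stripped; wildcards (??) and jumps ([n-m]) have no single byte value,
    so they are rejected instead of being silently guessed."""
    cleaned = re.sub(r"//[^\n]*", "", hex_str).strip().strip("{}")
    tokens = cleaned.split()
    if any("?" in t or t.startswith("[") for t in tokens):
        raise ValueError("hex string contains wildcards or jumps")
    return bytes(int(t, 16) for t in tokens)

def decode_utf16(hex_str):
    """.NET string literals are UTF-16LE, which is why every other byte is 00."""
    return yara_hex_to_bytes(hex_str).decode("utf-16-le")

def exfil_fields(fmt):
    """Field names of a 'name={index}' template, in template order."""
    return [name for name, _ in re.findall(r"(\w+)=\{(\d+)\}", fmt)]

def decode_name_list(hex_str):
    """ConfuserEX-style short identifiers stored NUL-separated."""
    return [n.decode("ascii") for n in yara_hex_to_bytes(hex_str).split(b"\x00") if n]
```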

Hashes

Name           qoute_jpeg56a.r15
MD5            53BE8F9B978062D4411F71010F49209E
SHA1           A8C2765B3D655BA23886D663D22BDD8EF6E8E894
SHA256         2641DAFB452562A0A92631C2849B8B9CE880F0F8F890E643316E9276156EDC8A
Type           WinRAR Archive
Size           823014

Name           QOUTE_JPEG56A.exe
MD5            329F6769CF21B660D5C3F5048CE30F17
SHA1           8010CC2AF398F9F951555F7D481CE13DF60BBECF
SHA256         49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF
Type           PE (Compiled AutoIt Script)
Size           1327616
Original name  Unknown
Date stamp     15.07.2019
Linker         Microsoft Linker (12.0)[EXE32]

MD5            C2743AEDDADACC012EF4A632598C00C0
SHA1           79B445DE923C92BF378B19D12A309C0E9C5851BF
SHA256         37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918
Type           ShellCode
Size           1474

Source: www.habr.com
