The RTM cyber group specializes in stealing funds from Russian companies

There are several known cyber groups that specialize in stealing funds from Russian companies. We have seen attacks that use security loopholes to gain access to the target's network. Once inside, the attackers study the structure of the organization's network and deploy their own tools to steal money. Classic examples of this trend are the hacker groups Buhtrap, Cobalt and Corkow.


The RTM group that this report focuses on is part of this trend. It uses purpose-built malware written in Delphi, which we will look at in more detail in the following sections. The first traces of these tools in ESET telemetry were found at the end of 2015. The team loads a variety of new modules onto infected systems as needed. The attacks target users of remote banking systems in Russia and several neighboring countries.

1. Targets

The RTM campaign is aimed at corporate users - this is evident from the processes the attackers try to detect on a compromised system. The focus is on accounting software that works with remote banking systems.

The list of processes of interest to RTM resembles the corresponding list of the Buhtrap group, but the groups have different infection vectors. Where Buhtrap more often used fake pages, RTM used drive-by download attacks (attacks on the browser or its components) and spam e-mail. According to telemetry data, the threat is aimed at Russia and several nearby countries (Ukraine, Kazakhstan, the Czech Republic, Germany). However, because mass distribution mechanisms are used, detections of the malware outside the target regions are not surprising.

The total number of malware detections is relatively small. On the other hand, the RTM campaign uses complex programs, which indicates that the attacks are highly targeted.

We found several decoy documents used by RTM, including non-existent contracts, invoices and tax accounting documents. The nature of the lures, combined with the type of software targeted by the attack, indicates that the attackers "enter" the networks of Russian companies through the accounting department. The Buhtrap group acted according to the same scheme in 2014-2015.


During the research, we were able to interact with several C&C servers. We will give the full list of commands in the following sections, but for now we can say that the client transfers data from the keylogger directly to the attacking server, from which additional commands are then received.

However, the days when you could simply connect to a command and control server and collect all the data you were interested in are gone. We recreated realistic log files to obtain some relevant commands from the server.

The first of these is a request to the bot to transfer the file 1c_to_kl.txt, a transport file of the 1C: Enterprise 8 system whose appearance RTM actively monitors. 1C interacts with remote banking systems by uploading outgoing payment data to a text file. The file is then sent to the remote banking system to automate and execute the payment order.

The file contains payment details. If the attackers change the information about outgoing payments, the transfer will be sent using false details to the attackers' accounts.


About a month after requesting these files from the command and control server, we saw a new plugin, 1c_2_kl.dll, being loaded onto the compromised system. The module (DLL) is designed to automatically analyze the upload file by injecting itself into the accounting software processes. We will describe it in detail in the following sections.

Interestingly, at the end of 2016 FinCERT of the Bank of Russia issued a warning about cybercriminals using 1c_to_kl.txt upload files. The developers at 1C are also aware of this scheme; they have already made an official statement and listed precautions.

Other modules were also loaded from the command server, in particular VNC (its 32- and 64-bit versions). It resembles the VNC module previously used in Dridex Trojan attacks. This module is presumably used to connect remotely to the infected computer and to study the system in detail. Next, the attackers try to move around the network, extract user passwords, collect information and ensure the persistent presence of the malware.

2. Infection vectors

The following figure shows the infection vectors detected during the study of the campaign. The group uses a wide range of vectors, but mainly drive-by download attacks and spam. These tools are convenient for targeted attacks, since in the first case the attackers can select sites visited by potential victims, and in the second they can send e-mail with attachments directly to the desired company employees.


The malware is distributed through multiple channels, including the RIG and Sundown exploit kits and spam mailings, which indicates contacts between the attackers and other cybercriminals who offer these services.

2.1. How are RTM and Buhtrap related?

The RTM campaign is very similar to Buhtrap. The natural question is: how are they related to each other?

In September 2016, we observed an RTM sample being distributed using the Buhtrap loader. In addition, we found two digital certificates used in both Buhtrap and RTM.

The first, presumably issued to the company Dnister-M, was used to digitally sign the second Delphi form (SHA-1: 025CC718BA31E43DB1b87DC13E94c61CE) and the Buhtrap DLL (SHA-9338: 11: 1E1BB2642DBA454F2 F889D6); both hash values are garbled in the source.


The second, issued to Bit-Tredj, was used to sign the Buhtrap loaders (SHA-1: 7C1B6B1713BD923FC243DFEC80002FE9B93EB292 and B74F71560E48488D2153AE2FB51207, the latter garbled in the source) and to install RTM components.


RTM operators use certificates shared with other malware families, but they also have a unique certificate. According to ESET telemetry, it was issued to Kit-SD and was used only to sign RTM malware (SHA-1: 42A4B04446A20993DDAE98B2BE6D5A797376D4B6).

RTM uses the same loader as Buhtrap, and RTM components are loaded from the Buhtrap infrastructure, so the groups share network indicators. However, by our estimate RTM and Buhtrap are different groups, if only because RTM is also distributed in other ways (not only via a "foreign" loader).

Despite this, the hacker groups use similar operating principles. They target businesses that use accounting software, collect system information in the same way, look for smart card readers, and deploy a range of malicious tools to spy on victims.

3. Evolution

In this section we will look at the different versions of the malware found during the research.

3.1. Versioning

RTM stores configuration data in a registry section, the most interesting part being the botnet prefix. A list of all the values we saw in the samples we studied is presented in the table below.


The values could be used to record malware versions. However, we did not notice much difference between versions such as bit2 and bit3, 0.1.6.4 and 0.1.6.6. Moreover, one of the prefixes has been present from the beginning and has evolved from a regular C&C domain to a .bit domain, as will be shown below.

3.2. Timeline

Using telemetry data, we built a graph of when the samples appeared.


4. Technical analysis

In this section we describe the main functions of the RTM banking Trojan, including its persistence mechanisms, its own version of the RC4 algorithm, the network protocol, the spying functionality and some other features. In particular, we focus on the samples with SHA-1 AA0FA4584768CE9E16D67D8C529233E99FF1BBF0 and 48BC113EC8BA20B8B80CD5D4DA92051A19D1032B.

4.1. Installation and persistence

4.1.1. Installation

The RTM core is a DLL; the library is dropped to disk by an .EXE. The executable is usually packed and contains the DLL code. When launched, it extracts the DLL and runs it with the following command:

rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host

4.1.2. DLL

The main DLL is always written to disk as winlogon.lnk in the %PROGRAMDATA%\Winlogon folder. This file extension is usually associated with a shortcut, but the file is actually a Delphi DLL, named core.dll by its developer, as shown in the image below.


Example of the DLL name, sample F4C746696B0F5BB565D445EC49DD912993DE6361

Once launched, the Trojan sets up its persistence mechanism. This can be done in two different ways, depending on the victim's privileges on the system. With administrator rights, the Trojan adds a Windows Update entry to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. The command stored in Windows Update will run at the start of the user's session.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update [REG_SZ] = rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host

The Trojan also tries to add a task to the Windows Task Scheduler. The task launches the winlogon.lnk DLL with the same parameters as above. With normal user rights, the Trojan adds a Windows Update entry with the same data to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key:

rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host
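The persistence described above leaves two checkable traces: a Run value that makes rundll32.exe load a ".lnk" file through DllGetClassObject, and a ".lnk" file that is really a PE image. The following is an added example of a defender-side check for both (not code from the report or the malware); the autorun entries and file contents it scans are constructed, and the Run value name "Windows Update" plus the path under %PROGRAMDATA% come from the text.

```python
"""Defender-side check for the RTM persistence pattern described above.

Added example, not code from the ESET report or the RTM malware. It looks
at autorun entries and at the file they launch. Two indicators from the
text are combined: a Run value named "Windows Update" that launches
rundll32.exe with a .lnk path and the DllGetClassObject export, and a
.lnk file whose content is really a PE (DLL) image rather than a shortcut.
The sample autorun entries and file contents below are constructed.
"""
import re
import struct

# rundll32.exe "<something>.lnk",DllGetClassObject ...
RUNDLL_LNK = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^",]+\.lnk)"?\s*,\s*DllGetClassObject', re.IGNORECASE)

# A real Windows shortcut starts with the header size 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


def classify_run_entry(name, command):
    """Return the reasons an autorun value looks like RTM persistence.

    An empty list means nothing matched. `name` is the registry value name,
    `command` its REG_SZ data.
    """
    reasons = []
    m = RUNDLL_LNK.search(command)
    if m:
        reasons.append("rundll32 launches a .lnk as a DLL via DllGetClassObject")
        if "winlogon.lnk" in m.group(1).lower():
            reasons.append("target file is winlogon.lnk")
        if "%programdata%" in m.group(1).lower():
            reasons.append("DLL lives under %PROGRAMDATA%")
    if name.strip().lower() == "windows update" and "rundll32" in command.lower():
        reasons.append('"Windows Update" value runs rundll32 (real updates never do)')
    return reasons


def lnk_is_disguised_dll(data):
    """True if a file carrying a .lnk name is actually a PE image.

    A real shortcut begins with LNK_MAGIC; a DLL begins with "MZ" and has an
    e_lfanew pointer at offset 0x3C to the "PE\\0\\0" signature.
    """
    if data.startswith(LNK_MAGIC):
        return False
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def scan(entries, files):
    """Check Run entries and .lnk file contents; return (where, why) findings."""
    findings = []
    for name, cmd in entries:
        for r in classify_run_entry(name, cmd):
            findings.append((name, r))
    for path, data in files.items():
        if path.lower().endswith(".lnk") and lnk_is_disguised_dll(data):
            findings.append((path, ".lnk file is a PE image, not a shortcut"))
    return findings


def build_fake_pe():
    """Constructed minimal MZ/PE header (not a runnable binary) for the demo."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


# Constructed sample data modelled on the indicators in the text.
SAMPLE_ENTRIES = [
    ("Windows Update",
     'rundll32.exe "%PROGRAMDATA%\\winlogon.lnk",DllGetClassObject host'),
    ("OneDrive", '"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
]
SAMPLE_FILES = {
    "C:\\ProgramData\\Winlogon\\winlogon.lnk": build_fake_pe(),
    "C:\\Users\\u\\Desktop\\Notes.lnk": LNK_MAGIC + b"\x00" * 60,
}

if __name__ == "__main__":
    for where, why in scan(SAMPLE_ENTRIES, SAMPLE_FILES):
        print(f"{where}: {why}")
```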

4.2. Modified RC4 algorithm

Despite its known weaknesses, the RC4 algorithm is regularly used by malware authors. The RTM creators, however, modified it slightly, probably to make the work of malware analysts harder. The modified version of RC4 is used throughout the RTM tools to encrypt strings, network data, the configuration and modules.

4.2.1. Differences

The original RC4 algorithm consists of two stages: initialization of the S-box (also called the KSA, Key-Scheduling Algorithm) and generation of the pseudo-random sequence (PRGA, Pseudo-Random Generation Algorithm). The first stage initializes the S-box using the key; in the second stage the plaintext is processed with the S-box to encrypt it.

The RTM authors added an intermediate step between S-box initialization and encryption. The additional key is variable and is set together with the data to be encrypted or decrypted. The function that performs this additional step is shown in the figure below.


4.2.2. String encryption

At first glance, there are several readable strings in the main DLL. The rest are encrypted with the algorithm described above, whose structure is shown in the following figure. We found more than 25 different RC4 keys for string encryption in the analyzed samples. The XOR key is different for each string. The value of the numeric field separating the strings is always 0xFFFFFFFF.

At the start of execution, RTM decrypts the strings into a global variable. When a string is needed, the Trojan dynamically computes the address of the decrypted string from the base address and an offset.

The strings contain interesting information about the malware's functions. Some example strings are given in Section 6.8.


4.3. Network

The way the RTM malware communicates with the C&C server varies from version to version. The first modifications (October 2015 to April 2016) used conventional domain names together with an RSS feed on livejournal.com to update the list of commands.

Since April 2016, we have seen a shift to .bit domains in telemetry data. This is confirmed by the domain registration date: the first RTM domain, fde05d0573da.bit, was registered on March 13, 2016.

All the URLs we saw while monitoring the campaign shared a common path: /r/z.php. It is quite unusual and helps to identify RTM requests in network traffic.

4.3.1. Command and control channel

Legacy samples used this channel to update their list of command and control servers. The hosting is on livejournal.com; at the time of writing it remained at the URL hxxp://f72bba81c921(.)livejournal(.)com/data/rss.

LiveJournal is a Russian-American company that provides a blogging platform. The RTM operators create an LJ blog in which they post an article with encoded commands - see the screenshot.


The command and control lines are encoded with the modified RC4 algorithm (Section 4.2). The current version (November 2016) of the channel contains the following command and control server addresses:

  • hxxp://cainmoon(.)net/r/z.php
  • hxxp://rtm(.)dev/0-3/z.php
  • hxxp://vpntap(.)top/r/z.php

4.3.2. .bit domains

In the latest RTM samples, the authors connect to C&C domains under the .bit top-level domain. It is not on the list of top-level domains maintained by ICANN (Internet Corporation for Assigned Names and Numbers). Instead, it uses the Namecoin system, built on top of Bitcoin technology. Malware authors rarely use the .bit TLD for their domains, although an example of such use was previously seen in a version of the Necurs botnet.

Unlike Bitcoin, users of the Namecoin distributed database can store data in it. The main application of this feature is the .bit top-level domain. You can register domains that will be stored in the distributed database. The corresponding database entries contain the IP addresses the domain resolves to. This TLD is "takedown-resistant" because only the registrant can change the resolution of a .bit domain. This means it is much harder to stop a malicious domain that uses this type of TLD.

The RTM Trojan does not embed the software needed to read the Namecoin distributed database. It uses central DNS servers such as dns.dot-bit.org or OpenNic servers to resolve .bit domains. Consequently, it is only as resilient as those DNS servers. We noticed that some of the group's domains were no longer resolved after being mentioned in a blog post.

Another advantage of the .bit TLD for hackers is cost. To register a domain, operators need to pay only 0.01 NK, which corresponds to $0.00185 (as of December 5, 2016). For comparison, a .com domain costs at least $10.

4.3.3. Protocol

To communicate with the command and control server, RTM uses HTTP POST requests with data formatted according to a custom protocol. The path is always /r/z.php; the User-Agent is Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0). In requests to the server, the data is formatted as follows, where the offset values are given in bytes:


Bytes 0 to 6 are not encoded; bytes starting at 6 are encoded with the modified RC4 algorithm. The structure of the C&C response packet is simpler. Bytes are encoded from 4 up to the packet size.


The list of possible byte values is given in the table below:


The malware always computes the CRC32 of the decrypted data and compares it with the value present in the packet. If they differ, the Trojan drops the packet.
The additional data may contain various objects, including a PE file, a file to search for in the file system, or new command URLs.
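Sections 4.3 and 4.3.3 give network indicators a defender can hunt for: POST requests to /r/z.php, the fixed User-Agent, .bit hosts and the listed C&C domains. The following is an added example (not code from the report) that scores constructed web-proxy log lines on those indicators; the log format, the weights and the sample lines are my own, and the hosts are the ones quoted on this page.

```python
"""Hunt for RTM C&C traffic in web-proxy logs using the indicators above.

Added example, not from the ESET report. It scores each request on the
indicators the text gives: HTTP POST, the path /r/z.php, the fixed
User-Agent "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
a .bit host (Namecoin TLD resolved via public gateways), and the C&C hosts
listed in section 4.3.1. The log format, weights and log lines are
constructed; real proxies differ, so adapt parse_line() to your format.
"""
import re
from urllib.parse import urlsplit

RTM_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
RTM_PATH = "/r/z.php"
# Hosts quoted in the text (defanged there with "(.)"); normalised here.
KNOWN_C2_HOSTS = {"cainmoon.net", "rtm.dev", "vpntap.top"}

# Constructed format: <ts> <client_ip> <method> <url> <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path or "/"
    return rec


def score_request(rec):
    """Return (score, reasons). A score of 3 or more is a strong RTM match.

    The path alone is the indicator the text calls "quite unusual"; the
    other signals raise confidence and still fire if the path changes.
    """
    reasons = []
    if rec["path"] == RTM_PATH:
        reasons.append(("path /r/z.php", 2))
    if rec["ua"] == RTM_UA:
        reasons.append(("fixed RTM User-Agent", 1))
    if rec["method"] == "POST":
        reasons.append(("HTTP POST", 1))
    if rec["host"].endswith(".bit"):
        reasons.append((".bit (Namecoin) host", 2))
    if rec["host"] in KNOWN_C2_HOSTS:
        reasons.append(("host listed as RTM C&C", 3))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def hunt(lines, threshold=3):
    """Parse and score every line; return (client, host, score, reasons) hits."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as hits
        score, reasons = score_request(rec)
        if score >= threshold:
            hits.append((rec["client"], rec["host"], score, reasons))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2016-11-14T09:01:02Z 10.0.5.23 POST http://fde05d0573da.bit/r/z.php 200 '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '2016-11-14T09:01:07Z 10.0.5.23 POST http://vpntap.top/r/z.php 200 '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '2016-11-14T09:02:11Z 10.0.5.40 GET http://www.example.com/r/index.php 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/50.0"',
    '2016-11-14T09:02:30Z 10.0.5.41 POST http://intranet.example.com/api/z.php 200 '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for client, host, score, reasons in hunt(SAMPLE_LOG):
        print(f"{client} -> {host} score={score}: {', '.join(reasons)}")
```

The fourth sample line shares only the User-Agent and method with RTM and stays below the threshold, which is the kind of near-miss worth reviewing by hand rather than alerting on.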

4.3.4. Panel

We noticed that RTM uses a panel on the C&C servers. Screenshot below:


4.4. Fingerprinting

RTM is a typical banking Trojan, so it is no surprise that the operators want information about the victim's system. On the one hand, the bot collects general information about the OS. On the other hand, it finds out whether the compromised system contains attributes associated with Russian remote banking systems.

4.4.1. General information

When the malware is installed or launched after a reboot, a report is sent to the command and control server containing general information, including:

  • time zone;
  • default system language;
  • credentials of the logged-on user;
  • process integrity level;
  • user name;
  • computer name;
  • OS version;
  • additional modules installed;
  • installed antivirus program;
  • list of smart card readers.

4.4.2 Remote banking system

A typical Trojan target is a remote banking system, and RTM is no exception. One of the program's modules is called TBdo; it performs various tasks, including scanning disks and the browsing history.

By scanning the disk, the Trojan checks whether banking software is installed on the machine. The full list of target programs is in the table below. Having found a file of interest, the program sends the information to the command server. Further actions depend on the logic set by the command center (C&C) algorithms.


RTM also looks for URL patterns in the browser history and in open tabs. In addition, the program walks the URL cache using the FindFirstUrlCacheEntryA and FindNextUrlCacheEntryA functions and checks each entry for a match with one of the following URL patterns:


Having detected open tabs, the Trojan contacts Internet Explorer or Firefox through the Dynamic Data Exchange (DDE) mechanism to check whether the tab matches a pattern.

The check of the browsing history and open tabs runs in a WHILE loop (a loop with a precondition) with a 1-second pause between checks. Other data monitored in real time is discussed in section 4.5.

If a pattern is found, the program reports this to the command server using a string from the following table:


4.5 Monitoring

While the Trojan is running, information about the characteristic features of the infected system (including the presence of banking software) is sent to the command and control server. Fingerprinting takes place when RTM first starts the monitoring system, immediately after the initial OS scan.

4.5.1. Remote banking

The TBdo module is also responsible for monitoring banking-related processes. It uses Dynamic Data Exchange to check the tabs in Firefox and Internet Explorer during the initial scan. Another module, TShell, is used to monitor shell windows (Internet Explorer or File Explorer).

The module uses the COM interfaces IShellWindows, IWebBrowser, DWebBrowserEvents2 and IConnectionPointContainer to monitor windows. When the user navigates to a new web page, the malware notes this. It then compares the page URL against the patterns above. Having found a match, the Trojan takes six consecutive screenshots at 5-second intervals and sends them to the C&C server. The program also checks for window titles related to banking software; the full list is below:


4.5.2. Smart card

RTM can monitor the smart card readers connected to infected computers. In some countries these devices are used to confirm payment orders. If a device of this type is attached to a computer, it can indicate to the Trojan that the machine is used for banking operations.

Unlike other banking Trojans, RTM cannot interact with such smart cards. This functionality may be implemented in an additional module that we have not yet seen.

4.5.3. Keylogger

An important part of monitoring an infected PC is capturing keystrokes. It seems the RTM developers do not want to miss any information, since they monitor not only regular keys but also the virtual keyboard and the clipboard.

To do this, the SetWindowsHookExA function is used. The attackers log the keys pressed, or the keys corresponding to the virtual keyboard, together with the program name and the date. The buffer is then sent to the C&C server.

The SetClipboardViewer function is used to intercept the clipboard. The criminals log the clipboard contents whenever the data is text. The name and date are also recorded before the buffer is sent to the server.

4.5.4. Screenshots

Another RTM function is screenshot capture. The feature is used when the window monitoring module detects a site or banking software of interest. Screenshots are taken with a graphics library and transmitted to the command server.

4.6. Uninstallation

The C&C server can instruct the malware to stop and clean up the computer. The command wipes the files and registry entries created while RTM was running. The DLL is then used to remove the malware and the winlogon file, after which the command shuts the computer down. As shown in the image below, the developers remove the DLL using erase.dll.


The server can send the Trojan a destructive uninstall-lock command. In this case, if it has administrator rights, RTM wipes the MBR boot sector on the hard drive. If this fails, the Trojan tries to move the MBR boot sector to a random sector, so that the computer can no longer boot the OS after shutdown. This can lead to a complete reinstallation of the OS, which means the destruction of evidence.

Without administrator rights, the malware writes out an .EXE that is encoded inside the underlying RTM DLL. The executable runs the code needed to shut the computer down and registers the module in the HKCU\CurrentVersion\Run registry key. Every time the user starts a session, the computer shuts down immediately.

4.7. Configuration file

By default RTM has almost no configuration file, but the command and control server can send configuration values that are stored in the registry and used by the program. The list of configuration keys is presented in the table below:


The configuration is stored in the Software\[pseudo-random string] registry key. Each value corresponds to one of the rows in the previous table. Values and data are encoded with RTM's RC4 algorithm.

The data has the same structure as the network or string data. A four-byte XOR key is prepended to the encoded data. For configuration values the XOR key is different and depends on the size of the value. It is calculated as follows:

xor_key = (len(config_value) << 24) | (len(config_value) << 16)
          | len(config_value) | (len(config_value) << 8)
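The following added example serves both section 4.2.1 (the extra step between KSA and PRGA, keyed by a 4-byte XOR key carried with the data) and section 4.7 (the length-derived XOR key for configuration values). It is not the malware's code or ESET's: the page shows the extra step only as a figure, so the concrete operation used here (XOR each S-box entry with a byte of the 4-byte key) and the little-endian prefix are labelled assumptions, and the RC4 key and sample value are constructed.

```python
"""Model of RTM's modified RC4 (section 4.2) and its config XOR key (section 4.7).

Added example, not the malware's code or ESET's. The text says RTM inserts
an extra step between the RC4 key schedule (KSA) and keystream generation
(PRGA), driven by a 4-byte XOR key that travels with the data, and that for
registry configuration values that key is derived from the value length.
The page shows the extra step only as a figure; the operation used here
(XOR every S-box entry with key byte i % 4) is an ASSUMPTION chosen to show
the structure, not a faithful reimplementation. Key and plaintext below are
constructed.
"""
import struct


def rc4_ksa(key):
    """Standard RC4 key-scheduling algorithm: returns the 256-entry S-box."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rtm_extra_step(s, xor_key):
    """ASSUMED intermediate step: mix the 4-byte XOR key into the S-box.

    Models a second, per-message key applied after the KSA; a zero key
    leaves the S-box unchanged, so the cipher degrades to plain RC4.
    """
    return [s[i] ^ xor_key[i % 4] for i in range(256)]


def rc4_prga(s, data):
    """Standard RC4 keystream XORed over data (encryption equals decryption)."""
    s = list(s)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rtm_rc4(key, xor_key, data):
    """KSA -> assumed extra step -> PRGA. Symmetric, so it also decrypts."""
    return rc4_prga(rtm_extra_step(rc4_ksa(key), xor_key), data)


def standard_rc4(key, data):
    """Unmodified RC4, to show that an off-the-shelf decryptor fails."""
    return rc4_prga(rc4_ksa(key), data)


def config_xor_key(config_value):
    """The 4-byte XOR key for a configuration value, exactly as in section 4.7.

    The four terms place len(config_value) into every byte, so a value of
    length 0x2A gets the key 0x2A2A2A2A (lengths >= 256 would overlap).
    """
    n = len(config_value)
    return (n << 24) | (n << 16) | n | (n << 8)


def encode_config_value(rc4_key, value):
    """Model of a stored config value: 4-byte XOR key, then the ciphertext.

    The byte order of the prefix is not given on the page; little-endian is
    an assumption (irrelevant here since all four key bytes are equal).
    """
    xk = struct.pack("<I", config_xor_key(value))
    return xk + rtm_rc4(rc4_key, xk, value)


def decode_config_value(rc4_key, blob):
    """Reverse of encode_config_value: read the prefix, decrypt the rest."""
    xk, body = blob[:4], blob[4:]
    return rtm_rc4(rc4_key, xk, body)


if __name__ == "__main__":
    key = b"constructed-rc4-key"         # constructed, not a real RTM key
    value = b"prefix=bit3;cnc=/r/z.php"  # constructed sample config value
    blob = encode_config_value(key, value)
    print("xor key prefix:", blob[:4].hex(), "value length:", len(value))
    print("round trip ok :", decode_config_value(key, blob) == value)
    # Plain RC4 with the correct key still fails against the modified cipher.
    print("plain RC4 gets:", standard_rc4(key, blob[4:]))
```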

4.8. Other functions

Next, let's look at the other functions supported by RTM.

4.8.1. Additional modules

The Trojan includes additional modules, which are DLL files. Modules sent from the C&C server can be executed as external programs, reflectively loaded into RAM and started in a new thread. For storage, modules are saved in .dtt files and encoded with the RC4 algorithm using the same key as for network communication.

So far we have seen the installation of a VNC module (8966319882494077C21F66A8354E2CBCA0370464), a browser data extraction module (03DE8622BE6B2F75A364A275995C3411626C4DEc9C1D2F) and one more module (FC1FBA562 B1BE69D6B58E88753CFAB); the last two hash values are garbled in the source.

To load the VNC module, the C&C server issues a command requesting a connection to the VNC server at a specific IP address on port 44443. The browser data retrieval plugin runs TBrowserDataCollector, which can read the IE browsing history. It then sends the full list of visited URLs to the C&C server.

The last module found is called 1c_2_kl. It can interact with the 1C Enterprise software package. The module consists of two parts: the main part, a DLL, and two agents (32- and 64-bit) that are injected into every process by registering a WH_CBT hook. Once injected into the 1C process, the module hooks the CreateFile and WriteFile functions. Whenever the hooked CreateFile is called, the module stores the path of the 1c_to_kl.txt file in memory. After intercepting the WriteFile call, it calls the original WriteFile and then sends the 1c_to_kl.txt path to the main DLL module in a crafted WM_COPYDATA Windows message.

The main DLL module opens and parses the file to locate payment orders. It recognizes the amount and the transaction number contained in the file. This information is sent to the command server. We believe this module is still under development, because it contains a debug message and cannot automatically modify 1c_to_kl.txt.

4.8.2. Privilege escalation

RTM may try to escalate privileges by displaying fake error messages. The malware imitates a registry check (see the image below) or uses the icon of a real registry editor. Note the misspelled "wait" - "whait". After a few seconds of "scanning", the program displays a fake error message.


The fake message will easily fool an ordinary user, despite its grammatical errors. If the user clicks one of the two links, RTM tries to elevate its privileges on the system.

After one of the two recovery options is chosen, the Trojan launches the DLL using the runas option of the ShellExecute function, requesting administrator privileges. The user sees a genuine Windows elevation prompt (see the image below). If the user grants the requested permissions, the Trojan runs with administrator rights.


Depending on the default language configured on the system, the Trojan displays the error messages in Russian or English.

4.8.3. Certificate

RTM can add certificates to the Windows certificate store and confirm the trust prompt for the added certificate by automatically clicking the "yes" button in the csrss.exe dialog box. This behavior is not new; the Retefe banking Trojan, for example, also confirms the installation of a new certificate on its own.

4.8.4. Backconnect

The RTM authors also created a Backconnect TCP tunnel. We have not yet seen this feature in use, but it is designed for remote monitoring of infected PCs.

4.8.5. Hosts file management

The C&C server can send the Trojan a command to modify the Windows hosts file. The hosts file is used to create custom DNS resolutions.

4.8.6. Find and send file

The server may request a search for, and upload of, a file on the infected system. For example, during the research we observed a request for the file 1c_to_kl.txt. As described earlier, this file is generated by the 1C: Enterprise 8 accounting system.

4.8.7. Update

Finally, the RTM authors can update the software by sending a new DLL to replace the current version.

5. Conclusion

The RTM research shows that the Russian banking system still attracts cyber attackers. Groups such as Buhtrap, Corkow and Carbanak have successfully stolen money from financial institutions and their customers in Russia. RTM is a new player in this field.

According to ESET telemetry, the RTM malicious tools have been in use since at least the end of 2015. The program has full spying capabilities, including reading smart cards, intercepting keystrokes and monitoring banking transactions, as well as searching for 1C: Enterprise 8 transport files.

The use of the decentralized, uncensored .bit top-level domain gives the infrastructure its resilience.

Source: www.habr.com
