Lesi sihloko siyingxenye yochungechunge lwe-Fileless Malware. Zonke ezinye izingxenye zochungechunge:
-
I-Adventures ye-Elusive Malware, Ingxenye I - Izigigaba ze-Elusive Malware, Ingxenye II: Imibhalo ye-VBA Efihliwe (silapha)
Ngingumlandeli wesayithi
Izibonelo ze-HA ezithathe ukunaka kwami ββzisebenzisa i-JavaScript enekhodi noma imibhalo ye-Visual Basic for Applications (VBA) eshumekwe njengamamakhro kumadokhumenti e-Word noma e-Excel futhi anamathiselwe kuma-imeyili obugebengu bokweba imininingwane ebucayi. Uma evulwa, lawa ma-macro aqala iseshini ye-PowerShell kukhompuyutha yesisulu. Izigebengu ze-inthanethi ngokuvamile zithumela imiyalo efakwe ikhodi ye-Base64 ku-PowerShell. Konke lokhu kwenzelwa ukwenza ukuhlasela kube nzima ukutholwa izihlungi zewebhu kanye nesofthiwe ye-antivirus ephendula amagama angukhiye athile.
Ngenhlanhla, i-HA inquma ngokuzenzakalelayo i-Base64 futhi ibonise yonke into ngefomethi efundekayo ngaso leso sikhathi. Empeleni, akumele ugxile endleleni le mibhalo esebenza ngayo ngoba uzokwazi ukubona umphumela ophelele womyalo wezinqubo ezisebenzayo esigabeni esihambisanayo se-HA. Bheka isibonelo ngezansi:
Ukuhlaziywa kweHybrid kunqamula imiyalo efakwe ikhodi ye-Base64 ethunyelwe ku-PowerShell:
...bese ikuhlehlisa wona. #ngomlingo
Π
I-PowerShell Empire ne-Reverse Shell
Enye yezinhloso zalo msebenzi ukukhombisa ukuthi (uma kuqhathaniswa) isigebengu singadlula kalula kanjani ukuzivikela kwe-perimeter yakudala kanye nama-antivirus. Uma i-blogger ye-IT engenawo amakhono okuhlela, njengami, ingakwenza ngobusuku obumbalwa
Futhi uma ungumhlinzeki wezokuphepha we-IT, kodwa umphathi wakho engayazi imiphumela engaba khona yalezi zinsongo, vele umbonise lesi sihloko.
Izigebengu ze-inthanethi ziphupha ngokufinyelela okuqondile kukhompuyutha ephathekayo yesisulu noma iseva. Lokhu kulula kakhulu ukukwenza: konke okufanele kwenziwe umgebenga ukuthola amafayela ambalwa ayimfihlo kukhompuyutha ephathekayo ye-CEO.
Ngandlela-thile vele
Empeleni iyithuluzi lokuhlola ukungena elisuselwe ku-PowerShell, phakathi kwezinye izici eziningi, elikuvumela ukuthi usebenzise igobolondo elihlehla kalula. Ungayifunda ngokuningiliziwe ku
Asenze ukuhlola okuncane. Ngimise indawo evikelekile yokuhlola uhlelo olungayilungele ikhompuyutha efwini le-Amazon Web Services. Ungalandela isibonelo sami ukuze ubonise ngokushesha nangokuphephile isibonelo esisebenzayo salokhu kuba sengcupheni (futhi ungaxoshwa ngenxa yokuqhuba amagciwane ngaphakathi komjikelezo webhizinisi).
Uma wethula ikhonsoli ye-PowerShell Empire, uzobona into efana nale:
Okokuqala uqala inqubo isilaleli kukhompyutha yakho hacker. Faka umyalo "umlaleli", futhi ucacise ikheli lasesizindeni se-inthanethi lesistimu yakho usebenzisa "setha Umsingathi". Bese uqala inqubo yomlaleli ngomyalo othi "khipha" (ngezansi). Ngakho-ke, ngakolunye uhlangothi, uzoqala ukulinda uxhumano lwenethiwekhi kusuka kugobolondo elikude:
Ngakolunye uhlangothi, uzodinga ukukhiqiza ikhodi ye-ejenti ngokufaka umyalo "wokuqalisa" (bona ngezansi). Lokhu kuzokhiqiza ikhodi ye-PowerShell ye-ejenti ekude. Qaphela ukuthi ifakwe ikhodi ku-Base64, futhi imele isigaba sesibili somthwalo okhokhelwayo. Ngamanye amazwi, ikhodi yami ye-JavaScript manje izodonsa le ejenti ukuthi isebenzise i-PowerShell esikhundleni sokuphrinta umbhalo ngokungenacala esikrinini, futhi ixhume kuseva yethu ekude ye-PSE ukuze isebenzise igobolondo elihlehlayo.
Umlingo wegobolondo elibuyela emuva. Lo myalo onekhodi we-PowerShell uzoxhuma kumlaleli wami bese uvula igobolondo elikude.
Ukuze ngikubonise lokhu kuhlolwa, ngithathe indima yokuba isisulu esingenacala futhi ngavula i-Evil.doc, ngaleyo ndlela ngethula i-JavaScript yethu. Khumbula ingxenye yokuqala? I-PowerShell ilungiselelwe ukuvimbela iwindi layo ukuthi lingaphumi, ngakho-ke isisulu ngeke siphawule lutho olungajwayelekile. Nokho, uma uvula I-Windows Task Manager, uzobona inqubo ye-PowerShell yasemuva engeke ibangele noma iyiphi i-alamu kubantu abaningi noma kunjalo. Ngoba i-PowerShell evamile nje, akunjalo?
Manje uma usebenzisa i-Evil.doc, inqubo engemuva efihliwe izoxhuma kuseva esebenzisa i-PowerShell Empire. Ngifake isigqoko sami se-pentester hacker, ngabuyela kukhonsoli ye-PowerShell Empire futhi manje ngibona umlayezo wokuthi i-ejenti yami ekude iyasebenza.
Ngabe sengifaka umyalo othi "xhumana" ukuze ngivule igobolondo ku-PSE - futhi ngilapho! Ngamafuphi, ngigqekeze iseva ye-Taco engazimisa kanye.
Engisanda kukubonisa kona akudingi umsebenzi ongaka ohlangothini lwakho. Ungakwenza kalula konke lokhu ngesikhathi sakho sekhefu lesidlo sasemini ihora elilodwa noma amabili ukuze uthuthukise ulwazi lwakho lokuvikela ulwazi. Futhi kuyindlela enhle yokuqonda ukuthi izigebengu ze-inthanethi zidlula kanjani umkhawulo wakho wokuphepha wangaphandle futhi zingene ngaphakathi kwamasistimu akho.
Abaphathi be-IT abacabanga ukuthi bazakhele ukuzivikela okungenakungeneka kunoma yikuphi ukugxambukela bazokuthola kufundisa - okungukuthi, uma ungabakholisa ukuthi bahlale nawe isikhathi eside ngokwanele.
Ake sibuyele eqinisweni
Njengoba bengilindele, ukugebenga kwangempela, okungabonakali kumsebenzisi ojwayelekile, kumane kuwukuhluka kwalokho engisanda kukuchaza. Ukuze ngiqoqe ukwaziswa kokushicilelwa okulandelayo, ngaqala ukufuna isampula ku-HA esebenza ngendlela efanayo nesibonelo sami engizisungulile. Futhi akuzange kudingeke ngiyibheke isikhathi eside - kunezinketho eziningi zendlela efanayo yokuhlasela esizeni.
I-malware engagcina ngiyitholile ku-HA kwakuyiskripthi se-VBA esasishumekwe kudokhumenti ye-Word. Okusho ukuthi, angidingi ngisho nokukhohlisa isandiso sedokhumenti, lolu hlelo olungayilungele ikhompuyutha luyidokhumenti ye-Microsoft Word ebukeka evamile. Uma uthanda, ngikhethe leli sampula elibizwa
Ngifunde ngokushesha ukuthi ngokuvamile awukwazi ukudonsa ngokuqondile imibhalo ye-VBA enonya uyikhiphe kudokhumenti. Izigebengu ze-inthanethi zicindezela futhi zizifihle ukuze zingabonakali kumathuluzi amakhro akhelwe ngaphakathi e-Word. Uzodinga ithuluzi elikhethekile ukuze ulisuse. Ngenhlanhla ngafica isithwebuli
Ngisebenzisa leli thuluzi, ngikwazile ukukhipha ikhodi ye-VBA efihlwe kakhulu. Bekubukeka kanjena:
I-obfuscation yenziwe ngabachwepheshe emkhakheni wabo. Ngahlabeka umxhwele!
Abahlaseli bahle ngempela ekuguquleni ikhodi, hhayi njengemizamo yami yokudala i-Evil.doc. Kulungile, engxenyeni elandelayo sizokhipha ama-debugger ethu e-VBA, singene sijule kancane kule khodi futhi siqhathanise ukuhlaziywa kwethu nemiphumela ye-HA.
Source: www.habr.com