Lesi sihloko siyingxenye yochungechunge lwe-Fileless Malware. Zonke ezinye izingxenye zochungechunge:
- Izigigaba ze-Elusive Malware, Ingxenye II: Imibhalo ye-VBA Efihliwe (silapha)
Ngingumlandeli wesayithi (ukuhlaziywa okuxubile, ngemuva kwalokhu HA). Lolu uhlobo lwe-zoo oluyi-malware lapho ungabona khona ngokuphephile βizilwane ezidla ezinyeβ ukude nebanga eliphephile ngaphandle kokuhlaselwa. I-HA isebenzisa uhlelo olungayilungele ikhompuyutha ezindaweni ezivikelekile, irekhoda izingcingo zesistimu, amafayela adaliwe kanye nethrafikhi ye-inthanethi, futhi ikunikeza yonke le miphumela ngesampuli ngayinye eyihlaziyayo. Ngale ndlela, akudingeki uchithe isikhathi namandla akho uzama ukuthola ikhodi edidayo ngokwakho, kodwa ungakwazi ukuqonda ngokushesha zonke izinhloso zabaduni.
Izibonelo ze-HA ezithathe ukunaka kwami ββzisebenzisa i-JavaScript enekhodi noma imibhalo ye-Visual Basic for Applications (VBA) eshumekwe njengamamakhro kumadokhumenti e-Word noma e-Excel futhi anamathiselwe kuma-imeyili obugebengu bokweba imininingwane ebucayi. Uma evulwa, lawa ma-macro aqala iseshini ye-PowerShell kukhompuyutha yesisulu. Izigebengu ze-inthanethi ngokuvamile zithumela imiyalo efakwe ikhodi ye-Base64 ku-PowerShell. Konke lokhu kwenzelwa ukwenza ukuhlasela kube nzima ukutholwa izihlungi zewebhu kanye nesofthiwe ye-antivirus ephendula amagama angukhiye athile.
Ngenhlanhla, i-HA inquma ngokuzenzakalelayo i-Base64 futhi ibonise yonke into ngefomethi efundekayo ngaso leso sikhathi. Empeleni, akumele ugxile endleleni le mibhalo esebenza ngayo ngoba uzokwazi ukubona umphumela ophelele womyalo wezinqubo ezisebenzayo esigabeni esihambisanayo se-HA. Bheka isibonelo ngezansi:
Ukuhlaziywa kweHybrid kunqamula imiyalo efakwe ikhodi ye-Base64 ethunyelwe ku-PowerShell:
...bese ikuhlehlisa wona. #ngomlingo
Π Ngizakhele esami isitsha se-JavaScript esifiphazwe kancane ukuze ngiqhube iseshini ye-PowerShell. Umbhalo wami, njengohlelo olungayilungele ikhompuyutha olususelwa ku-PowerShell, bese ulanda umbhalo we-PowerShell olandelayo kuwebhusayithi ekude. Bese, njengesibonelo, ngilayishe i-PS engenabungozi ephrinte umlayezo esikrinini. Kodwa izikhathi ziyashintsha, futhi manje ngiphakamisa ukuhlanganisa lesi simo.
I-PowerShell Empire ne-Reverse Shell
Enye yezinhloso zalo msebenzi ukukhombisa ukuthi (uma kuqhathaniswa) isigebengu singadlula kalula kanjani ukuzivikela kwe-perimeter yakudala kanye nama-antivirus. Uma i-blogger ye-IT engenawo amakhono okuhlela, njengami, ingakwenza ngobusuku obumbalwa (akubonwanga ngokugcwele, i-FUD), cabanga ngamakhono we-hacker osemusha onentshisekelo kulokhu!
Futhi uma ungumhlinzeki wezokuphepha we-IT, kodwa umphathi wakho engayazi imiphumela engaba khona yalezi zinsongo, vele umbonise lesi sihloko.
Izigebengu ze-inthanethi ziphupha ngokufinyelela okuqondile kukhompuyutha ephathekayo yesisulu noma iseva. Lokhu kulula kakhulu ukukwenza: konke okufanele kwenziwe umgebenga ukuthola amafayela ambalwa ayimfihlo kukhompuyutha ephathekayo ye-CEO.
Ngandlela-thile vele mayelana nesikhathi sokusebenza sangemuva kokukhiqizwa kwe-PowerShell Empire. Ake sikhumbule ukuthi kuyini.
Empeleni iyithuluzi lokuhlola ukungena elisuselwe ku-PowerShell, phakathi kwezinye izici eziningi, elikuvumela ukuthi usebenzise igobolondo elihlehla kalula. Ungayifunda ngokuningiliziwe ku .
Asenze ukuhlola okuncane. Ngimise indawo evikelekile yokuhlola uhlelo olungayilungele ikhompuyutha efwini le-Amazon Web Services. Ungalandela isibonelo sami ukuze ubonise ngokushesha nangokuphephile isibonelo esisebenzayo salokhu kuba sengcupheni (futhi ungaxoshwa ngenxa yokuqhuba amagciwane ngaphakathi komjikelezo webhizinisi).
Uma wethula ikhonsoli ye-PowerShell Empire, uzobona into efana nale:
Okokuqala uqala inqubo isilaleli kukhompyutha yakho hacker. Faka umyalo "umlaleli", futhi ucacise ikheli lasesizindeni se-inthanethi lesistimu yakho usebenzisa "setha Umsingathi". Bese uqala inqubo yomlaleli ngomyalo othi "khipha" (ngezansi). Ngakho-ke, ngakolunye uhlangothi, uzoqala ukulinda uxhumano lwenethiwekhi kusuka kugobolondo elikude:
Ngakolunye uhlangothi, uzodinga ukukhiqiza ikhodi ye-ejenti ngokufaka umyalo "wokuqalisa" (bona ngezansi). Lokhu kuzokhiqiza ikhodi ye-PowerShell ye-ejenti ekude. Qaphela ukuthi ifakwe ikhodi ku-Base64, futhi imele isigaba sesibili somthwalo okhokhelwayo. Ngamanye amazwi, ikhodi yami ye-JavaScript manje izodonsa le ejenti ukuthi isebenzise i-PowerShell esikhundleni sokuphrinta umbhalo ngokungenacala esikrinini, futhi ixhume kuseva yethu ekude ye-PSE ukuze isebenzise igobolondo elihlehlayo.
Umlingo wegobolondo elibuyela emuva. Lo myalo onekhodi we-PowerShell uzoxhuma kumlaleli wami bese uvula igobolondo elikude.
Ukuze ngikubonise lokhu kuhlolwa, ngithathe indima yokuba isisulu esingenacala futhi ngavula i-Evil.doc, ngaleyo ndlela ngethula i-JavaScript yethu. Khumbula ingxenye yokuqala? I-PowerShell ilungiselelwe ukuvimbela iwindi layo ukuthi lingaphumi, ngakho-ke isisulu ngeke siphawule lutho olungajwayelekile. Nokho, uma uvula I-Windows Task Manager, uzobona inqubo ye-PowerShell yasemuva engeke ibangele noma iyiphi i-alamu kubantu abaningi noma kunjalo. Ngoba i-PowerShell evamile nje, akunjalo?
Manje uma usebenzisa i-Evil.doc, inqubo engemuva efihliwe izoxhuma kuseva esebenzisa i-PowerShell Empire. Ngifake isigqoko sami se-pentester hacker, ngabuyela kukhonsoli ye-PowerShell Empire futhi manje ngibona umlayezo wokuthi i-ejenti yami ekude iyasebenza.
Ngabe sengifaka umyalo othi "xhumana" ukuze ngivule igobolondo ku-PSE - futhi ngilapho! Ngamafuphi, ngigqekeze iseva ye-Taco engazimisa kanye.
Engisanda kukubonisa kona akudingi umsebenzi ongaka ohlangothini lwakho. Ungakwenza kalula konke lokhu ngesikhathi sakho sekhefu lesidlo sasemini ihora elilodwa noma amabili ukuze uthuthukise ulwazi lwakho lokuvikela ulwazi. Futhi kuyindlela enhle yokuqonda ukuthi izigebengu ze-inthanethi zidlula kanjani umkhawulo wakho wokuphepha wangaphandle futhi zingene ngaphakathi kwamasistimu akho.
Abaphathi be-IT abacabanga ukuthi bazakhele ukuzivikela okungenakungeneka kunoma yikuphi ukugxambukela bazokuthola kufundisa - okungukuthi, uma ungabakholisa ukuthi bahlale nawe isikhathi eside ngokwanele.
Ake sibuyele eqinisweni
Njengoba bengilindele, ukugebenga kwangempela, okungabonakali kumsebenzisi ojwayelekile, kumane kuwukuhluka kwalokho engisanda kukuchaza. Ukuze ngiqoqe ukwaziswa kokushicilelwa okulandelayo, ngaqala ukufuna isampula ku-HA esebenza ngendlela efanayo nesibonelo sami engizisungulile. Futhi akuzange kudingeke ngiyibheke isikhathi eside - kunezinketho eziningi zendlela efanayo yokuhlasela esizeni.
I-malware engagcina ngiyitholile ku-HA kwakuyiskripthi se-VBA esasishumekwe kudokhumenti ye-Word. Okusho ukuthi, angidingi ngisho nokukhohlisa isandiso sedokhumenti, lolu hlelo olungayilungele ikhompuyutha luyidokhumenti ye-Microsoft Word ebukeka evamile. Uma uthanda, ngikhethe leli sampula elibizwa .
Ngifunde ngokushesha ukuthi ngokuvamile awukwazi ukudonsa ngokuqondile imibhalo ye-VBA enonya uyikhiphe kudokhumenti. Izigebengu ze-inthanethi zicindezela futhi zizifihle ukuze zingabonakali kumathuluzi amakhro akhelwe ngaphakathi e-Word. Uzodinga ithuluzi elikhethekile ukuze ulisuse. Ngenhlanhla ngafica isithwebuli UFrank Baldwin. Ngiyabonga, Frank.
Ngisebenzisa leli thuluzi, ngikwazile ukukhipha ikhodi ye-VBA efihlwe kakhulu. Bekubukeka kanjena:
I-obfuscation yenziwe ngabachwepheshe emkhakheni wabo. Ngahlabeka umxhwele!
Abahlaseli bahle ngempela ekuguquleni ikhodi, hhayi njengemizamo yami yokudala i-Evil.doc. Kulungile, engxenyeni elandelayo sizokhipha ama-debugger ethu e-VBA, singene sijule kancane kule khodi futhi siqhathanise ukuhlaziywa kwethu nemiphumela ye-HA.
Source: www.habr.com