Attackers use malware to attack Russian businesses

Since the end of last year, we have been tracking a new malicious campaign distributing a banking Trojan. The attackers focus on compromising Russian companies, that is, corporate users. The campaign has been active for at least a year and, besides the banking Trojan, the attackers resort to a variety of software tools. These include a special loader packed with NSIS, and spyware disguised as the well-known legitimate Yandex Punto software. Once the attackers have managed to compromise the victim's computer, they install a backdoor and then the banking Trojan.


For their malware, the attackers used several digital certificates that were valid at the time, along with special techniques to bypass AV products. The campaign targeted a large number of Russian banks and is of particular interest because the attackers used methods typical of targeted attacks, that is, attacks not driven solely by financial fraud. We can note some similarity between this campaign and a major incident that previously received wide publicity: the cybercriminal group that used the Anunak/Carbanak banking Trojan.

The attackers installed the malware only on computers whose default Windows language (locale) was Russian. The main distribution vector of the Trojan was a Word document with an exploit for CVE-2012-0158, delivered as an attachment. The screenshots below show what such fake documents look like. The first document is titled "Invoice No. 522375-FLORL-14-115.doc", and the second "kontrakt87.doc", a copy of a contract for the provision of telecommunications services by the mobile operator Megafon.

Fig. 1. Phishing document.

Fig. 2. Another variant of the phishing document.

The following facts indicate that the attackers were targeting Russian businesses:

  • distribution of the malware using fake documents on the topic mentioned above;
  • the attackers' tactics and the malicious tools they use;
  • references to business applications in some of the executable modules;
  • the malicious domain names used in this campaign.

The special software tools that the attackers install on a compromised system allow them to gain remote control of the system and monitor user activity. To do this, they install a backdoor and also try to obtain the Windows account password or create a new account. The attackers also resort to a keylogger, a Windows clipboard stealer, and special software for working with smart cards. The group tried to compromise other computers on the same local network as the victim's computer.

Our ESET LiveGrid telemetry system, which lets us track malware distribution statistics promptly, gave us interesting geographic statistics on the distribution of the malware used by the attackers in this campaign.

Fig. 3. Geographic distribution statistics of the malware used in this campaign.

Malware installation

After the user opens the malicious document with the exploit on a vulnerable system, a special loader packed with NSIS is downloaded and executed there. At the start of its work, the program checks the Windows environment for the presence of debuggers or for execution inside a virtual machine. It also checks the Windows locale and whether the user has visited the URLs listed in the table below in the browser. The FindFirst/NextUrlCacheEntry APIs and the Software\Microsoft\Internet Explorer\TypedURLs registry key are used for this.

(Table of URLs checked by the loader; reproduced only as an image in the original.)

The loader checks for the presence of the following applications on the system.

(List of applications checked by the loader; reproduced only as an image in the original.)

The list of processes is really impressive and, as you can see, includes more than just banking applications. For example, the executable named "scardsvr.exe" refers to software for working with smart cards (Microsoft SmartCard reader). The banking Trojan itself also includes the ability to work with smart cards.

Fig. 4. General diagram of the malware installation process.

If all checks complete successfully, the loader downloads from the remote server a special file (an archive) containing all the malicious executable modules used by the attackers. It is interesting to note that, depending on the results of the checks above, the archives downloaded from the remote C&C server may differ. The archive may or may not be malicious. If it is not malicious, it installs the Windows Live Toolbar for the user. Most likely, the attackers resorted to such tricks to deceive automated file analysis systems and the virtual machines in which suspicious files are executed.

The file downloaded by the NSIS loader is a 7z archive containing the various malware modules. The image below shows the entire installation process of this malware and its various modules.

Fig. 5. General scheme of how the malware works.

Although the loaded modules serve different purposes for the attackers, they are packed identically and many of them are signed with valid digital certificates. We found such certificates in use by the attackers from the beginning of the campaign. Following our complaint, these certificates were revoked. It is interesting to note that all of the certificates were issued to companies registered in Moscow.

Fig. 6. Digital certificate used to sign the malware.

The following table shows the digital certificates used by the attackers in this campaign.

(Table of digital certificates used in the campaign; reproduced only as an image in the original.)

Almost all of the malicious modules used by the attackers have the same installation procedure. They are self-extracting, password-protected 7zip archives.

Fig. 7. Fragment of the install.cmd batch file.

The .cmd batch file is responsible for installing the malware on the system and launching the attackers' various tools. If execution requires administrator rights that are not present, the malicious code uses several methods to obtain them (UAC bypass). The first method uses two executables called l1.exe and cc1.exe, which specialize in bypassing UAC using the leaked Carberp source code. The other method is based on exploiting the CVE-2013-3660 vulnerability. Each malware module that requires privilege escalation contains both a 32-bit and a 64-bit version of the exploit.

While tracking this campaign, we analyzed several archives downloaded by the loader. The contents of the archives varied, which means the attackers can tailor the malicious modules for different purposes.

User compromise

As mentioned above, the attackers use special tools to compromise users' computers. These tools include programs with the executable file names mi.exe and xtm.exe. They help the attackers take control of the victim's computer and specialize in the following tasks: obtaining/recovering Windows account passwords, enabling the RDP service, and creating a new account in the OS.

The mimi.exe executable contains a modified version of the well-known open source tool Mimikatz. This tool allows passwords of Windows user accounts to be obtained. The attackers removed the part of Mimikatz responsible for user interaction. The executable code was also modified so that, when launched, Mimikatz runs with the privilege::debug and sekurlsa:logonPasswords commands.

Another executable, xtm.exe, launches special scripts that enable the RDP service on the system, try to create a new account in the OS, and change system settings to allow several users to connect simultaneously to the compromised computer via RDP. Obviously, these steps are needed to gain full control of the compromised system.

Fig. 8. Commands executed by xtm.exe on the system.

The attackers use another executable called impack.exe, which is used to install special software on the system. This software is called LiteManager and is used by the attackers as a backdoor.

Fig. 9. LiteManager interface.

Once installed on the user's system, LiteManager allows the attackers to connect directly to that system and control it remotely. This software has special command-line parameters for its hidden installation, for creating special firewall rules, and for launching its module. All of these parameters are used by the attackers.

The last module of the malware package used by the attackers is the banking malware (banker), with the executable file name pn_pack.exe. It specializes in spying on the user and is responsible for interacting with the C&C server. The banker is launched using the legitimate Yandex Punto software. Punto is used by the attackers to launch malicious DLL libraries (the DLL side-loading technique). The malware itself can perform the following functions:

  • track keystrokes and clipboard contents for transmission to the remote server;
  • enumerate all smart cards present on the system;
  • interact with the remote C&C server.

The malware module responsible for performing all of these tasks is an encrypted DLL library. It is decrypted and loaded into memory while Punto is running. To perform the tasks above, the DLL's executable code starts three threads.

The fact that the attackers chose the Punto software for their purposes is not surprising: some Russian forums openly provide detailed information on topics such as using flaws in legitimate software to compromise users.

The malicious library uses the RC4 algorithm to encrypt its strings, as well as for its network communication with the C&C server. It contacts the server every two minutes and transmits all the data collected on the compromised system during that time.

Fig. 10. Fragment of network interaction between the bot and the server.

Below are some of the C&C server commands that the library can receive.

(List of C&C commands; reproduced only as an image in the original.)

In response to commands received from the C&C server, the malware replies with a status code. It is interesting to note that all of the banker modules we analyzed (the most recent with a compilation date of January 18) contain the string "TEST_BOTNET", which is sent in every message to the C&C server.
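To show how an analyst can exploit the two traits described above (RC4-protected C&C traffic and the constant "TEST_BOTNET" marker) for detection, here is an added example that is not ESET's code or the malware's: a plain RC4 implementation and a check that decrypts a captured payload with a candidate key and looks for the marker. The key and the message bytes are constructed for the demonstration; the real campaign's key is not given in the article.

```python
# Added example (not from the original article): RC4 decryption of a
# bot-to-C&C message and a check for the TEST_BOTNET marker.

def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the 256-byte permutation S."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Marker string found in every analysed banker module (from the article).
BOTNET_MARKER = b"TEST_BOTNET"


def looks_like_bot_beacon(key: bytes, payload: bytes) -> bool:
    """Decrypt a captured payload with a candidate key and test for the marker."""
    return BOTNET_MARKER in rc4_crypt(key, payload)


# Constructed sample: a hypothetical key and a plaintext in the spirit of the
# report (bot id plus marker). Neither value comes from the real samples.
DEMO_KEY = b"demo-key"
DEMO_PLAINTEXT = b"id=0001;TEST_BOTNET;kl=abc"
DEMO_PAYLOAD = rc4_crypt(DEMO_KEY, DEMO_PLAINTEXT)

if __name__ == "__main__":
    print(looks_like_bot_beacon(DEMO_KEY, DEMO_PAYLOAD))   # True
    print(looks_like_bot_beacon(b"wrong", DEMO_PAYLOAD))   # False
```

With a key recovered from a sample, the same check can be run over captured traffic to confirm which sessions belong to this bot.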

Conclusion

To compromise corporate users, the attackers first compromise a single company employee by sending a phishing message with an exploit. Then, once the malware is installed on the system, they use software tools that help them significantly extend their privileges on the system and perform additional tasks on it: compromising other computers on the corporate network and spying on the user, as well as on the banking operations he performs.


Source: www.habr.com
