Eminyakeni yamuva nje, ama-Trojan eselula abelokhu ematasa esikhundleni se-Trojan kumakhompyutha womuntu siqu, ngakho ukuvela kwe-malware entsha "yezimoto" ezindala ezinhle kanye nokusetshenziswa kwazo okusebenzayo yizigebengu ze-inthanethi, nakuba kungajabulisi, kusewumcimbi. Muva nje, isikhungo sokuphendula isigameko sokuvikeleka kolwazi se-CERT Group-IB sika-24/7 sithole i-imeyili yobugebengu bokweba imininingwane ebucayi ebifihle uhlelo olungayilungele ikhompuyutha olusha oluhlanganisa imisebenzi ye-Keylogger kanye ne-PasswordStealer. Ukunaka kwabahlaziyi kuye kwadonselwa ekutheni i-spyware ingene kanjani emshinini womsebenzisi - kusetshenziswa isigijimi sezwi esidumile. Ilya Pomerantsev, uchwepheshe wokuhlaziya uhlelo olungayilungele ikhompuyutha kwa-CERT Group-IB, uchaze ukuthi uhlelo olungayilungele ikhompuyutha lusebenza kanjani, kungani luyingozi, futhi lwaze lwathola nomdali walo e-Iraq ekude.
Ngakho-ke, masihambe ngokulandelana. Ngaphansi kwesithunzi sokunamathiselwe, uhlamvu olunjalo lwalunesithombe, lapho uchofoza lapho umsebenzisi ayiswe kusayithi. cdn.discordapp.com, futhi ifayela eliyingozi lalandwa lisuka lapho.
Ukusebenzisa i-Discord, izwi lamahhala nesigijimi sombhalo, akuvamile neze. Ngokuvamile, ezinye izithunywa ezisheshayo noma amanethiwekhi omphakathi asetshenziselwa lezi zinhloso.
Ngesikhathi sokuhlaziya okuningiliziwe, umndeni wohlelo olungayilungele ikhonjwe. Kuvele kwaba umusha emakethe ye-malware - 404 Keylogger.
Isikhangiso sokuqala sokuthengiswa kwe-keylogger sithunyelwe hackforums ngomsebenzisi ngaphansi kwesidlaliso esithi “404 Coder” ngo-Agasti 8.
Isizinda sesitolo sibhaliswe kamuva nje - ngoSepthemba 7, 2019.
Njengoba abathuthukisi besho kuwebhusayithi 404amaphrojekthi[.]xyz, 404 iyithuluzi eliklanyelwe ukusiza izinkampani zifunde mayelana nemisebenzi yamakhasimende azo (ngemvume) noma lalabo abafuna ukuvikela kanambambili yabo kubunjiniyela obuhlehlayo. Uma sibheka phambili, ake sikusho lokho ngomsebenzi wokugcina 404 nakanjani akuhambisani.
Sinqume ukuhlehlisa elinye lamafayela futhi sihlole ukuthi liyini i-“BEST SMART KEYLOGGER”.
Uhlelo olungayilungele ikhompuyutha
Isilayishi 1 (AtillaCrypter)
Ifayela elingumthombo livikelwe ngokusebenzisa I-EaxObfuscator futhi yenza ukulayisha okuzinyathelo ezimbili I-AtProtect kusukela esigabeni sezinsiza. Phakathi nokuhlaziywa kwamanye amasampula atholakala ku-VirusTotal, kwacaca ukuthi lesi sigaba asizange sinikezwe umthuthukisi ngokwakhe, kodwa sengezwe iklayenti lakhe. Kamuva kwatholakala ukuthi le bootloader kwakuyi-AtillaCrypter.
I-Bootloader 2 (AtProtect)
Eqinisweni, lesi silayishi siyingxenye ebalulekile yohlelo olungayilungele ikhompuyutha futhi, ngokwenhloso yonjiniyela, kufanele sithathe umsebenzi wokuhlaziya ukubala.
Kodwa-ke, empeleni, izindlela zokuvikela zindala kakhulu, futhi amasistimu ethu athola ngempumelelo lolu hlelo olungayilungele ikhompuyutha.
Imojula eyinhloko ilayishwa kusetshenziswa I-Franchy ShellCode izinguqulo ezahlukene. Kodwa-ke, asikushiyi ngaphandle ukuthi ezinye izinketho bezingasetshenziswa, isibonelo, RunPE.
Ifayela lokucushwa
Ukuhlanganiswa ohlelweni
Ukuhlanganiswa ohlelweni kuqinisekiswa yi-bootloader I-AtProtect, uma ifulegi elihambisanayo lisethiwe.
- Ifayela likopishwe endleleni %AppData%GFqaakZpzwm.exe.
- Ifayela liyadalwa %AppData%GFqaakWinDriv.url, ukwethula Zpzwm.exe.
- Emculweni HKCUSoftwareMicrosoftWindowsCurrentVersionRun ukhiye wokuqalisa uyadalwa WinDriv.url.
Ukusebenzisana ne-C&C
Loader AtProtect
Uma ifulegi elifanele likhona, uhlelo olungayilungele ikhompuyutha lungaqalisa inqubo efihliwe umabhebhana bese ulandela isixhumanisi esishiwo ukuze wazise iseva mayelana nokutheleleka okuyimpumelelo.
I-DataStealer
Kungakhathalekile ukuthi iyiphi indlela esetshenzisiwe, ukuxhumana kwenethiwekhi kuqala ngokuthola i-IP yangaphandle yesisulu kusetshenziswa insiza [http]://checkip[.]dyndns[.]org/.
Umenzeli Womsebenzisi: Mozilla/4.0 (iyahambisana; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Isakhiwo esijwayelekile somlayezo siyefana. Unhlokweni okhona
|——- 404 Keylogger — {Uhlobo} ——-|kuphi {uhlobo} ihambisana nohlobo lolwazi oludluliswayo.
Okulandelayo ulwazi mayelana nesistimu:
_______ + ULWAZI LWE-VICTIM + _______
I-IP: {I-IP yangaphandle}
Igama Lomnikazi: {Igama lekhompyutha}
Igama le-OS: {OS Name}
Inguqulo ye-OS: {OS Version}
I-OS PlatForm: {Platform}
Usayizi we-RAM: {usayizi we-RAM}
______________________________
Futhi ekugcineni, idatha ngocansi.
SMTP
Isihloko sencwadi simi kanje: 404K | {Uhlobo Lomlayezo} | Igama Leklayenti: {Igama lomsebenzisi}.
Ngokuthakazelisayo, ukuletha izincwadi kuklayenti 404 Keylogger Kusetshenziswa iseva ye-SMTP yonjiniyela.
Lokhu kwenze kwaba nokwenzeka ukuhlonza amaklayenti athile, kanye ne-imeyili yomunye wonjiniyela.
FTP
Uma usebenzisa le ndlela, ulwazi oluqoqiwe lugcinwa efayeleni futhi ngokushesha lufundwe kusukela lapho.
Umqondo walesi senzo awucacile ngokuphelele, kodwa udala i-artifact eyengeziwe yokubhala imithetho yokuziphatha.
%HOMEDRIVE%%HOMEPATH%DocumentsA{Inombolo engafanele}.txt
Pastebin
Ngesikhathi sokuhlaziya, le ndlela isetshenziswa kuphela ukudlulisa amaphasiwedi antshontshiwe. Ngaphezu kwalokho, ayisetshenziswanga njengenye indlela yezimbili zokuqala, kodwa ngokuhambisana. Isimo siyinani lenani elilinganayo nelithi “Vavaa”. Cishe leli igama leklayenti.
Ukusebenzisana kwenzeka ngephrothokholi ye-https nge-API i-pastebin. Incazelo api_paste_okuyimfihlo ngokulinganayo PASTE_UNLISTED, evimbela ukusesha amakhasi anjalo ku i-pastebin.
Ama-algorithms wokubethela
Ithola ifayela ezinsizeni
Umthwalo okhokhelwayo ugcinwa kuzinsiza ze-bootloader I-AtProtect ngesimo sezithombe ze-Bitmap. Ukukhipha kwenziwa ngezigaba eziningana:
- Uhlu lwamabhayithi lukhishwa esithombeni. Iphikseli ngalinye lithathwa njengokulandelana kwamabhayithi angu-3 nge-oda le-BGR. Ngemva kokukhipha, amabhayithi okuqala angu-4 ochungechunge agcina ubude bomlayezo, abalandelayo bagcina umlayezo ngokwawo.
- Ukhiye ubalwa. Ukwenza lokhu, i-MD5 ibalwa ukusuka kunani elithi “ZpzwmjMJyfTNiRalKVrcSkxCN” elicaciswe njengephasiwedi. I-hashi ewumphumela ibhalwa kabili.
- Ukususa ukubethela kwenziwa kusetshenziswa i-algorithm ye-AES kumodi ye-ECB.
Ukusebenza okunonya
Umlandi
Yenziwe ku-bootloader I-AtProtect.
- Ngokuxhumana [activelink-repalce] Isimo seseva siyacelwa ukuze kuqinisekiswe ukuthi isilungele ukunikezela ngefayela. Iseva kufanele ibuye “VULE”.
- Xhumanisa [landa isixhumanisi-faka esikhundleni] Umthwalo okhokhelwayo ulandiwe.
- Ngosizo luka FranchyShellcode umthwalo okhokhelwayo ujovwa ohlelweni [faka esikhundleni].
Ngesikhathi sokuhlaziywa kwesizinda 404amaphrojekthi[.]xyz izimo ezengeziwe zikhonjwe ku-VirusTotal 404 Keylogger, kanye nezinhlobo eziningana zama-loaders.
Ngokuvamile, zihlukaniswe izinhlobo ezimbili:
- Ukulanda kwenziwa kusuka kusisetshenziswa 404amaphrojekthi[.]xyz.
Idatha ibhalwe ngekhodi ye-Base64 futhi i-AES ibethelwe. - Lolu khetho luqukethe izigaba ezimbalwa futhi cishe lusetshenziswa ngokuhambisana ne-bootloader I-AtProtect.
- Esigabeni sokuqala, idatha ilayishwa isuka i-pastebin futhi iqoshwe kusetshenziswa umsebenzi I-HexToByte.
- Esigabeni sesibili, umthombo wokulayisha yi- 404amaphrojekthi[.]xyz. Kodwa-ke, imisebenzi ye-decompression kanye ne-decoding ifana naleyo etholakala ku-DataStealer. Cishe kwakuhlelwe kwasekuqaleni ukusebenzisa ukusebenza kwe-bootloader kumojula eyinhloko.
- Kulesi sigaba, inkokhelo isivele iku-manifest yensiza ngendlela ecindezelwe. Imisebenzi efanayo yokukhipha iphinde yatholakala kumojula eyinhloko.
Abalandi batholakale phakathi kwamafayela ahlaziyiwe njRat, I-SpyGate kanye namanye ama-RAT.
I-Keylogger
Isikhathi sokuthumela ilogu: imizuzu engama-30.
Zonke izinhlamvu zisekelwa. Izinhlamvu ezikhethekile ziphunyukile. Kukhona ukucutshungulwa kokhiye be-BackSpace kanye no-Delete. Iyazwela kofeleba.
I-ClipboardLogger
Isikhathi sokuthumela ilogu: imizuzu engama-30.
Isikhathi sokuvota sebhafa: 0,1 amasekhondi.
Kweqa isixhumanisi.
I-ScreenLogger
Isikhathi sokuthumela ilogu: imizuzu engama-60.
Izithombe-skrini zilondolozwe %HOMEDRIVE%%HOMEPATH%Amadokhumenti404k404pic.png.
Ngemva kokuthumela ifolda 404k iyasuswa.
I-PasswordStealer
| Iziphequluli | Amaklayenti wemeyili | FTP amaklayenti |
|---|---|---|
| Chrome | Outlook | FileZilla |
| Firefox | Thunderbird | |
| SeaMonkey | Foxmail | |
| I-IceDragon | ||
| PaleMoon | ||
| I-Cyberfox | ||
| Chrome | ||
| I-BraveBrowser | ||
| Isiphequluli se-QQ | ||
| I-IridiumBrowser | ||
| XvastBrowser | ||
| I-Chedot | ||
| 360Isiphequluli | ||
| I-ComodoDragon | ||
| 360Chrome | ||
| I-SuperBird | ||
| CentBrowser | ||
| GhostBrowser | ||
| I-IronBrowser | ||
| Chromium | ||
| Vivaldi | ||
| SlimjetBrowser | ||
| I-Orbitum | ||
| I-CocCoc | ||
| Isibani | ||
| UCBrowser | ||
| Isiphequluli se-Epic | ||
| BliskBrowser | ||
| Opera |
Ukuphikisana nokuhlaziya okuguquguqukayo
- Ihlola ukuthi ngabe inqubo ingaphansi kokuhlaziywa
Kwenziwa kusetshenziswa inqubo yosesho umsebenzi, I-ProcessHacker, procexp64, procexp, procmon. Uma okungenani kutholwa eyodwa, uhlelo olungayilungele ikhompuyutha luyaphuma.
- Ihlola ukuthi usendaweni ebonakalayo yini
Kwenziwa kusetshenziswa inqubo yosesho vmtoolsd, VGAuthService, vmacthlp, I-VBoxService, I-VBoxTray. Uma okungenani kutholwa eyodwa, uhlelo olungayilungele ikhompuyutha luyaphuma.
- Ukulala imizuzwana emi-5
- Ukuboniswa kwezinhlobo ezahlukene zamabhokisi ezingxoxo
Ingasetshenziswa ukudlula amanye amabhokisi esihlabathi.
- Dlula i-UAC
Kwenziwe ngokuhlela ukhiye wokubhalisa EnableLUA kuzilungiselelo Zenqubomgomo Yeqembu.
- Isebenzisa isibaluli "Esifihliwe" kufayela lamanje.
- Ikhono lokususa ifayela lamanje.
Izici Ezingasebenzi
Ngesikhathi sokuhlaziywa kwe-bootloader kanye nemodyuli eyinhloko, imisebenzi yatholwa enesibopho sokusebenza okwengeziwe, kodwa ayisetshenziswa noma kuphi. Lokhu mhlawumbe kungenxa yokuthi uhlelo olungayilungele ikhompuyutha lusathuthukiswa futhi ukusebenza kuzonwetshwa maduze.
Loader AtProtect
Kutholwe umsebenzi onesibopho sokulayisha nokujova enqubweni msiexec.exe imodyuli engafanele.
I-DataStealer
- Ukuhlanganiswa ohlelweni
- I-Decompression kanye ne-decryption imisebenzi
Kungenzeka ukuthi ukubethela kwedatha ngesikhathi sokuxhumana kwenethiwekhi kuzoqaliswa maduze. - Inqamula izinqubo ze-antivirus
| zlclient | Dvp95_0 | I-Pavsched | avgserv9 |
| ethi | Injini | Pavw | i-avgserv9schedapp |
| i-bdagent | Ephephile | I-PCCIOMON | avgemc |
| npfmsg | I-Espwatch | PCCMAIN | ashwebsv |
| olydbg | F-Agnt95 | Pccwin98 | umlotha |
| i-anubis | Tholavir | I-Pcfwallicon | i-ashmaisv |
| i-wireshark | I-Fprot | Persfw | i-ashserv |
| avastui | I-F-Prot | I-POP3TRAP | i-aswUpdSv |
| _Avp32 | I-F-Prot95 | I-PVIEW95 | symwsc |
| vsmon | Fp-Win | I-Rav7 | Norton |
| mbam | Frw | Rav7win | I-Norton Auto-Protect |
| keyscrambler | F-Stopw | Rescue | norton_av |
| _Avpcc | Iamapp | I-Safeweb | i-nortonav |
| _Avpm | Iamserv | Skena32 | ccsetmgr |
| Ackwin32 | Ibmann | Skena95 | ccvtmgr |
| Ingaphandle | Ibmavsp | Scanpm | avadmin |
| I-Anti-Trojan | I-Icload95 | Skena | i-avcenter |
| ISITHOMBE | I-Icloadnt | I-Serv95 | maphakathi |
| I-Apvxdwin | I-Icmon | Smc | i-avguard |
| I-ATRACK | I-Icsup95 | I-SMCSERVICE | avnotify |
| Yehla ngokuzenzakalelayo | Icsupnt | Snort | avscan |
| I-Avconsol | Iface | sphinx | unogada |
| Ave32 | I-Iomon98 | Shanela95 | nxa 32kr |
| Avgctrl | Jedi | I-SYMPROXYSVC | nxa32ku |
| Avkserv | I-Lockdown2000 | Tbscan | i-clamscan |
| Avnt | Qapha | I-Tca | i-clamTray |
| Avp | Luall | Tds2-98 | i-clamWin |
| Avp32 | I-MCAFEE | Tds2-Nt | i-freshclam |
| Avpcc | I-Moolive | I-TermiNET | oladin |
| Avpdos32 | MPftray | Vet95 | ithuluzi |
| Avpm | I-N32 scan | I-Vettray | w9xpopen |
| Avptc32 | I-NAVAPSVC | I-Vscan40 | Vala |
| I-Avpupd | I-NAVAPW32 | I-Vsecomr | cmgrdian |
| Avsched32 | NAVLU32 | Vshwin32 | alogserv |
| I-AVSYNMGR | Navnt | I-Vsstat | mcshield |
| Avwin95 | NAVRUNR | Webscanx | vshwin32 |
| Avwupd32 | Navw32 | WEBTRAP | i-avconsol |
| Umnyama | Navwnt | I-Wfindv32 | vsstat |
| Umnyama | I-NeoWatch | I-Zonealarm | avsynmgr |
| Cfiadmin | I-NISERV | LOCKDOWN2000 | avcmd |
| I-Cfiaudit | Nisum | I-RECUE32 | avconfig |
| I-Cfinet | Nmain | LUCOMSERVER | limgr |
| I-Cfinet32 | I-Normist | avgcc | okuhleliwe |
| Claw95 | E-NORTON | avgcc | preupd |
| Claw95cf | Thuthukisa | i-avgamsvr | MsMpEng |
| Cleaner | Nvc95 | avgupsvc | MSACui |
| Ukuhlanza3 | Ingaphandle | avgw | I-Avira.Systray |
| I-Defwatch | I-Padmin | avgcc32 | |
| I-Dvp95 | I-Pavcl | avgserv |
- Ukuzibhubhisa
- Ilayisha idatha kusuka ku-manifest yensiza eshiwo
- Ikopisha ifayela endleleni %Temp%tmpG[Idethi yamanje nesikhathi ngama-millisecond].tmp
Kuyathakazelisa ukuthi umsebenzi ofanayo ukhona kuhlelo olungayilungele ikhompuyutha lwe-AgentTesla. - Ukusebenza kwezikelemu
Uhlelo olungayilungele ikhompuyutha luthola uhlu lwemidiya ekhiphekayo. Ikhophi yohlelo olungayilungele ikhompuyutha idaliwe empandeni yesistimu yefayela lemidiya enegama Sys.exe. I-Autorun isetshenziswa kusetshenziswa ifayela kumusic.inf.
Iphrofayela yomhlaseli
Ngesikhathi sokuhlaziywa kwesikhungo somyalo, kube nokwenzeka ukusungula i-imeyili nesidlaliso sonjiniyela - Razer, aka Brwa, Brwa65, HiDDen PerSON, 404 Coder. Okulandelayo, sithole ividiyo ethokozisayo ku-YouTube ebonisa ukusebenza nomakhi.
Lokhu kwenze kwaba nokwenzeka ukuthola isiteshi sikanjiniyela sokuqala.
Kwaba sobala ukuthi wayenolwazi lokubhala ama-cryptographer. Kukhona futhi izixhumanisi zamakhasi ezinkundleni zokuxhumana, kanye negama langempela lombhali. Kwavela ukuthi uyisakhamuzi sase-Iraq.
Yile ndlela umthuthukisi we-404 Keylogger okuthiwa ubukeka ngayo. Isithombe esivela kuphrofayela yakhe siqu ye-Facebook.
I-CERT Group-IB isimemezele usongo olusha - i-404 Keylogger - isikhungo sokuqapha nokuphendula samahora angama-XNUMX ngezinsongo ze-cyber (SOC) e-Bahrain.
Source: www.habr.com