Muddy water: how hackers from MuddyWater attacked a Turkish military electronics manufacturer

Iranian pro-government hackers are in serious trouble. Throughout the spring, unknown persons published "secret leaks" on Telegram: information about the Iranian government-linked APT groups OilRig and MuddyWater, their tools, victims and connections. But not about everyone. In April, Group-IB specialists discovered a leak of email addresses belonging to the Turkish corporation ASELSAN A.Ş, which manufactures tactical military radios and electronic defense systems for the Turkish armed forces. Anastasia Tikhonova, Head of Advanced Threat Research at Group-IB, and Nikita Rostovtsev, junior analyst at Group-IB, describe the course of the attack on ASELSAN A.Ş and identify a possible member of MuddyWater.

Exposed through Telegram

The leaks about Iranian APT groups began when a certain Lab Dookhtegan made public the source code of six APT34 tools (aka OilRig and HelixKitten), disclosed the IP addresses and domains involved in their operations, and published data on 66 of the hackers' victims, including Etihad Airways and Emirates National Oil. Lab Dookhtegan also leaked details about the group's past operations and information about employees of the Iranian Ministry of Intelligence and National Security allegedly linked to the group's activity. OilRig is an Iran-linked APT group that has existed since about 2014 and has targeted government, financial and military organizations, as well as energy and telecommunications companies, in the Middle East and China.

After the OilRig disclosure the leaks continued: information about the activity of another pro-Iranian-state group, MuddyWater, appeared on the darknet and on Telegram. Unlike the first leak, however, this time it was not source code that was published but dumps, including screenshots of source code, control servers, and IP addresses of the hackers' past victims. This time the Green Leakers hackers took responsibility for the MuddyWater leak. They own several Telegram channels and darknet sites where they advertise and sell data related to MuddyWater operations.

Cyber spies from the Middle East

MuddyWater is a group that has been operating in the Middle East since 2017. For example, as Group-IB experts note, from February to April 2019 the attackers carried out a series of phishing mailings aimed at government and educational organizations and at financial, telecommunications and defense companies in Turkey, Iran, Afghanistan, Iraq and Azerbaijan.

Group members use a backdoor of their own development based on PowerShell, called POWERSTATS. It can:

  • collect data about local and domain accounts, available file servers, internal and external IP addresses, and the OS name and architecture;
  • execute code remotely;
  • upload and download files via the C&C;
  • detect the presence of debugging programs used in the analysis of malicious files;
  • shut down the system if malware analysis programs are found;
  • delete files from local drives;
  • take screenshots;
  • disable security measures in Microsoft Office products.

At some point the attackers made a mistake, and researchers from ReaQta were able to obtain the final IP address, which was located in Tehran. Given the targets attacked by the group and its cyber-espionage-related objectives, experts suggested that the group represents the interests of the Iranian government.

Attack indicators

C&C:

  • gladiyator[.]tk
  • 94.23.148[.]194
  • 192.95.21[.]28
  • 46.105.84[.]146
  • 185.162.235[.]182

Files:

  • 09aabd2613d339d90ddbd4b7c09195a9
  • cfa845995b851aacdf40b8e6a5b87ba7
  • a61b268e9bc9b7e6c9125cdbfb1c422a
  • f12bab5541a7d8ef4bbca81f6fc835a3
  • a066f5b93f4ac85e9adfe5ff3b10bc28
  • 8a004e93d7ee3b26d94156768bc0839d
  • 0638adf8fb4095d60fbef190a759aa9e
  • eed599981c097944fa143e7d7f7e17b1
  • 21aebece73549b3c4355a6060df410e9
  • 5c6148619abb10bb3789dcfb32f759a6
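The indicator list above is published in defanged notation (`[.]` instead of `.`), so it cannot be grepped against logs as-is. The following script, an added example that is not part of the Group-IB article, refangs the published C&C and file indicators and scans log lines for them. The log lines are constructed samples, not real telemetry, and the field names in them (`query=`, `dst=`, `md5=`) are assumptions.

```python
"""Match the article's published MuddyWater indicators against log lines.

Added example, not from the Group-IB article. The indicator lists are the
ones published in the article; the log lines are constructed samples.
"""
import re

# C&C indicators as published, in defanged notation.
C2_INDICATORS = [
    "gladiyator[.]tk",
    "94.23.148[.]194",
    "192.95.21[.]28",
    "46.105.84[.]146",
    "185.162.235[.]182",
]

# MD5 file indicators as published.
FILE_MD5S = [
    "09aabd2613d339d90ddbd4b7c09195a9",
    "cfa845995b851aacdf40b8e6a5b87ba7",
    "a61b268e9bc9b7e6c9125cdbfb1c422a",
    "f12bab5541a7d8ef4bbca81f6fc835a3",
    "a066f5b93f4ac85e9adfe5ff3b10bc28",
    "8a004e93d7ee3b26d94156768bc0839d",
    "0638adf8fb4095d60fbef190a759aa9e",
    "eed599981c097944fa143e7d7f7e17b1",
    "21aebece73549b3c4355a6060df410e9",
    "5c6148619abb10bb3789dcfb32f759a6",
]

# Hostnames or dotted IPv4 addresses, and 32-hex-character MD5 digests.
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


def refang(ioc: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_matchers(c2, md5s):
    """Normalise both indicator lists into lowercase lookup sets."""
    network = {refang(i).lower() for i in c2}
    hashes = {h.lower() for h in md5s}
    return network, hashes


def scan_line(line, network, hashes):
    """Return (kind, value) pairs for every indicator found in one log line."""
    hits = []
    for token in HOST_RE.findall(line):
        if token.lower() in network:
            hits.append(("network", token))
    for token in MD5_RE.findall(line):
        if token.lower() in hashes:
            hits.append(("hash", token))
    return hits


def scan_log(lines, c2=C2_INDICATORS, md5s=FILE_MD5S):
    """Scan log lines and return (line_number, kind, value) for each hit."""
    network, hashes = build_matchers(c2, md5s)
    results = []
    for number, line in enumerate(lines, start=1):
        for kind, value in scan_line(line, network, hashes):
            results.append((number, kind, value))
    return results


# Constructed sample log lines (DNS, proxy and EDR style); not real data.
SAMPLE_LOG = [
    "2019-04-10T09:12:31Z dns client=10.0.5.17 query=gladiyator.tk type=A",
    "2019-04-10T09:12:32Z proxy client=10.0.5.17 dst=94.23.148.194:443 method=POST",
    "2019-04-10T09:13:05Z edr host=WS-0042 file=decoy.doc md5=0638ADF8FB4095D60FBEF190A759AA9E",
    "2019-04-10T09:14:00Z proxy client=10.0.5.18 dst=www.example.com:443 method=GET",
]

if __name__ == "__main__":
    for number, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {number}: {kind} indicator {value}")
```

Hashes are compared case-insensitively because EDR products differ in the case they emit, and hostnames are matched as whole tokens so that a lookalike such as `notgladiyator.tk` does not match.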

Turkey under attack

On April 10, 2019, Group-IB specialists discovered a leak of email addresses of the Turkish company ASELSAN A.Ş, the largest company in the Turkish military electronics sector. Its products include radar and electronics, electro-optics, avionics, unmanned systems, and land, naval, weapon and air defense systems.

While studying one of the new samples of the POWERSTATS malware, Group-IB specialists determined that the MuddyWater attackers used as a decoy document a license agreement between Koç Savunma, a company producing solutions in the field of information and defense technologies, and Tubitak Bilgem, a research center for information security and advanced technologies. The contact person for Koç Savunma was Tahir Taner Tımış, who held the position of Programs Manager at Koç Bilgi ve Savunma Teknolojileri A.Ş. from September 2013 to December 2018. He later went to work at ASELSAN A.Ş.

Sample decoy document

After the user enables the malicious macros, the POWERSTATS backdoor is downloaded to the victim's computer.

Thanks to the metadata of this decoy document (MD5: 0638adf8fb4095d60fbef190a759aa9e), the researchers were able to find three more samples containing identical values, including the creation date and time, the username, and the list of contained macros:

  • ListOfHackedEmails.doc (eed599981c097944fa143e7d7f7e17b1)
  • asd.doc (21aebece73549b3c4355a6060df410e9)
  • F35-Specifications.doc (5c6148619abb10bb3789dcfb32f759a6)

Screenshot of the identical metadata of the various decoy documents

One of the documents found, named ListOfHackedEmails.doc, contains a list of 34 email addresses in the @aselsan.com.tr domain.

Group-IB specialists checked the email addresses against publicly available leaks and found that 28 of them had been compromised in previously discovered leaks. A check of the available mix of leaks showed about 400 unique logins associated with this domain, together with their passwords. It is possible that the attackers used this publicly available data to attack ASELSAN A.Ş.

Screenshot of the ListOfHackedEmails.doc document

Screenshot of the list of more than 450 login and password pairs found in public leaks

Among the samples found there was also a document titled F35-Specifications.doc, referring to the F-35 fighter. The decoy document is a specification of the F-35 multirole fighter-bomber, showing the characteristics and price of the aircraft. The topic of this decoy document relates directly to the US refusal to supply the F-35 after Turkey's purchase of S-400 systems, and to the threat of information about the F-35 Lightning II being transferred to Russia.

All the information obtained indicates that the main targets of MuddyWater's cyberattacks were organizations located in Turkey.

Who are Gladiyator_CRK and Nima Nikjoo?

Earlier, in March 2019, malicious documents were discovered that had been created by a single Windows user under the nickname Gladiyator_CRK. These documents also distributed the POWERSTATS backdoor and connected to a C&C server with a similar name, gladiyator[.]tk.

This may have been done after the user Nima Nikjoo posted on Twitter on March 14, 2019, attempting to deobfuscate code associated with MuddyWater. In the comments to this tweet the researcher said he could not share indicators of compromise for this malware, as the information was confidential. Unfortunately the post has since been deleted, but traces of it remain online.

Nima Nikjoo is the owner of the Gladiyator_CRK profile on the Iranian video hosting sites dideo.ir and videoi.ir. On these sites he demonstrates PoC exploits for disabling antivirus tools from various vendors and for bypassing sandboxes. Nima Nikjoo writes about himself that he is a network security specialist, as well as a reverse engineer and malware analyst working for MTN Irancell, an Iranian telecommunications company.

Screenshot of the saved videos in Google search results

Later, on March 19, 2019, the Twitter user Nima Nikjoo changed his nickname to Malware Fighter and also deleted the related posts and comments. The Gladiyator_CRK profile on the video hosting site dideo.ir was also deleted, as was the one on YouTube, and the profile itself was renamed N Tabrizi. However, almost a month later (on April 16, 2019), the Twitter account began using the name Nima Nikjoo again.

During the investigation, Group-IB specialists found that Nima Nikjoo had already been mentioned in connection with cybercriminal activity. In August 2014, the Iranian blog Khabarestan published information about individuals linked to the Iranian cybercriminal group Nasr Institute. A FireEye investigation revealed that the Nasr Institute is a contractor for APT33 and was involved in DDoS attacks on American banks between 2011 and 2013 as part of a campaign called Operation Ababil.

The same blog mentions a Nima Nikju-Nikjoo who developed malware to spy on Iranians, along with his email address: gladiyator_cracker@yahoo[.]com.

Screenshot of the data on cybercriminals from the Iranian Nasr Institute

Translation of the highlighted text: Nima Nikio - Spyware engineer - Email:.

As can be seen from this information, the email address links the address used in the attacks with the users Gladiyator_CRK and Nima Nikjoo.

In addition, an article dated June 15, 2017 stated that Nikjoo had been somewhat careless in listing references to the Kavosh Security Center in his résumé. There is an opinion that the Kavosh Security Center is backed by the Iranian state in order to fund pro-government hackers.

Information about the company Nima Nikjoo works for

The LinkedIn profile of the Twitter user Nima Nikjoo lists his first place of employment as the Kavosh Security Center, where he worked from 2006 to 2014. During that time he studied various malware and also did work related to reversing and obfuscation.

Information on LinkedIn about the company Nima Nikjoo works for


MuddyWater and high self-confidence

Interestingly, the MuddyWater group carefully monitors all reports and messages that information security experts publish about it, and has even deliberately planted false flags from the start to throw researchers off the scent. For example, their first attack misled experts through the detected use of DNS Messenger, which was typically associated with the FIN7 group. In other attacks they inserted Chinese strings into the code.

In addition, the group likes to leave messages for researchers. For example, they did not like that Kaspersky Lab placed MuddyWater in 3rd place in its annual threat ranking. At the same time, someone, presumably the MuddyWater group, uploaded a PoC exploit to YouTube that disables the Kaspersky Lab antivirus. They also left a comment under the title.

Screenshots of the video on disabling the Kaspersky Lab antivirus and of the comments below it

It is still difficult to draw an unambiguous conclusion about the involvement of "Nima Nikjoo". Group-IB experts are considering two versions. Nima Nikjoo may indeed be a hacker from the MuddyWater group who surfaced because of his carelessness and increased activity online. The second option is that he was deliberately "exposed" by other members of the group in order to deflect suspicion from themselves. In any case, Group-IB is continuing its investigation and will certainly report its results.

As for the Iranian APTs, after this series of leaks and disclosures they will probably face a serious "debriefing": the hackers will be forced to seriously change their tools, clean up their tracks and look for possible "moles" in their ranks. Experts did not rule out that they would take a time-out, but after a short break the Iranian APT attacks resumed.

Source: www.habr.com
