Failed exit: bringing AgentTesla out into the open. Part 1

Recently, a European manufacturer of electrical equipment contacted Group-IB: one of its employees had received a suspicious malicious letter by email. Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, performed a detailed analysis of the file, found the AgentTesla spyware inside, and explains what to expect from such malware and how dangerous it is.

With this post we open a series of articles on how to analyze such potentially dangerous files, and we expect the most curious readers on December 5 at a free webinar on the topic "Malware analysis: analysis of real cases". All the details are below the cut.

Distribution method

We know that the malware reached the victim's machine through phishing emails. The recipient of the letter was probably in BCC.

Analysis of the headers shows that the sender of the letter was spoofed. In fact, the letter went through vps56[.]oneworldhosting[.]com.

The email attachment contains the WinRar archive qoute_jpeg56a.r15 with the malicious executable file QUUTE_JPEG56A.exe inside.


Malware

Now let's see what the ecosystem of the malware under study looks like. The diagram below shows its structure and the directions in which the components interact.

Now let's look at each component of the malware in detail.

Loader

The original file QUUTE_JPEG56A.exe is a compiled AutoIt v3 script.

To make the original script hard to read, an obfuscator with features similar to those of PELock AutoIT-Obfuscator was used.
Deobfuscation is performed in three stages:

  1. Removing the For-If obfuscation

    The first step is to restore the script's control flow. Control Flow Flattening is one of the most common ways of protecting an application's binary code from analysis. Such obfuscating transformations dramatically increase the complexity of extracting and recognizing algorithms and data structures.


  2. String recovery

    Two functions are used to encrypt the strings:

    • gdorizabegkvfca - performs a Base64-like encoding


    • xgacyukcyzxz - a simple byte-by-byte XOR of the first string with the length of the second


  3. Removing the BinaryToString and Execute obfuscation

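As an added example (not the article's or Group-IB's code), here is the stage-2 string recovery as an analyst would script it in Python: a decoder for a custom-alphabet Base64 chained with the byte-by-byte XOR against the length of the second argument, plus a pass that rewrites the wrapped calls in a constructed AutoIt fragment back into plain literals. The custom alphabet, the nested call shape and the sample fragment are assumptions made for the example; the real alphabet has to be read out of the deobfuscated script.

```python
import base64
import re

STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Assumed custom alphabet standing in for the loader's "Base64-like" table;
# the real table has to be read out of the deobfuscated script.
CUSTOM_B64 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"

def b64like_decode(text: str, alphabet: str = CUSTOM_B64) -> bytes:
    """Map the custom alphabet back onto the standard one, restore any
    dropped '=' padding, then use the ordinary Base64 decoder."""
    std = text.translate(str.maketrans(alphabet, STD_B64))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std)

def xor_with_length(data: bytes, key_string: str) -> bytes:
    """Byte-by-byte XOR of the first string with the length of the second
    (the page's xgacyukcyzxz); XOR is its own inverse, so it also decodes."""
    k = len(key_string) & 0xFF
    return bytes(b ^ k for b in data)

def recover_string(encoded: str, key_string: str) -> str:
    return xor_with_length(b64like_decode(encoded), key_string).decode("latin-1")

# Assumed (constructed) call shape in the decompiled script:
#   xgacyukcyzxz(gdorizabegkvfca("<base64-like text>"), "<key string>")
CALL_RE = re.compile(
    r'xgacyukcyzxz\s*\(\s*gdorizabegkvfca\s*\(\s*"([^"]*)"\s*\)\s*,\s*"([^"]*)"\s*\)')

def rewrite_script(script: str) -> str:
    """Replace every wrapped call with the recovered literal, which is what
    stage 2 of the deobfuscation does across the whole script."""
    def repl(m):
        lit = recover_string(m.group(1), m.group(2)).replace('"', '""')
        return '"' + lit + '"'
    return CALL_RE.sub(repl, script)

def obfuscate(plain: str, key_string: str) -> str:
    """Forward direction, used only to build the constructed sample below."""
    raw = base64.b64encode(xor_with_length(plain.encode("latin-1"), key_string))
    return raw.decode().rstrip("=").translate(str.maketrans(STD_B64, CUSTOM_B64))

# Constructed AutoIt fragment; the key strings are arbitrary, only their length matters.
SAMPLE_SCRIPT = (
    'DllCall(xgacyukcyzxz(gdorizabegkvfca("%s"), "qwe"), "ptr", '
    'xgacyukcyzxz(gdorizabegkvfca("%s"), "zxcvbnm"))\n'
    % (obfuscate("advapi32.dll", "qwe"), obfuscate("CryptDecrypt", "zxcvbnm"))
)
```

Running rewrite_script(SAMPLE_SCRIPT) turns the fragment into DllCall("advapi32.dll", "ptr", "CryptDecrypt"), the form in which the script's API usage becomes readable.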

The main payload is stored in split form in the Fonts directory of the file's resource section.

The order in which the pieces are glued together is as follows: TIEQHCXWFG, IME, SPDGUHIMPV, KQJMWQQAQTKTFXTUOSW, AOCHKRWWSKWO, JSHMSJPS, NHHWXJBMTTSPXVN, BFUTIFWWXVE, HWJHO, AVZOUMVFRDWFLWU.

The WinAPI function CryptDecrypt is used to decrypt the extracted data, and a session key generated from the value fZgFiZlJDxvuWatFRgRXZqmNCIyQgMYc is used as the key.

The decrypted executable is passed to the input of the RunPE function, which performs a ProcessInject into RegAsm.exe using a built-in ShellCode (also known as RunPE ShellCode). Its authorship belongs to a user of the Spanish forum indetectables[.]net under the nickname Wardow.

It is also noteworthy that in one of the threads of this forum an obfuscator with the same characteristics as those identified during the analysis of the sample was discussed.

The ShellCode itself is quite simple and draws attention only for its API call hashing function, borrowed from the Anunak/Carbanak hacker group.


We also know of cases in which different versions of Frenchy Shellcode were used.
In addition to the functionality described, we also identified inactive functions:

  • Preventing manual termination of the process from Task Manager

  • Restarting the child process when it terminates

  • UAC bypass

  • Saving the payload to a file

  • Displaying modal windows

  • Waiting for the mouse cursor position to change

  • AntiVM and AntiSandbox

  • Self-destruction

  • Downloading the payload from the network

We know that such functionality is typical of the CypherIT protector, which, apparently, is the loader in question.


Main malware module

Next, we briefly describe the main malware module and will consider it in more detail in the second article. In this case, the application is written in .NET.

During the analysis we found that the ConfuserEX obfuscator had been used.


IELibrary.dll

The library is stored as a resource of the main module and is a well-known Agent Tesla plugin that provides the functionality for extracting various information from the Internet Explorer and Edge browsers.

Agent Tesla is modular spyware distributed under a malware-as-a-service model under the guise of a legitimate keylogger product. Agent Tesla is capable of extracting user credentials from browsers, email clients and FTP clients and transmitting them to a server controlled by the attackers, recording clipboard data, and capturing the device's screen. At the time of the analysis, the developer's official website was unavailable.

The entry point is the GetSavedPasswords function of the InternetExplorer class.

In general, the code executes linearly and contains no protection against analysis. The only unimplemented function worth attention is GetSavedCookies. Apparently, the plugin's functionality was meant to be extended, but this was never done.


Loader persistence in the system

Let's study how the loader establishes persistence in the system. The sample under study does not persist, but in similar incidents this happens according to the following scheme:

  1. A Visual Basic script is created in the folder C:\Users\Public

    Script example: (screenshot in the original post)

  2. The contents of the loader file are padded with null characters and saved to the folder %Temp%\<Custom folder name>\<File name>
  3. An autorun key for the script file is created in the registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Script name>

Thus, based on the results of the first part of the analysis, we were able to establish the family names of all the components of the malware under study, analyze the infection pattern, and obtain objects for writing signatures. We will continue our analysis of this object in the next article, where we will look at the main Agent Tesla module in detail. Don't miss it!

By the way, on December 5 we invite all readers to a free interactive webinar on the topic "Malware analysis: analysis of real cases", where the author of this article, a CERT-GIB specialist, will demonstrate online the first stage of malware analysis, automatic unpacking of samples, using three small real cases from practice, and you will be able to take part in the analysis. The webinar is suitable for specialists who already have experience in analyzing malicious files. Registration is from corporate email addresses only: register. See you there!

YARA

rule AgentTesla_clean{
meta:
    author = "Group-IB"
    file = "78566E3FC49C291CB117C3D955FA34B9A9F3EEFEFAE3DE3D0212432EB18D2EAD"
    scoring = 5
    family = "AgentTesla"
strings:
    $string_format_AT = {74 00 79 00 70 00 65 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 68 00 77 00 69 00 64 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 74 00 69 00 6D 00 65 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 63 00 6E 00 61 00 6D 00 65 00 3D 00 7B 00 33 00 7D 00 0D 00 0A 00 6C 00 6F 00 67 00 64 00 61 00 74 00 61 00 3D 00 7B 00 34 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 3D 00 7B 00 35 00 7D 00 0D 00 0A 00 69 00 70 00 61 00 64 00 64 00 3D 00 7B 00 36 00 7D 00 0D 00 0A 00 77 00 65 00 62 00 63 00 61 00 6D 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 37 00 7D 00 0D 00 0A 00 73 00 63 00 72 00 65 00 65 00 6E 00 5F 00 6C 00 69 00 6E 00 6B 00 3D 00 7B 00 38 00 7D 00 0D 00 0A 00 5B 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 73 00 5D 00}
    $web_panel_format_string = {63 00 6C 00 69 00 65 00 6E 00 74 00 5B 00 5D 00 3D 00 7B 00 30 00 7D 00 0D 00 0A 00 6C 00 69 00 6E 00 6B 00 5B 00 5D 00 3D 00 7B 00 31 00 7D 00 0D 00 0A 00 75 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 5B 00 5D 00 3D 00 7B 00 32 00 7D 00 0D 00 0A 00 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 5B 00 5D 00 3D 00 7B 00 33 00 7D 00 00 15 55 00 52 00 4C 00 3A 00 20 00 20 00 20 00 20 00 20 00 20 00 00 15 55 00 73 00 65 00 72 00 6E 00 61 00 6D 00 65 00 3A 00 20 00 00 15 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 3A 00}
condition:
     all of them
}

rule AgentTesla_obfuscated {
meta:
    author = "Group-IB"
    file = "41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9"
    scoring = 5
    family = "AgentTesla"
strings:
    $first_names = {61 66 6B 00 61 66 6D 00 61 66 6F 00 61 66 76 00 61 66 79 00 61 66 78 00 61 66 77 00 61 67 6A 00 61 67 6B 00 61 67 6C 00 61 67 70 00 61 67 72 00 61 67 73 00 61 67 75 00}
    $second_names = "IELibrary.resources"
condition:
     all of them
}

rule AgentTesla_module_for_IE{
meta:
    author = "Group-IB"
    file = "D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE"
    scoring = 5
    family = "AgentTesla_module_for_IE"
strings:
    $s0 = "ByteArrayToStructure" 
    $s1 = "CryptAcquireContext" 
    $s2 = "CryptCreateHash" 
    $s3 = "CryptDestroyHash" 
    $s4 = "CryptGetHashParam" 
    $s5 = "CryptHashData"
    $s6 = "CryptReleaseContext" 
    $s7 = "DecryptIePassword" 
    $s8 = "DoesURLMatchWithHash" 
    $s9 = "GetSavedCookies" 
    $s10 = "GetSavedPasswords" 
    $s11 = "GetURLHashString"  
condition:
     all of them
}

rule RunPE_shellcode {
meta:
    author = "Group-IB"
    file = "37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918"
    scoring = 5
    family = "RunPE_shellcode"
strings:
    $malcode = {
      C7 [2-5] EE 38 83 0C // mov     dword ptr [ebp-0A0h], 0C8338EEh
      C7 [2-5] 57 64 E1 01 // mov     dword ptr [ebp-9Ch], 1E16457h
      C7 [2-5] 18 E4 CA 08 // mov     dword ptr [ebp-98h], 8CAE418h
      C7 [2-5] E3 CA D8 03 // mov     dword ptr [ebp-94h], 3D8CAE3h
      C7 [2-5] 99 B0 48 06 // mov     dword ptr [ebp-90h], 648B099h
      C7 [2-5] 93 BA 94 03 // mov     dword ptr [ebp-8Ch], 394BA93h
      C7 [2-5] E4 C7 B9 04 // mov     dword ptr [ebp-88h], 4B9C7E4h
      C7 [2-5] E4 87 B8 04 // mov     dword ptr [ebp-84h], 4B887E4h
      C7 [2-5] A9 2D D7 01 // mov     dword ptr [ebp-80h], 1D72DA9h
      C7 [2-5] 05 D1 3D 0B // mov     dword ptr [ebp-7Ch], 0B3DD105h
      C7 [2-5] 44 27 23 0F // mov     dword ptr [ebp-78h], 0F232744h
      C7 [2-5] E8 6F 18 0D // mov     dword ptr [ebp-74h], 0D186FE8h
      }
condition:
    $malcode 
}

rule AgentTesla_AutoIT_module{
meta:
    author = "Group-IB"
    file = "49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF"
    scoring = 5
    family = "AgentTesla"
strings:                                    
    $packedexeau = {55 ED F5 9F 92 03 04 44 7E 16 6D 1F 8C D7 38 E6 29 E4 C8 CF DA 2C C4 E1 F3 65 48 25 B8 93 9D 66 A4 AD 3C 39 50 00 B9 60 66 19 8D FC 20 0A A0 56 52 8B 9F 15 D7 62 30 0D 5C C3 24 FE F8 FC 39 08 DF 87 2A B2 1C E9 F7 06 A8 53 B2 69 C3 3C D4 5E D4 74 91 6E 9D 9A A0 96 FD DB 1F 5E 09 D7 0F 25 FB 46 4E 74 15 BB AB DB 17 EE E7 64 33 D6 79 02 E4 85 79 14 6B 59 F9 43 3C 81 68 A8 B5 32 BC E6}
condition:
     all of them
}

Hashes

Name: qoute_jpeg56a.r15
MD5: 53BE8F9B978062D4411F71010F49209E
SHA1: A8C2765B3D655BA23886D663D22BDD8EF6E8E894
SHA256: 2641DAFB452562A0A92631C2849B8B9CE880F0F8F890E643316E9276156EDC8A
Type: WinRAR archive (email attachment)
Size: 823014

Name: QUUTE_JPEG56A.exe
MD5: 329F6769CF21B660D5C3F5048CE30F17
SHA1: 8010CC2AF398F9F951555F7D481CE13DF60BBECF
SHA256: 49F94293F2EBD8CEFF180EDDD58FA50B30DC0F08C05B5E3BD36FD52668D196AF
Type: PE (compiled AutoIt script)
Size: 1327616
Original name: Unknown
Timestamp: 15.07.2019
Linker: Microsoft Linker(12.0)[EXE32]

MD5: C2743AEDDADACC012EF4A632598C00C0
SHA1: 79B445DE923C92BF378B19D12A309C0E9C5851BF
SHA256: 37A1961361073BEA6C6EACE6A8601F646C5B6ECD9D625E049AD02075BA996918
Type: ShellCode
Size: 1474

Source: www.habr.com
