
We continue our series of articles on malware analysis. In the first part we described how Ilya Pomerantsev, malware analysis specialist at CERT Group-IB, performed a detailed analysis of a file received by e-mail at one of the European companies and found the Agent Tesla spyware inside. In this article Ilya presents the results of a step-by-step analysis of the main Agent Tesla module.
Agent Tesla is modular spyware distributed under a malware-as-a-service model under the guise of a legitimate keylogger product. Agent Tesla can extract user credentials from browsers, e-mail clients and FTP clients and send them to a server controlled by the attackers, record clipboard data and capture the device screen. At the time of analysis the developer's official website was unavailable.
Configuration file
The table below shows which functionality is active in the sample under analysis:
| Description | Value |
| KeyLogger enabled flag | true |
| ScreenLogger enabled flag | false |
| KeyLogger log sending interval, minutes | 20 |
| ScreenLogger log sending interval, minutes | 20 |
| Backspace key handling flag. False: log only. True: erase the previous key | false |
| C&C type. Options: smtp, webpanel, ftp | smtp |
| Flag enabling the thread that terminates processes from the "%filter_list%" list | false |
| UAC disable flag | false |
| Task Manager disable flag | false |
| CMD disable flag | false |
| Run window disable flag | false |
| Registry editor disable flag | false |
| System restore points disable flag | true |
| Control Panel disable flag | false |
| MSCONFIG disable flag | false |
| Explorer context menu disable flag | false |
| Persistence flag | false |
| Path to which the main module is copied when persisting in the system | %startupfolder%\%infolder%\%inname% |
| Flag for setting the "System" and "Hidden" attributes on the persisted main module | false |
| Flag for rebooting after persisting in the system | false |
| Flag for moving the main module to a temporary folder | false |
| UAC bypass flag | false |
| Date and time format for logging | yyyy-MM-dd HH:mm:ss |
| Flag for using the KeyLogger application filter | true |
| Application filter type. 1: the program name is searched for in window titles; 2: the program name is searched for in the name of the window's process | 1 |
| Application filter | "facebook" "twitter" "gmail" "instagram" "movie" "skype" "sex" "Hack" "whatsapp" "discord" |
Persisting the main module in the system
If the corresponding flag is set, the main module is copied to the path specified in the configuration as the persistence path.
Depending on the value in the configuration, the file is given the "Hidden" and "System" attributes.
Autorun is provided by two registry keys:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%inregname%
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\%insregname%
Since the loader injects into the RegAsm process, setting the persistence flag of the main module has an interesting consequence: instead of copying itself, the malware persists the original RegAsm.exe file, the one the injection was performed into, in the system.


Interaction with the C&C
Whichever method is used, network communication begins by determining the victim's external IP address using the [.]amazonaws[.]com/ service.
The following describes the network interaction methods implemented in the malware.
webpanel
Communication takes place over HTTP. The malware sends a POST request with the following headers:
- User-Agent: Mozilla/5.0 (Windows U Windows NT 6.1 ru rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
- Connection: Keep-Alive
- Content-Type: application/x-www-form-urlencoded
The server address is specified by the %PostURL% value. The encrypted message is sent in the «P» parameter. The encryption method is described in the "Encryption algorithms" section (Method 2).
The transmitted message looks like this:
type={0}\nhwid={1}\ntime={2}\npcname={3}\nlogdata={4}\nscreen={5}\nipadd={6}\nwebcam_link={7}\nclient={8}\nlink={9}\nusername={10}\npassword={11}\nscreen_link={12}
The type parameter indicates the message type:

hwid: an MD5 hash of the motherboard serial number and the processor ID. Probably used as the user ID.
time: carries the current date and time.
pcname: defined as <Username>/<Computer name>.
logdata: the log data.
When passwords are sent, the message looks like this:
type={0}\nhwid={1}\ntime={2}\npcname={3}\nlogdata={4}\nscreen={5}\nipadd={6}\nwebcam_link={7}\nscreen_link={8}\n[passwords]
where [passwords] is the stolen data in the format \nclient[]={0}\nlink[]={1}\nusername[]={2}\npassword[]={3}, repeated once per stolen credential.
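The parser and beacon check below are an added example, not code from the original analysis or from Agent Tesla itself. They split a decrypted webpanel payload into its scalar fields and the repeated client[]/link[]/username[]/password[] credential records, and apply the header pattern quoted above as a simple network-level check of the kind an IDS rule would encode. The sample report and request headers are constructed; the C2 host and the exact encoding of the «P» parameter value are not given on the page and are not assumed.

```python
from urllib.parse import parse_qs

# User-Agent quoted in the analysis above; the sample sends it verbatim.
AGENT_TESLA_UA = ("Mozilla/5.0 (Windows U Windows NT 6.1 ru rv:1.9.2.3) "
                  "Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)")

# Constructed sample of a decrypted password report (not a real capture).
SAMPLE_REPORT = (
    "type=1\nhwid=0123456789ABCDEF0123456789ABCDEF\n"
    "time=2019-07-01 13:35:45\npcname=user/DESKTOP-1\nlogdata=\nscreen=\n"
    "ipadd=203.0.113.7\nwebcam_link=\nscreen_link=\n"
    "\nclient[]=Chrome\nlink[]=https://mail.example.test\n"
    "username[]=alice\npassword[]=hunter2"
    "\nclient[]=FileZilla\nlink[]=ftp://files.example.test\n"
    "username[]=bob\npassword[]=s3cret"
)


def parse_report(plaintext: str) -> dict:
    """Split a decrypted payload into scalar fields and credential records.

    Lines are key=value; keys ending in [] repeat once per stolen credential
    and are re-grouped so that the i-th client/link/username/password belong
    together.
    """
    scalars, columns = {}, {}
    for line in plaintext.split("\n"):
        if "=" not in line:            # blank separator before [passwords]
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            columns.setdefault(key[:-2], []).append(value)
        else:
            scalars[key] = value
    records = []
    if columns:
        for i in range(max(len(v) for v in columns.values())):
            records.append({k: (v[i] if i < len(v) else "")
                            for k, v in columns.items()})
    return {"fields": scalars, "credentials": records}


def looks_like_beacon(method: str, headers: dict, body: str) -> bool:
    """Shape of the webpanel upload as seen on the wire: POST, the hard-coded
    User-Agent, form encoding and a single P parameter carrying the blob."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST" or h.get("user-agent") != AGENT_TESLA_UA:
        return False
    if not h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return False
    params = parse_qs(body, keep_blank_values=True)
    return len(params) == 1 and next(iter(params)).lower() == "p"


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for cred in report["credentials"]:
        print(cred["client"], cred["username"], cred["link"])
```

Run against decrypted payloads, parse_report gives the analyst a per-application list of exposed credentials to rotate; looks_like_beacon is the check to tighten with the real %PostURL% host once it is known.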
smtp
Communication takes place over SMTP. The transmitted message is in HTML format. The BODY parameter has the form:

The message subject has the general form <USERNAME>/<COMPUTER NAME> <CONTENT TYPE>. The message body and its attachments are not encrypted.

ftp
Communication takes place over FTP. A file named <CONTENT TYPE>_<USERNAME>-<COMPUTER NAME>_<DATE AND TIME>.html is sent to the specified server. The file contents are not encrypted.

Encryption algorithms
This case uses the following encryption methods:
Method 1
This method is used to encrypt strings in the main module. The encryption algorithm is AES.
The input is a six-digit decimal number. The following transformation is applied to it:
f(x) = (((x >> 2 - 31059) ^ 6380) - 1363) >> 3
The resulting value is an index into the embedded data array.
Each element of this array is a sequence of DWORDs. Concatenating the DWORDs yields a byte array: the first 32 bytes are the encryption key, followed by 16 bytes of initialization vector, and the remaining bytes are the encrypted data.
Method 2
The algorithm used is 3DES in ECB mode with whole-byte padding (PKCS7).
The key is specified by the %urlkey% parameter; however, the encryption uses its MD5 hash.
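As an added example (not code from the original analysis or from the malware), the two schemes above in Python: the index transformation and the key|IV|ciphertext split of Method 1, and the MD5-derived 3DES-ECB key of Method 2. Assumptions: the formula is read as (x >> 2) - 31059 in its first step with C# int32 semantics; the DWORDs are little-endian; the 32-byte key and 16-byte IV imply AES-256 in CBC mode (the mode is not stated on the page); and PyCryptodome provides the AES/3DES primitives. The index and layout helpers work without it.

```python
import hashlib
import struct

try:
    from Crypto.Cipher import AES, DES3     # PyCryptodome (assumed available)
except ImportError:                          # index/layout helpers still work
    AES = DES3 = None


def _int32(v: int) -> int:
    """Wrap a Python int to signed 32-bit, mirroring C# int arithmetic."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v


def string_index(x: int) -> int:
    """f(x) = (((x >> 2 - 31059) ^ 6380) - 1363) >> 3, read with
    (x >> 2) - 31059 as the first step (assumption). '>>' on a negative
    int32 is an arithmetic shift in C#; Python's floor shift matches it."""
    v = _int32((x >> 2) - 31059)
    v = _int32(v ^ 6380)
    v = _int32(v - 1363)
    return v >> 3


def dwords_to_bytes(dwords) -> bytes:
    """Concatenate one array element (a sequence of DWORDs) into raw bytes.
    Little-endian signed int32 assumed, as in a C# int[] initializer."""
    return struct.pack("<%di" % len(dwords), *dwords)


def bytes_to_dwords(blob: bytes):
    """Inverse of dwords_to_bytes (useful for building fixtures)."""
    return list(struct.unpack("<%di" % (len(blob) // 4), blob))


def split_blob(blob: bytes):
    """Method 1 layout: 32-byte key | 16-byte IV | ciphertext."""
    if len(blob) < 48 or (len(blob) - 48) % 16:
        raise ValueError("blob does not match key|iv|ciphertext layout")
    return blob[:32], blob[32:48], blob[48:]


def pkcs7_unpad(data: bytes, block: int) -> bytes:
    """Strip PKCS#7 padding, rejecting malformed trailers."""
    n = data[-1] if data else 0
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return data[:-n]


def decrypt_string(dwords) -> str:
    """Method 1: decrypt one embedded string record (AES-256-CBC assumed)."""
    if AES is None:
        raise RuntimeError("PyCryptodome is required for AES")
    key, iv, ct = split_blob(dwords_to_bytes(dwords))
    pt = AES.new(key, AES.MODE_CBC, iv).decrypt(ct)
    return pkcs7_unpad(pt, 16).decode("utf-8")


def c2_key(urlkey: str) -> bytes:
    """Method 2 key: MD5(%urlkey%); 16 bytes, i.e. two-key 3DES (K1|K2|K1)."""
    return hashlib.md5(urlkey.encode("utf-8")).digest()


def decrypt_c2(urlkey: str, ciphertext: bytes) -> bytes:
    """Method 2: 3DES-ECB with PKCS#7 padding, as used for the webpanel payload."""
    if DES3 is None:
        raise RuntimeError("PyCryptodome is required for 3DES")
    pt = DES3.new(c2_key(urlkey), DES3.MODE_ECB).decrypt(ciphertext)
    return pkcs7_unpad(pt, 8)
```

In practice string_index is applied to each six-digit literal found in the decompiled calls, and decrypt_string to the corresponding int[] record; decrypt_c2 is fed the decoded value of the «P» parameter together with the %urlkey% value from the configuration. Because the key is only the MD5 of a configuration string, anyone holding the sample can decrypt its traffic, which is why the page is able to document the full message format.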
Malicious functionality
The sample under investigation implements its malicious functionality through the following components:
KeyLogger
If the corresponding flag is set, the malware uses the WinAPI function SetWindowsHookEx to install its own handler for keyboard key-press events. The handler function starts by obtaining the title of the active window.
If the application filter flag is set, filtering is performed according to the specified type:
- the program name is searched for in window titles
- the program name is searched for in the name of the window's process
Next, a record with information about the active window is added to the log in the format:

Then information about the pressed key is recorded:
| Key | Log entry |
| Backspace | Depends on the Backspace handling flag: False: {BACK}; True: erases the previous key |
| CAPS LOCK | {CAPS LOCK} |
| ESC | {ESC} |
| PageUp | {PageUp} |
| Down | ↓ |
| DELETE | {DEL} |
| " | " |
| F5 | {F5} |
| & | & |
| F10 | {F10} |
| TAB | {TAB} |
| < | < |
| > | > |
| Space | (space) |
| F8 | {F8} |
| F12 | {F12} |
| F9 | {F9} |
| ALT + TAB | {ALT+TAB} |
| END | {END} |
| F4 | {F4} |
| F2 | {F2} |
| CTRL | {CTRL} |
| F6 | {F6} |
| Right | → |
| Up | ↑ |
| F1 | {F1} |
| Left | ← |
| PageDown | {PageDown} |
| Insert | {Insert} |
| Win | {Win} |
| NumLock | {NumLock} |
| F11 | {F11} |
| F3 | {F3} |
| HOME | {HOME} |
| ENTER | {ENTER} |
| ALT + F4 | {ALT+F4} |
| F7 | {F7} |
| Any other key | The character in upper or lower case, depending on the state of the CapsLock and Shift keys |
At the configured interval the collected log is sent to the server. If the transfer fails, the log is saved to the file %TEMP%\log.tmp in the format:

When the timer fires, the file is sent to the server.
ScreenLogger
At the configured interval the malware takes a screenshot in JPEG format with Quality set to 50 and saves it to the file %APPDATA%\<random sequence of 10 characters>.jpg. After transfer the file is deleted.
ClipboardLogger
If the corresponding flag is set, substitutions are made in the captured text according to the table below.

After that the text is inserted into the log:

PasswordStealer
The malware can extract passwords from the following applications:
| Browsers | Mail clients | FTP clients |
| Chrome | Outlook | FileZilla |
| Firefox | Thunderbird | WS_FTP |
| IE/Edge | Foxmail | WinSCP |
| Safari | Opera Mail | CoreFTP |
| Opera Browser | IncrediMail | FTP Navigator |
| Yandex | Pocomail | FlashFXP |
| Comodo | Eudora | SmartFTP |
| ChromePlus | TheBat | FTPCommander |
| Chromium | Postbox | |
| Torch | ClawsMail | |
| 7Star | | |
| Amigo | | |
| BraveSoftware | | |
| CentBrowser | | |
| Chedot | | |
| CocCoc | | |
| Elements Browser | | |
| Epic Privacy Browser | | |
| Kometa | | |
| Orbitum | | |
| Sputnik | | |
| uCozMedia | | |
| Vivaldi | | |
| SeaMonkey | | |
| Flock Browser | | |
| UC Browser | | |
| BlackHawk | | |
| CyberFox | | |
| K-Meleon | | |
| IceCat | | |
| IceDragon | | |
| PaleMoon | | |
| WaterFox | | |
| Falkon Browser | | |
| Jabber clients | VPN clients | Download managers |
| Psi/Psi+ | OpenVPN | Internet Download Manager |
| | | JDownloader |
Anti dynamic analysis
- Use of the Sleep function. Lets the malware outlast the timeout of some sandboxes
- Destroying the Zone.Identifier stream. Hides the fact that the file was downloaded from the Internet
- The %filter_list% parameter specifies a list of processes that the malware terminates at one-second intervals
- Disabling UAC
- Disabling Task Manager
- Disabling CMD
- Disabling the "Run" window
- Disabling Control Panel
- Disabling the RegEdit tool
- Disabling system restore points
- Disabling the Explorer context menu
- Disabling MSCONFIG
- UAC bypass
Inactive features of the main module
During analysis of the main module, functions were identified that are responsible for spreading over the network and for tracking the mouse position.
Worm
Connection events of removable media are monitored in a separate thread. When a device is connected, the malware is copied to the root of its file system under the name scr.exe, after which it searches for files with the lnk extension. The command of every lnk is changed to cmd.exe /c start scr.exe&start <original command> & exit.
Every directory in the media root is given the "Hidden" attribute, and an lnk file with the name of the hidden directory is created with the command cmd.exe /c start scr.exe&explorer /root,"%CD%\<DIRECTORY NAME>" & exit.
MouseTracker
The interception method is similar to the one used for the keyboard. This functionality is still under development.
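An added example, not the authors' or Agent Tesla's code: a small triage script for a removable drive that looks for the pattern described above, that is scr.exe in the root, .lnk files whose command launches scr.exe, and a directory sitting next to a .lnk decoy of the same name. The demo drive root it builds is constructed: the .lnk files it writes are byte blobs carrying the command string in UTF-16LE (the encoding shell links normally use for strings) behind the 0x4C header, not full shell-link structures, and the Hidden attribute is deliberately not checked so the scan also runs on non-Windows forensic hosts.

```python
import os
import tempfile

SCR_NAME = "scr.exe"
MARKER = "start scr.exe"       # substring shared by both hijacked command lines


def lnk_launches_scr(path: str) -> bool:
    """Shell links usually store strings as UTF-16LE; also accept ASCII."""
    with open(path, "rb") as fh:
        data = fh.read()
    return MARKER.encode("utf-16-le") in data or MARKER.encode("ascii") in data


def scan_removable_root(root: str) -> dict:
    """Report the three indicators of the worm routine for one drive root."""
    entries = os.listdir(root)
    findings = {
        "scr_exe": any(e.lower() == SCR_NAME for e in entries),
        "hijacked_lnk": [],
        "decoy_dirs": [],   # a directory hidden behind a .lnk of the same name
    }
    for name in sorted(entries):
        full = os.path.join(root, name)
        if not name.lower().endswith(".lnk") or not os.path.isfile(full):
            continue
        if lnk_launches_scr(full):
            findings["hijacked_lnk"].append(name)
            base = name[:-4]
            if os.path.isdir(os.path.join(root, base)):
                findings["decoy_dirs"].append(base)
    return findings


def build_demo_root() -> str:
    """Construct an infected-looking drive root in a temp dir (sample data)."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, SCR_NAME), "wb"):
        pass
    os.mkdir(os.path.join(root, "Reports"))
    # decoy .lnk created next to the now-hidden directory
    cmd = 'cmd.exe /c start scr.exe&explorer /root,"%CD%\\Reports" & exit'
    with open(os.path.join(root, "Reports.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00" + cmd.encode("utf-16-le"))
    # pre-existing shortcut whose command was rewritten
    orig = "cmd.exe /c start scr.exe&start notepad.exe & exit"
    with open(os.path.join(root, "notes.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00" + orig.encode("utf-16-le"))
    # an untouched shortcut, for contrast
    with open(os.path.join(root, "clean.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00" + "C:\\tools\\x.exe".encode("utf-16-le"))
    return root


def demo() -> dict:
    return scan_removable_root(build_demo_root())


if __name__ == "__main__":
    print(demo())
```

Point scan_removable_root at the mount point of a suspect drive; a non-empty hijacked_lnk list with scr.exe present is the signature of this routine, and decoy_dirs tells you which user directories to restore from their hidden state.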
File activity
| Path | Description |
| %Temp%\temp.tmp | Contains the counter of UAC bypass attempts |
| %startupfolder%\%infolder%\%inname% | Persistence path of the malware |
| %Temp%\tmpG{current time in milliseconds}.tmp | Path of the backup copy of the main module |
| %Temp%\log.tmp | Log file |
| %AppData%\{random sequence of 10 characters}.jpeg | Screenshots |
| C:\Users\Public\{random sequence of 10 characters}.vbs | Path to the vbs file the loader may use to persist in the system |
| %Temp%\{custom folder name}\{file name} | Path used by the loader to persist in the system |
Attacker profile
Thanks to the hard-coded authentication data, we were able to gain access to the command center.

This allowed us to identify the attackers' final e-mail address:
junaid[.]ku***@gmail[.]com.
The domain name of the command center is registered to the e-mail address sg***@gmail[.]com.
Conclusion
During the detailed analysis of the malware used in the attack, we were able to establish its functionality and obtain the most complete list of indicators of compromise relevant to this case. Understanding the malware's network interaction mechanisms made it possible to give recommendations for tuning information security tools, as well as to write stable IDS rules.
The main danger of Agent Tesla as a DataStealer is that it does not need to persist in the system or wait for a control command in order to perform its tasks. Once on the machine, it immediately begins collecting private information and transmits it to the CnC. This aggressive behaviour is in some ways similar to that of ransomware, the only difference being that ransomware does not even require a network connection. If you encounter this family, then after cleaning the infected system of the malware itself you must change every password that could, even in theory, have been saved in one of the applications listed above.
Looking ahead, we note that the attackers who send Agent Tesla change the initial loader very often. This lets them stay unnoticed by static scanners and heuristic analyzers at the time of the attack, and the family's tendency to start its work immediately renders system monitors useless. The best way to counter Agent Tesla is preliminary analysis in a sandbox.
In the third article of this series we will look at other loaders used with Agent Tesla and study the process of their semi-automatic unpacking. Don't miss it!
Hashes
| SHA1 |
| A8C2765B3D655BA23886D663D22BDD8EF6E8E894 |
| 8010CC2AF398F9F951555F7D481CE13DF60BBECF |
| 79B445DE923C92BF378B19D12A309C0E9C5851BF |
| 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
C&C
| URL |
| sina-c0m[.]icu |
| smtp[.]sina-c0m[.]icu |
RegKey
| Registry |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{Script name} |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%inregname% |
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\%inregname% |
Mutex
No indicators.
Files
| File activity |
| %Temp%\temp.tmp |
| %startupfolder%\%infolder%\%inname% |
| %Temp%\tmpG{current time in milliseconds}.tmp |
| %Temp%\log.tmp |
| %AppData%\{random sequence of 10 characters}.jpeg |
| C:\Users\Public\{random sequence of 10 characters}.vbs |
| %Temp%\{custom folder name}\{file name} |
Sample information
| Name | Unknown |
| MD5 | F7722DD8660B261EA13B710062B59C43 |
| SHA1 | 15839B7AB0417FA35F2858722F0BD47BDF840D62 |
| SHA256 | 41DC0D5459F25E2FDCF8797948A7B315D3CB075398D808D1772CACCC726AF6E9 |
| Type | PE (.NET) |
| Size | 327680 |
| Original name | AZZRIDKGGSLTYFUUBCCRRCUMRKTOXFVPDKGAGPUZI_20190701133545943.exe |
| Date stamp | 01.07.2019 |
| Compiler | VB.NET |
| Name | IELibrary.dll |
| MD5 | BFB160A89F4A607A60464631ED3ED9FD |
| SHA1 | 1C981EF3EEA8548A30E8D7BF8D0D61F9224288DD |
| SHA256 | D55800A825792F55999ABDAD199DFA54F3184417215A298910F2C12CD9CC31EE |
| Type | PE (.NET DLL) |
| Size | 16896 |
| Original name | IELibrary.dll |
| Date stamp | 11.10.2016 |
| Compiler | Microsoft Linker(48.0*) |
Source: www.habr.com
