Come out of the shadows: exposing AgentTesla. Part 3

With this article we conclude the series of publications devoted to malware analysis. In the first part we performed a detailed analysis of an infected file that a European company received by email, and found the AgentTesla spyware in it. The second part described the results of a step-by-step analysis of the main AgentTesla module.

Today Ilya Pomerantsev, malware analysis specialist at CERT Group-IB, walks through the first stage of malware analysis, the semi-automatic unpacking of AgentTesla samples, using three mini-cases from the practice of CERT Group-IB specialists.

Usually the first stage of malware analysis is removing the protection layer: a packer, a cryptor, a protector or a loader. In most cases the task is solved by running the malware and dumping it from memory, but there are situations where that approach does not work: the malware is an encryptor, it protects its memory regions from being dumped, the code contains virtual machine detection, or the malware reboots the system immediately after launch. In such cases so-called "semi-automatic" unpacking is used: the researcher keeps full control over the process and can intervene at any moment. Let's look at this procedure on three samples of the AgentTesla family. This malware is relatively harmless once its network access is disabled.

Sample No. 1

The source file is an MS Word document that exploits CVE-2017-11882.

As a result, the payload is downloaded and executed.

Analysis of the process tree and the behavioural indicators shows injection into the RegAsm.exe process.

AgentTesla's behavioural indicators are present.

The downloaded sample is a .NET executable protected with the .NET Reactor protector.

Open it in dnSpy x86 and go to the entry point.

Stepping into the DateTimeOffset event, we find the code that initialises a new .NET module. Set a breakpoint on the line of interest and run the file.

In one of the returned buffers the MZ signature (0x4D 0x5A) is visible. Save that buffer.
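Saving the buffer by hand works for a single dump; when the debugger returns several buffers, or a Process Hacker region dump (as in sample No. 3 below) contains more than one image, it helps to carve automatically. The following Python script is an added example and not code from the article: it scans a dumped buffer for MZ headers, validates each candidate through e_lfanew and the PE signature, computes the image size from the section table, and reports whether the image is a DLL and whether it carries a CLR header, i.e. is a .NET assembly. The images produced by build_synthetic_pe() are constructed test input; run the script with a dump file as its argument to carve real buffers.

```python
"""Carve PE images out of a raw buffer or memory-region dump.

Added example (not code from the Group-IB article): given the bytes of a
buffer dumped from the debugger, locate every "MZ" header that is followed
by a consistent PE header, work out how many bytes belong to that image
from its section table, and report whether it is a DLL and whether it has
a CLR (.NET) header. build_synthetic_pe() makes constructed test images.
"""
import struct
import sys
from dataclasses import dataclass

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_DIRECTORY_INDEX = 14          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


@dataclass
class PEImage:
    offset: int        # position of the MZ header inside the buffer
    size: int          # bytes from MZ to the end of the last raw section
    is_dll: bool
    is_dotnet: bool
    truncated: bool    # the buffer ended before the last section did


def parse_pe_at(buf: bytes, off: int):
    """Validate a candidate MZ header at `off`; return a PEImage or None."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    # e_lfanew must land past the DOS header and inside the buffer
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(buf):
        return None
    if buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, size_opt, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24
    if nsec == 0 or nsec > 96 or size_opt < 2 or opt + size_opt > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == PE32_MAGIC:
        dd_off = 96            # data directories start here in a PE32 optional header
    elif magic == PE32PLUS_MAGIC:
        dd_off = 112           # and here in PE32+
    else:
        return None
    # Data directory 14 is the CLR runtime header: non-zero means a .NET image
    clr_rva = clr_size = 0
    if size_opt >= dd_off + (CLR_DIRECTORY_INDEX + 1) * 8:
        clr_rva, clr_size = struct.unpack_from("<II", buf, opt + dd_off + CLR_DIRECTORY_INDEX * 8)
    sec_tbl = opt + size_opt
    if sec_tbl + nsec * 40 > len(buf):
        return None
    end = sec_tbl + nsec * 40 - off          # at least the whole header
    for i in range(nsec):
        _, _, _, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", buf, sec_tbl + i * 40)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    truncated = off + end > len(buf)
    if truncated:
        end = len(buf) - off
    return PEImage(off, end, bool(chars & IMAGE_FILE_DLL), clr_rva != 0 and clr_size != 0, truncated)


def carve_pe_images(buf: bytes):
    """Return every consistent PE image in buf; images are taken non-overlapping."""
    images, pos = [], 0
    while (pos := buf.find(b"MZ", pos)) != -1:
        img = parse_pe_at(buf, pos)
        if img:
            images.append(img)
            pos += img.size      # skip the body; a section may itself contain "MZ"
        else:
            pos += 1
    return images


def build_synthetic_pe(is_dll: bool, is_dotnet: bool) -> bytes:
    """Constructed PE32 with one 0x200-byte section, used only to exercise the carver."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    if is_dotnet:
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2000, 0x48)
    raw_ptr, raw_size = 0x200, 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + coff + bytes(opt) + sect).ljust(raw_ptr, b"\0")
    return header + bytes(range(256)) * 2                   # 0x200 bytes of filler "code"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:   # constructed demo buffer: junk, a .NET DLL, padding, a native EXE
        data = b"\xCC" * 37 + build_synthetic_pe(True, True) + b"\x00" * 100 + build_synthetic_pe(False, False)
    for n, img in enumerate(carve_pe_images(data)):
        kind = ("dll" if img.is_dll else "exe") + (" .net" if img.is_dotnet else " native")
        print(f"image {n}: offset=0x{img.offset:X} size=0x{img.size:X} {kind}{' truncated' if img.truncated else ''}")
        if len(sys.argv) > 1:
            with open(f"carved_{n}_{img.offset:08x}.bin", "wb") as out:
                out.write(data[img.offset:img.offset + img.size])
```

The size is taken from the section table rather than from SizeOfImage because a buffer dumped before mapping holds the file layout, not the virtual one; a truncated flag tells you the buffer was cut before the last section ended, which is the usual reason a carved .NET dump refuses to load in dnSpy.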

The dumped executable is a dynamic-link library that acts as a loader: it extracts the payload from the resource section and launches it.

However, the resources it needs are not in the dump itself. They live in the parent sample.

dnSpy has two very useful features that let us quickly build a "Frankenstein" out of the two related files.

  1. The first lets us "attach" the dynamic-link library to the parent sample.

  2. The second rewrites the code at the entry point so that it calls the desired method of the attached library.

Save our "Frankenstein", set a breakpoint on the line that returns the array of decrypted resources, and produce a dump the same way as in the previous step.

The second dump is a VB.NET executable protected with the ConfuserEx protector we already know.

After removing the protector we run the YARA rules written earlier and confirm that the unpacked malware is indeed AgentTesla.

Sample No. 2

The source file is an MS Excel document. The embedded macro triggers execution of the malicious code.

As a result a PowerShell script is launched.

The script decrypts C# code and passes control to it. That code is itself a loader, as the sandbox report also shows.

The payload is a .NET executable.

Opening the file in dnSpy x86, it is immediately obvious that it is obfuscated. Remove the obfuscation with the de4dot utility and return to the analysis.

Examining the code, we find the following function:

The encoded strings EntryPoint and Invoke stand out. Set a breakpoint on the first line, run, and save the contents of the byte_0 buffer.

The dump is again a .NET application, protected with ConfuserEx.

Remove the obfuscation with de4dot and load the result into dnSpy. The file description tells us we are dealing with the CyaX-Sharp loader.

This loader has substantial anti-analysis functionality.

It includes bypassing built-in Windows protections, disabling Windows Defender, and sandbox and virtual machine detection. It can load the payload from the network or keep it in the resource section. Execution is performed by injection into its own process, into a copy of its own process, or into MSBuild.exe, vbc.exe or RegSvcs.exe, depending on the parameter the attacker chose.

For us, however, the more important part is the AntiDump feature added by ConfuserEx. Its source code is available on GitHub.

To disable this protection we use dnSpy's ability to edit IL code.

Save the file and set a breakpoint on the line that calls the payload decryption function. It is located in the constructor of the main class.

Run and dump the payload. Using the YARA rules written earlier, we confirm that this is AgentTesla.

Sample No. 3

The source file is a native VB PE32 executable.

Entropy analysis shows a large chunk of encrypted data.

Examining the application form in VB Decompiler, we notice a strange pixelated background.

The entropy graph of the bmp image resembles the entropy graph of the original file, and its size is 85% of the file size.

The overall look of the image points to steganography.

Note the process tree and the presence of the injection marker.

This indicates that unpacking is taking place. For Visual Basic loaders (aka VBKrypt or VBInjector) it is typical to use shellcode to initialise the payload and to perform the injection itself.

Analysis in VB Decompiler revealed a Load event of the FegatassocAirballoon2 form.

Go to the specified address in IDA Pro and study the function. The code is heavily obfuscated. The fragment of interest is shown below.

Here the process address space is scanned for a signature. The approach is highly questionable.

First, the scan starts at address 0x400100. This value is hard-coded and is not adjusted when the image base is relocated. Under ideal conditions it points to the end of the PE header of the executable. But the base is not fixed, its value can change, and the search for the real address of the signature, although it will not overflow the variable, can take an extremely long time.

Second, the signature value is iWGK. It should be obvious that 4 bytes are far too few to guarantee uniqueness, and given the first point the probability of a false match is very high.

In fact the required fragment is appended to the end of the bmp image found earlier, at offset 0xA1D0D.
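The two observations above, the bmp carrying most of the file's entropy and the fragment sitting past the pixel data at 0xA1D0D, can be turned into a scripted check. The following Python is an added example, not part of the article: it reads the BITMAPFILEHEADER and BITMAPINFOHEADER, derives where the pixel array must end from the image geometry (bfSize can be forged to cover an appended blob, so it is only reported), and measures the Shannon entropy of the pixels and of any trailing overlay separately. The bitmap produced by build_synthetic_bmp() and the filler from pseudo_random_bytes() are constructed inputs; that the real sample's overlay begins exactly at the geometric end of the pixel array is an assumption, the article only gives the offset.

```python
"""Find and measure data appended after a bitmap's pixel array.

Added example, not part of the Group-IB article. inspect_bmp() parses the
BMP headers, computes the end of the pixel array from width, height and
bit depth, and reports any overlay after it with entropy figures; the
entropy profile is the curve an "entropy graph" tool would plot.
build_synthetic_bmp() and pseudo_random_bytes() produce constructed input.
"""
import hashlib
import math
import struct
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 256):
    """Entropy of each fixed-size window, i.e. the points of an entropy graph."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


@dataclass
class BmpReport:
    declared_size: int            # bfSize from the file header (attacker-controlled)
    pixel_end: int                # offset where the pixel array ends by geometry
    overlay_offset: Optional[int]  # start of appended data, if any
    pixel_entropy: float
    overlay_entropy: float


def inspect_bmp(data: bytes) -> BmpReport:
    if data[:2] != b"BM" or len(data) < 54:
        raise ValueError("not a BMP")
    bf_size, bf_off_bits = struct.unpack_from("<I4xI", data, 2)
    # BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount
    bi_size, width, height, _planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    if bi_size < 40 or width <= 0 or height == 0 or bpp == 0:
        raise ValueError("unsupported BMP header")
    stride = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    pixel_end = bf_off_bits + stride * abs(height)   # negative height = top-down image
    # Geometry, not bfSize, decides where the overlay starts: bfSize can be forged
    overlay = data[pixel_end:] if len(data) > pixel_end else b""
    return BmpReport(
        declared_size=bf_size,
        pixel_end=pixel_end,
        overlay_offset=pixel_end if overlay else None,
        pixel_entropy=shannon_entropy(data[bf_off_bits:pixel_end]),
        overlay_entropy=shannon_entropy(overlay),
    )


def build_synthetic_bmp(overlay: bytes) -> bytes:
    """Constructed 64x32 24-bit bitmap with a two-colour pattern, plus `overlay`."""
    width, height, bpp = 64, 32, 24
    stride = ((width * bpp + 31) // 32) * 4
    pixels = (b"\x00\xff" * (stride // 2)) * height
    off_bits = 14 + 40
    file_hdr = b"BM" + struct.pack("<IHHI", off_bits + len(pixels), 0, 0, off_bits)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels + overlay


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted blob."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_synthetic_bmp(pseudo_random_bytes(8192))   # constructed demo file
    r = inspect_bmp(data)
    print(f"bfSize={r.declared_size} actual={len(data)} pixel_end=0x{r.pixel_end:X}")
    if r.overlay_offset is not None:
        print(f"overlay at 0x{r.overlay_offset:X} ({len(data) - r.overlay_offset} bytes); "
              f"entropy pixels={r.pixel_entropy:.2f} overlay={r.overlay_entropy:.2f}")
    print("profile:", [round(e, 1) for e in entropy_profile(data, 1024)])
```

On a file like the one in this sample the pixel region should score low (a pixelated background has few colours) while the overlay scores close to 8 bits per byte; a bfSize equal to the full file length with a pixel_end well before it is the forged-header case the geometry check is there to catch.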

Shellcode execution is performed in two stages. The first decrypts the main body; in this case the key is found by brute force.

Dump the decrypted shellcode and look at the strings.

First, we now know the function used to create the child process: CreateProcessInternalW.

Second, we learn the persistence mechanism used on the system.

Return to the original process. Set a breakpoint on CreateProcessInternalW and continue execution. Next we see the NtGetContextThread/NtSetContextThread pair, which changes the start address of execution to the shellcode address.

Attach the debugger to the created process, enable the "Suspend on library load/unload" event, resume the process and wait for the .NET libraries to load.

Using ProcessHacker, dump the regions containing the unpacked .NET application.

Terminate all processes and remove the copy of the malware installed on the system.

The dumped file is protected with .NET Reactor, which is easily removed with de4dot.

Using the YARA rules written earlier, we confirm that this is AgentTesla.

Summary

So, we have shown in detail the process of semi-automatic sample unpacking on three mini-cases, analysed the malware in a full case, established that the sample under study is AgentTesla, determined its functionality and compiled a complete list of indicators of compromise.

Analysis of a malicious object at the depth we performed it takes a lot of time and effort, and this work should be done by a dedicated specialist within the company, but not every company is ready to hire an analyst.

One of the services provided by the Group-IB Laboratory of Computer Forensics and Malicious Code Analysis is cyber incident response. And so that customers do not lose time approving documents and negotiating during a cyberattack, Group-IB launched the Incident Response Retainer, a pre-subscription incident response service that also includes a malware analysis stage. More information about it is available here.

If you want to revisit how AgentTesla samples are unpacked and watch a CERT Group-IB specialist do it, you can download the recording of the webinar on this topic here.

Source: www.habr.com
