I. Summary
APT28, also known as Sofacy, Fancy Bear, STRONTIUM, Pawn Storm and Sednit, continued to target governments and political entities around the world throughout 2018 and remains very active. Before diving into the latest Zebrocy samples, I strongly recommend first reading ESET's article "Sednit: What's going on with Zebrocy?" and Palo Alto Unit 42's article "Dear Joohn: The Sofacy Group's Global Campaign".
Zebrocy Delphi variants are essentially loaders and backdoors that collect information about the victim. Some variants are UPX-packed, and they store their configuration data in the "RCData" resource of the "TForm1" class. As a general rule, forms in Delphi are defined by the TForm class. In this article we compare versions 6.02 and 7.00 of the malware. The upgraded version changes the Timer objects, the registry keys and the information-collection methods, and can scan the host for documents, archives, images, databases and configuration files. Another notable change is that the hex representation of the TForm1 Icon.Data object differs between samples.
The Python code below extracts the resource (UPX-packed samples should be unpacked first, e.g. with upx -d, so the RCData entry is visible in the resource directory):
'''
Extract the APT28 Zebrocy TForm1 Delphi form data from the binary's resource section
@VK_Intel
'''
import pefile

pe = pefile.PE("<PATH_TO_ZEBROCY>")

# store our tform1_struct
tform1_struct = b""
offset = 0x0
size = 0x0
for rsrc in pe.DIRECTORY_ENTRY_RESOURCE.entries:
    for entry in rsrc.directory.entries:
        if entry.name is not None:
            print(entry.name)
            # search for the TFORM1 resource
            if str(entry.name) == "TFORM1":
                offset = entry.directory.entries[0].data.struct.OffsetToData
                size = entry.directory.entries[0].data.struct.Size
                tform1_struct = pe.get_memory_mapped_image()[offset:offset + size]
print(tform1_struct)
The output of the code is as follows:
DVCLAL
L30
LIBEAY32
PACKAGEINFO
PLATFORMTARGETS
SSLEAY32
TFORM1
MAINICON
b'TPF0\x06TForm1\x05Form1\x04Left\x02\x00\x03Top\x02\x00\x0cClientHeight\x03\x7f\x01\x0bClientWidth\x03\xc9\x01\x05Color\x07\tclBtnFace\x0cFont.Charset\x07\x0fDEFAULT_CHARSET...
Notably, the resources contain the SSL libraries LIBEAY32 and SSLEAY32 that the imports require, DVCLAL, the L30 configuration and the package information (including the Windows API utility code). Most importantly, they contain the main TForm1 Delphi form data, stored in Delphi's binary form format (the "TPF0" signature followed by length-prefixed names, type-tagged values and nested objects).
The TForm1 resource is the main handler that sets up the window and creates the TLabel, TEdit and TMemo objects, which describe the malware's functionality.
II. Analysis of Zebrocy Delphi malware version 6.02
For example, the following code from Zebrocy version 6.02 (SHA-256: 0a6c1db916ac8ddf0ef67196279e12d163e07969d9cc68c0aed6b63d11f76d6c) sets up the window and creates the main victim-information collection, keylogging and network-domain resolver modules:
///////////////////////////////////////////////////
////// APT28 Zebrocy malware TForm1 class /////////
///////////////////////////////////////////////////
object Form1: TForm1
  Left = 0
  Top = 0
  ClientHeight = 358
  ClientWidth = 509
  Color = clBtnFace
  Font.Charset = DEFAULT_CHARSET
  Font.Color = clWindowText
  Font.Height = -11
  Font.Name = 'Tahoma'
  Font.Style = []
  OldCreateOrder = False
  PixelsPerInch = 96
  TextHeight = 13
  object c: TLabel
    Left = 428
    Top = 232
    Width = 38
    Height = 13
    Caption = 'KEYLOG' // keylogger object
  end
  object Label2: TLabel
    Left = 417
    Top = 197
    Width = 49
    Height = 13
    Caption = 'SYS_INFO' // machine system info object
  end
  object Memo3: TMemo
    Left = 0
    Top = 179
    Width = 445
    Height = 179 // network domain collector and parser object
    Lines.Strings = (
      '@ECHO OFF'
      'FOR /F "tokens=1 delims=\ " %%n IN ('#39'net view^|FIND "\\"'#39') DO ('
      ' FOR /F "tokens=2 delims=[]" %%i IN ('#39'ping -a -n 1 -w 0 %%n^|FI' +
      'ND "["'#39') DO ('
      ' ECHO %%i %%n>>1.txt'
      ' FOR /F "tokens=1,2,3,4 delims= " %%a IN ('#39'net view \\%%n^|FI' +
      'ND " "'#39') DO ('
      ' IF "%%b"=="Disk" ('
      ' ECHO %%b: \\%%n\%%a>>1.txt'
      ' ) ELSE ('
      ' IF "%%b"=="Print" ECHO %%b: \\%%n\%%a>>1.t' +
      'xt'
      ' )'
      ' )'
      ' )'
      ')')
    TabOrder = 17
    Visible = False
  end
end
The malware drops this batch script to collect network domain information: it enumerates hosts with net view, resolves each host with ping -a, and appends the host's address and its Disk and Print shares to 1.txt, which is kept locally for exfiltration.
The TTimer timer objects we observed (with their Enabled, OnTimer and Interval parameters) are as follows:
///////////////////////////////////////////////////
/// APT28 Zebrocy malware Timer class ///////////
///////////////////////////////////////////////////
object Timer_post: TTimer
  Enabled = False
  OnTimer = Timer_postTimer
  Left = 144
end
object Timer_hello: TTimer
  Enabled = False
  Interval = 900000 // 900 seconds or 15 minutes interval
  OnTimer = Timer_helloTimer
  Left = 208
end
object Timer_scan: TTimer
  Enabled = False
  OnTimer = Timer_scanTimer
  Left = 272
end
object Timer_all: TTimer
  Enabled = False
  Interval = 6000 // 6 seconds interval
  OnTimer = Timer_allTimer
  Left = 328
end
All the unique timer objects we observed are listed below. Where the form data sets no Interval (as with Timer_post above), the TTimer default of 1000 ms applies unless the code changes it at run time:
Timer_FirstTimer -> interval 5000 ms
Timer_handlTimer -> interval 5000 ms
Timer_SCRTimer -> interval 60000 ms
Timer_keyTimer -> interval 120000 ms
Timer_dsetTimer -> interval 10000 ms
Timer_mainTimer -> interval 60000 ms
Timer_allTimer -> interval 6000 ms
Timer_helloTimer -> interval 900000 ms
Timer_postTimer
Timer_scanTimer
Timer_lodsbTimer
Timer_downlTimer
Timer_regTimer
Timer_uplTimer
Timer_LogsTimer
Timer_DelTimer
Timer_SCRLDTimer
The POP3/SMTP mechanism is as follows. Note that the Indy SSL handler is configured with SSLOptions.VerifyMode = [] and VerifyDepth = 0, so the mail server's certificate is never verified:
///////////////////////////////////////////////////
/// APT28 Zebrocy Delphi SMTP/POP3/SSL classes ///
///////////////////////////////////////////////////
object IdPOP31: TIdPOP3
  AutoLogin = True
  SASLMechanisms = <>
  Left = 272
  Top = 112
end
object IdSMTP1: TIdSMTP
  SASLMechanisms = <>
  Left = 328
  Top = 112
end
object IdSSLIOHandlerSocketOpenSSL1: TIdSSLIOHandlerSocketOpenSSL
  MaxLineAction = maException
  Port = 0
  DefaultPort = 0
  SSLOptions.Mode = sslmUnassigned
  SSLOptions.VerifyMode = []
  SSLOptions.VerifyDepth = 0
  Left = 272
  Top = 168
end
end
III. Analysis of Zebrocy Delphi malware version 7.00
Zebrocy version 7.00 (SHA-256: 215f7c08c2e3ef5835c7ebc9a329b04b8d5215773b7ebfc9fd755d93451ce1ae)
The latest version of the malware uses TLabel scan objects to search for Microsoft Word, Microsoft Excel, Microsoft PowerPoint and PDF documents, archives (.rar and .zip) and image files (.jpg, .bmp and .tiff). It also scans for configuration and database files (for example .dat, .json and .db).
///////////////////////////////////////////////////
/// APT28 Zebrocy Delphi targeted file search ////
///////////////////////////////////////////////////
object scan1: TLabel
  Left = 8
  Top = 8
  Width = 154
  Height = 13 // Scanner for documents
  Caption = 'scan {all} *.docx, *.xlsx, *.pdf,' // Scan for MS Word, Excel, PDF
end
object scan2: TLabel
  Left = 168
  Top = 8
  Width = 129
  Height = 13 // Scanner for documents, archives and images
  Caption = '*.pptx, *.rar, *.zip, *.jpg,' // Scan for PowerPoint, archives, JPG images
end
object scan3: TLabel
  Left = 8
  Top = 27
  Width = 68
  Height = 13 // Scanner for images
  Caption = '*.bmp, *.tiff /' // Scan for BMP and TIFF images
end
...
object Label3: TLabel
  Left = 8
  Top = 46
  Width = 147
  Height = 13 // Scanner for configuration and database files
  Caption = 'scan {all} *.dat, *.json, *.db /' // Scan for .DAT, .JSON, .DB
end
...
In addition, it establishes persistence by adding a value under HKCU\Environment\UserInitMprLogonScript; Windows' userinit.exe runs whatever this value references at each logon of that user, so the malware is re-launched without touching the more commonly monitored Run keys.
///////////////////////////////////////////////////
/// APT28 Zebrocy Delphi HKCU registry persistence ///
///////////////////////////////////////////////////
object Button2: TButton
  Left = 309
  Top = 3
  Width = 122
  Height = 25
  Caption = 'HKCU\Environment'
  TabOrder = 6
end
object Button3: TButton
  Left = 310
  Top = 34
  Width = 122
  Height = 25
  Caption = 'UserInitMprLogonScript'
  Tab
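The persistence value above is written once and then silently re-executed at every logon, so it is worth hunting for in registry telemetry rather than only in static strings. The following is an added detection example, not code from the original write-up: it flags Sysmon Event ID 13 (RegistryEvent, value set) records that write UserInitMprLogonScript under any user hive, and on a Windows host reads the current user's value directly. The event records are constructed for illustration; the image and script paths in them are placeholders, not observed Zebrocy artefacts.

```python
"""Added example (not from the original article): flag the UserInitMprLogonScript
persistence described above in Sysmon registry events, and read the value on a live
Windows host. SAMPLE_EVENTS is constructed; its file paths are placeholders."""
import re

# Sysmon reports per-user hives as HKU\<SID>; a .reg export or a direct query uses HKCU
LOGON_SCRIPT_RE = re.compile(
    r"^(?:HKCU|HKEY_CURRENT_USER|HKU\\[^\\]+)\\Environment\\UserInitMprLogonScript$",
    re.IGNORECASE,
)

# Constructed Sysmon records (winlogbeat-style field names), one of them malicious
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",                      # benign env var
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\TEMP",
     "Details": "%USERPROFILE%\\AppData\\Local\\Temp"},
    {"EventID": 13, "Image": "C:\\Users\\Public\\dropper.exe",                 # placeholder image
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\UserInitMprLogonScript",
     "Details": "C:\\Users\\Public\\dropper.exe"},                              # placeholder path
    {"EventID": 12, "Image": "C:\\Users\\Public\\dropper.exe",                 # key create, not a value set
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment"},
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",                       # Run key: out of scope here
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Program Files\\Updater\\updater.exe"},
]


def detect_logon_script_persistence(events):
    """Return one alert per Sysmon value-set event that writes UserInitMprLogonScript."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:      # only RegistryEvent (value set) carries the written data
            continue
        target = ev.get("TargetObject", "")
        if LOGON_SCRIPT_RE.match(target):
            alerts.append({
                "technique": "T1037.001 Logon Script (Windows)",
                "writer": ev.get("Image", ""),
                "script": ev.get("Details", ""),
                "target": target,
            })
    return alerts


def read_local_logon_script():
    """On Windows, return the current user's UserInitMprLogonScript value ('' if unset).
    Returns None where winreg is unavailable (non-Windows hosts)."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, "Environment") as key:
            return winreg.QueryValueEx(key, "UserInitMprLogonScript")[0]
    except FileNotFoundError:          # value not present: nothing configured
        return ""


if __name__ == "__main__":
    for alert in detect_logon_script_persistence(SAMPLE_EVENTS):
        print(alert)
    print("local value:", read_local_logon_script())
```

Any non-empty value returned by read_local_logon_script() deserves a look, since legitimate use of this value is rare; the Sysmon path covers the historical write, including the process that made it, which the live query cannot recover.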
All the unique timer objects we observed in this version are listed below (TTimer objects with Enabled, OnTimer and Interval parameters; those without an Interval in the form data keep the TTimer default of 1000 ms unless changed at run time):
Timer_FirstTimer -> interval 5000 ms
Timer_taskTimer -> interval 90000 ms
Timer_sendTimer -> interval 120000 ms
Timer_SCRTimer -> interval 120000 ms
Timer_OTimer -> interval 28800000 ms
Timer_postTimer
Timer_mainTimer
We observed the following mailbox information used for command-and-control communication and exfiltration.
Mail servers used:
ambcomission[.]com
seznam[.]cz
post[.]cz
india[.]com
Email accounts:
[email protected][.]com
[email protected][.]com
[email protected][.]com
[email protected][.]com
[email protected][.]cz
[email protected][.]cz
[email protected][.]com
[email protected][.]com
[email protected][.]com
IV. Zebrocy TForm1 configuration
A. Zebrocy version 6.02 TForm1 configuration (SHA-256: 0a6c1db916ac8ddf0ef67196279e12d163e07969d9cc68c0aed6b63d11f76d6c)
KEYLOG
SYS_INFO
@ECHO OFF
FOR /F "tokens=1 delims=\ " %%n IN ('net view^|FIND "\\"') DO (
 FOR /F "tokens=2 delims=[]" %%i IN ('ping -a -n 1 -w 0 %%n^|FIND "["') DO (
 ECHO %%i %%n>>1.txt
 FOR /F "tokens=1,2,3,4 delims= " %%a IN ('net view \\%%n^|FIND " "') DO (
 IF "%%b"=="Disk" (
 ECHO %%b: \\%%n\%%a>>1.txt
 ) ELSE (
 IF "%%b"=="Print" ECHO %%b: \\%%n\%%a>>1.txt
 )
 )
 )
)
ddr3
*\Software\Microsoft\Windows\CurrentVersion
C:\Users\Public\dset.ini
ProductId
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Run
libeay32.dll
ssleay32.dll
p.bin
v6.02
GET_NETWORK
B. Zebrocy version 7.00 TForm1 configuration (SHA-256: 215f7c08c2e3ef5835c7ebc9a329b04b8d5215773b7ebfc9fd755d93451ce1ae)
KEYLOG
SYS_INFO
scan {all} *.docx, *.xlsx, *.pdf, *.pptx, *.rar, *.zip, *.jpg, *.bmp, *.tiff /
adr_for_scan
C:\Users\Public\officeexcp.bin
KLA
C:\Users\Public\kla.bin
scan {all} *.dat, *.json, *.db /
eg add
EG_EXPAND
eg delete
GET_NETWORK
HKCU\Environment\UserInitMprLogonScript
v7.00
libeay32.dll
ssleay32.dll
C. Zebrocy version 7.00 TForm1 configuration (SHA-256: ae6326a8b0297dc6eff583f2305abaeab0347a3aef95fc51c5d76708cf32b73f)
SYS_INFO
eg add
EG_EXPAND
eg delete
C:\Users\Public\dset.ini
p.bin
v7.00
ssleay32.dll
libeay32.dll
C:\Users\Public\boot.ini
UserInitMprLogonScript
HKCU\Environment
Another notable change in this Zebrocy sample (SHA-256: ae6326a8b0297dc6eff583f2305abaeab0347a3aef95fc51c5d76708cf32b73f) is that the hex representation of the Icon.Data {} object differs from the earlier samples.
V. Yara rule
The rule below keys on the TForm1 strings and resource names documented above. Two details matter when deploying it: the MZ-header check is bracketed so that it applies to every alternative ('and' binds tighter than 'or' in YARA), and $s9 is not marked fullword, because a path string ending in a backslash is always followed by a filename character and would never match as a whole word.
rule apt28_win32_zebrocy_loader {
    meta:
        author = "@VK_Intel"
        description = "Detects Zebrocy Component"
        date = "2018-12-14"
    strings:
        $s1 = "Timer_postTimer" fullword wide ascii
        $s2 = "Timer_mainTimer" fullword ascii wide
        $s3 = "Timer_FirstTimer" fullword ascii wide
        $s4 = "UserInitMprLogonScript" fullword ascii wide
        $s5 = "KEYLOG" fullword ascii wide
        $s6 = "SYS_INFO" fullword ascii wide
        $s7 = "EG_EXPAND" fullword ascii wide
        $s8 = "HKCU\\Environment" fullword ascii wide
        $s9 = "C:\\Users\\Public\\" ascii wide   // no fullword: a filename always follows the trailing backslash
        $s10 = "scan {all}" fullword ascii wide
        $r0 = "L30" fullword ascii wide
        $r1 = "LIBEAY32" fullword ascii wide
        $r2 = "TFORM1" fullword ascii wide
        $r3 = "SSLEAY32" fullword ascii wide
        $r4 = "DVCLAL" fullword ascii wide
        $r5 = "PACKAGEINFO" fullword ascii wide
    condition:
        // MZ header required for every alternative ('and' binds tighter than 'or')
        uint16(0) == 0x5a4d and (
            all of them or
            ( 3 of ($s*) and 2 of ($r*) ) or
            ( all of ($r*) and 2 of ($s*) )
        )
}