I. Summary
APT28, also known as Sofacy, Fancy Bear, STRONTIUM, Pawn Storm and Sednit, kept up a very active campaign against governments and political entities worldwide throughout 2018. Before diving into the latest Zebrocy samples, I strongly recommend first reading ESET's "Sednit: What's going on with Zebrocy?" and Palo Alto Networks Unit 42's "Dear Joohn: The Sofacy Group's Global Campaign".
The Zebrocy Delphi variants are essentially loaders and backdoors that collect victim information. Some variants are UPX-packed, and they keep their configuration data in an RCDATA resource named TFORM1, which is the serialized TForm1 form (in Delphi, every form is a descendant of TForm). This post compares versions 6.02 and 7.00 of the malware. The newer version changes the Timer objects, the registry keys and the information-collection routine, which now scans the host for documents, archives, images, database files and configuration files. Another notable change is that the hexadecimal representation of the TForm1 Icon.Data object differs between samples.
The Python code to extract the resource is as follows:
'''
Extract the APT28 Zebrocy TForm1 Delphi form from the binary's resource section
@VK_Intel
'''
import pefile

pe = pefile.PE("<PATH_TO_ZEBROCY>")
# store our tform1_struct
tform1_struct = b""
offset = 0x0
size = 0x0
for rsrc in pe.DIRECTORY_ENTRY_RESOURCE.entries:        # resource types (RT_RCDATA, RT_ICON, ...)
    for entry in rsrc.directory.entries:                 # named or numbered resources of that type
        if entry.name is not None:
            print(entry.name)
            # search for the TFORM1 resource
            if str(entry.name) == "TFORM1":
                lang = entry.directory.entries[0].data.struct   # first language entry of the resource
                offset = lang.OffsetToData
                size = lang.Size
                tform1_struct = pe.get_memory_mapped_image()[offset:offset + size]
print(tform1_struct)
The code prints the named resources and then the raw TFORM1 stream:
DVCLAL
L30
LIBEAY32
PACKAGEINFO
PLATFORMTARGETS
SSLEAY32
TFORM1
MAINICON
b'TPF0\x06TForm1\x05Form1\x04Left\x02\x00\x03Top\x02\x00\x0cClientHeight\x03\x7f\x01\x0bClientWidth\x03\xc9\x01\x05Color\x07\tclBtnFace\x0cFont.Charset\x07\x0fDEFAULT_CHARSET...
Note that the resource directory carries everything the malware needs: the OpenSSL libraries LIBEAY32 and SSLEAY32 (which it drops as libeay32.dll and ssleay32.dll, see the configuration strings in section IV), the L30 resource, DVCLAL and PACKAGEINFO (the standard Delphi package and unit information, which includes the Windows API units). Most importantly, it contains the main TForm1 Delphi form.
The TFORM1 resource is the main form: it sets up the window and creates the TLabel, TEdit and TMemo objects whose captions and contents describe the malware's functionality.
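The TPF0 stream printed above is Delphi's binary form format (TWriter serialization): a "TPF0" signature, then for each component its class name and object name as Pascal ShortStrings, a property list of (name, one-byte value-type tag, value) closed by an empty name, nested child components, and a single zero byte closing the children. The reader below is an added example, not VK_Intel's tooling: it walks that stream, prints the text DFM listing used in the rest of this post, and collects the string values, which is where the configuration strings in section IV come from. It runs here against a constructed sample blob laid out like the Zebrocy TFORM1 resource (not bytes from a real sample); call dump_dfm on the blob saved by the pefile snippet to process a real resource. Float value types (vaExtended, vaSingle, vaDouble, vaCurrency, vaDate) are not handled.

```python
"""Binary Delphi form (TPF0) reader: text DFM listing plus string values. Added example, not VK_Intel's tool."""
import struct
# TValueType ordinals from Delphi's Classes unit (vaNull .. vaDouble); float types are not handled
(VA_NULL, VA_LIST, VA_INT8, VA_INT16, VA_INT32, VA_EXTENDED, VA_STRING, VA_IDENT, VA_FALSE,
 VA_TRUE, VA_BINARY, VA_SET, VA_LSTRING, VA_NIL, VA_COLLECTION, VA_SINGLE, VA_CURRENCY,
 VA_DATE, VA_WSTRING, VA_INT64, VA_UTF8STRING, VA_DOUBLE) = range(22)
INT_FMT = {VA_INT8: "<b", VA_INT16: "<h", VA_INT32: "<i", VA_INT64: "<q"}

class Ident(str): pass   # bare identifier: clBtnFace, Timer_helloTimer (never a config string)
class ListV(list): pass  # vaList: Lines.Strings = (...); a vaSet is returned as a tuple, vaBinary as bytes

def quote(s):  # Delphi text-form quoting: printable runs in '...', anything else as #NN
    out, inq = [], False
    for ch in s:
        p = 0x20 <= ord(ch) < 0x7F and ch != "'"
        if p != inq: out.append("'"); inq = p
        out.append(ch if p else "#%d" % ord(ch))
    return ("".join(out) + ("'" if inq else "")) if out else "''"

def fmt(v, pad):  # render one property value the way the Delphi text DFM does
    if isinstance(v, bool): return "True" if v else "False"
    if isinstance(v, Ident): return v
    if isinstance(v, str): return quote(v)
    if isinstance(v, bytes): return "{%s}" % v.hex().upper()
    if isinstance(v, tuple): return "[%s]" % ", ".join(v)
    if isinstance(v, ListV): return "(\n" + "\n".join(pad + fmt(x, pad) for x in v) + ")"
    if isinstance(v, list): return "<>" if not v else "<%d items>" % len(v)  # vaCollection
    return str(v)

class DfmReader:
    def __init__(self, data, pos=0):
        self.data, self.pos, self.lines, self.strings = data, pos, [], []
    def take(self, n):
        if self.pos + n > len(self.data): raise ValueError("truncated stream at %d" % self.pos)
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def short_string(self):  # Pascal ShortString: length byte + bytes
        return self.take(self.take(1)[0]).decode("latin-1")
    def value(self):
        t = self.take(1)[0]
        if t in INT_FMT:
            return struct.unpack(INT_FMT[t], self.take(struct.calcsize(INT_FMT[t])))[0]
        if t in (VA_STRING, VA_IDENT):
            return Ident(self.short_string()) if t == VA_IDENT else self.short_string()
        if t in (VA_FALSE, VA_TRUE, VA_NIL):
            return Ident("nil") if t == VA_NIL else t == VA_TRUE
        if t in (VA_LSTRING, VA_UTF8STRING, VA_BINARY, VA_WSTRING):  # 32-bit length prefix
            n = struct.unpack("<I", self.take(4))[0]
            if t == VA_WSTRING: return self.take(2 * n).decode("utf-16-le")
            raw = self.take(n)
            return raw if t == VA_BINARY else raw.decode("utf-8" if t == VA_UTF8STRING else "latin-1")
        if t == VA_SET:  # ShortStrings up to an empty one
            items, s = [], self.short_string()
            while s:
                items.append(s)
                s = self.short_string()
            return tuple(items)
        if t in (VA_LIST, VA_COLLECTION):  # items up to a vaNull terminator
            items = ListV() if t == VA_LIST else []
            while self.data[self.pos] != VA_NULL:
                if t == VA_COLLECTION and self.data[self.pos] in INT_FMT: self.value()  # item index
                items.append(self.value() if t == VA_LIST else self.properties())
            self.pos += 1
            return items
        raise ValueError("unhandled value type %d at offset %d" % (t, self.pos - 1))
    def properties(self):  # (name, value) pairs up to an empty name
        props, name = [], self.short_string()
        while name:
            props.append((name, self.value()))
            name = self.short_string()
        return props
    def component(self, depth=0):
        if self.data[self.pos] >= 0xF0 and self.take(1)[0] & 2:  # TFilerFlags prefix; ffChildPos adds an index
            self.value()
        cls, name = self.short_string(), self.short_string()
        pad = "  " * depth
        self.lines.append("%sobject %s: %s" % (pad, name, cls))
        for pname, v in self.properties():
            self.lines.append("%s  %s = %s" % (pad, pname, fmt(v, pad + "    ")))
            self.strings += [s for s in (v if isinstance(v, ListV) else [v]) if type(s) is str]
        while self.data[self.pos] != VA_NULL:  # child components up to a vaNull terminator
            self.component(depth + 1)
        self.pos += 1
        self.lines.append(pad + "end")

def dump_dfm(blob):
    """Return (text listing, string values) for a TPF0 stream, e.g. the blob saved by the pefile snippet."""
    if blob[:4] != b"TPF0": raise ValueError("not a binary DFM stream (no TPF0 signature)")
    r = DfmReader(blob, 4)
    r.component()
    return "\n".join(r.lines), r.strings

def _ss(s):  # ShortString builder for the constructed sample
    return bytes([len(s)]) + s.encode("latin-1")

# Constructed sample laid out like the Zebrocy TFORM1 resource; not bytes from a real sample.
SAMPLE = (b"TPF0" + _ss("TForm1") + _ss("Form1")
          + _ss("ClientHeight") + b"\x03" + struct.pack("<h", 358) + _ss("Font.Style") + b"\x0b\x00"
          + b"\x00"  # end of Form1 properties
          + _ss("TLabel") + _ss("c") + _ss("Caption") + b"\x06" + _ss("KEYLOG") + b"\x00\x00"
          + _ss("TMemo") + _ss("Memo3") + _ss("Lines.Strings") + b"\x01"  # vaList of vaString
          + b"\x06" + _ss("@ECHO OFF") + b"\x06" + _ss("ECHO %%i %%n>>1.txt") + b"\x00"
          + _ss("Visible") + b"\x08" + b"\x00\x00"  # vaFalse; end of properties, end of children
          + _ss("TTimer") + _ss("Timer_hello") + _ss("Enabled") + b"\x08" + _ss("Interval") + b"\x04"
          + struct.pack("<i", 900000) + _ss("OnTimer") + b"\x07" + _ss("Timer_helloTimer") + b"\x00\x00"
          + _ss("TIdPOP3") + _ss("IdPOP31") + _ss("SASLMechanisms") + b"\x0e\x00" + b"\x00\x00"
          + b"\x00")  # end of Form1 children
```

dump_dfm(SAMPLE) returns the listing "object Form1: TForm1 ... end" with the nested TLabel, TMemo (Lines.Strings rendered as a parenthesised block), TTimer and TIdPOP3 objects, and the string list ['KEYLOG', '@ECHO OFF', 'ECHO %%i %%n>>1.txt']. Identifiers such as Timer_helloTimer are deliberately excluded from the string list so that the output matches the configuration dumps rather than event-handler names.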
II. Analysis of Zebrocy Delphi malware version 6.02
For example, here is the code that sets up the window and creates the main victim-information collector, keylogger and network-domain resolver objects, taken from Zebrocy version 6.02 (0a6c1db916ac8ddf0ef67196279e12d163e07969d9cc68c0aed6b63d11f76d6c):
///////////////////////////////////////////////////
////// APT28 Zebrocy Malware TForm1 Class /////////
///////////////////////////////////////////////////
object Form1: TForm1
  Left = 0
  Top = 0
  ClientHeight = 358
  ClientWidth = 509
  Color = clBtnFace
  Font.Charset = DEFAULT_CHARSET
  Font.Color = clWindowText
  Font.Height = -11
  Font.Name = 'Tahoma'
  Font.Style = []
  OldCreateOrder = False
  PixelsPerInch = 96
  TextHeight = 13
  object c: TLabel
    Left = 428
    Top = 232
    Width = 38
    Height = 13
    Caption = 'KEYLOG' // keylogger object
  end
  object Label2: TLabel
    Left = 417
    Top = 197
    Width = 49
    Height = 13
    Caption = 'SYS_INFO' // machine system info object
  end
  object Memo3: TMemo
    Left = 0
    Top = 179
    Width = 445
    Height = 179 // network domain collector and parser object
    Lines.Strings = (
      '@ECHO OFF'
      'FOR /F "tokens=1 delims=\ " %%n IN ('#39'net view^|FIND "\\"'#39') DO ('
      ' FOR /F "tokens=2 delims=[]" %%i IN ('#39'ping -a -n 1 -w 0 %%n^|FI' +
      'ND "["'#39') DO ('
      ' ECHO %%i %%n>>1.txt'
      ' FOR /F "tokens=1,2,3,4 delims= " %%a IN ('#39'net view \\%%n^|FI' +
      'ND " "'#39') DO ('
      ' IF "%%b"=="Disk" ('
      ' ECHO %%b: \\%%n\%%a>>1.txt'
      ' ) ELSE ('
      ' IF "%%b"=="Print" ECHO %%b: \\%%n\%%a>>1.t' +
      'xt'
      ' )'
      ' )'
      ' )'
      ')')
    TabOrder = 17
    Visible = False
  end
The malware drops this batch script to enumerate the hosts visible via net view, reverse-resolve each one with ping -a, and list its Disk and Print shares; the results are written to 1.txt locally for later exfiltration.
The TTimer objects we observed (Enabled, OnTimer and Interval parameters) are shown below. All of them are created disabled and are started from code at runtime; a timer listed without an Interval keeps TTimer's default of 1000 ms.
///////////////////////////////////////////////////
////// APT28 Zebrocy Malware Timer Class //////////
///////////////////////////////////////////////////
object Timer_post: TTimer
  Enabled = False
  OnTimer = Timer_postTimer
  Left = 144
end
object Timer_hello: TTimer
  Enabled = False
  Interval = 900000 // 900 seconds, i.e. a 15 minute interval
  OnTimer = Timer_helloTimer
  Left = 208
end
object Timer_scan: TTimer
  Enabled = False
  OnTimer = Timer_scanTimer
  Left = 272
end
object Timer_all: TTimer
  Enabled = False
  Interval = 6000 // 6 second interval
  OnTimer = Timer_allTimer
  Left = 328
end
All of the unique timer handlers we observed:
Timer_FirstTimer -> interval 5000 ms
Timer_handlTimer -> interval 5000 ms
Timer_SCRTimer -> interval 60000 ms
Timer_keyTimer -> interval 120000 ms
Timer_dsetTimer -> interval 10000 ms
Timer_mainTimer -> interval 60000 ms
Timer_allTimer -> interval 6000 ms
Timer_helloTimer -> interval 900000 ms
Timer_postTimer
Timer_scanTimer
Timer_lodsbTimer
Timer_downlTimer
Timer_regTimer
Timer_uplTimer
Timer_LogsTimer
Timer_DelTimer
Timer_SCRLDTimer
The POP3/SMTP mechanism is as follows. Note SSLOptions.VerifyMode = [] and SSLOptions.VerifyDepth = 0 on the Indy SSL handler: the mail channel is wrapped in TLS but the server certificate is never verified, so the C2 traffic is opaque on the wire yet trivially interceptable by anyone who can sit in the path.
///////////////////////////////////////////////////
////// APT28 Zebrocy Delphi SMTP/POP3/SSL Class ///
///////////////////////////////////////////////////
object IdPOP31: TIdPOP3
  AutoLogin = True
  SASLMechanisms = <>
  Left = 272
  Top = 112
end
object IdSMTP1: TIdSMTP
  SASLMechanisms = <>
  Left = 328
  Top = 112
end
object IdSSLIOHandlerSocketOpenSSL1: TIdSSLIOHandlerSocketOpenSSL
  MaxLineAction = maException
  Port = 0
  DefaultPort = 0
  SSLOptions.Mode = sslmUnassigned
  SSLOptions.VerifyMode = []
  SSLOptions.VerifyDepth = 0
  Left = 272
  Top = 168
end
end
III. Analysis of Zebrocy Delphi malware version 7.00
Zebrocy version 7.00 (SHA-256: 215f7c08c2e3ef5835c7ebc9a329b04b8d5215773b7ebfc9fd755d93451ce1ae)
The latest version adds TLabel scan objects whose captions together form the search pattern 'scan {all} *.docx, *.xlsx, *.pdf, *.pptx, *.rar, *.zip, *.jpg, *.bmp, *.tiff /', covering Microsoft Word, Excel and PowerPoint documents, PDFs, archives (.rar and .zip) and images (.jpg, .bmp and .tiff). A second pattern looks for configuration and database files (.dat, .json, .db).
///////////////////////////////////////////////////
/// APT28 Zebrocy Delphi File Search Feature //////
///////////////////////////////////////////////////
object scan1: TLabel
  Left = 8
  Top = 8
  Width = 154
  Height = 13
  // Scanner for documents
  Caption = 'scan {all} *.docx, *.xlsx, *.pdf,' // Scan for MS Word, Excel, PDF
end
object scan2: TLabel
  Left = 168
  Top = 8
  Width = 129
  Height = 13
  // Scanner for documents, archives and images
  Caption = '*.pptx, *.rar, *.zip, *.jpg,' // Scan for PowerPoint, archives, JPG images
end
object scan3: TLabel
  Left = 8
  Top = 27
  Width = 68
  Height = 13
  // Scanner for images
  Caption = '*.bmp, *.tiff /' // Scan for BMP and TIFF images
end
...
object Label3: TLabel
  Left = 8
  Top = 46
  Width = 147
  Height = 13
  // Scanner for configuration and database files
  Caption = 'scan {all} *.dat, *.json, *.db /' // Scan for .DAT, .JSON, .db
end
...
It also establishes persistence by writing a value to HKCU\Environment\UserInitMprLogonScript, a logon-script entry that Userinit executes every time the user logs on, so no Run key or scheduled task is needed.
///////////////////////////////////////////////////
/// APT28 Zebrocy Delphi HKCU Registry Persistence
///////////////////////////////////////////////////
object Button2: TButton
  Left = 309
  Top = 3
  Width = 122
  Height = 25
  Caption = 'HKCU\Environment'
  TabOrder = 6
end
object Button3: TButton
  Left = 310
  Top = 34
  Width = 122
  Height = 25
  Caption = 'UserInitMprLogonScript'
  Tab
All of the unique timer handlers we observed (TTimer objects with Enabled, OnTimer and Interval parameters):
Timer_FirstTimer -> interval 5000 ms
Timer_taskTimer -> interval 90000 ms
Timer_sendTimer -> interval 120000 ms
Timer_SCRTimer -> interval 120000 ms
Timer_OTimer -> interval 28800000 ms (8 hours)
Timer_postTimer
Timer_mainTimer
The mailbox infrastructure we observed being used for command-and-control communication and exfiltration is as follows.
Mail servers used:
ambcomission[.]com
seznam[.]cz
post[.]cz
india[.]com
Email accounts:
[email protected][.]com
[email protected][.]com
[email protected][.]com
[email protected][.]com
[email protected][.]cz
[email protected][.]cz
[email protected][.]com
[email protected][.]com
[email protected][.]com
IV. Zebrocy TForm1 configuration
A. Zebrocy version 6.02 TForm1 configuration (SHA-256: 0a6c1db916ac8ddf0ef67196279e12d163e07969d9cc68c0aed6b63d11f76d6c)
KEYLOG
SYS_INFO
@ECHO OFF
FOR /F "tokens=1 delims=\ " %%n IN ('net view^|FIND "\\"') DO (
  FOR /F "tokens=2 delims=[]" %%i IN ('ping -a -n 1 -w 0 %%n^|FIND "["') DO (
    ECHO %%i %%n>>1.txt
    FOR /F "tokens=1,2,3,4 delims= " %%a IN ('net view \\%%n^|FIND " "') DO (
      IF "%%b"=="Disk" (
        ECHO %%b: \\%%n\%%a>>1.txt
      ) ELSE (
        IF "%%b"=="Print" ECHO %%b: \\%%n\%%a>>1.txt
      )
    )
  )
)
ddr3
*\Software\Microsoft\Windows\CurrentVersion
C:\Users\Public\dset.ini
ProductId
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Run
libeay32.dll
ssleay32.dll
p.bin
v6.02
GET_NETWORK
B. Zebrocy version 7.00 TForm1 configuration (SHA-256: 215f7c08c2e3ef5835c7ebc9a329b04b8d5215773b7ebfc9fd755d93451ce1ae)
KEYLOG
SYS_INFO
!scan {all} *.docx, *.xlsx, *.pdf, *.pptx, *.rar, *.zip, *.jpg, *.bmp, *.tiff /
adr_for_scan
C:\Users\Public\officeexcp.bin
KLA
C:\Users\Public\kla.bin
scan {all} *.dat, *.json, *.db /
eg add
EG_EXPAND
eg delete
GET_NETWORK
HKCU\Environment\UserInitMprLogonScript
v7.00
libeay32.dll
ssleay32.dll
C. Zebrocy version 7.00 TForm1 configuration (SHA-256: ae6326a8b0297dc6eff583f2305abaeab0347a3aef95fc51c5d76708cf32b73f)
SYS_INFO
eg add
EG_EXPAND
eg delete
C:\Users\Public\dset.ini
p.bin
v7.00
ssleay32.dll
libeay32.dll
C:\Users\Public\boot.ini
UserInitMprLogonScript
HKCU\Environment
Another notable change in this Zebrocy sample (SHA-256: ae6326a8b0297dc6eff583f2305abaeab0347a3aef95fc51c5d76708cf32b73f) is that the hexadecimal form of its Icon.Data {} object differs from the earlier builds.
V. YARA rule
rule apt28_win32_zebrocy_loader {
    meta:
        author = "@VK_Intel"
        description = "Detects Zebrocy Component"
        date = "2018-12-14"
    strings:
        $s1 = "Timer_postTimer" fullword ascii wide
        $s2 = "Timer_mainTimer" fullword ascii wide
        $s3 = "Timer_FirstTimer" fullword ascii wide
        $s4 = "UserInitMprLogonScript" fullword ascii wide
        $s5 = "KEYLOG" fullword ascii wide
        $s6 = "SYS_INFO" fullword ascii wide
        $s7 = "EG_EXPAND" fullword ascii wide
        $s8 = "HKCU\\Environment" fullword ascii wide
        // no fullword here: in the samples the path is always followed by a file name
        // (dset.ini, p.bin, kla.bin), and fullword rejects a match followed by an alphanumeric
        $s9 = "C:\\Users\\Public\\" ascii wide
        $s10 = "scan {all}" fullword ascii wide
        // resource names (stored as UTF-16 in the resource directory, hence wide); every Delphi
        // binary carries DVCLAL and PACKAGEINFO and many carry TFORM1, so $r* alone is not enough
        $r0 = "L30" fullword ascii wide
        $r1 = "LIBEAY32" fullword ascii wide
        $r2 = "TFORM1" fullword ascii wide
        $r3 = "SSLEAY32" fullword ascii wide
        $r4 = "DVCLAL" fullword ascii wide
        $r5 = "PACKAGEINFO" fullword ascii wide
    condition:
        // "and" binds tighter than "or": without the outer parentheses the MZ check applied
        // only to the first alternative, and the other two also fired on non-PE files
        uint16(0) == 0x5a4d and
        ( all of them or ( 3 of ($s*) and 2 of ($r*) ) or ( all of ($r*) and 2 of ($s*) ) )
}