
Analysis of the Windows malware BazarLoader

BazarLoader is Windows-based malware that is distributed mainly via email and similar channels. The criminals use the malware's backdoor to access the infected host, probe the target's domain network environment, deploy Cobalt Strike, and map the network topology. If the target is judged to be high-value, the criminals begin lateral movement and deploy ransomware such as Conti or Ryuk.

How BazarLoader is distributed

In the summer of 2021, researchers observed attackers distributing BazarLoader malware via email. So far the malware has been seen in three attack campaigns:

"BazarCall" used emails carrying BazarLoader as the initial attack vector, luring victims into clicking a file containing the malware;
In early July, copyright-infringement-themed "Sleet Images Evidence.ZIP" archives contained BazarLoader;
At the end of July, TA551 (Shathak) began distributing BazarLoader through English-language emails.

Besides these three main campaigns, researchers also found Excel spreadsheets containing BazarLoader. The infection chain is as follows:

Chain of events from BazarLoader infection on Aug. 19, 2021. Excel file with .xlsb file extension, enable macros, web traffic for BazarLoader, BazarLoader, Bazar C2 traffic, Cobalt Strike, Cobalt Strike traffic, ADfind and batch file, Cobalt Strike and Bazar C2 traffic continues

Malicious Excel spreadsheet

The malicious Excel spreadsheet was first seen on Aug. 18; its last-modified date is Aug. 17. The file has an '.xlsb' extension and contains BazarLoader. The screenshot below shows the malicious Excel file:

A malicious Excel template that attempts to instill confidence by taking advantage of the DocuSign brand name and image.

The attacker tries to deceive the victim by abusing the DocuSign brand. Once the malicious macro is enabled on the victim's Windows host, a new sheet appears in the workbook, as shown below:

A fake invoice that appears on a malicious Excel spreadsheet. The red arrow indicates a new tab that appears after enabling macros.

At this point the malicious code has already executed and dropped BazarLoader.

BazarLoader analysis

The malicious file downloads the BazarLoader DLL from 'hxxps://pawevi[.]com/lch5.dll' and saves it as 'C:\Users\[username]\tru.dll'.

BazarLoader DLL is saved to the infected user's home directory. The black arrow indicates where it appears in the screenshot.

The BazarLoader DLL is then copied to another location, and the Windows registry is modified for persistence.

BazarLoader DLL persistent on the infected host, as shown in the screenshot.

Bazar C2 traffic

The BazarLoader sample downloaded BazarBackdoor from 104.248.174.225 over port 443. BazarBackdoor then generated C2 activity over HTTPS on port 443 to 104.248.166.170.

Traffic from the BazarLoader infection filtered in Wireshark. One black arrow indicates the section that represents Bazar C2 traffic. Another arrow indicates traffic for BazarLoader DLL.

Cobalt Strike activity

Roughly 41 minutes after the BazarLoader infection, the infected Windows host downloaded and ran Cobalt Strike over HTTPS from gojihu[.]com and yuxicu[.]com, as shown below:

Wireshark activity. The black arrows indicate where the Cobalt Strike activity begins.

The Cobalt Strike DLL was retrieved through the Bazar C2 channel and saved under the AppData\Roaming directory. The image below shows Cobalt Strike running:

Cobalt Strike started approximately 43 minutes after the BazarLoader infection, as illustrated in these screenshots from Process Hacker.

Reconnaissance activity

Two minutes after Cobalt Strike started, an environment-reconnaissance tool was downloaded to the infected host as 'C:\ProgramData\AdFind.exe'.
AdFind is a command-line tool; the attacker ran it through a batch file. The image below shows the location of AdFind, the batch file, and the output files it produced.

Network enumeration after Cobalt Strike.

The contents of the batch script are as follows:

Commands used for AdFind.exe, displayed in a screenshot of Notepad.

adfind.exe -f "(objectcategory=person)" > ad_users.txt
adfind.exe -f "objectcategory=computer" > ad_computers.txt
adfind.exe -f "(objectcategory=organizationalUnit)" > ad_ous.txt
adfind.exe -sc trustdmp > trustdmp.txt
adfind.exe -subnets -f (objectCategory=subnet)> subnets.txt
adfind.exe -f "(objectcategory=group)" > ad_group.txt
adfind.exe -gcb -sc trustdmp > trustdmp.txt

IOC

BazarLoader Excel SHA256 hash:
8662d511c7f1bef3a6e4f6d72965760345b57ddf0de5d3e6eae4e610216a39c1
Malicious DLL for BazarLoader, SHA256 hash:
caa03c25583ea24f566c2800986def73ca13458da6f9e888658f393d1d340ba1
Online location: hxxps://pawevi[.]com/lch5.dll
Initial saved location: C:\Users\[username]\tru.dll
Final location: C:\Users\[username]\AppData\Local\Temp\Damp\kibuyuink.exe
Run method: regsvr*.exe /s [filename]
Malicious DLL for Cobalt Strike, SHA256 hash:
73b9d1f8e2234ef0902fca1b2427cbef756f2725f288f19edbdedf03c4cadab0
File location: C:\Users\[username]\AppData\Roaming\nubqabmlkp.iowd
Run method: rundll32.exe [filename],Entrypoint
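The run methods and file locations above, together with the AdFind batch file, give a defender concrete process-creation patterns to hunt for. The following is an added detection example written for this article (not code from the original report or from any vendor tool); the Sysmon-style events, user name and file paths it scans are constructed samples modelled on the chain described here.

```python
import re

# Constructed process-creation events (Sysmon-style fields), modelled on the
# behaviours this report describes. Paths and the user "alice" are invented.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\tru.dll"',
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\nubqabmlkp.iowd,Entrypoint",
     "parent": r"C:\Users\alice\AppData\Local\Temp\Damp\kibuyuink.exe"},
    {"image": r"C:\ProgramData\AdFind.exe",
     "cmdline": r'adfind.exe -f "(objectcategory=person)"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\regsvr32.exe",  # benign installer, should not match
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\legit.dll"',
     "parent": r"C:\Program Files\Vendor\setup.exe"},
]

USER_PROFILE = re.compile(r"c:\\users\\[^\\]+\\", re.I)
OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the names of the BazarLoader/Cobalt Strike behaviours an event matches."""
    image, cmd, parent = basename(event["image"]), event["cmdline"], basename(event["parent"])
    hits = []
    # regsvr32 /s silently registering a DLL that lives under a user profile (tru.dll)
    if image == "regsvr32.exe" and re.search(r"\s/s\b", cmd, re.I) and USER_PROFILE.search(cmd):
        hits.append("regsvr32_silent_user_profile_dll")
    # rundll32 loading a file from AppData\Roaming whose extension is not .dll (.iowd)
    m = re.search(r"(\S+?\\appdata\\roaming\\[^\s,]+),", cmd, re.I)
    if image == "rundll32.exe" and m and not m.group(1).lower().endswith(".dll"):
        hits.append("rundll32_non_dll_in_appdata")
    # An Office process spawning a LOLBin: the macro stage of this chain
    if parent in OFFICE_APPS and image in ("regsvr32.exe", "rundll32.exe"):
        hits.append("office_spawned_lolbin")
    # AdFind run with an objectcategory or trustdmp query: the reconnaissance batch file
    if image == "adfind.exe" and re.search(r"objectcategory=|trustdmp", cmd, re.I):
        hits.append("adfind_ad_enumeration")
    return hits

def scan(events) -> dict:
    """Map the index of each suspicious event to the behaviours it matched."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

if __name__ == "__main__":
    for idx, matched in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", matched)
```

The rules key on the shape of the activity (silent regsvr32 of a user-profile DLL, rundll32 of a non-DLL extension, Office spawning a LOLBin, AdFind directory queries) rather than on the specific hashes and file names, which change between samples.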
