-
-
[原创]关于双系统挖矿,新型AutoUpdate挖矿病毒的分析与讨论
-
发表于: 2021-7-12 20:23
-
前情概要
参考链接:006K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6E0M7q4)9J5k6i4N6W2K9i4S2A6L8W2)9J5k6i4q4I4i4K6u0W2j5$3!0E0i4K6u0r3M7#2)9J5c8X3E0K9c8i4S2D9d9U0j5J5e0q4k6b7e0$3I4#2k6X3E0#2M7X3S2n7K9Y4M7`.
上周末看到了深信服千里目的病毒分析报告,顿时眼睛一亮,这种集合了Windows&&Linux&&Web流量攻击的恶意程序既考察了分析人员的知识广度,又给目前安全形势带来了严峻的考验。同时也让我觉得其实二进制与web之间的关系又近了一步。全栈并不是那么遥不可及!
样本分析
攻击流程图
loader.sh模块(噩梦的开始)
废话不多说,功能就三点
- 1.结束保护进程
- 2.下载kworkers模块
- 3.跑起来干!
kworkers模块(熟悉环境,对症下药)
样本信息
分析流程
upx脱壳后,发现go样本,找到main函数,定位到网络连接
域名+请求文件全都明文存储在文件中
放样本跑起来,查看输出(该程序大概功能会检查恶意程序的相关模块,根据系统信息下载对应缺失模块)
请求文件,可以看到病毒作者很人性化,还为我们专门定制了双平台的攻击模块b54K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3#2Q4x3X3g2%4K9h3&6V1L8%4N6K6N6i4m8V1j5i4c8W2M7%4g2H3M7r3!0J5N6q4)9J5k6h3!0J5k6#2)9J5c8X3c8Q4x3V1k6%4K9h3&6V1L8%4N6K6N6i4m8V1j5i4c8W2N6U0q4Q4x3X3g2B7M7$3!0F1
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
{ "linux": [{
"filename": "download",
"handle": "download",
"url": "/download",
"ver": "20210002"
},{
"filename": "dbus",
"handle": "downrun",
"url": "/dbus",
"ver": "20210002"
},{
"filename": "hideproc.sh",
"handle": "downrun",
"url": "/hideproc.sh",
"ver": "20210002"
},{
"filename": "sshkey.sh",
"handle": "downrun",
"url": "/sshkey.sh",
"ver": "20210002"
},{
"filename": "autoupdate",
"handle": "downrun",
"url": "/autoupdate",
"ver": "20210012"
},{
"filename": "kworkers",
"handle": "update",
"url": "/kworkers",
"ver": "20210008"
}
],
"windows": [{
"filename": "service.exe",
"handle": "update",
"url": "/service.exe",
"ver": "20210008"
},{
"filename": "inj.exe",
"handle": "download",
"url": "/inj.exe",
"ver": "20210003"
},{
"filename": "runtime.dll",
"handle": "download",
"url": "/runtime.dll",
"ver": "20210003"
},{
"filename": "autoupdate.exe",
"handle": "downrun",
"url": "/autoupdate.exe",
"ver": "20210012"
},{
"filename": "updater.exe",
"handle": "downrun",
"url": "/updater.exe",
"ver": "20210003"
}]
} |
我们以main函数中的网络请求之前下断,由此入手调试
地址下断b *0x6681ef,查看后续行为
不错!崩溃了(舰长,很有精神!),每次调试gdb都会崩溃。不浪费时间,换一种调试思路。(补充:下回试试 ltrace和strace)
tcpdump抓包,通过分析流量把该程序后续行为补全,导出http对象
好家伙都给老子下全了,剩下的我们逐个分析
download模块(虚晃一枪)
样本信息
(嚯,好家伙,ubuntu上给我下个pe,nbnb!!你是不是还得给我装个wine?)
样本分析
二话不多说,火绒剑&&procmon,对症下药
(哟!这程序莫不是被我吓坏了?在我淫威之下屈服了?那老子就看看,不进去)
拖入ida,提示我们缺失dll库(问号脸?_?)
找到动态调用该模块的地方
结论推测
- 本人环境问题,缺失该库文件(概率1%)
- 病毒作者问题,未捆绑或下载该库文件(概率99%)
- 该程序应该是个loader,通过加载恶意dll执行后续行为
dbus模块(夺命矿工)
样本信息
样本分析
根据以往经验,大概率挖矿程序都是魔改或梭哈的github开源项目,执行使用strings把字符串全dump出来,找到如下配置文件
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
"api": {
"id": null,
"worker-id": null
},
"http": {
"enabled": true,
"host": "127.0.0.1",
"port": 61254,
"access-token": null,
"restricted": true
},
"autosave": true,
"background": true,
"colors": true,
"title": true,
"randomx": {
"init": -1,
"init-avx2": -1,
"mode": "auto",
"1gb-pages": false,
"rdmsr": true,
"wrmsr": true,
"cache_qos": false,
"numa": true,
"scratchpad_prefetch_mode": 1
},
"cpu": {
"enabled": true,
"cpu-affinity":3,
"threads":3,
"huge-pages": true,
"huge-pages-jit": false,
"hw-aes": null,
"priority": null,
"memory-pool": false,
"yield": true,
"max-threads-hint": 50,
"asm": true,
"argon2-impl": null,
"astrobwt-max-size": 550,
"astrobwt-avx2": false,
"cn/0": false,
"cn-lite/0": false
},
"opencl": {
"enabled": false,
"cache": true,
"loader": null,
"platform": "AMD",
"adl": true,
"cn/0": false,
"cn-lite/0": false
},
"cuda": {
"enabled": false,
"loader": null,
"nvml": true,
"cn/0": false,
"cn-lite/0": false
},
"donate-level": 0,
"donate-over-proxy":0 ,
"log-file": null,
"pools": [
{
"algo": null,
"coin": null,
"url": "m.windowsupdatesupport.org:443",
"user": "x",
"pass": "x",
"rig-id": null,
"nicehash": true,
"keepalive": false,
"enabled": true,
"tls": true,
"tls-fingerprint": null,
"daemon": false,
"socks5": null,
"self-select": null,
"submit-to-origin": false
}
],
"print-time": 60,
"health-print-time": 60,
"dmi": true,
"retries": 5,
"retry-pause": 5,
"syslog": false,
"tls": {
"enabled": true,
"protocols": null,
"cert": null,
"cert_key": null,
"ciphers": null,
"ciphersuites": null,
"dhparam": null
},
"user-agent": null,
"verbose": 0,
"watch": true,
"pause-on-battery": false,
"pause-on-active": false
|
再从github上搜一搜,终于让我找到了宁的前身
6dbK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6^5L8i4u0A6k6#2)9J5c8Y4S2E0M7X3W2Y4
作者为了防止被认出,还专门把相关指纹替换了一遍(不错,真tm用心良苦)
实际上,xmmrig.com这个域名根本不存在!
该程序会帮宁安装挖矿所缺失的一切组件,真tm替客户着想!!!
结论
[招生]科锐逆向工程师培训(2025年3月11日实地,远程教学同时开班, 第52期)!
|
|
|---|---|
|
|
|
|
|
|
|
|
|
