Unveiling VEILDrive: Threat Actors Exploit Microsoft Services for Command & Control (@rebeccaroyal)
841 reads


by Hunters · 30m · 2024/11/11
By Hunters' Team AXON

TL;DR

  • Hunters' Team AXON has identified and is tracking an ongoing threat campaign, dubbed "VEILDrive"
  • The campaign was identified as part of an AXON engagement to handle malicious activity observed in one of our customers' infrastructures
  • During the investigation, we identified various Microsoft components of the victim organizations' infrastructure that had been compromised and leveraged by the attacker
  • The attacker leveraged several Microsoft SaaS services and applications as part of the campaign, including Microsoft Teams, SharePoint, Quick Assist, and OneDrive
  • The attacker used a unique OneDrive-based Command & Control (C&C) method in the malware found in the victim's infrastructure
  • Based on the findings of our investigation, it is highly likely that this campaign originates from Russia
  • Team AXON notified Microsoft of its findings to help take down the actor's infrastructure
  • The team also reached out to the multiple victims identified in our research


Executive Summary

Hunters' Team AXON has discovered and is closely tracking an ongoing threat campaign called "VEILDrive". First uncovered during an investigation of malicious activity in a customer's infrastructure, VEILDrive leverages Microsoft's SaaS ecosystem, specifically Teams, SharePoint, Quick Assist, and OneDrive, to carry out its tactics. Uniquely, the threat actor uses a OneDrive-based Command & Control (C&C) method embedded in custom malware deployed in the compromised environment. Our analysis points to a Russian origin for this campaign, and Team AXON has already notified both Microsoft and the affected organizations to mitigate further exploitation.


Our research began in September 2024 after responding to an attack on a critical infrastructure organization in the United States. VEILDrive's attack technique differs markedly from typical behavior: it relied heavily on Microsoft's SaaS infrastructure to distribute spear-phishing and to store malware. This SaaS-based strategy complicates real-time detection and bypasses conventional defenses.


The malware associated with VEILDrive is a Java-based .jar file that notably lacks obfuscation, making it unusually readable and well structured. Despite its simplicity, the malware evaded a top-tier Endpoint Detection and Response (EDR) tool and every security engine in VirusTotal. This highlights a critical risk: even simple, non-obfuscated code can evade modern detection methods, underscoring the urgent need to revisit detection strategies in high-risk environments.


This report details VEILDrive's methods and the limitations of current detection approaches, to better equip the cybersecurity community against this evolving threat.


Background

In September 2024, Team AXON responded to an incident targeting a critical infrastructure company in the United States. The investigation revealed an unusual threat campaign, "VEILDrive", whose tactics, techniques, and procedures (TTPs) departed significantly from what is typically observed in such cases.


Based on our findings, we estimate that the VEILDrive campaign began in early August 2024 and remains active as of this report. Leveraging Microsoft SaaS services, including Teams, SharePoint, Quick Assist, and OneDrive, the attacker exploited the trusted infrastructure of previously compromised organizations to distribute spear-phishing attacks and store malware. This cloud-based strategy allowed the threat actor to evade detection by conventional monitoring systems.


Notably, VEILDrive established a novel OneDrive-based Command & Control (C&C) method embedded in the Java-based malware deployed on compromised devices. The malware itself, a .jar file, displays two striking characteristics:


  • Code transparency: With zero obfuscation and well-structured code, this malware defies the usual evasion-focused design, making it unusually readable and straightforward.
  • Effective evasion: Despite its simplicity, the malware remained undetected both by the top-tier Endpoint Detection and Response (EDR) solution deployed in the victim environment and by all security engines in VirusTotal (see Figure 1 below):

Figure 1: VirusTotal screenshot showing the Java malware with zero detections; undetected by all VirusTotal engines, demonstrating its evasion capability.


These characteristics show that even without sophisticated evasion techniques, well-crafted, simple malware can bypass modern defenses. This finding exposes a gap in detection strategies and underscores the need for vigilance against unconventional attack methods.


Team AXON has shared its findings with Microsoft and the affected organizations, providing actionable intelligence to mitigate this ongoing threat.


VEILDrive Attack Flow

In early September 2024, one of Hunters' customers, referred to here as "Org C", engaged Team AXON to assist with a critical incident. The case centered on a specific device within Org C that had been compromised through social engineering.


Suspicious activity flagged on an Org C employee's device raised alarms and prompted further investigation. By correlating logs and speaking with the affected user, the team established the initial access method.


Below is an attack diagram giving a high-level overview of the attack flow:


VEILDrive attack diagram


The sequence of events unfolded as follows:

Step 1

The malicious actor used Microsoft Teams to message four hand-picked Org C employees who, apart from being non-technical judging by their roles, had no other apparent connection. The attacker impersonated an IT team member and requested access to each employee's device via the Quick Assist remote utility.


Rather than a newly created account for the impersonation, the attacker used a compromised user account belonging to a potential previous victim, referred to here as "Org A."


M365 audit logs were used to identify the Microsoft Teams spear-phishing.

  • Multiple "MessageSent" and "ChatCreated" events were identified, all originating from the previously compromised Org A user, controlled by the threat actor.

  • While 4 employees were targeted, only one "MemberAdded" event was identified involving the Org A user.


Figure 2: Microsoft 365 audit log record in Org C showing the "MemberAdded" event in which the previously compromised Org A user account was added to a one-on-one chat with the Org C victim.


  • This "MemberAdded" activity was performed by the single account, out of the 4 targeted users, that accepted the threat actor's request, creating a one-on-one chat. In other words, this user was the only one who actually engaged with the incoming message.
  • This information was correlated with telemetry from the organization's EDR, confirming that the user not only accepted the request and received the messages but also allowed the attacker to obtain initial access through the social engineering.


The insight above was interesting and valuable, reflecting the rise of phishing through Microsoft Teams and similar communication tools. Separating successful from failed attempts using M365 audit logs, combined with correlation against EDR logs, can be very useful in investigations.


The Microsoft Teams messages received by the targeted Org C users were possible because of the Microsoft Teams "External Access" feature, which by default allows one-on-one communication with any external organization.
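As an added illustration (not code from the Hunters report), the following Python snippet applies the Step 1 logic to constructed Microsoft 365 audit records: it pairs ChatCreated/MessageSent events from external senders with MemberAdded events performed by internal users, to separate delivered spear-phishing attempts from the one that was actually accepted. The record fields (Operation, UserId, CommunicationType, Members) are assumptions modeled on the hunting queries at the end of this report.

```python
"""Separate accepted Teams one-on-one chat requests from mere attempts.

Added example for this write-up, not code from the Hunters report. Field
names (Operation, UserId, CommunicationType, Members) are assumed to follow
the shape of the O365 audit records used in the hunting queries below.
"""
from collections import defaultdict

# Constructed sample (not real data): a compromised external account contacts
# four internal users in one-on-one chats; only one of them accepts, which
# surfaces as a MemberAdded event performed by that internal user. A second
# external account messages a single user as a benign contrast.
SAMPLE_EVENTS = [
    {"Operation": "ChatCreated", "UserId": "helpdesk@org-a.example",
     "CommunicationType": "OneOnOne",
     "Members": ["helpdesk@org-a.example", "u1@org-c.example"]},
    {"Operation": "MessageSent", "UserId": "helpdesk@org-a.example",
     "CommunicationType": "OneOnOne",
     "Members": ["helpdesk@org-a.example", "u1@org-c.example"]},
    {"Operation": "ChatCreated", "UserId": "helpdesk@org-a.example",
     "CommunicationType": "OneOnOne",
     "Members": ["helpdesk@org-a.example", "u2@org-c.example"]},
    {"Operation": "ChatCreated", "UserId": "helpdesk@org-a.example",
     "CommunicationType": "OneOnOne",
     "Members": ["helpdesk@org-a.example", "u3@org-c.example"]},
    {"Operation": "MemberAdded", "UserId": "u3@org-c.example",
     "CommunicationType": "OneOnOne",
     "Members": ["helpdesk@org-a.example"]},
    {"Operation": "ChatCreated", "UserId": "helpdesk@org-a.example",
     "CommunicationType": "OneOnOne",
     "Members": ["helpdesk@org-a.example", "u4@org-c.example"]},
    {"Operation": "ChatCreated", "UserId": "partner@org-d.example",
     "CommunicationType": "OneOnOne",
     "Members": ["partner@org-d.example", "u2@org-c.example"]},
    {"Operation": "MemberAdded", "UserId": "u2@org-c.example",
     "CommunicationType": "OneOnOne",
     "Members": ["partner@org-d.example"]},
]


def domain_of(upn):
    """Lower-cased domain part of a UPN, or '' if there is none."""
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""


def correlate_external_chats(events, own_domain, min_targets=3):
    """Group one-on-one chat activity by external sender.

    Returns {sender: {"targeted": [...], "accepted": [...], "suspicious": bool}}
    where "targeted" are internal users the sender created chats with or
    messaged, and "accepted" are those who produced a MemberAdded event for
    that sender (i.e. the internal user accepted the chat request).
    """
    own_domain = own_domain.lower()
    state = defaultdict(lambda: {"targeted": set(), "accepted": set()})
    for ev in events:
        if ev.get("CommunicationType") != "OneOnOne":
            continue
        actor = ev["UserId"].lower()
        members = [m.lower() for m in ev.get("Members", [])]
        op = ev["Operation"]
        if op in ("ChatCreated", "MessageSent") and domain_of(actor) != own_domain:
            # External sender reaching an internal user: a delivery attempt.
            for m in members:
                if domain_of(m) == own_domain:
                    state[actor]["targeted"].add(m)
        elif op == "MemberAdded" and domain_of(actor) == own_domain:
            # Internal user accepted: the external account is now a chat member.
            for m in members:
                if domain_of(m) != own_domain:
                    state[m]["accepted"].add(actor)
    report = {}
    for sender, s in state.items():
        report[sender] = {
            "targeted": sorted(s["targeted"]),
            "accepted": sorted(s["accepted"] & s["targeted"]),
            "suspicious": len(s["targeted"]) >= min_targets,
        }
    return report


if __name__ == "__main__":
    for sender, info in correlate_external_chats(SAMPLE_EVENTS, "org-c.example").items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{flag:10} {sender}: targeted={info['targeted']} accepted={info['accepted']}")
```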

Step 2

The attacker tricked the Org C victim into running Microsoft Quick Assist and provided an access code through Microsoft Teams. This gave the threat actor remote access to the victim's computer.

Step 3

The threat actor then shared a download link to another organization's private SharePoint (this victim was a different tenant from the one used for the phishing over the Microsoft Teams chat; we will call it "Org B"). The link led to a password-protected .zip named Client_v8.16L.zip, which contained various files, among them an RMM tool.


The file was downloaded, most likely by following the link, and the attacker, already holding remote access, operated in the context of explorer.exe, which let them click the link and download tools as needed.


Note that during the investigation we correlated the M365 audit records, which give accurate information about URLs embedded in Microsoft Teams messages, with the victim host's EDR telemetry to fully understand the attacker's TTPs.


Figure 3: Microsoft 365 audit log record in Org C showing a "MessageSent" event with the malicious URL sent by the attacker to the Org C user account. The URL points to Org B's SharePoint, where the malware files were hosted for download.

Step 4

Several attempts at manual malicious activity were made through the remote access tool. These focused mainly on persistence, such as creating a scheduled task to repeatedly run one of the files the attacker had downloaded, an RMM tool called LiteManager ("ROMServer.exe"):

schtasks /Create /TN "Perfomance monitoring" /SC MINUTE /TR C:\ProgramData\500000003\ROMServer.exe

Step 5

Following the activity above, the actor manually downloaded another .zip file named Cliento.zip.


As before, the link was shared in the chat between the victim and the threat actor. This .zip file contained the core .JAR malware along with a complete Java Development Kit to run it.

Step 6

The threat actor executed the .JAR program using the following command line: C:\ProgramData\Cliento\jdk-22_windows-x64_bin\jdk-22.0.2\bin\javaw.exe -jar C:\ProgramData\Cliento\Cliento.jar

Step 7

Multiple network and scheduled activities were observed in the context of the malicious .JAR file, including:


  • Multiple outbound DNS requests / network activity to → safeshift390-my.sharepoint.com

  • Multiple outbound DNS requests / network activity to → graph.microsoft.com

  • Multiple outbound DNS requests / network activity to → login.microsoftonline.com

  • Execution of reconnaissance commands:

    • System discovery - Systeminfo
    • Machine time discovery - net time
    • Retrieving the machine UUID (remember this; we will come back to it later) - Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
    • USB device enumeration - {$_.interfacetype -eq "USB"}


The following image shows key parts of the logs related to the malicious activity:

Figure 4: Snapshot of the logs from Hunters' Next-Gen SIEM
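The Step 7 observations translate into a host-side hunt that the SQL queries at the end of this report do not cover: a non-browser, non-Office process resolving another tenant's OneDrive host (<tenant>-my.sharepoint.com) together with graph.microsoft.com and login.microsoftonline.com. The Python below is an added example, not code from the report; the event schema (host, process, dest_host) and the list of expected processes are assumptions to adapt to your EDR telemetry, and the events are constructed.

```python
"""Flag Graph/OneDrive traffic from processes that should not be producing it.

Added example, not code from the report. The event schema (host, process,
dest_host) is assumed; map it onto your EDR's DNS or network telemetry.
"""
import re
from collections import defaultdict

# Endpoints the VEILDrive .JAR resolved according to the write-up.
IDENTITY_AND_GRAPH = {"graph.microsoft.com", "login.microsoftonline.com"}
# <tenant>-my.sharepoint.com is the OneDrive for Business host of a tenant.
ONEDRIVE_HOST_RE = re.compile(r"^(?P<tenant>[a-z0-9-]+)-my\.sharepoint\.com$")
# Processes for which this traffic is expected (assumption; tune per environment).
EXPECTED = {"onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe",
            "outlook.exe", "teams.exe", "ms-teams.exe", "excel.exe", "winword.exe"}

FOREIGN_TENANT = "foreign OneDrive tenant"
UNEXPECTED_GRAPH = "Graph/identity endpoint from unexpected process"

# Constructed sample events, not real telemetry. ws-17 mimics the infected
# host from Step 7; the other hosts show legitimate traffic that must not fire.
SAMPLE_EVENTS = [
    {"host": "ws-17", "process": "javaw.exe", "dest_host": "safeshift390-my.sharepoint.com"},
    {"host": "ws-17", "process": "javaw.exe", "dest_host": "graph.microsoft.com"},
    {"host": "ws-17", "process": "javaw.exe", "dest_host": "login.microsoftonline.com"},
    {"host": "ws-02", "process": "OneDrive.exe", "dest_host": "orgc-my.sharepoint.com"},
    {"host": "ws-02", "process": "msedge.exe", "dest_host": "graph.microsoft.com"},
    {"host": "ws-05", "process": "OneDrive.exe", "dest_host": "partner42-my.sharepoint.com"},
]


def classify_event(ev, own_tenants):
    """Return (severity, reason) for one event, or None if nothing is notable."""
    proc = ev["process"].lower()
    host = ev["dest_host"].lower()
    m = ONEDRIVE_HOST_RE.match(host)
    if m:
        if m.group("tenant") in own_tenants:
            return None
        # Another tenant's OneDrive: plausible sharing from the official client,
        # but from javaw.exe or any other unexpected process it is not.
        return ("low" if proc in EXPECTED else "high", FOREIGN_TENANT)
    if host in IDENTITY_AND_GRAPH and proc not in EXPECTED:
        return ("medium", UNEXPECTED_GRAPH)
    return None


def hunt(events, own_tenants):
    """Score every (host, process) pair. A pair that reaches both a foreign
    tenant's OneDrive and the Graph/identity endpoints, as the VEILDrive .JAR
    did, is raised to 'critical'."""
    own = {t.lower() for t in own_tenants}
    order = {"low": 0, "medium": 1, "high": 2, "critical": 3}
    findings = defaultdict(lambda: {"severity": "low", "reasons": set(), "dests": set()})
    for ev in events:
        hit = classify_event(ev, own)
        if hit is None:
            continue
        sev, reason = hit
        f = findings[(ev["host"], ev["process"].lower())]
        f["reasons"].add(reason)
        f["dests"].add(ev["dest_host"].lower())
        if order[sev] > order[f["severity"]]:
            f["severity"] = sev
    for f in findings.values():
        if {FOREIGN_TENANT, UNEXPECTED_GRAPH} <= f["reasons"]:
            f["severity"] = "critical"
    return dict(findings)


if __name__ == "__main__":
    for (host, proc), f in hunt(SAMPLE_EVENTS, ["orgc"]).items():
        print(f"{f['severity']:8} {host} {proc} -> {sorted(f['dests'])}")
```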

Step 8

The attacker also added the malicious JAR binary as a run key in the registry to keep the Java malware running.

Command line:

Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "current" -Value "C:\ProgramData\Cliento\jdk-22_windows-x64_bin\jdk-22.0.2\bin\javaw.exe -jar C:\ProgramData\Cliento\Cliento.jar" -ErrorAction Stop


Containment and eradication of the incident were fast and effective, and based on the forensic evidence available to us there was no indication that the attacker managed to cause significant damage to the victim organization.


One key takeaway from the attack flow detailed above is that the attacker used several well-known and widely used Microsoft services as part of the attack, both to hide in plain sight and for convenience.


Let's summarize the Microsoft services used by the threat actor in the following table:

| Service | Tenant | Purpose |
|---|---|---|
| Microsoft Teams | From Org A to Org C | Spear-phishing messages to lure the victim into downloading and running remote management tools |
| Quick Assist | Org C | The threat actor sends a Quick Assist code via a Microsoft Teams message to obtain initial remote control |
| SharePoint | From Org B to Org C | Malicious files "hosted" on Org B's SharePoint tenant. Download links shared with Org C over chat and opened by the attacker via Quick Assist |
| Graph API | From Org C to N/A | We had evidence of suspicious access to Microsoft Graph (graph[.]microsoft[.]com) initiated by the malicious client .jar |


At this stage, we had identified the four Microsoft services/applications listed above. While we understood the purpose of the first three, the activity seen against the Graph API was less clear. We had several hypotheses about its purpose, but in incident response, hypotheses alone aren't enough, are they?


To gather more information and fully understand the .JAR program "Cliento.jar" in relation to OneDrive/SharePoint, both to assess the actions the attacker could have taken and to better understand their intentions, we proceeded to a detailed analysis of the malware.


"ODC2" Java Malware - OneDrive as Command & Control

We used the Java decompiler "JDGUI" to decompile the Client.jar program (which we nicknamed "ODC2").


Just from a high-level look at the malware, we could immediately tie it to the PowerShell activity observed during the incident investigation. This is due to the inclusion of the "jPowerShell" Java package, a PowerShell wrapper for Java.


In addition, we could see further packages such as "commands," "connection," "launch," "odconnect," and others. This gave us a high-level understanding of the malware's structure.


Figure 5: Java decompiler screenshot


  1. We started with Main.class under the "launch" package and found a list of hard-coded credentials used by the malware. This surprised us a little, but it was very interesting.


Figure 6: Java decompiler screenshot showing the contents of Cliento.jar, focusing on the "Main.class" file


Continuing the malware analysis (as described in the detailed analysis below), we found that the program abuses credentials to perform "on behalf of" Entra ID authentication. To perform this authentication, a hard-coded refresh token is used together with a client ID and client secret to request an access token.


This authentication allowed the malware to access the OneDrive of a specific Entra ID user, in a tenant presumably owned by the actor, abusing this mechanism for C2 purposes.


  2. In the main function of Main.class we can see the entry point itself, which spawns multiple threads. Among them are the "odThread1" and "mainThread1" tasks.


Figure 7: Java code snippet showing the main method in the malicious Java class, with multiple threads (odThread1, odThread2, mainThread1, mainThread2) starting controller objects


"odThread1" contains the implementation of the "odRun" controller, which receives the first set of hard-coded credentials (refresh token, etc.) for authentication.


  • The "40.90.196.221" IP address is used for the "odRun" connection

  • The "40.90.196.228" address used by "run" opens an HTTPS socket to the attacker's C2. This IP is also an Azure IP, most likely a regular VM. This C2 channel, as described below, is "classic" and leads to PowerShell execution

  • To learn more about the IP addresses, we checked well-known tools such as ipinfo.io and the Azure IP address Service Tags published by Microsoft, as shown in the image below:



Figure 8: IP lookup giving details on IP "40.90.196.228", associated with "microsoft.com" under the "hosting" type, with no VPN, proxy, tor, or relay flags.


  • Note also that an additional IP address found in this malicious program (38.180.136.85) appears to belong to a different provider and is associated with hosting services. Based on our analysis, this IP address was not actively used by the malware. We suspect it remained for legacy reasons (previous C2 infrastructure).


HTTPS Socket C2

  1. Digging deeper into "mainThread1()", which runs the "ctrl.run()" function, we can see that run() tries to establish a connection and periodically checks whether the connection is still alive. It attempts to "parse the command," trimming irrelevant parts.


Figure 9: Java code snippet from the Controller class in the malicious Java program


  2. This "run" function uses "connect()" to establish/re-establish the connection. It creates a socket to the remote IP address seen above, 40.90.196.228.

  3. This "run" function uses "CommandManager," which contains the methods for the different kinds of commands/capabilities this malware offers, including uploading files from client to server and from server to client, deleting files, taking screenshots, closing the connection, and, of course, command execution.


It checks whether the received command is empty or whether an actual command was received from the C2 server.


Figure 10: Screenshot showing Java code from the CommandManager class in the malicious Java program


  4. If a command is found, it is parsed and executed. Execution takes place mainly in the context of PowerShell.


    Execution of the incoming command as a PowerShell command is performed through the jPowerShell wrapper mentioned earlier.

Figure 11: Java code snippet from the CommandManager class in the malicious Java program


OneDrive Command & Control

Before diving into the workings of the OneDrive C2 functionality, it is important to know that key parts of the malware code rely on three specific OneDrive file types: UUID, cf_UUID, and rf_UUID. As seen in our investigation, the command Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID was executed, revealing the device's hardware UUID. This unique identifier serves to distinguish each victim in the VEILDrive campaign.


Each file type plays a different role in the malware's operation. The following image shows examples of these files and their primary roles in the malware's execution.


Figure 12: Screenshot showing the three files in the drive, each carrying a unique UUID


Let's dive into the OneDrive C2 functionality and how these UUID files are used in operation:


  1. Besides the remote PowerShell execution capability, the "odRun" function is responsible for another thread that relies on "OneDrive" as the communication channel. This is the unique part of this malware.


    "odRun", as we see it, is most likely named after "OneDrive" (OneDriveRun), and its first step is establishing a OneDrive connection through the "odConnect" function:


Figure 13: Java code showing the odRun method, which takes parameters including tenantId, clientId, clientSecret, grantType, accessToken, and refreshToken


  2. As you can see, the "machineUUID" string is first initialized as an empty string. This is followed by a call to "getMachineUUID()", which, as its name suggests, retrieves the machine UUID of the victim's device:


Figure 14: Java code showing the getMachineUUID method, which returns the machine UUID. The method runs the PowerShell command "Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID", then assigns the result to the machineUUID variable before returning it


  3. We can then see that the OneDrive connection is made through the "odConnect" function, and that the connection involves performing a "login".


Figure 15: Java code snippet showing the refresh token method in the odConnect class


  4. The "writeFileToOneDrive" function is called next, as long as no file named after the victim machine's UUID exists in the target OneDrive, based on a check performed by the "checkFile" function.
  • "checkFile": this function checks whether a file whose name == machineUUID exists in the home directory of the current OneDrive user


Figure 16: Java code snippet showing the checkFile method in the odConnect class. This method checks, through the Microsoft Graph API, whether the file exists in OneDrive before writing it to the root directory


  5. If no such file exists, "writeFileToOneDrive()" comes into play and creates a file named after the current victim's computer UUID, with no prefix.


Figure 17: Java code snippet showing the writeFileToOneDrive method in the odConnect class. This method uploads a file to OneDrive by sending a PUT request to the Microsoft Graph API


  6. The next part of "odRun" is the "getFiles()" function, which reads the contents of the UUID file.


This is the OneDrive file named after the device's machineUUID (without any prefix).

  • If the file's contents are not empty, it checks whether they start with the word "upload":
    • It normalizes the contents in preparation for the next check, removing the string "upload" and replacing "\"" with "" (nothing), and saves the result in a variable called "filenameForDownload"
    • filenameForDownload is passed to the getFileDownloadUrl function. This fetches a file of the attacker's choosing. The attacker specifies the file name after the word "upload" in the UUID file, and the file is saved on the victim's machine under the path "user.home"\Downloads (the Downloads directory).
    • After that, the "downloadFile" function is called to download the remote file to the victim's device, based on the result of getFileDownloadUrl.
    • The attacker gets an indication that the file was handled through "writeFileToOneDrive", which is called shortly afterwards as part of "odRun" to write "rf_" + "upload file" + filenameForDownload + "executed" → notifying the attacker that the operation was performed. Following that, there is another "writeFileToOneDrive" call, in which another file, named "cf_" + machineUUID, is written to OneDrive with no contents.
  • If the file's contents are not empty but do not start with "upload":
    • The contents of the cf_MachineUUID file are executed.

    • This is again followed by writing a file to OneDrive through "writeFileToOneDrive", first "rf_" + machineUUID, with the output of the executed command as its contents.

    • Then another "writeFileToOneDrive" call writes and leaves an empty "cf_" file, essentially preventing the same command from being executed again (since the malware runs in a loop).


To summarize, this malware appears to have two different C2 channels it can work with:


  • HTTPS Socket C2: the more classic approach, receiving commands from a remote Azure VM and executing them in the context of PowerShell.

  • OneDrive-based C2: this one is unique, and the way it works is more complex and creative. It involves three different files, all carrying the victim device's UUID, two of them with prefixes (rf_ and cf_), which lets the threat actor send commands and receive results through Microsoft Graph.


    Note: this malware has additional capabilities beyond plain command execution, including file upload. The details above, however, focused on command execution only.
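The OneDrive C2 walkthrough above amounts to a small file-naming protocol, and an analyst who obtains a listing of such a drive (for example during takedown cooperation with the provider, or from a detonation against a controlled drive) needs to turn it back into per-victim state for notification. The Python below is an added example written for this write-up, not code from the report or from the malware: it only parses names and contents in the bare-UUID / cf_UUID / rf_UUID scheme, mirroring the "upload" normalization described above. The listing and UUIDs are constructed.

```python
"""Reconstruct per-victim C2 state from a listing in the ODC2 naming scheme.

Added example, not code from the report or from the malware. It only parses
file names and contents (bare machine UUID, cf_<UUID>, rf_<UUID>) as
described in the write-up; the listing below is constructed and the UUIDs
are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


@dataclass
class VictimState:
    machine_uuid: str
    registered: bool = False               # bare <UUID> file exists: host checked in
    pending_upload: Optional[str] = None   # <UUID> content "upload <name>": file drop queued
    pending_command: Optional[str] = None  # non-empty cf_<UUID>: command waiting to run
    last_result: Optional[str] = None      # rf_<UUID>: output of the last execution


def classify_name(name: str):
    """Map a file name to ("uuid"|"cf"|"rf", machine_uuid) or (None, None)."""
    for prefix in ("cf_", "rf_"):
        if name.lower().startswith(prefix) and UUID_RE.match(name[len(prefix):]):
            return prefix[:-1], name[len(prefix):].lower()
    if UUID_RE.match(name):
        return "uuid", name.lower()
    return None, None


def normalize_upload(content: str) -> str:
    """Strip the 'upload' keyword and double quotes, as the write-up describes,
    leaving the file name the operator asked for."""
    body = content.strip()[len("upload"):]
    return body.replace('"', "").strip()


def triage_listing(listing: Dict[str, str]) -> Dict[str, VictimState]:
    """listing: {file_name: file_content}. Returns state keyed by machine UUID."""
    victims: Dict[str, VictimState] = {}
    for name, content in listing.items():
        kind, uuid = classify_name(name)
        if kind is None:
            continue  # not part of the scheme (e.g. the actor's own documents)
        v = victims.setdefault(uuid, VictimState(uuid))
        if kind == "uuid":
            v.registered = True
            if content.strip().lower().startswith("upload"):
                v.pending_upload = normalize_upload(content)
        elif kind == "cf":
            v.pending_command = content.strip() or None  # empty cf_ means idle
        else:  # "rf"
            v.last_result = content
    return victims


# Constructed listing (not real data): host 1 is idle after a command ran,
# host 2 has both a file-drop tasking and a PowerShell command queued.
SAMPLE_LISTING = {
    "4c4c4544-0042-3010-8052-b4c04f4a4e31": "",
    "cf_4c4c4544-0042-3010-8052-b4c04f4a4e31": "",
    "rf_4c4c4544-0042-3010-8052-b4c04f4a4e31": "Host Name: WS-17\nOS Name: Microsoft Windows 11 Pro",
    "0b1e2d3c-4f5a-4b6c-8d7e-9f0a1b2c3d4e": 'upload "tools.zip"',
    "cf_0b1e2d3c-4f5a-4b6c-8d7e-9f0a1b2c3d4e": "Get-Process",
    "notes.txt": "unrelated file",
}


if __name__ == "__main__":
    for uuid, st in triage_listing(SAMPLE_LISTING).items():
        print(uuid, "registered" if st.registered else "-",
              "upload:", st.pending_upload, "cmd:", st.pending_command,
              "result:", (st.last_result or "").splitlines()[:1])
```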


Microsoft Services/Applications as Attack Infrastructure

At this point it is clear that this attack combined simplicity with sophisticated, unusual techniques. One thing that stood out from our initial investigation was the extensive use of Microsoft infrastructure and services woven into the campaign.

After analyzing the malware and merging the new information with the insights from our incident investigation, we gained a clear picture of the attacker's use of the various services and their purposes. We found that the use of Microsoft services and infrastructure was far more extensive than we had initially observed.


See the following table for a summary:

| Service | Tenant | Purpose |
|---|---|---|
| Microsoft Teams | From Org A to Org C | Spear-phishing messages to lure the victim into downloading and running a remote management tool |
| Quick Assist | Org C | The threat actor sends a Quick Assist code via a Microsoft Teams message to obtain initial remote control |
| SharePoint | From Org B to Org C | Malicious files "hosted" on Org B's SharePoint tenant. Download links shared with Org C over chat and opened by the attacker via Quick Assist |
| Azure VM | Attacker infrastructure | The malware communicates with an Azure Virtual Machine owned by the threat actor for HTTPS Socket C2 operations |
| OneDrive (Graph API) | Between OneDrive & Org C host(s) | The threat actor used OneDrive as an additional C2 channel, gaining capabilities such as remote command execution, screenshots, file upload/download, etc. against Org C hosts |
| Azure AD App Registration | Between OneDrive & Org C host(s) | The application used to authenticate on behalf of the actor-owned Azure AD user account and access the HomeDrive storage |


Indicators of Compromise (IOCs)




Hunting Queries

Beyond the specific IOCs mentioned above, we created several threat-hunting queries that can be used to detect attacks by the same actor, attacks carried out in the same campaign, or attacks sharing similar characteristics (TTPs).

Note: The recommended hunting timeframe for VEILDrive starts in July 2024.


HUNTING QUERY 1: Javaw spawning PowerShell with a specific flag - unusual behavior

  • Query description: During our analysis we observed that the attacker's Remote Access Tool (RAT) used PowerShell to retrieve the machine UUID as part of its execution. This query surfaces unusual instances of PowerShell spawned by javaw.exe with the specific command-line flags used by the threat actor.

  • Query:

    SELECT
        EVENT_TIME,
        AGENT_ID,
        PARENT_PROCESS_NAME,
        PARENT_PROCESS_COMMANDLINE,
        INITIATING_PROCESS_NAME,
        INITIATING_PROCESS_COMMANDLINE,
        TARGET_PROCESS_NAME,
        TARGET_PROCESS_COMMANDLINE,
        TARGET_PROCESS_OS_PID
    FROM INVESTIGATION.EDR_PROCESS_CREATION_EVENTS
    WHERE 1=1
        AND PARENT_PROCESS_NAME ILIKE '%javaw%'
        AND INITIATING_PROCESS_NAME ILIKE '%cmd%'
        AND TARGET_PROCESS_NAME ILIKE '%powershell%'
        AND TARGET_PROCESS_COMMANDLINE ILIKE 'powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile %'
        AND EVENT_TIME > current_timestamp - interval '60d'


HUNTING QUERY 2: ROM tool persistence via scheduled tasks

  • Query description: This query surfaces scheduled task registrations that execute the ROM tool used by the threat actor for persistence.

  • Query:

    SELECT
        EVENT_TIME AS EVENT_TIME,
        AID AS AGENT_ID,
        CID AS COMPUTER_ID,
        EVENT_SIMPLE_NAME AS EVENT_NAME,
        RAW:TaskName AS TASK_NAME,
        RAW:TaskExecCommand AS TASK_EXEC_COMMAND,
        RAW:TaskAuthor AS TASK_AUTHOR,
        RAW:UserName AS USER_NAME
    --- Adjust according to your EDR of choice
    FROM RAW.CROWDSTRIKE_RAW_EVENTS
    WHERE EVENT_SIMPLE_NAME = 'ScheduledTaskRegistered'
        AND TASK_EXEC_COMMAND ILIKE '%romserver%'
        AND EVENT_TIME > CURRENT_TIMESTAMP - interval '60d'


HUNTING QUERY 3: Unaffiliated users sharing links to third-party SharePoint sites via Microsoft Teams

  • Query description: This query surfaces cases where a SharePoint link is shared in a Teams chat but the SharePoint domain does not belong to either chat participant. This can indicate phishing attempts or data exfiltration, where an external domain is used to share files or information with unsuspecting users in the organization.
  • Query:

    SET YOUR_ORGANIZATION_NAME = 'hunters';

    SELECT
        EVENT_TIME,
        ORGANIZATION_ID AS ORG_ID,
        OPERATION AS EVENT_TYPE,
        SPLIT_PART(LOWER(SPLIT_PART(USER_ID, '@', 2)), '.', 1) AS SENDER_ORG_DOMAIN,
        RECORD_SPECIFIC_DETAILS:message_ur_ls AS MESSAGE_URLS,
        WORKLOAD AS WORKLOAD,
        USER_ID AS USER_ID,
        RECORD_SPECIFIC_DETAILS:chat_thread_id AS CHAT_THREAD_ID,
        RECORD_SPECIFIC_DETAILS:communication_type AS COMMUNICATION_TYPE,
        RECORD_SPECIFIC_DETAILS:members[0].DisplayName AS MEMBER_DISPLAY_NAME,
        RECORD_SPECIFIC_DETAILS:members[0].UPN AS MEMBER_UPN,
        RECORD_SPECIFIC_DETAILS:members[0] AS MEMBERS,
        RECORD_SPECIFIC_DETAILS:resource_tenant_id AS RESOURCE_TENANT_ID,
        RECORD_SPECIFIC_DETAILS
    FROM RAW.O365_AUDIT_LOGS
    WHERE NOT USER_ID ILIKE '%' || $YOUR_ORGANIZATION_NAME || '%'
        AND (NOT (MESSAGE_URLS ILIKE '%' || SENDER_ORG_DOMAIN || '%') AND MESSAGE_URLS ILIKE '%sharepoint%')
        AND NOT MESSAGE_URLS ILIKE '%' || $YOUR_ORGANIZATION_NAME || '%'
        AND EVENT_TIME > CURRENT_TIMESTAMP - interval '60d'


HUNTING QUERY 4: Microsoft Teams - Phishing detection - Multiple DMs from uncommon domains

  • Ikibazo cyibibazo: Ikibazo gikurikira cyerekana ubutumwa bwoherejwe mukiganiro kimwe kumuntu umwe nabakoresha hanze ba domaine zidasanzwe. Ikibazo cyungurura domeni yakoreshejwe cyane ishingiye kubikorwa byamateka kandi ikagaragaza abanyamuryango bo hanze bongerewe kubiganiro bashobora kuba bagaba ibitero byuburobyi.

  • Query:

     SET YOUR_DOMAIN_NAME = 'hunters';

     --- GET EXTERNAL TEAMS AND ONEDRIVE USERS OF THE LAST 3 MONTHS - TO CLEAN EXTENSIVELY USED DOMAINS
     WITH COMMONLY_USED_DOMAINS AS (
         SELECT
             LOWER(SPLIT_PART(USER_ID , '@', 2)) AS DOMAIN_COMMONLY_USED,
             MIN(EVENT_TIME) AS MIN_EVENT_TIME,
             MAX(EVENT_TIME) AS MAX_EVENT_TIME,
             ARRAY_AGG(DISTINCT OPERATION) AS OPERATIONS,
             COUNT(*) AS COUNTER
         FROM RAW.O365_AUDIT_LOGS
         WHERE WORKLOAD IN ('MicrosoftTeams', 'OneDrive')
           AND EVENT_TIME > CURRENT_TIMESTAMP - interval '90d'
           AND USER_ID ILIKE '%@%'
         GROUP BY DOMAIN_COMMONLY_USED
         HAVING COUNTER > 20
     ),
     ---- Get List of External Domains that recently communicated with our organization using Microsoft Teams
     LATEST_EXTERNAL_DOMAINS AS (
         SELECT
             USER_ID AS LATEST_EXT_USERS,
             LOWER(SPLIT_PART(USER_ID , '@', 2)) AS USER_DOMAIN,
             MIN(EVENT_TIME) AS MIN_EVENT_TIME,
             MAX(EVENT_TIME) AS MAX_EVENT_TIME,
             ARRAY_AGG(DISTINCT OPERATION) AS OPERATIONS,
             ARRAY_AGG(DISTINCT RECORD_SPECIFIC_DETAILS:communication_type) AS COMMUNICATION_TYPE,
             COUNT(*) AS COUNTER
         FROM RAW.O365_AUDIT_LOGS
         WHERE EVENT_TIME > CURRENT_TIMESTAMP - interval '50d'
           AND NOT USER_ID ILIKE '%' || $YOUR_DOMAIN_NAME || '%'
           AND NOT USER_ID IN ('app@sharepoint')
           AND USER_ID ILIKE '%@%'
           -- CLEAN-UP OF EXTENSIVELY USED DOMAINS
           AND USER_DOMAIN NOT IN (SELECT DISTINCT DOMAIN_COMMONLY_USED FROM COMMONLY_USED_DOMAINS)
           AND OPERATION IN ('MemberAdded', 'ChatCreated')
           AND RECORD_SPECIFIC_DETAILS:communication_type = 'OneOnOne'
         GROUP BY USER_ID
         HAVING COUNT(*) > 5
     )
     SELECT
         EVENT_TIME,
         ORGANIZATION_ID AS ORG_ID,
         WORKLOAD AS WORKLOAD,
         OPERATION AS OPERATION,
         USER_ID AS USER_ID,
         LOWER(SPLIT_PART(USER_ID , '@', 2)) AS USER_DOMAIN,
         RECORD_SPECIFIC_DETAILS:chat_thread_id AS CHAT_THREAD_ID,
         RECORD_SPECIFIC_DETAILS:communication_type AS COMMUNICATION_TYPE,
         RECORD_SPECIFIC_DETAILS:members[0].DisplayName AS MEMBER_DISPLAY_NAME_0,
         RECORD_SPECIFIC_DETAILS:members[0].UPN AS MEMBER_UPN_0,
         RECORD_SPECIFIC_DETAILS:members[0] AS MEMBERS_0,
         RECORD_SPECIFIC_DETAILS:members[1].DisplayName AS MEMBER_DISPLAY_NAME_2,
         RECORD_SPECIFIC_DETAILS:members[1].UPN AS MEMBER_UPN_2,
         RECORD_SPECIFIC_DETAILS:members[1] AS MEMBERS_2,
         RECORD_SPECIFIC_DETAILS:resource_tenant_id AS RESOURCE_TENANT_ID,
         RECORD_SPECIFIC_DETAILS,
         RAW:ClientIP AS CLIENT_IP
     FROM RAW.O365_AUDIT_LOGS
     WHERE 1=1
       AND RECORD_SPECIFIC_DETAILS:communication_type = 'OneOnOne'
       AND (
             RECORD_SPECIFIC_DETAILS:members[0].UPN IN (SELECT LATEST_EXT_USERS FROM LATEST_EXTERNAL_DOMAINS)
          OR RECORD_SPECIFIC_DETAILS:members[1].UPN IN (SELECT LATEST_EXT_USERS FROM LATEST_EXTERNAL_DOMAINS)
       )
       AND USER_ID ILIKE '%' || $YOUR_DOMAIN_NAME || '%'
       AND OPERATION = 'MemberAdded'
       AND EVENT_TIME > CURRENT_TIMESTAMP - interval '50d';
  • Query deep dive: Since this query is somewhat involved, here is a brief explanation. First, we use Snowflake's CTE feature to build two objects:

    1. COMMONLY_USED_DOMAINS:
      • Extract the domain name from the user ID by splitting the string after '@'.
      • Count all events generated by each domain over the last 90 days.
      • Keep domains with more than 20 events and treat them as commonly used. You can adjust this threshold according to your needs.
    2. LATEST_EXTERNAL_DOMAINS:
      • Filter out the commonly used domains identified in the first step from all events of the last 50 days.
      • Query all external users with more than 5 events that involve creating one-on-one chats or adding members in Teams.

    Finally, we extract detailed information about the user and the associated domain by querying the results filtered through LATEST_EXTERNAL_DOMAINS.
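The two-stage baseline described in the deep dive, run end to end in Python over a constructed audit dataset, as an added example that is neither the original post's nor the Hunters platform's code. The record fields, the reference time, the organization name 'hunters' and every UPN and domain in the sample are assumptions; the thresholds (90 days / more than 20 events, 50 days / more than 5 events) are the ones from the query above.

```python
"""Python rendition of the Hunting Query 4 pipeline (two baseline CTEs plus the final select),
run over constructed O365 audit events. Example code, not the Hunters query itself."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 11, 1, tzinfo=timezone.utc)   # constructed stand-in for CURRENT_TIMESTAMP


@dataclass
class AuditEvent:
    """Fields of an O365 audit record that the query touches (constructed records, not real logs)."""
    event_time: datetime
    user_id: str                    # actor UPN (USER_ID)
    workload: str                   # 'MicrosoftTeams' or 'OneDrive'
    operation: str                  # e.g. 'ChatCreated', 'MemberAdded'
    communication_type: str = ""    # RECORD_SPECIFIC_DETAILS:communication_type
    members: tuple[str, ...] = ()   # UPNs from RECORD_SPECIFIC_DETAILS:members


def domain_of(user_id: str) -> str:
    return user_id.split("@", 1)[1].lower()


def commonly_used_domains(events, now=NOW, lookback_days=90, min_events=20) -> set[str]:
    """CTE 1: domains with more than `min_events` Teams/OneDrive events in the lookback window."""
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter(domain_of(ev.user_id) for ev in events
                     if ev.workload in ("MicrosoftTeams", "OneDrive")
                     and ev.event_time > cutoff and "@" in ev.user_id)
    return {d for d, c in counts.items() if c > min_events}


def recent_external_users(events, org_name, common_domains, now=NOW,
                          lookback_days=50, min_events=5) -> set[str]:
    """CTE 2: external users from uncommon domains with more than `min_events`
    one-on-one ChatCreated/MemberAdded events in the window."""
    cutoff = now - timedelta(days=lookback_days)
    org = org_name.lower()
    counts: Counter[str] = Counter()
    for ev in events:
        uid = ev.user_id
        if ev.event_time <= cutoff or "@" not in uid or uid == "app@sharepoint":
            continue
        if org in uid.lower() or domain_of(uid) in common_domains:
            continue                                   # internal, or baseline-noise domain
        if ev.operation in ("MemberAdded", "ChatCreated") and ev.communication_type == "OneOnOne":
            counts[uid] += 1
    return {u for u, c in counts.items() if c > min_events}


def suspicious_member_additions(events, org_name, now=NOW) -> list[AuditEvent]:
    """Final SELECT: internal MemberAdded events on one-on-one chats whose first two
    members include one of the flagged external users."""
    ext_users = recent_external_users(events, org_name, commonly_used_domains(events, now), now)
    cutoff = now - timedelta(days=50)
    org = org_name.lower()
    return [ev for ev in events
            if ev.event_time > cutoff and ev.operation == "MemberAdded"
            and ev.communication_type == "OneOnOne" and org in ev.user_id.lower()
            and any(m in ext_users for m in ev.members[:2])]


def build_sample_events() -> list[AuditEvent]:
    """Constructed dataset: a busy partner tenant (baseline noise), one external 'helpdesk'
    account opening many DMs, and two internal MemberAdded events."""
    ev = []
    for i in range(25):   # partner.com crosses the >20 threshold -> treated as commonly used
        ev.append(AuditEvent(NOW - timedelta(days=i % 80 + 1), f"user{i}@partner.com",
                             "MicrosoftTeams", "ChatCreated", "OneOnOne"))
    helpdesk = "helpdesk@it-support-example.net"
    for i in range(8):    # 8 one-on-one chats within 50 days -> crosses the >5 threshold
        ev.append(AuditEvent(NOW - timedelta(days=i + 2), helpdesk, "MicrosoftTeams",
                             "ChatCreated", "OneOnOne", (helpdesk, f"emp{i}@hunters.example")))
    ev.append(AuditEvent(NOW - timedelta(days=3), "alice@hunters.example", "MicrosoftTeams",
                         "MemberAdded", "OneOnOne", ("alice@hunters.example", helpdesk)))
    ev.append(AuditEvent(NOW - timedelta(days=4), "bob@hunters.example", "MicrosoftTeams",
                         "MemberAdded", "OneOnOne", ("bob@hunters.example", "user3@partner.com")))
    return ev


if __name__ == "__main__":
    for hit in suspicious_member_additions(build_sample_events(), "hunters"):
        print(hit.event_time.isoformat(), hit.user_id, hit.members)
```

With this dataset only Alice's chat with the "helpdesk" account is returned: partner.com generates enough traffic to be baselined away in the first stage, so Bob's chat with a partner user is not flagged even though that user is external. The two thresholds are the knobs to tune; raising `min_events` in the first stage makes the baseline stricter (more domains stay "uncommon"), while lowering it in the second stage surfaces lower-volume senders at the cost of more noise.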


Hygiene Nuggets

Our hunting and investigation covered several attack techniques used by the threat actors. Some of these methods and techniques are also known to be used in other campaigns.

Protecting your organization against these threats can significantly reduce the risk of attacks targeting various parts of your infrastructure.

Here are a few hygiene nuggets that can be applied to improve your security posture:


  1. To reduce the chance of being targeted by phishing through Microsoft Teams, here are a few steps you can take:
    • By default, Microsoft Teams allows "External access," which enables one-on-one chats with users from other tenants. If this is not needed in your organization, consider disabling it.
    • If external communication is required, restrict it to trusted domains only.
    • Another way to communicate with external parties in Microsoft Teams is to add them as guests or members. We strongly recommend restricting this capability and allowing only a select set of privileged users to manage it.
  2. The rise in cyberattacks using remote management tools requires a clear distinction between tools used legitimately and tools used by threat actors. Here are a few recommendations:
    • Restrict remote management tools to the specific, approved ones required by business operations. Quick Assist can easily be downloaded from the Microsoft Store; consider blocking its use if it is not on your organization's approved list. You can block access using measures such as AppLocker, Windows Firewall rules, or MDM policies.
    • Monitor the tools commonly used for management and alert on any unusual or unauthorized tool. For example, if Quick Assist is used and your IT team does not rely on it for remote support, that should raise an alert.
  3. Security awareness training - It may sound like a cliché, but human error remains one of the main causes of cyberattacks. Security awareness training can make a difference here and protect you from the next breach.
    • We recommend that it be focused and relevant to threats seen in the wild. For example, IT impersonation attempts over communication platforms such as Microsoft Teams, Slack, or regular phone calls are on the rise. Make sure your employees know how to handle them.


Conclusion

  • VEILDrive combines simplicity with sophistication. It was interesting to observe the use of a C2 with characteristics resembling a C2 over OneDrive, along with scheduled-task based persistence and EDR-evasive malware.

  • The characteristics identified during the investigation and threat research were interesting, and they gave us a better understanding of how this threat actor operates, which well-known services they abuse, how they abuse them, and what their objectives are.

  • The way OneDrive was abused for C2 communication in VEILDrive had unique characteristics. However, the general concept of abusing OneDrive for C2 operations has become more common in recent months and is something you should keep in mind.

  • Initial access through spear-phishing on communication platforms such as Microsoft Teams, Slack, and similar services is becoming more common.

  • We expect this to become more prevalent over time. Therefore, hygiene and posture measures related to this topic (as mentioned in the Hygiene Nuggets above) are essential.

  • Remote management tools have become very popular among threat actors. Several approaches can be taken to reduce the ability to gain unauthorized access using such tools. In our view, the recommended approach in this area is allow-listing combined with close monitoring.

  • We expect more campaigns of this nature, using similar methods and characteristics, to emerge. Therefore, continuous monitoring and threat hunting for this type of threat is highly recommended.


To stay up to date with threat-hunting research, activity, and queries, follow Team Axon's X / Twitter account ( @team__axon ).