Поддержка
Круглосуточная поддержка

Позвоните

Бесплатно по России:
8-800-333-79-32

ЧаВо | Форум

Ваши запросы

  • Все: -
  • Незакрытые: -
  • Последний: -

Позвоните

Бесплатно по России:
8-800-333-79-32

Свяжитесь с нами Незакрытые запросы: 

Профиль

Профиль

Trojan.Siggen28.58279

Добавлен в вирусную базу Dr.Web: 2024-11-13

Описание добавлено:

  • sha256: 0ebdcedc0afeec0cfeb024ff14c30df57d5d05eb
  • sha256: 50e5ad854a8504f3202af9c05223766872859521
  • sha256: 574cae4767378b8e90df49bdd5182d63e893a35c
  • sha256: 77046282917539e33d61e7ea7ec01d6ae4df40f4
  • sha256: e99b52cfd83601de8ec144097c338e9aab654d02
  • sha256: ed4e00891f6688be21f872ae12e7dbd6872ff69c

Description

A malicious program for OS Windows and Linux written in Go and packed using the Garble packer. Classified as a Remote Access Trojan, it has several characteristic features: all exchanges with the C2-server are serialized using Protocol Buffers, the Linux version is bundled with two rootkits, and its configurations are encrypted and hosted on several public platforms (GitHub, GitLab and a Chinese blog).

Operating routine

Depending on the OS installed on the compromised machine, the attack chain has a different number of stages.

Windows version

Stage 1. Decrypting the program name that the trojan is masquerading as and the URL of the remote repository containing the configuration.

Stage 2. Collecting system information and checking whether the trojan is running in a virtual machine. System information is stored in the gMWASkoS_WinSystemInfo struct. The struct is populated by running the systeminfo.exe utility:


struct gMWASkoS_WinSystemInfo
{
  string HostName;
  string OSName;
  string OSVersion;
  string OSManufacturer;
  string OSConfiguration;
  string OSBuildType;
  string RegisteredOwner;
  string RegisteredOrganization;
  string ProductID;
  string OriginalInstallDate;
  string SystemBootTime;
  string SystemManufacturer;
  string SystemModel;
  string SystemType;
  _slice_string Processors;
  string BIOSVersion;
  string WindowsDirectory;
  string SystemDirectory;
  string BootDevice;
  string SystemLocale;
  string InputLocale;
  string TimeZone;
  string TotalPhysicalMemory;
  string AvailablePhysicalMemory;
  string VirtualMemoryMaxSize;
  string VirtualMemoryAvailable;
  string VirtualMemoryInUse;
  _slice_string PageFileLocations;
  string Domain;
  string LogonServer;
  _slice_string Hotfixs;
  _slice_string NetworkCards;
  string HyperVRequirements;
};

Stage 3. Downloading the configuration from a remote repository.

The configuration arrives as a hexadecimal string, encrypted using XOR. The key is embedded in the trojan code.

Stage 4. Receiving commands.

After the handshake, the trojan sends system information to the C2 server. It then waits for a packet containing the PONG command (all available commands are described in the table below). All commands are encrypted using the algorithm described above. After decryption, the packets are parsed using Protocol Buffers and then piped to the switch-case statement. The trojan waits for the arrival of commands until the Kill_Self command is delivered. After receiving the Kill_Self command, the trojan removes itself using the command-line interpreter.

Linux version

The trojan code has a number of functions; the main functionality is implemented in the main_setup() and main_start_networking() functions (names are arbitrary).

The main_setup() function

Stage 1. Checking the availability of the following encrypted strings

  • a list of URLs where the trojan configuration is hosted. Threat actors are using the CDNs of GitLab and GitHub
  • the name of the application the trojan is masquerading as (8_Bitrue_linux_amd64__console, linux-t, yundun, etc.)

Stage 2. Checking the boolean global static variable; if it is set to true, the trojan log will be written to the /tmp/3391 directory.

Stage 3. Checking the APACHESC variable. If it is not empty, its contents are executed as native shell code.

Stage 4. Collecting information about the system and filling the session_info struct:


struct session_info
{
  string os; //generic OS name, embedded in code ("linux")
  string arch; //CPU architecture name, embedded in executable
  string OSName; //OS name obtained by parsing NAME field in /etc/os-release
  string OSVersion; //OS version obtained by parsing VERSION field in /etc/os-release
  string OSKernel; //kernel version obtained by executing uname
  string OSHost; //host name obtained by executing uname
  string MachineId; //MD5 hash of the concatenation of the OSName+OSVersion+OSKernel+OSHost values
  string Networks;// list of network interfaces present in the system
  string Env; // shell context
  __int64 pid__h;
  string uid; //UUID
  string User; //username obtained by executing the uname command
  string ExeFile; //path to executable
  bool in_docker; //check whether trojan is launched in Docker by checking for presence of /.dockerenv file
  bool rootkits_loaded; //set in special cases
  string WinSySInfo;
};

Stage 5. Measuring function execution time as an anti-debugging technique.

Stage 6. Decrypting strings. At this stage, the trojan decrypts the URL containing the settings and the name of the application it is masquerading as. The cipher is an XOR. The key to the cipher is a string embedded in the trojan body.

Stage 7. Passing the URL to main_start_networking().

The main_start_networking() function

Stage 1. Obtaining and decrypting settings. The trojan accesses the server where its configuration is being stored and downloads the settings from there. The settings are encrypted hexadecimal values contained in the template_begin and template_end substrings. The decryption procedure is similar to the one described above.

Configuration example


{"url":"https://103.230.15.187:80/statics/css/",
"tls":true,"tcp_addr":"103.230.15.187:443",
"init_path":"88353","rpc_path":"51362",
"assets_path":"75139","header_user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36",
"template_begin":"8f11d77c1190d8",
"template_end":"2596aa623fce26cb1b072034ee07c3a050fbf64b9fcd76fc",
"sleep":15,"jitter":20}

Stage 2. Downloading and installing rootkits if the global boolean static variable is set.

  1. Downloading and installing eBPF loader and eBPF rootkit. For this purpose the following request is executed %URL_FROM_CONFIG%/%ASSETS_PATH_FROM_CONFIG/%HARCODED_FILENAME% with the header_user_agent parameter from the configuration.
  2. Setting variables _LANG_ID, X_LANG_BTF (optional btf file) and X_LANG_LIB (contains the path to the main eBPF executable file)
    • Starting the eBPF loader, which is an ELF file written with cgo. Its task is to read the path to the main executable from the X_LANG_LIB variable, which is implemented as a shared library (.so). It is run using the standard calls dlopen() and dlsym().
    • Loading the eBPF rootkit, which is a modified pidhide rootkit from the bad-bpf project. Its source code was modified to contain an array, which is a whitelist of process IDs that do not need to be hidden.

Stage 3. Installing the LKM rootkit. If the installation of the eBPF rootkit was successful, the Diamorphine LKM rootkit is downloaded. For this to happen, a Sec header is added to the HTTP request, the value of which is the encrypted version of the OS kernel. Attackers store on their C2 servers a set of rootkits compiled for different kernel versions. The rootkit is installed by executing the insmod command. The rootkit hides all files and directories prefixed with aclsmos_.

Rootkits for the following kernel versions have been observed:

  • 4.14.105 SMP mod_unload modversions
  • 4.15.0-143-generic SMP mod_unload modversions
  • 4.19.0-22-amd64 SMP mod_unload modversions
  • 4.4.0-21-generic SMP mod_unload modversions
  • 5.10.60-9.al8.x86_64 SMP mod_unload modversions
  • 5.13.5-1.el7.elrepo.x86_64 SMP mod_unload modversions
  • 5.15.0-50-generic SMP mod_unload modversions
  • 5.4.0-107-generic SMP mod_unload modversions
  • 6.1.23-36.46.amzn2023.x86_64 SMP preempt mod_unload modversions
  • 6.2.0-20-generic SMP preempt mod_unload modversions
  • 5.4.0-107-generic SMP mod_unload modversions
  • 5.4.0-107-generic SMP mod_unload modversions
  • 5.4.0-107-generic SMP mod_unload modversions

The final element of the infection chain is a remote access trojan that supports the following commands:

Command Code Windows Linux Parameters Description
PONG 9 + + Stub, used to confirm that the connection is operational
set_id 10 + + string ServerId Sets the server ID (used only when collecting system information)
Set_sleep 11 + + uint32 Sleep,
uint32 Jitter
Sets the interval between requests to the C2 server
switch_TCP 12 + + Enables the receipt of commands over TCP using the tcp_addr field from the configuration
TCP_Tunnel 13 + + string Target Implements a TCP tunnel
switch_HTTP 14 + + Disables the transfer of commands via TCP; communication with the C2 server continues using the default method, i.e., the URL from the configuration
ssh_tunnel 15 + + string Shell,
string Password,
string Env,
string PreCmd
Implements an SSH tunnel
Socks5_tunnel 16 + + string Target Implements an SOCK5 tunnel
RunCode 17 + + uint32 Checksum,
bytes Code
Checks the integrity of the payload, using CRC32
KillSelf 18 + + Terminates the trojan process
Reload_LKM 19 + + Reboots the rootkit; the Windows version sends system information to the C2 server
RunCmd 20 + + int64 CmdId,
int64 Timeout,
string Cmd,
string Args,
string Envs
Contains a shell script for execution and a CRC32 call to check the integrity of the script

Mitre matrix

Stage Technique
Defense evasion (TA0005) Virtualization/Sandbox evasion (T1497)
Discovery (TA0007) Query registry (T1012)
System information discovery (T1082)
Virtualization/Sandbox evasion (T1497)
Command and control (TA0011) Application layer protocol (T1071)
Non-application layer protocols (T1095)
Encrypted channel (T1573)
Protocol tunneling (T1572)

Indicators of compromise

Рекомендации по лечению

  1. В случае если операционная система способна загрузиться (в штатном режиме или режиме защиты от сбоев), скачайте лечащую утилиту Dr.Web CureIt! и выполните с ее помощью полную проверку вашего компьютера, а также используемых вами переносных носителей информации.
  2. Если загрузка операционной системы невозможна, измените настройки BIOS вашего компьютера, чтобы обеспечить возможность загрузки ПК с компакт-диска или USB-накопителя. Скачайте образ аварийного диска восстановления системы Dr.Web® LiveDisk или утилиту записи Dr.Web® LiveDisk на USB-накопитель, подготовьте соответствующий носитель. Загрузив компьютер с использованием данного носителя, выполните его полную проверку и лечение обнаруженных угроз.
Скачать Dr.Web

По серийному номеру

Выполните полную проверку системы с использованием Антивируса Dr.Web Light для macOS. Данный продукт можно загрузить с официального сайта Apple App Store.

На загруженной ОС выполните полную проверку всех дисковых разделов с использованием продукта Антивирус Dr.Web для Linux.

Скачать Dr.Web

По серийному номеру

  1. Если мобильное устройство функционирует в штатном режиме, загрузите и установите на него бесплатный антивирусный продукт Dr.Web для Android Light. Выполните полную проверку системы и используйте рекомендации по нейтрализации обнаруженных угроз.
  2. Если мобильное устройство заблокировано троянцем-вымогателем семейства Android.Locker (на экране отображается обвинение в нарушении закона, требование выплаты определенной денежной суммы или иное сообщение, мешающее нормальной работе с устройством), выполните следующие действия:
    • загрузите свой смартфон или планшет в безопасном режиме (в зависимости от версии операционной системы и особенностей конкретного мобильного устройства эта процедура может быть выполнена различными способами; обратитесь за уточнением к инструкции, поставляемой вместе с приобретенным аппаратом, или напрямую к его производителю);
    • после активации безопасного режима установите на зараженное устройство бесплатный антивирусный продукт Dr.Web для Android Light и произведите полную проверку системы, выполнив рекомендации по нейтрализации обнаруженных угроз;
    • выключите устройство и включите его в обычном режиме.

Подробнее о Dr.Web для Android

Демо бесплатно на 14 дней

Выдаётся при установке