Hi,
I changed my mind; honestly, at the moment (!) I'm too busy to translate the Kaspersky report and then summarise it here.
So here are a few excerpts that struck me as particularly noteworthy.
I'm leaving out all the highly technical stuff; you two (M-K-D-B and cosinus) can read through that at your leisure (and of course anyone else here who is interested).
Let's go:
Quote:
All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. When the UEFI transfers execution to the malicious loader, it first locates the original Windows Boot Manager. It is stored inside the efi\microsoft\boot\en-us\ directory, with the name consisting of hexadecimal characters. This directory contains two more files: the Winlogon Injector and the Trojan Loader. Both of them are encrypted with RC4. The decryption key is the EFI system partition GUID, which differs from one machine to another.
Quote:
Once the original bootloader is located, it is loaded into memory, patched and launched.
Quote:
The victim downloads a Trojanized application and executes it.
During its normal course of operation the application connects to a C2 server, downloads and then launches a non-persistent component called the Pre-Validator. The Pre-Validator ensures that the victim machine is not used for malware analysis.
The Pre-Validator downloads Security Shellcodes from the C2 server and executes them. In total, it deploys more than 30 shellcodes. Each shellcode collects specific system information (e.g. the current process name) and uploads it back to the server. In case a check fails, the C2 server terminates the infection process. Otherwise, it continues sending shellcodes.
If all security checks pass, the server provides a component that we call the Post-Validator. It is a persistent implant likely used to ensure that the victim is the intended one. The Post-Validator collects information that allows it to identify the victim machine (running processes, recently opened documents, screenshots) and sends it to a C2 server specified in its configuration. Depending on the information collected, the C2 server may command the Post-Validator to deploy the full-fledged Trojan platform or remove the infection.
Quote:
Throughout our research, we identified numerous legitimate applications backdoored with FinSpy. Examples include software installers (e.g. TeamViewer, VLC Media Player, WinRAR) as well as portable applications.
All observed backdoored application samples have their original digital signature. It is invalid, which indicates that the application has been patched.
Quote:
When the backdoored application launches, it runs as normal, i.e. the inserted obfuscated code does not impact the application workflow. At some point the application executes a jump instruction that redirects execution to the obfuscated trampoline in the .text section. This instruction appears to be placed randomly in the code.
Quote:
This trampoline is protected with an obfuscator that we dubbed FinSpy Mutator. It launches a code that: Decrypts and launches a slightly modified Metasploit Reverse HTTPS stager.
Quote:
The Pre-Validator is a shellcode obfuscated with FinSpy Mutator. On startup, it:
Hooks the NtTerminateProcess and ExitProcess functions to make sure the Pre-Validator continues working if the backdoored application is closed. The hooked functions close all the application’s windows but do not terminate its process.
Quote:
The nature of these shellcodes indicates that they are used to fingerprint the system and verify that it is not used for malware analysis. It is important to highlight that the shellcodes only collect the data, all the checks are performed server-side. In case a shellcode uploads suspicious execution results (e.g. the Pre-Validator is running on a virtual machine), the server provides a shellcode that terminates the Pre-Validator.
Quote:
The Post-Validator Loader is a huge (3-9 MB) obfuscated DLL. The Task Scheduler launches it at system startup through regsvr32.exe. Its main function is several megabytes in size, but despite that, its purpose is simple: read and execute a shellcode that is stored in the same directory as the Post-Validator Loader.
Quote:
The Installer creates the working directory (path: %localappdata%\Microsoft\<two concatenated English words>) and sets it as being accessed, modified and created a year earlier.
Quote:
The Windows version of the Trojan consists of the following components:
The Hider, the first launched component. It starts the Orchestrator and conceals memory areas that contain the Trojan components’ code and data.
The Orchestrator, a DLL which is responsible for managing installed plugins and preparing data to be sent to the C2 server
Plugins, DLL modules that perform malicious activities on the victim machine
The virtual file system (VFS) which allows the Orchestrator and other plugins to seamlessly interact with plugins and their configurations
The ProcessWorm module which intercepts system activity. Similar to a network worm which infects machines in the local network, the ProcessWorm is injected into all running processes. Once a process is infected, the ProcessWorm spreads to its children.
The Communicator module which sends data to the C2 server and receives replies
As soon as I have time, I may post something more about this in German.
Now and then I infect one of my VMs with malware, but I would never deliberately install this thing in a VM (who knows...).
I'd really love to see this junk in action, but for that you need an air-gapped system that you can throw away afterwards (and even then it won't work, because the thing doesn't want to be analysed at all).
I'd rather leave that to the professionals.
X.
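An added example (my own, not from the Kaspersky report or from the post above) of a triage check for the Post-Validator persistence the quotes describe: a scheduled task that launches regsvr32.exe at startup with a DLL under %localappdata%\Microsoft\<folder>, in a directory whose timestamps were pushed back about a year. The record layout, the folder name BlueHarbor and all timestamps are constructed sample data; the "two concatenated English words" rule is approximated by a single alphabetic folder name, since checking real word pairs would need a word list.

```python
"""Flag scheduled-task records that match the persistence pattern quoted
above.  Everything here is constructed for illustration; nothing is taken
from a real system or from Kaspersky's tooling."""
import re
from datetime import datetime, timedelta

# Hypothetical record shape: what a task export plus a directory listing
# might hand to a triage script.  Two constructed records, one bad, one benign.
SAMPLE_TASKS = [
    {"name": r"\Microsoft\Windows\Example\Updater",
     "trigger": "boot",
     "command": r"C:\Windows\System32\regsvr32.exe",
     "args": r"/s C:\Users\alice\AppData\Local\Microsoft\BlueHarbor\core.dll",
     "dir_created": datetime(2020, 9, 28),
     "file_modified": datetime(2021, 9, 28)},
    {"name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "trigger": "daily",
     "command": r"C:\Windows\System32\usoclient.exe",
     "args": "StartScan",
     "dir_created": datetime(2021, 9, 1),
     "file_modified": datetime(2021, 9, 1)},
]

# A DLL sitting directly under %localappdata%\Microsoft\<alphabetic folder>.
LOCALAPPDATA_DLL = re.compile(
    r"\\AppData\\Local\\Microsoft\\[A-Za-z]+\\[^\\]+\.dll\b", re.IGNORECASE)

def suspicious(task):
    """Return the list of reasons a task record matches the pattern (empty if none)."""
    reasons = []
    if task["trigger"] == "boot" and task["command"].lower().endswith("regsvr32.exe"):
        reasons.append("regsvr32.exe launched at system startup")
    if LOCALAPPDATA_DLL.search(task["args"]):
        reasons.append("DLL loaded from %localappdata%\\Microsoft\\<folder>")
    # The report says the working directory is dated a year earlier than it
    # really is; a payload newer than its own directory by roughly a year is
    # the observable side effect of that.
    gap = task["file_modified"] - task["dir_created"]
    if timedelta(days=330) <= gap <= timedelta(days=400):
        reasons.append("directory timestamps about a year older than its contents")
    return reasons

def triage(tasks):
    """Map task name -> reasons for every record with at least one hit."""
    hits = {}
    for task in tasks:
        reasons = suspicious(task)
        if reasons:
            hits[task["name"]] = reasons
    return hits
```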