利用 CVE-2024-21412 进行窃密的攻击激增
2024-7-28 18:17:46 Author: www.freebuf.com(查看原文) 阅读量:12 收藏

freeBuf

主站

分类

漏洞 工具 极客 Web安全 系统安全 网络安全 无线安全 设备/客户端安全 数据安全 安全管理 企业安全 工控安全

特色

头条 人物志 活动 视频 观点 招聘 报告 资讯 区块链安全 标准与合规 容器安全 公开课

官方公众号企业安全新浪微博

FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。

FreeBuf+小程序

FreeBuf+小程序

CVE-2024-21412 是 Microsoft Windows SmartScreen 中的一个安全漏洞,该漏洞源于处理恶意制作的文件时出现错误,远程攻击者可以利用此漏洞绕过 SmartScreen 安全警告对话框并传播恶意文件。在过去一年中,包括 Water Hydra、Lumma Stealer 和 Meduza Stealer 在内的多个恶意软件家族都启用了该漏洞。

研究人员观察到多个攻击者正在利用 CVE-2024-21412 下载恶意可执行文件。最初通过诱骗受害者点击精心设计的 URL 文件链接,再下载 LNK 文件。LNK 文件拉取包含 HTA 脚本的可执行文件,后续解码、解密 PowerShell 代码获取最终 URL、诱饵 PDF 文件与恶意代码。攻击者利用这些恶意代码,将窃密软件注入合法进程,将失陷主机的数据回传给 C&C 服务器。

攻击者针对不同地区(美国、西班牙、泰国等)设计了不同的恶意代码来逃避检测,并且使用不同的 PDF 文件。

1722161463_66a61937e45421a706085.png!small?1722161464263

攻击链

初始访问

攻击者构建指向远程服务器的恶意链接,获取以下内容的 URL 文件:

1722161479_66a619476a0dd71f62a96.png!small?1722161480089

URL 文件

LNK 文件使用 forfiles 命令调用 Powershell 脚本,执行 mshta 从远程服务器拉取可执行文件。

1722161493_66a6195597e35bb42192f.png!small?1722161494270

LNK 文件

调查过程中发现 LNK 文件都下载了类似的可执行文件,包含嵌入其中的 HTA 脚本。HTA 脚本均已被设置为 WINDOWSTATE="minimize"和 SHOWTASKBAR="no",执行其他恶意代码进行攻击下一阶段。

1722161505_66a61961c3cbe38faef87.png!small?1722161506280

HTA 脚本

在解码和解密脚本后,PowerShell 代码会将两个文件下载到 %AppData%文件夹。一个文件是诱饵 PDF 文件,另一个文件是注入恶意代码的可执行文件。

1722161519_66a6196fd660da3dd9776.png!small?1722161520433

部分代码

1722161534_66a6197e5610308b2268e.png!small?1722161534952

诱饵 PDF 文档

代码注入

攻击链中,研究人员一共发现了两种类型的注入工具。第一种注入工具利用图片文件获取注入代码,截至目前检出率仍然比较低。

1722161551_66a6198f20d747cc8ef5f.png!small?1722161551538

VirusTotal 检出结果

它开始从 Imghippo 网站(hxxps://i.imghippo[.]com/files/0hVAM1719847927[.]png)下载 JPG 文件,再利用名为 GdipBitmapGetPixel 的 Windows API 读取图片像素并解码字节以获取注入代码。

1722161562_66a6199a4bd67ca7f770b.png!small?1722161563324

PNG 文件

随后调用 dword ptr ss:[ebp-F4]跳转到注入代码的入口点。注入代码首先从 CRC32 哈希中获取所有 API,并将文件放入 %TEMP%文件夹中。根据加密数据的典型字节(\x49\x44\x41\x54\xC6\xA5\x79\xEA),可以判断释放的文件是 HijackLoader。

1722161574_66a619a6b6cdfcc7d95e9.png!small?1722161576168

入口点

1722161589_66a619b58ca3e7cc3ab61.png!small?1722161590748

CRC32 哈希值

1722161599_66a619bf7831cc02e9b9c.png!small?1722161600040

写入文件夹

1722161611_66a619cb1742c0286ff7a.png!small?1722161611569

释放 HijackLoader

另一个注入工具会从数据段中解密代码,利用一系列 Windows API 函数(NtCreateSection、NtMapViewOfSection、NtUnmapViewOfSection、NtMapViewOfSection 和 NtProtectVirtualMemory)进行代码注入。

1722161621_66a619d57130c16239ad1.png!small?1722161622273

汇编代码

窃密木马

攻击者使用了 2.9 版本的 Meduza Stealer,其控制面板位于 hxxp://5[.]42[.]107[.]78/auth/login

1722161632_66a619e0cfd898df4b5ce.png!small?1722161633444

控制面板

HijackLoader 还可能会加载 ACR Stealer,通过 DDR 技术将 C&C 服务器地址隐藏在 Steam 社区中。

1722161646_66a619eee81f713431e09.png!small?1722161647656

隐藏 C&C 服务器

在 Steam 社区中通过搜索特定字符串 t6t可以找到 Steam 上其他 ACR Stealers 的 C&C 服务器地址。

1722161657_66a619f94eb7434a8da6b.png!small?1722161658013

隐藏 C&C 服务器

获取 C&C 服务器地址后,ACR Stealers 拼接构建完整的 URL。通过该 URL 从 C&C 服务器获取配置信息,并与 C&C 服务器保持通信。

1722161671_66a61a071cb3ebcf44386.png!small?1722161671980

配置信息

除了 Documents 和 Recent 路径下的文件外,ACR Stealers 也关注以下应用程序:

  • 浏览器: Google Chrome, Google Chrome SxS, Google Chrome Beta, Google Chrome Dev, Google Chrome Unstable, Google Chrome Canary, Epic Privacy Browser, Vivaldi, 360Browser Browser, CocCoc Browser, K-Melon, Orbitum, Torch, CentBrowser, Chromium, Chedot, Kometa, Uran, liebao, QIP Surf, Nichrome, Chromodo, Coowon, CatalinaGroup Citrio, uCozMedia Uran, Elements Browser, MapleStudio ChromePlus, Maxthon3, Amigo, Brave-Browser, Microsoft Edge, Opera Stable, Opera GX Stable, Opera Neon, Mozilla Firefox, BlackHawk, and TorBro
  • 加密货币钱包: Bitcoin, Binance, Electrum, Electrum-LTC, Ethereum, Exodus, Anoncoin, BBQCoin, devcoin, digitalcoin, Florincoin, Franko, Freicoin, GoldCoin (GLD), GInfinitecoin, IOCoin, Ixcoin, Litecoin, Megacoin, Mincoin, Namecoin, Primecoin, Terracoin, YACoin, Dogecoin, ElectronCash, MultiDoge, com.liberty.jaxx, atomic, Daedalus Mainnet, Coinomi, Ledger Live, Authy Desktop, Armory, DashCore, Zcash, Guarda, WalletWasabi, and Monero
  • 即时通信软件: Telegram, Pidgin, Signal, Tox, Psi, Psi+, and WhatsApp
  • FTP 客户端: FileZilla, GoFTP, UltraFXP, NetDrive, FTP Now, DeluxeFTP, FTPGetter, Steed, Estsoft ALFTP, BitKinex, Notepad++ plugins NppFTP, FTPBox, INSoftware NovaFTP, and BlazeFtp
  • 电子邮件客户端: Mailbird, eM Client, The Bat!, PMAIL, Opera Mail, yMail2, TrulyMail, Pocomail, and Thunderbird
  • VPN 客户端: NordVPN and AzireVPN
  • 密码管理器: Bitwarden, NordPass, 1Password, and RoboForm
  • 其他软件: AnyDesk, MySQL Workbench, GHISLER, Sticky Notes, Notezilla , To-Do DeskList, snowflake-ssh, and GmailNotifierPro

Chrome 浏览器的扩展也是攻击者关注的重点,如下:

nphplpgoakhhjchkkhmiggakijnkhfnd
apbldaphppcdfbdnnogdikheafliigcf
fldfpgipfncgndfolcbkdeeknbbbnhcc
ckdjpkejmlgmanmmdfeimelghmdfeobe
omaabbefbmiijedngplfjmnooppbclkk
iodngkohgeogpicpibpnaofoeifknfdo
afbcbjpbpfadlkmhmclhkeeodmamcflc
hnefghmjgbmpkjjfhefnenfnejdjneog
lodccjjbdhfakaekdiahmedfbieldgik
fpcamiejgfmmhnhbcafmnefbijblinff
hcflpincpppdclinealmandijcmnkbgn
egdddjbjlcjckiejbbaneobkpgnmpknp
bcopgchhojmggmffilplmbdicgaihlkp
nihlebdlccjjdejgocpogfpheakkpodb
fhmfendgdocmcbmfikdcogofphimnkno
ilbibkgkmlkhgnpgflcjdfefbkpehoom
kpfopkelmapcoipemfendmdcghnegimn
oiaanamcepbccmdfckijjolhlkfocbgj
fhbohimaelbohpjbbldcngcnapndodjp
ldpmmllpgnfdjkmhcficcifgoeopnodc
cnmamaachppnkjgnildpdmkaakejnhae
mbcafoimmibpjgdjboacfhkijdkmjocd
nlbmnnijcnlegkjjpcfjclmcfggfefdm
jbdpelninpfbopdfbppfopcmoepikkgk
amkmjjmmflddogmhpjloimipbofnfjih
onapnnfmpjmbmdcipllnjmjdjfonfjdm
cphhlgmgameodnhkjdmkpanlelnlohao
cfdldlejlcgbgollnbonjgladpgeogab
kncchdigobghenbbaddojjnnaogfppfj
ablbagjepecncofimgjmdpnhnfjiecfm
jojhfeoedkpkglbfimdfabpdfjaoolaf
fdfigkbdjmhpdgffnbdbicdmimfikfig
ffnbelfdoeiohenkjibnmadjiehjhajb
njojblnpemjkgkchnpbfllpofaphbokk
pdgbckgdncnhihllonhnjbdoighgpimk
hjagdglgahihloifacmhaigjnkobnnih
ookjlbkiijinhpmnjffcofjonbfbgaoc
pnlccmojcmeohlpggmfnbbiapkmbliob
mnfifefkajgofkcjkemidiaecocnkjeh
ljfpcifpgbbchoddpjefaipoiigpdmag
flpiciilemgh-bmfalicajoolhkkenfel
bhghoamapcdpbohphigoooaddinpkbai
jfdlamikmbghhapbgfoogdffldioobgl
gaedmjdfmmahhbjefcbgaolhhanlaolb
nkbihfbeogaeaoehlefnkodbefgpgknn
imloifkgjagghnncjkhggdhalmcnfklk
aiifbnbfobpmeekipheeijimdpnlpgpp
oeljdldpnmdbchonielidgobddffflal
aeachknmefphepccionboohckonoeemg
ilgcnhelpchnceeipipijaljkblbcobl
hpglfhgfnhbgpjdenjgmdgoeiappafln
nngceckbapebfimnlniiiahkandclblb
nknhiehlklippafakaeklbeglecifhad
oboonakemofpalcgghocfoadofidjkkk
dmkamcknogkgcdfhhbddcghachkejeap
fdjamakpfbbddfjaooikfcpapjohcfmg
jnmbobjmhlngoefaiojfljckilhhlhcj
fooolghllnmhmmndgjiamiiodkpenpbb
klnaejjgbibmhlephnhpmaofohgkpgkd
bfogiafebfohielmmehodmfbbebbbpei
ibnejdfjmmkpcnlpebklmnkoeoihofec
lfochlioelphaglamdcakfjemolpichk
ejbalbakoplchlghecdalmeeeajnimhm
hdokiejnpimakedhajhdlcegeplioahd
kjmoohlgokccodicjjfebfomlbljgfhk
naepdomgkenhinolocfifgehidddafch
fnjhmkhhmkbjkkabndcnnogagogbneec
bmikpgodpkclnkgmnpphehdgcimmided
nhnkbkgjikgcigadomkphalanndcapjk
nofkfblpeailgignhkbnapbephdnmbmn
hnfanknocfeofbddgcijnmhnfnkdnaad
jhfjfclepacoldmjmkmdlmganfaalklb
cihmoadaighcejopammfbmddcmdekcje
chgfefjpcobfbnpmiokfjjaglahmnded
bfnaelmomeimhlpmgjnjophhpkkoljpa
igkpcodhieompeloncfnbekccinhapdb
djclckkglechooblngghdinmeemkbgci
cfhdojbkjhnklbpkdaibdccddilifddb
jiidiaalihmmhddjgbnbgdfflelocpak
kmmkllgcgpldbblpnhghdojehhfafhro
lgmpc-pglpngdoalbgeoldeajfclnhafa
ibegklajigjlbljkhfpenpfoadebkokl
egjidjbpglichdcondbcbdnbeeppgdph
ijpdbdidkomoophdnnnfoancpbbmpfcn
flhbololhdbnkpnnocoifnopcapiekdi
llalnijpibhkmpdamakhgmcagghgmjab
kkhmbjifakpikpapdiaepgkdephjgnma
mjdmgoiobnbombmnbbdllfncjcmopfnc
ekkhlihjnlmjenikbgmhgjkknoelfped
dlcobpjiigpikoobohmabehhmhfoodbb
jngbikilcgcnfdbmnmnmnleeomffciml
jnlgamecbpmbajjfhmmmlhejkemejdma
hcjginnbdlkdnnahogchmeidnmfckjom
kbdcddcmgoplfockflacnnefaehaiocb
ogphgbfmhodmnmpnaadpbdadldbnmjji
kgdijkcfiglijhaglibaidbipiejjfdp
hhmkpbimapjpajpicehcnmhdgagpfmjc
epapihdplajcdnnkdeiahlgigofloibg
ojhpaddibjnpiefjkbhkfiaedepjheca
mgffkfbidihjpoaomajlbgchddlicgpn
fmhjnpmdlhokfidldlglfhkkfhjdmhgl
ebfidpplhabeedpnhjnobghokpiioolj
gjhohodkpobnogbepojmopnaninookhj
dngmlblcodfobpdpecaadgfbcggfjfnm
hmglflngjlhgibbmcedpdabjmcmboamo
ldinpeekobnhjjdofggfgjlcehhmanlj
eklfjjkfpbnioclagjlmklgkcfmgmbpg
mdjmfdffdcmnoblignmgpommbefadffd
jbkfoedolllekgbhcbcoahefnbanhhlh
aflkmfhebedbjioipglgcbcmnbpgliof
mcohilncbfahbmgdjkbpemcciiolgcge
dmjmllblpcbmniokccdoaiahcdajdjof
jbdaocneiiinmjbjlgalhcelgbejmnid
lnnnmfcpbkafcpgdilckhmhbkkbpkmid
blnieiiffboillknjnepogjhkgnoapac
odpnjmimokcmjgojhnhfcnalnegdjmdn
cjelfplplebdjjenllpjcblmjkfcffne
bopcbmipnjdcdfflfgjdgdjejmgpoaab
fihkakfobkmkjojpchpfgcmhfjnmnfpi
cpmkedoip-cpimgecpmgpldfpohjplkpp
kkpllkodjeloidieedojogacfhpaihoh
khpkpbbcccdmmclmpigdgddabeilkdpd
nanjmdknhkinifnkgdcggcfnhdaammmj
mcbigmjiafegjnnogedioegffbooigli
nkddgncdjgjfcddamfgcmfnlhccnimig
fiikommddbeccaoicoejoniammnalkfa
acmacodkjbdgmoleebolmdjonilkdbch
heefohaffomkkkphnlpohglngmbcclhi
phkbamefinggmakgklpkljjmgibohnba
ocjdpmoallmgmjbbogfiiaofphbjgchh
efbglgofoippbgcjepnhiblaibcnclgk
hmeobnfnfcmdkdcmlblgagmfpfboieaf
lpfcbjknijpeeillifnkikgncikgfhdo
kfdniefadaanbjodldohaedphafoffoh
ejjladinnckdgjemekebdpeokbikhfci
kmhcihpebfmpgmihbkipmjlmmioameka
opcgpfmipidbgpenhmajoajpbobppdil
gafhhkg-hbfjjkeiendhlofajokpaflmk
aholpfdialjgjfhomihkjbmgjidlcdno
kglcipoddmbniebnibibkghfijekllbl
onhogfjeacnfoofkfgppdlbmlmnplgbn
iokeahhehimjnekafflcihljlcjccdbe
mopnmbcafieddcagagdcbnhejhlodfdd
idnnbdplmphpflfnlkomgpfbpcgelopg
fijngjgcjhjmmpcmkeiomlglpeiijkld
kmphdnilpmdejikjdnlbcnmnabepfgkh
hifafgmccdpekplomjjkcfgodnhcellj
cgeeodpfagjceefieflmdfphplkenlfk
ijmpgkjfkbfhoebgogflfebnmejmfbm
pdadjkfkgcafgbceimcpbkalnfnepbnk
lkcjlnjfpbikmcmbachjpdbijejflpcm
odbfpeeihdkbihmopkbjmoonfanlbfcl
onofpnbbkehpmmoabgpc-pmigafmmnjh
fhilaheimglignddkjgofkcbgekhenbh
dkdedlpgdmmkkfjabffeganieamfklkm
aodkkagnadcbobfpggfnjeongemjbjca
nlgbhdfgdhgbiamfdfmbikcdghidoadd
dngmlblcodfobpdpecaadgfbcggfjfnm
infeboajgfhgbjpjbeppbkgnabfdkdaf
lpilbniiabackdjcionkobglmddfbcjo
ppbibelpcjmhbdihakflkdcoccbgbkpo
bhhhlbepdkbapadjdnnojkbgioiodbic
klghhnkeealcohjjanjjdaeeggmfmlpl
jnkelfanjkeadonecabehalmbgpfodjm
enabgbdfcbaehmbigakijjabdpdnimlg
jgaaimajipbpdogpdglhaphldakikgef
mmmjbcfofconkannjonfmjjajpllddbg
kppfdiipphfccemcignhifpjkapfbihd
bifidjkcdpgfnlbcjpdkdcnbiooooblg
loinekcabhlmhjjbocijdoimmejangoa
nebnhfamliijlghikdgcigoebonmoibm
anokgmphncpekkhclmingpimjmcooifb
fcfcfllfndlomdhbehjjcoimbgofdncg
cnncmdhjacpkmjmkcafchppbnpnhdmon
ojggmchlghnjlapmfbnjholfjkiidbch
mkpegjkblkkefacfnmkajcjmabijhclg

结论

攻击者大量利用 CVE-2024-21412 传播 LNK 文件,后续下载嵌入 HTA 脚本的可执行文件。HTA 脚本可以悄无声息地运行,不弹出任何窗口。继续下载诱饵 PDF 文档与注入代码的可执行文件,为后续窃密做准备。

IOC

62[.]133[.]61[.]26
62[.]133[.]61[.]43
5[.]42[.]107[.]78
21centuryart[.]com
scratchedcards[.]com
proffyrobharborye[.]xyz
answerrsdo[.]shop
pcvcf[.]xyz
pcvvf[.]xyz
pdddk[.]xyz
pdddj[.]xyz
pddbj[.]xyz
pbpbj[.]xyz
pbdbj[.]xyz
ptdrf[.]xyz
pqdrf[.]xyz
e15b200048fdddaedb24a84e99d6d7b950be020692c02b46902bf5af8fb-50949
547b6e08b0142b4f8d024bac78eb1ff399198a8d8505ce365b352e181fc4a544
bd823f525c128149d70f633e524a06a0c5dc1ca14dd56ca7d2a8404e5a573078
982338768465b79cc8acd873a1be2793fccbaa4f28933bcdf56b1d8aa6919b47
bc6933a8fc324b907e6cf3ded3f76adc27a6ad2445b4f5db1723ac3ec86ed10d
59d2c2ca389ab1ba1fefa4a06b14ae18a8f5b70644158d5ec4fb7a7eac4c0a08
8568226767ac2748eccc7b9832fac33e8aa6bfdc03eafa6a34fb5d81e5992497
4043aa37b5ba577dd99f6ca35c644246094f4f579415652895e6750fb9823bd9
0604e7f0b4f7790053991c33359ad427c9bf74c62bec3e2d16984956d0fb9c19
8c6d355a987bb09307e0af6ac8c3373c1c4cbfbceeeb1159a96a75f19230ede6
de6960d51247844587a21cc0685276f966747e324eb444e6e975b0791556f34f
6c779e427b8d861896eacdeb812f9f388ebd43f587c84a243c7dab9ef65d151c
08c75c6a9582d49ea3fe780509b6f0c9371cfcd0be130bc561fae658b055a671
abc54ff9f6823359071d755b151233c08bc2ed1996148ac61cfb99c7e8392bfe
643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2

参考来源

Fortinet

本文为 独立观点,未经允许不得转载,授权请联系FreeBuf客服小蜜蜂,微信:freebee2022


文章来源: https://www.freebuf.com/articles/network/407168.html
如有侵权请联系:admin#unsafe.sh