Sarwent 恶意软件更新命令功能持续发展
2020-05-26 17:28:00 Author: paper.seebug.org(查看原文) 阅读量:555 收藏

原文链接:Sarwent Malware Continues to Evolve With Updated Command Functions
译者:知道创宇404实验室翻译组

Sarwent很少受到研究人员的关注,但是该后门恶意软件仍在积极开发中,在持续更新命令并专注于RDP的研发。

  • Sarwent恶意软件的更新表明,人们对后门功能(例如执行PowerShell命令)的兴趣不断增强;
  • 其更新还显示了使用RDP的偏好;
  • Sarwent被发现至少使用一个与TrickBot运算符相同的二进制签名器。

背景

自2018年以来,Sarwent的使用率在不断提高,但相关的研究报告却很少。

相关研究

过去,Sarwent功能一直围绕着如何成为装载程序而展开,下图显示其原始命令:

|download|
|update|
|vnc|

另外它的AV(防病毒)检查功能在持续更新。

防病毒检查

近期包括对C2 URI结构的更新

C2检查更新

最近还增加了许多在恶意软件中通常会看到的命令,而这些命令更多地关注点在后门或与RAT类似的功能。

|cmd|
|powershell|
|rdp|

这些更新都非常有趣,而网络犯罪集团目前试图利用更多的杠杆来赚钱,从最近销售访问系统的服务的激增中看出而RDP仍然是一个焦点。

cmdpowershell命令只需要进行引爆。

命令行爆炸

利用base64对结果进行编码,并通过匹配的URL路由将结果发送回C2。

Base64编码命令结果

用于发送响应的C2路由:

/gate/cmd_exec
/gate/powershell_exec

rdp命令有些不一样,从代码的执行内容来看,像是用来告诉机器人执行一系列任务:

  • 添加新用户
  • 列出组和用户
  • 在本地防火墙上打孔

添加新用户

列出网络组和用户

允许RDP端口上的防火墙连接

此命令和今后为RDP访问设置的系统有关。

相关建议

中端:

CommadLine="cmd /c ping localhost & regsvr32 /s *"

网络:新的威胁中已经存在许多网络规则,因此,我决定考虑添加一些当前可能未涵盖的Suricata规则。

Suricata 规则

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”Sarwent CMD response Post”; content:”POSt”; http_method; content:”/gate/cmd_exec”; http_uri; classtype:trojan-activity; sid:9000040; rev:1; metadata:author Jason Reaves;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”Sarwent Powershell response Post”; content:”POST”; http_method; content:”/gate/powershell_exec”; http_uri; classtype:trojan-activity; sid:9000041; rev:1; metadata:author Jason Reaves;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”Sarwent RDP exec response”; content:”GET”; http_method; content:”/gate/rdp_exec?command=”; http_uri; content:”&status=”; http_uri; classtype:trojan-activity; sid:9000042; rev:1; metadata:author Jason Reaves;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”Sarwent update exe response”; content:”GET”; http_method; content:”/gate/update_exec?command=”; http_uri; content:”&status=”; http_uri; classtype:trojan-activity; sid:9000043; rev:1; metadata:author Jason Reaves;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”Sarwent update command”; content:”200″; http_stat_code; content:”fHVwZGF0ZX”; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000044; rev:1; metadata:author Jason Reaves;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”Sarwent download command”; content:”200″; http_stat_code; content:”fGRvd25sb2Fkf”; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000045; rev:1; metadata:author Jason Reaves;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”Sarwent powershell command”; content:”200″; http_stat_code; content:”fHBvd2Vyc2hlbGx8″; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000046; rev:1; metadata:author Jason Reaves;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”Sarwent rdp command”; content:”200″; http_stat_code; content:”fHJkcH”; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000047; rev:1; metadata:author Jason Reaves;)

IoCs

Download Location:

whatsmyhomeworthlondonontario[.]ca/wp-admin/version.exe
beurbn[.]com/install.exe

V2

Hash:
3f7fb64ec24a5e9a8cfb6160fad37d33fed6547c
Domains
seoanalyticsproj.xyz
seoanalyticsproewj.xyz
seoanalyticsp34roj.xyz
seoanalyticsptyrroj.xyz
seoanalyticsprojrts.xyz
seoanalyticspro32frghyj.xyz

Hash:
ab57769dd4e4d4720eedaca31198fd7a68b7ff80
Domains
vertuozoff.xyz
vertuozoff.club
vertuozofff.xyz
vertuozofff.com
vertuozofff.club
vertuozoffff.club

Hash:
d297761f97b2ead98a96b374d5d9dac504a9a134
Domains
rabbot.xyz
terobolt.xyz
tebbolt.xyz
rubbolt.xyz
rubbot.xyz
treawot.xyz

Hash:
3eeddeadcc34b89fbdd77384b2b97daff4ccf8cc
Domains
rabbot.xyz
terobolt.xyz
tebbolt.xyz
rubbolt.xyz
rubbot.xyz
treawot.xyz

Hash:
106f8c7ddbf265fc108a7501b6af292000dd5219
Domains
blognews-journal.com
startprojekt.pw
blognews-joural.com
blognews-joural.best
blognews-joural.info
startprojekt.pro

V1

Hash:
83b33392e045425e9330a7f009801b53e3ab472a
Domains
212.73.150.246
softfaremiks.icu
shopstoregame.icu
shopstoregamese.icu

Hash:
2979160112ea2de4f4e1b9224085efbbedafb593
Domains
shopstoregame.icu
softfaremiks.icu
shopstoregamese.icu shopstoregamese.com shopstoregames.icu

参考链接

  1. https://twitter.com/VK_Intel/status/1228833249536987138

  2. https://twitter.com/James_inthe_box/status/1228788661006659584

  3. https://twitter.com/VK_Intel/status/1242587625409609731

  4. https://github.com/silence-is-best/c2db


Paper 本文由 Seebug Paper 发布,如需转载请注明来源。本文地址:https://paper.seebug.org/1221/



文章来源: https://paper.seebug.org/1221/
如有侵权请联系:admin#unsafe.sh