Tencent Security's 御见 (Yujian) threat detection system clustered the malicious family T-F-278915. Analysis shows that samples of this family steal multiple cryptocurrencies, steal online-banking login credentials for banks in several countries (matching keywords in Chinese, Japanese and Greek, among others), delete the user's browser data, and use the victim's computer to mine the IQ cryptocurrency.
After infection, when the trojan detects the user performing online-banking or payment-related operations, it copies the clipboard contents, takes screenshots and logs keystrokes, then uploads the captured private data from the infected machine. It achieves automatic loading at boot by creating a scheduled task and adding a startup entry. While carrying out these operations, the malware also uses the infected machine's computing power to mine cryptocurrency.
Injection process in detail: the sample copies RegSvcs.exe, aspnet_compiler.exe, RegAsm.exe and InstallUtil.exe from the .NET Framework directory into the directory it resides in, then downloads base64-encoded code from http://paste.ee/r/Jcre9, http://paste.ee/r/jeDt4 and http://pastebin.com/raw/XMKKNkb0. Although these URLs are no longer live, the parameters found at one of them, "–neoscrypt -g 1 -I 8 -o stratum+tcp://hub.miningpoolhub.com:20510 -O pastet3i905hmi.workergpu:password", indicate IQ cryptocurrency mining. The code is as follows:
It copies itself to the directory C:\Users\Administrator\AppData\Local\_foldernamelocalappdata_\ and appends a GUID to the end of the file.
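Two of the behaviours described above leave visible traces in process-creation telemetry: the .NET Framework utilities (RegSvcs.exe, aspnet_compiler.exe, RegAsm.exe, InstallUtil.exe) running from somewhere other than the Framework directory, and a miner command line pointing at a stratum pool. The following detection logic is an added example, not code from the report or the malware; the sample events and the Temp paths are constructed, and only the pool URL comes from the report.

```python
import re
from pathlib import PureWindowsPath

# .NET Framework utilities the report says the malware copies out of the
# Framework directory into its own folder before abusing them.
DOTNET_UTILS = {"regsvcs.exe", "aspnet_compiler.exe", "regasm.exe", "installutil.exe"}

# Legitimate home of those utilities: <drive>:\Windows\Microsoft.NET\Framework[64]\...
FRAMEWORK_DIR_RE = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\", re.I)

# Stratum mining-pool URL as seen in the miner parameters quoted in the report.
STRATUM_RE = re.compile(r"stratum\+tcp://([^\s:/]+):(\d+)", re.I)


def check_process_event(image_path, command_line):
    """Return a list of finding strings for one process-creation event."""
    findings = []
    name = PureWindowsPath(image_path).name.lower()
    # A Framework utility executing from a non-Framework path is the copy-and-abuse pattern.
    if name in DOTNET_UTILS and not FRAMEWORK_DIR_RE.match(image_path):
        findings.append(f"dotnet-util-outside-framework:{name}")
    # A stratum pool in the command line points at CPU/GPU mining; record host and port.
    m = STRATUM_RE.search(command_line)
    if m:
        findings.append(f"stratum-pool:{m.group(1)}:{m.group(2)}")
    return findings


def scan(events):
    """Map each image path with at least one finding to its findings."""
    results = {}
    for image_path, command_line in events:
        findings = check_process_event(image_path, command_line)
        if findings:
            results[image_path] = findings
    return results


# Constructed sample events (image path, command line); not taken from the report.
SAMPLE_EVENTS = [
    # Benign: RegAsm.exe running from its real Framework location.
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe /codebase app.dll"),
    # Suspicious: a copy of RegAsm.exe executing from a user-writable folder.
    (r"C:\Users\Administrator\AppData\Local\Temp\RegAsm.exe", "RegAsm.exe"),
    # Suspicious: miner parameters matching those quoted in the report.
    (r"C:\Users\Administrator\AppData\Local\Temp\miner.exe",
     "miner.exe --neoscrypt -g 1 -I 8 -o stratum+tcp://hub.miningpoolhub.com:20510 -O worker:password"),
]

if __name__ == "__main__":
    for path, found in scan(SAMPLE_EVENTS).items():
        print(path, found)
```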
credit card,tor browser,Adanced Cash,socks5,order complete,nixmoney,investing,free credit score,payment gateway,order summary,confirm id,confirm your id,payment confirm,confirm payment,deepweb,order status,remote desktop,mutual funds,paysafecard,credit rating,credit report,online trading,delivery status,qiwi,cryptocurrency exchange,moneypolo,online investing,registrar,e-pin,payroll service,checkout,add money,proof of id,ebay,banking services,paytm,payment,credit union,pay,banque,e-cheque,transaction,personal banking,domain services,id scan,webmoney,proof of address,e-wallet,moodle,trade bitcoin,prepaid,payment complete,dwolla,ftp://,identity scan,invoice,banking,internet bank,forgot password,carding,e-kzt,credit check,about tor,filezilla,shopping cart,ssh login,sell bitcoin,银行,university,solidtrust pay,ftp details,neteller,domain name registration,add to balance,add funds,buy bitcoin,securecode,payment method,liqpay,paxum,web hosting services,hosting details,comdirect,unistream,okpay,epayments.com,merchant account,money voucher,payeer,college,domain management,paypal,completed pay,perfect money,domain name services,order details,ria money transfer,alipay,logmein,e-voucher,telephone banking,z-payment,visa qiwi,savings account,ewallet,τράπεζα,photo id,admin panel,paymer,バンク,chequing account,bill payment,yandex,money,cpanel,skrill,payza,idram,moneygram,pay stub,dark web,teamviewer,online banking,business banking,amazon workspace,bank of,putty,western union,deposit funds,internet banking,banco,account details,paysera,bank account,payment sent,bank,ssh session,payment succe,capitalist:,digital currency,investments,epese,deep web,epay global payment,epay.com,verified by visa,3d secure,debit card,verify,verification,card balance,account balance,hacked,carding,american express,imps transfer,bank transfer,cash deposit,moneypak,gofundme,crowdfunding,cashout,check balance,topup,top-up,recharge,top up,refill card,e-commerce,purchase tokens,available balance,payment info,jabber,icq,blockchain,coinbase,coinmama,localbitcoins,bitpay,digital signature,walmart,routing number,transit number