Octopus Scanner: malware that targets NetBeans and plants a backdoor

It was announced that several infected projects had been discovered on GitHub carrying malware aimed at the popular "NetBeans" IDE, malware that hooks into the build process in order to distribute itself.

The investigation showed that, with the help of the malware in question, named Octopus Scanner, backdoors had been covertly planted in 26 open source projects with repositories on GitHub. The earliest traces of Octopus Scanner date back to August 2018.

Securing the open source supply chain is an enormous task. It goes beyond a security assessment or simply patching the latest CVEs. Supply chain security is about the integrity of the entire software development and delivery ecosystem. From the compromise of code, to how it flows through the CI/CD pipeline, to the actual delivery of releases, there is potential for loss of integrity and security issues throughout the whole life cycle.

About Octopus Scanner

This malware is able to locate NetBeans project files and add its own code both to the project files and to the compiled JAR files.

The algorithm works as follows: it looks for the NetBeans directory that holds the user's projects, iterates over every project in that directory, drops the malicious script into nbproject/cache.dat, and modifies the nbproject/build-impl.xml file so that this script is invoked every time the project is built.

During compilation, a copy of the malware ends up inside the resulting JAR files, which then become an additional channel of distribution. For example, malicious files were placed in the repositories of the 26 open source projects mentioned above, and also in various other projects as new releases were published.

On March 9, we received a message from a security researcher informing us about a set of repositories hosted on GitHub that were, presumably unintentionally, serving malware. After a deep analysis of the malware itself, we discovered something we had never seen before on our platform: malware designed to enumerate NetBeans projects and plant a backdoor that uses the build process and its resulting artifacts to spread.

When the malicious JAR file is downloaded and launched by another user, the next round of searching for NetBeans and injecting malicious code begins on that user's system, which matches the operating model of self-propagating computer viruses.

Figure 1: Octopus Scanner test sample

Besides its self-propagation functions, the malicious code includes backdoor functionality that provides remote access to the system. At the time the incident was analyzed, the backdoor's command-and-control (C&C) servers were no longer active.

In total, when the affected projects were analyzed, 4 variants of the infection were identified. In one of the variants, the backdoor is activated on Linux by creating the autorun file «$HOME/.config/autostart/octo.desktop», while on Windows tasks are registered via schtasks to run at startup.

The backdoor could be used to insert implants into the code the developer is working on, to organize the leakage of proprietary code from the owner's systems, to steal sensitive data, and to hijack accounts.

Below is a high-level description of how Octopus Scanner operates:

  1. Identify the user's NetBeans directory
  2. Enumerate all projects in the NetBeans directory
  3. Copy the malicious payload into nbproject/cache.dat
  4. Modify nbproject/build-impl.xml to ensure the payload is executed every time the NetBeans project is built
  5. If the malicious payload is an instance of Octopus Scanner, the newly built JAR file is infected as well.
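The steps above give a defender three filesystem indicators to look for: a `cache.dat` file inside a project's `nbproject/` directory, a `build-impl.xml` that references that file, and (for the Linux variant) the `~/.config/autostart/octo.desktop` entry. The following Python script is an added example, not code from the article or from GitHub Security Lab; it walks a directory tree, flags projects carrying those indicators, and checks the autostart path. The sample tree it builds (`CleanApp`, `SuspectApp`, the placeholder `cache.dat` bytes and the `build-impl.xml` hook text) is constructed for the demo; the real modification the malware makes to `build-impl.xml` is not quoted on the page, so the script matches only on a reference to `cache.dat`.

```python
import tempfile
from pathlib import Path

# Indicators taken from the article: payload in nbproject/cache.dat,
# build-impl.xml edited to invoke it, and the Linux autostart entry.
PAYLOAD_NAME = "cache.dat"
BUILD_FILE = "build-impl.xml"
AUTOSTART_ENTRY = Path(".config/autostart/octo.desktop")


def scan_projects(root):
    """Walk `root` and return [(project_dir, findings)] for every NetBeans
    project whose nbproject/ directory carries one of the indicators."""
    hits = []
    for nbproject in Path(root).rglob("nbproject"):
        if not nbproject.is_dir():
            continue
        findings = set()
        if (nbproject / PAYLOAD_NAME).exists():
            findings.add("cache.dat present")
        build = nbproject / BUILD_FILE
        if build.exists():
            # A stock build-impl.xml never mentions cache.dat; any reference
            # means the build script has been tampered with.
            if PAYLOAD_NAME in build.read_text(errors="replace").lower():
                findings.add("build-impl.xml references cache.dat")
        if findings:
            hits.append((str(nbproject.parent), findings))
    return hits


def check_autostart(home):
    """True if the Linux persistence file named in the article exists."""
    return (Path(home) / AUTOSTART_ENTRY).exists()


def build_sample_tree():
    """Constructed sample data: one clean project, one carrying the
    indicators, and a fake home directory with the autostart entry."""
    base = Path(tempfile.mkdtemp(prefix="octo-demo-"))

    clean = base / "NetBeansProjects" / "CleanApp" / "nbproject"
    clean.mkdir(parents=True)
    (clean / BUILD_FILE).write_text(
        '<project name="CleanApp-impl"><target name="-do-compile"/></project>')

    bad = base / "NetBeansProjects" / "SuspectApp" / "nbproject"
    bad.mkdir(parents=True)
    # Placeholder bytes only; this is not the real payload.
    (bad / PAYLOAD_NAME).write_bytes(b"\x00constructed placeholder\x00")
    # Hypothetical hook: the page does not quote the real edit.
    (bad / BUILD_FILE).write_text(
        '<project><target name="-post-jar">'
        '<java jar="nbproject/cache.dat"/></target></project>')

    home = base / "home"
    (home / AUTOSTART_ENTRY).parent.mkdir(parents=True)
    (home / AUTOSTART_ENTRY).write_text(
        "[Desktop Entry]\nType=Application\nName=octo\n")
    return base


def main():
    base = build_sample_tree()
    for project, findings in scan_projects(base / "NetBeansProjects"):
        print(f"{project}: {', '.join(sorted(findings))}")
    print("autostart entry present:", check_autostart(base / "home"))


if __name__ == "__main__":
    main()
```

To run it against a real workstation, point `scan_projects` at the user's NetBeansProjects directory and `check_autostart` at the real home directory; a `cache.dat` committed to a git repository is the same signal the article's GitHub search for "CACHE.DAT" relies on.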

GitHub's researchers do not rule out that the malicious activity extends beyond NetBeans, and that other variants of Octopus Scanner exist that can embed themselves in build systems based on Make, MSBuild, Gradle and others.

The names of the affected projects were not published, but they can easily be found with a GitHub search for the pattern "CACHE.DAT".

Among the projects in which traces of the malicious activity were found: V2Mp3Player, JavaPacman, Kosim-Framework, 2D-Physics-Simulations, PacmanGame, GuessTheAnimal, SnakeCenterBox4, CallCenter, ProyectoGerundio, pacman-java_ia, SuperMario-FR-.

Source: https://securitylab.github.com/
