Shikitega: Nyowani Stealth Malware Targeting Linux

Shikitega operation process

Shikitega uses a multi-stage infection chain to compromise endpoints and IoT devices

Until recently, and in contrast with Windows, Linux users held a widely believed myth: that there were no viruses on Linux and that it was not prone to attack.

However, new data shows that the trends in cyberattacks are changing. According to data presented by the Atlas VPN team, the number of new Linux malware samples hit a record high in the first half of 2022, with nearly 1.7 million samples found. Researchers have also exposed a new strain of Linux malware notable for its stealth and for its sophistication in infecting both traditional servers and small Internet of Things devices.

Compared with the same period a year earlier, when 226,324 samples were found, the number of new Linux malware samples rose by almost 650%. Looking at new Linux malware samples quarter over quarter, the first quarter of this year fell by 2%, from 872,165 in Q4 2021 to 854,688 in Q1 2022. In the second quarter the count of malware samples fell again, this time by 2.5%.

Nicknamed Shikitega by the AT&T Alien Labs researchers who found it, the malware is distributed through a multi-step infection chain that uses polymorphic encoding. It also uses legitimate cloud services to host its command-and-control servers. These elements make detection extremely difficult.

"Threat actors continue to search for new ways to deliver malware to stay under the radar and avoid detection," wrote AT&T Alien Labs researcher Ofer Caspi. "Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload. In addition, the malware abuses known hosting services to host its command and control servers."

The malware downloads and runs "Mettle", the Metasploit Meterpreter implementation, to maximize its control over infected machines; Shikitega exploits system vulnerabilities to gain elevated privileges, persist, and run a cryptocurrency miner. The malware uses a polymorphic encoder to make detection harder for antivirus engines, and abuses legitimate cloud computing services to host some of its command-and-control (C&C) servers.

Mettle is a native-code implementation of Meterpreter designed for portability, embeddability and low resource usage. It can run on anything from the smallest embedded Linux targets upward, and targets Android, iOS, macOS, Linux and Windows, but can be ported to almost any POSIX-compliant environment.

Recent malware such as BotenaGo and EnemyBot shows how quickly malware authors integrate newly discovered vulnerabilities to find new victims and extend their reach. Shikitega uses a multi-layered infection chain: the first stage is only a few hundred bytes, and each module has a specific task, from downloading and running the Metasploit Meterpreter and exploiting Linux vulnerabilities, to setting up persistence on the infected machine and finally downloading and running a cryptominer.

The malware is a very small ELF file: its total size is only about 370 bytes, of which the actual code is around 300 bytes. The malware uses Shikata Ga Nai, the polymorphic XOR additive-feedback encoder, which is one of the most popular encoders used in Metasploit. With this encoder the malware goes through several decryption loops, each of which decrypts the next layer, until the final shellcode payload is decrypted and executed.
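To make the "one loop decrypts the next layer" mechanism concrete, here is an added example that re-implements the additive-feedback XOR scheme in plain Python. It is not code from the Shikitega samples or from Metasploit's encoder: the real Shikata Ga Nai stub keeps its key in a register and decodes itself in place, whereas here each layer is modelled as a 4-byte key header followed by the encoded body, and the payload and seeds are constructed for the demo.

```python
"""Layered Shikata Ga Nai-style additive-feedback XOR encoding.

Added example that re-implements the encoding scheme in plain Python; it is
not code from the Shikitega samples or from Metasploit's encoder. The real
stub carries its key in a register and decodes itself in place; here each
layer is modelled as a 4-byte key header followed by the encoded body.
"""
import random
import struct

MASK32 = 0xFFFFFFFF


def _pad4(data: bytes) -> bytes:
    """Pad to a dword boundary with NOPs (0x90); the scheme works on 4-byte words."""
    return data + b"\x90" * (-len(data) % 4)


def encode_layer(plain: bytes, key: int) -> bytes:
    """XOR each word with the key, then feed the *plaintext* word back into the key."""
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", plain):
        out += struct.pack("<I", word ^ key)
        key = (key + word) & MASK32
    return bytes(out)


def decode_layer(blob: bytes, key: int) -> bytes:
    """Inverse of encode_layer: XOR, then add the word just recovered to the key."""
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", blob):
        plain = word ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK32
    return bytes(out)


def pack_layers(payload: bytes, layers: int, seed: int) -> bytes:
    """Wrap payload in `layers` encoding layers, with a fresh random key per layer."""
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    body = _pad4(payload)
    for _ in range(layers):
        key = rng.getrandbits(32)
        body = struct.pack("<I", key) + encode_layer(body, key)
    return body


def unpack_layers(blob: bytes, layers: int) -> bytes:
    """Peel the layers one loop at a time, as the chained decoder stubs do."""
    body = blob
    for _ in range(layers):
        key = struct.unpack("<I", body[:4])[0]
        body = decode_layer(body[4:], key)
    return body


# Constructed stand-in for the final stage; the real payload is shellcode.
PAYLOAD = b"/bin/sh -c 'id'\x00"

if __name__ == "__main__":
    a = pack_layers(PAYLOAD, layers=3, seed=1)
    b = pack_layers(PAYLOAD, layers=3, seed=2)
    print("variant A:", a.hex())
    print("variant B:", b.hex())
    print("same payload, different bytes:", a != b)
    print("plaintext visible in the blob:", PAYLOAD in a)
    print("recovered:", unpack_layers(a, 3)[: len(PAYLOAD)])
```

Two properties matter for detection: the same payload encoded with different seeds yields blobs that share no bytes beyond their length, so a static signature on the payload never matches the file on disk, and because the key is updated with each decoded word, nothing can be recovered out of order; every layer has to be run from the start, which is why sandboxes and emulators rather than byte signatures catch this family.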

After several decryption loops the final payload shellcode is decrypted and executed. Because the malware uses no imports, it issues int 0x80 directly to make the system calls it needs. Since the dropper's main code is so small, the malware downloads and executes further commands from its command-and-control server by calling syscall 102 (sys_socketcall).

  1. The C&C responds with additional shell commands to execute.
  2. The first marked bytes are the shell commands that the malware will execute.
  3. The received command downloads additional files from the server; these are not saved to the hard drive but are executed only in memory.
  4. In other versions of the malware, the execve system call is used to run /bin/sh with the command received from the C&C.

The next file downloaded and executed is another small ELF file (about 1 kB), also encoded with the Shikata Ga Nai encoder. This second-stage dropper decrypts a shell command and executes it by calling syscall execve with '/bin/sh' as the program and the decrypted shell command as its argument. The executed shell command in turn downloads and executes additional files. To run the next and final stage dropper, it exploits two Linux privilege-escalation vulnerabilities: CVE-2021-4034 and CVE-2021-3493.
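The traits described above for the first-stage dropper (a few hundred bytes of ELF, raw int 0x80 system calls, a Shikata Ga Nai decoder stub) and for the roughly 1 kB second stage are enough for a cheap static triage pass over a suspect host. The following is an added example of such a pass, written for this page and not taken from AT&T Alien Labs or from the samples: the 2 kB size limit, the two-indicator rule and the byte patterns are heuristics chosen here (int 0x80 is `cd 80`; the `fnstenv [esp-0xc]` sequence `d9 74 24 f4` is the GetPC trick Shikata Ga Nai stubs use), and the sample inputs are constructed fake ELF headers, not real droppers.

```python
"""Static triage for Shikitega-style tiny droppers.

Added example, not code from AT&T Alien Labs or from the samples. The byte
patterns and size limit below are heuristics chosen for this illustration,
not signatures published by the researchers.
"""
import os
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"
INT_0X80 = b"\xcd\x80"           # int 0x80: the legacy 32-bit syscall gate the dropper uses
SGN_GETPC = b"\xd9\x74\x24\xf4"  # fnstenv [esp-0xc]: GetPC sequence of Shikata Ga Nai stubs
SMALL_ELF_LIMIT = 2048           # assumption: page reports a 370-byte dropper and ~1 kB stage 2


@dataclass
class Verdict:
    path: str
    size: int
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A tiny ELF that also carries raw int 0x80 or the SGN stub deserves a closer look.
        code_hits = {"int0x80", "sgn-getpc"} & set(self.indicators)
        return "tiny-elf" in self.indicators and bool(code_hits)


def triage_bytes(path: str, blob: bytes) -> Verdict:
    """Return the indicators found in one file's bytes (non-ELF files get none)."""
    v = Verdict(path, len(blob))
    if not blob.startswith(ELF_MAGIC):
        return v
    if len(blob) <= SMALL_ELF_LIMIT:
        v.indicators.append("tiny-elf")
    if len(blob) > 4 and blob[4] == 1:  # e_ident[EI_CLASS] == ELFCLASS32
        v.indicators.append("elf32")
    if INT_0X80 in blob:
        v.indicators.append("int0x80")
    if SGN_GETPC in blob:
        v.indicators.append("sgn-getpc")
    return v


def scan_dir(root: str, max_read: int = 1 << 20) -> list:
    """Walk root and return a Verdict for every file that looks suspicious."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(path) or os.path.getsize(path) > max_read:
                    continue
                with open(path, "rb") as fh:
                    blob = fh.read(max_read)
            except OSError:
                continue  # unreadable or vanished (e.g. deleted in-memory stage)
            v = triage_bytes(path, blob)
            if v.suspicious:
                hits.append(v)
    return hits


def _fake_elf(body: bytes) -> bytes:
    # Constructed test input: a zeroed 52-byte ELF32 header plus body, not a runnable binary.
    hdr = bytearray(52)
    hdr[0:4] = ELF_MAGIC
    hdr[4] = 1
    return bytes(hdr) + body


# Constructed samples: fldz + fnstenv GetPC, a short xor loop prologue, then int 0x80.
SAMPLE_DROPPER = _fake_elf(b"\xd9\xee" + SGN_GETPC + b"\x5b\x31\xc9\xb1\x10" + INT_0X80 + b"\x00" * 40)
SAMPLE_BENIGN = _fake_elf(b"\x00" * 4000)

if __name__ == "__main__":
    for label, blob in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        v = triage_bytes(label, blob)
        print(label, v.size, v.indicators, "SUSPICIOUS" if v.suspicious else "ok")
    for hit in scan_dir("/tmp"):
        print(hit.path, hit.size, hit.indicators)
```

Run `scan_dir` over writable locations such as /tmp, /dev/shm and users' home directories. Legitimate 32-bit static binaries also contain `cd 80`, which is why the size gate is required for a hit; and because the later stages are executed only in memory, a clean disk scan does not clear a host, so pair this with process-level checks.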

Finally, if you want to know more about it, you can consult the details in the following link.



  1.   Diego reguero said

    We also confuse viruses with other types of malware (worm, Trojan).
    A virus has to have some kind of self-replication mechanism that works without our intervention.

  2.   Guille said

    Lots of technical words, but it says a computer is infected; GNU/Linux updates itself every day, since there is no reason to pay for licences because everyone has it legally and up to date. So how do you get infected? And let's be serious: it isn't that Linux has no viruses, it's that they are much harder to spread, because it doesn't do silly things like running any file based on its extension or running programs from a USB stick or DVD just by inserting it into the computer; Microsoft takes more than twice as long to fix detected vulnerabilities; by default Linux has all unnecessary ports closed; and so on. This kind of news is made to sow doubt so that people don't move to the GNU/Linux world. Laughable.

  3.   Ezekiel Kuenda said

    And which antivirus for Linux is recommended?

    I had COMODO AV, but it stopped updating its database.