原文链接:Sarwent Malware Continues to Evolve With Updated Command Functions
译者:知道创宇404实验室翻译组
Sarwent很少受到研究人员的关注,但是该后门恶意软件仍在积极开发中,在持续更新命令并专注于RDP的研发。
- Sarwent恶意软件的更新表明,人们对后门功能(例如执行PowerShell命令)的兴趣不断增强;
- 其更新还显示了使用RDP的偏好;
- Sarwent被发现至少使用一个与TrickBot运算符相同的二进制签名器。
背景
自2018年以来,Sarwent的使用率在不断提高,但相关的研究报告却很少。
相关研究
过去,Sarwent功能一直围绕着如何成为装载程序而展开,下图显示其原始命令:
|download|
|update|
|vnc|另外它的AV(防病毒)检查功能在持续更新。
近期包括对C2 URI结构的更新
最近还增加了许多在恶意软件中通常会看到的命令,而这些命令更多地关注点在后门或与RAT类似的功能。
|cmd|
|powershell|
|rdp|这些更新都非常有趣,而网络犯罪集团目前试图利用更多的杠杆来赚钱,从最近销售访问系统的服务的激增中看出而RDP仍然是一个焦点。
cmd和powershell命令只需要进行引爆。
利用base64对结果进行编码,并通过匹配的URL路由将结果发送回C2。
用于发送响应的C2路由:
/gate/cmd_exec
/gate/powershell_execrdp命令有些不一样,从代码的执行内容来看,像是用来告诉机器人执行一系列任务:
- 添加新用户
- 列出组和用户
- 在本地防火墙上打孔
此命令和今后为RDP访问设置的系统有关。
相关建议
中端:
CommadLine="cmd /c ping localhost & regsvr32 /s *"
网络:新的威胁中已经存在许多网络规则,因此,我决定考虑添加一些当前可能未涵盖的Suricata规则。
Suricata 规则
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”Sarwent CMD response Post”; content:”POSt”; http_method; content:”/gate/cmd_exec”; http_uri; classtype:trojan-activity; sid:9000040; rev:1; metadata:author Jason Reaves;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”Sarwent Powershell response Post”; content:”POST”; http_method; content:”/gate/powershell_exec”; http_uri; classtype:trojan-activity; sid:9000041; rev:1; metadata:author Jason Reaves;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”Sarwent RDP exec response”; content:”GET”; http_method; content:”/gate/rdp_exec?command=”; http_uri; content:”&status=”; http_uri; classtype:trojan-activity; sid:9000042; rev:1; metadata:author Jason Reaves;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”Sarwent update exe response”; content:”GET”; http_method; content:”/gate/update_exec?command=”; http_uri; content:”&status=”; http_uri; classtype:trojan-activity; sid:9000043; rev:1; metadata:author Jason Reaves;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”Sarwent update command”; content:”200″; http_stat_code; content:”fHVwZGF0ZX”; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000044; rev:1; metadata:author Jason Reaves;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”Sarwent download command”; content:”200″; http_stat_code; content:”fGRvd25sb2Fkf”; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000045; rev:1; metadata:author Jason Reaves;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”Sarwent powershell command”; content:”200″; http_stat_code; content:”fHBvd2Vyc2hlbGx8″; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000046; rev:1; metadata:author Jason Reaves;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”Sarwent rdp command”; content:”200″; http_stat_code; content:”fHJkcH”; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000047; rev:1; metadata:author Jason Reaves;)IoCs
Download Location:
whatsmyhomeworthlondonontario[.]ca/wp-admin/version.exe
beurbn[.]com/install.exe
V2
Hash:
3f7fb64ec24a5e9a8cfb6160fad37d33fed6547c
Domains
seoanalyticsproj.xyz
seoanalyticsproewj.xyz
seoanalyticsp34roj.xyz
seoanalyticsptyrroj.xyz
seoanalyticsprojrts.xyz
seoanalyticspro32frghyj.xyz
Hash:
ab57769dd4e4d4720eedaca31198fd7a68b7ff80
Domains
vertuozoff.xyz
vertuozoff.club
vertuozofff.xyz
vertuozofff.com
vertuozofff.club
vertuozoffff.club
Hash:
d297761f97b2ead98a96b374d5d9dac504a9a134
Domains
rabbot.xyz
terobolt.xyz
tebbolt.xyz
rubbolt.xyz
rubbot.xyz
treawot.xyz
Hash:
3eeddeadcc34b89fbdd77384b2b97daff4ccf8cc
Domains
rabbot.xyz
terobolt.xyz
tebbolt.xyz
rubbolt.xyz
rubbot.xyz
treawot.xyz
Hash:
106f8c7ddbf265fc108a7501b6af292000dd5219
Domains
blognews-journal.com
startprojekt.pw
blognews-joural.com
blognews-joural.best
blognews-joural.info
startprojekt.pro
V1
Hash:
83b33392e045425e9330a7f009801b53e3ab472a
Domains
212.73.150.246
softfaremiks.icu
shopstoregame.icu
shopstoregamese.icu
Hash:
2979160112ea2de4f4e1b9224085efbbedafb593
Domains
shopstoregame.icu
softfaremiks.icu
shopstoregamese.icu shopstoregamese.com shopstoregames.icu
参考链接
本文由 Seebug Paper 发布,如需转载请注明来源。本文地址:https://paper.seebug.org/1221/