Legend (传奇) private-server launcher hides a virus that hijacks user traffic
Recently, Huorong (火绒) security engineers intercepted a virus spreading through a Legend (传奇) private-server launcher. The virus can fetch arbitrary malicious modules from its C&C server, and it also configures the attacker's server as a proxy, tampering with the victim's web traffic to promote the virus author's own Legend private server. When the user visits a Legend-related page, the request is hijacked to the author's private server, as shown below:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/5c68f8d21f2941ef91fd0d61a9c9fd64~tplv-tt-large.image?x-expires=1986207129&x-signature=24hnK9%2Fk7VUU2jdM7JwMPUDUS0k%3D
The virus author's own Legend private server
Huorong engineers note that because the C&C server can deliver arbitrary modules, further payloads cannot be ruled out. The delivered modules persist on the infected machine long-term, start with the system, and run their code by DLL sideloading ("white plus black" (白加黑): a signed, legitimate executable that loads a malicious DLL placed beside it) and by injecting into system processes.
Players should be aware that private-server launchers bundled with trojans, backdoors and other malware are common. After installing one, a player may face hijacked web browsing, leaked personal data and other harm to privacy and assets. Huorong engineers therefore urge players to stay alert.
Huorong security products detect and remove this virus in the following private-server launchers:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/fbba565aec5e4b3989310cc8acace291~tplv-tt-large.image?x-expires=1986207129&x-signature=PzC%2FimvnbXHcBBeHRrW9GSfedmM%3D
List of Legend private-server launchers implanted with this virus
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/026645c9a0cb47faa2dcca90998bd2c7~tplv-tt-large.image?x-expires=1986207129&x-signature=9bUlHUgFBJhLVbD45n7AEoOJTTg%3D
Detection and removal
The virus's execution flow is shown below:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/09731a3fcbf94599b51c6a25ca2fb4e8~tplv-tt-large.image?x-expires=1986207129&x-signature=Wdo5JkGofohakojbEayycrqZZ2c%3D
Execution flow
The analysis below uses the "梁山好汉=登陆器" (Liangshan Heroes launcher) as the example:
I. Sample analysis
Once the game is entered, the launcher drops and runs the malicious module QQExternals.exe. The behaviour captured by Huorong Sword (火绒剑) is shown below:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/69233bbd77f8495997097e822d49c14b~tplv-tt-large.image?x-expires=1986207129&x-signature=PupLBsVrN7uSaF%2Bx3%2FyCqNynzrw%3D
Behaviour captured by Huorong Sword
QQExternals.exe reads a configuration file and, based on it, loads the remote malicious module InstallCore.dll. The relevant code:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/94bfc20dc0f14bcea8d2623684de19fe~tplv-tt-large.image?x-expires=1986207129&x-signature=H2z8aPFQfRNlb6gWSwZN7luo5kY%3D
Remote loading of the malicious module InstallCore.dll
InstallCore.dll drops QQExternal.exe (note: one "s" fewer than the first module's name) and BugRpt.dll into C:\ProgramData\Microsoft\Setup\. QQExternal.exe is a legitimate, Tencent-signed binary; the virus uses it as the host in a DLL-sideloading ("white plus black") chain to evade antivirus scanning. Its signature is shown below:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/7f3fc849e4564e62bb964659476b5121~tplv-tt-large.image?x-expires=1986207129&x-signature=aWk7wPkPCB%2BzKYzz3uamp6s8sAQ%3D
QQExternal.exe signature
BugRpt.dll's signature block is a straight copy of QQExternal.exe's, used as camouflage, as shown below. A copied Authenticode block does not actually verify: the digest signed inside it is QQExternal.exe's, not the DLL's, so a signature check on BugRpt.dll reports a hash mismatch even though the certificate details look like Tencent's.
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/6d8f1feb34544b769fc99911399e8940~tplv-tt-large.image?x-expires=1986207129&x-signature=P0pmCcvIsEI%2BLqueccl1wn%2BOE8M%3D
BugRpt.dll signature
InstallCore.dll also performs several steps to make sure the later modules run: it installs a certificate, sets the browser proxy, and establishes persistence. The relevant code:
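As an added illustration (not Huorong's tooling and not the malware's code), the Python below shows how to spot the copied-signature trick on disk: it extracts each file's certificate table from the PE security directory, flags a suspect whose table is byte-identical to the signed host's, and computes the Authenticode file hash to show why the copied block can never verify for the DLL. The `build_pe` helper and the blob contents are constructed test fixtures, not real Tencent signatures.

```python
"""Added example: detect a copied Authenticode certificate table.
Not Huorong's tooling; the PE images built below are constructed fixtures."""
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def _layout(pe: bytes):
    """Return (checksum_off, secdir_entry_off) for a PE32 / PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                       # PE32
        checksum_off, num_rva_off, dd_off = opt + 64, opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+
        checksum_off, num_rva_off, dd_off = opt + 64, opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", pe, num_rva_off)[0] <= SECURITY_DIR:
        raise ValueError("no security directory")
    return checksum_off, dd_off + 8 * SECURITY_DIR


def signature_blob(pe: bytes) -> bytes:
    """Raw WIN_CERTIFICATE table (header + PKCS#7), or b'' if the file is unsigned."""
    _, entry = _layout(pe)
    off, size = struct.unpack_from("<II", pe, entry)
    return pe[off:off + size] if size else b""


def authenticode_hash(pe: bytes) -> str:
    """SHA-256 over the file the way Authenticode does: CheckSum, the security
    directory entry and the certificate table itself are excluded."""
    checksum_off, entry = _layout(pe)
    off, size = struct.unpack_from("<II", pe, entry)
    end = off if size else len(pe)
    h = hashlib.sha256()
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:entry])
    h.update(pe[entry + 8:end])
    if size:
        h.update(pe[off + size:])            # any bytes after the cert table
    return h.hexdigest()


def copied_signature(white: bytes, suspect: bytes) -> bool:
    """True when the suspect carries the white file's certificate table
    byte-for-byte while its own Authenticode hash differs (so it cannot verify)."""
    blob = signature_blob(white)
    return (bool(blob) and signature_blob(suspect) == blob
            and authenticode_hash(white) != authenticode_hash(suspect))


def build_pe(body: bytes, cert: bytes = b"") -> bytes:
    """Constructed minimal PE32 (headers only, no sections) with an optional
    certificate table appended after the body. Test fixture, not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    header_len = len(dos) + len(coff) + len(opt)
    if cert:
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR,
                         header_len + len(body), len(cert))
    return dos + coff + bytes(opt) + body + cert


if __name__ == "__main__":
    white = build_pe(b"tencent code", cert=b"FAKE-PKCS7-BLOB")   # constructed "signed host"
    suspect = build_pe(b"malicious code", cert=b"FAKE-PKCS7-BLOB")  # same blob pasted on
    print("copied signature:", copied_signature(white, suspect))
```

On a real pair, `signature_blob(QQExternal.exe) == signature_blob(BugRpt.dll)` is the tell; Windows reports the same thing as a hash mismatch (for example, `Get-AuthenticodeSignature` shows `HashMismatch`) because the digest inside the PKCS#7 is QQExternal.exe's. Parsing the SpcIndirectDataContent digest and the certificate chain is left to signtool or the OS verifier.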
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/26e4c69cec45457cb2a29737777dc25f~tplv-tt-large.image?x-expires=1986207129&x-signature=wGcwHAS5WIS6TetnTSnMXGHYicI%3D
Installing the certificate, setting the browser proxy, and persistence
The modified browser configuration is shown below:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/cb272121a40a4998991543d15f8aebf9~tplv-tt-large.image?x-expires=1986207129&x-signature=ia2oQDpzzxfZMzktBjnn5FtoTFw%3D
Modified browser configuration
The added scheduled task is shown below:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/343b254f38de41eaa46637f49062004b~tplv-tt-large.image?x-expires=1986207129&x-signature=a8GGIWwgMfj4jIqq2Xjk2bZHNJg%3D
The added scheduled task
A service launches the whitelisted QQExternal.exe, which then sideloads BugRpt.dll ("white plus black") to run the malicious code. The relevant code:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/0b0f09d3aeea4c4684019eb2e29028fc~tplv-tt-large.image?x-expires=1986207129&x-signature=cLmIPm%2BDr9tDpY17jzHMakxaGGU%3D
QQExternal.exe started via a service
BugRpt.dll is loaded by sideloading: when QQExternal.exe (the clean file) in the same directory runs, it calls the DLL's export "BR_UserInit". The relevant code:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/67bebb57df3e4a8d9e4c82ddcedd8b16~tplv-tt-large.image?x-expires=1986207129&x-signature=%2B4Nhhgpkds9P6vExBo4AVAFaUrg%3D
Call into the hijacked export
Once BR_UserInit runs, it decrypts the "Puppet.dll" module embedded in its own body and injects it into the system process WmiPrvSE.exe. The relevant code:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/9cf26a7404a04ff99dbd72675a43fbd3~tplv-tt-large.image?x-expires=1986207129&x-signature=gYO3%2BTU0LqfTobddkA4xdomIOls%3D
Injection into WmiPrvSE
Puppet.dll in turn executes the malicious module PuppetLib.dll according to configuration received from the server. The relevant code:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/98cd4522bee44a27a2f5c14cd351b28a~tplv-tt-large.image?x-expires=1986207129&x-signature=5sGshvbXefwX%2FN8usWUvTrnSmWs%3D
Loading the remote malicious module PuppetLib.dll
To keep its certificate from being removed, PuppetLib.dll checks on every start whether the certificate is still present and re-adds it if not. The relevant code:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/d5ead34721404e2cba2b3f33e7ffd34a~tplv-tt-large.image?x-expires=1986207129&x-signature=GsUNpTbZDgAkZidgIJjW3IG0EQI%3D
Re-adding the certificate
It also loops continuously, rewriting the browser proxy settings. The relevant code:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/e9d054957c734a03a535a3551636b2a3~tplv-tt-large.image?x-expires=1986207129&x-signature=eusmuHVH%2FKbjJk%2F0JtBUn50dfqs%3D
Modifying the browser proxy
The modified browser settings are shown below:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/2f3b1c85e45f489593fd79fee9501f00~tplv-tt-large.image?x-expires=1986207129&x-signature=6acgDTKNhZ8MzWOj426LcD%2FZdOI%3D
Modified browser settings
The hijacked domains are all other Legend private-server sites. When the user visits one of them, the request is redirected to 107.148.49.141, an address that relays to the virus author's own private server. The proxy script:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/97d20e1ff2d94f11bc84524fce292c72~tplv-tt-large.image?x-expires=1986207129&x-signature=ZQztrh%2FBWMz%2BMxAgg%2Fimsrltnwo%3D
The proxy script
II. Appendix
C&C:
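As an added example (not Huorong's detection logic and not part of the original analysis), the Python below turns the chain described above into hunting rules and runs them over constructed Sysmon-style events: the sideload from C:\ProgramData\Microsoft\Setup\, the thread injected into WmiPrvSE.exe, a proxy or PAC setting pointing at 107.148.49.141, and persistence that launches the dropped host binary. The event field names, the PAC URL path and the sample lines are assumptions made for the example.

```python
"""Added example: hunting rules for the sideload / injection / proxy-hijack
chain, run over constructed Sysmon-style JSON events. Field names are assumed."""
import json

HIJACK_IP = "107.148.49.141"                 # relay address named in the analysis
DROP_DIR = "c:\\programdata\\microsoft\\setup\\"
SIDELOAD_PAIRS = {"qqexternal.exe": "bugrpt.dll"}   # signed host -> hijacked DLL


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def triage(events):
    """Return [(rule, evidence), ...] for events that match the chain."""
    hits = []
    for ev in events:
        kind, img = ev.get("event"), ev.get("image", "")
        host = _base(img)
        if kind == "image_load":
            # signed host running from the drop directory loads its companion
            # DLL, and the DLL's signature does not verify (copied blob)
            dll = _base(ev.get("loaded", ""))
            if (SIDELOAD_PAIRS.get(host) == dll
                    and ev.get("signature_status") != "Valid"
                    and img.lower().startswith(DROP_DIR)):
                hits.append(("dll_sideload", f"{img} loaded unverified {dll}"))
        elif kind == "create_remote_thread":
            # the sideloaded host injecting into the WMI provider host
            target = ev.get("target", "")
            if _base(target) == "wmiprvse.exe" and host in SIDELOAD_PAIRS:
                hits.append(("wmiprvse_injection", f"{img} -> {target}"))
        elif kind == "registry_set":
            # WinINet proxy or PAC setting pointing at the relay address
            key, val = ev.get("key", "").lower(), str(ev.get("value", ""))
            if key.endswith(("\\proxyserver", "\\autoconfigurl")) and HIJACK_IP in val:
                hits.append(("proxy_hijack", f"{key} = {val}"))
        elif kind in ("scheduled_task_created", "service_installed"):
            # persistence that launches the dropped signed host
            cmd = ev.get("command", "").lower()
            if cmd.startswith(DROP_DIR) and _base(cmd) in SIDELOAD_PAIRS:
                hits.append(("persistence", f"{kind}: {ev.get('command')}"))
    return hits


# Constructed sample telemetry (one JSON event per line); paths and the PAC URL
# are made up for the example.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"event": "image_load", "image": "C:\\ProgramData\\Microsoft\\Setup\\QQExternal.exe", "loaded": "C:\\ProgramData\\Microsoft\\Setup\\BugRpt.dll", "signature_status": "HashMismatch"}
{"event": "image_load", "image": "C:\\Program Files (x86)\\Tencent\\QQ\\Bin\\QQExternal.exe", "loaded": "C:\\Program Files (x86)\\Tencent\\QQ\\Bin\\BugRpt.dll", "signature_status": "Valid"}
{"event": "create_remote_thread", "image": "C:\\ProgramData\\Microsoft\\Setup\\QQExternal.exe", "target": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}
{"event": "registry_set", "image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL", "value": "http://107.148.49.141/proxy.pac"}
{"event": "registry_set", "image": "C:\\Windows\\explorer.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "value": "proxy.corp.example:3128"}
{"event": "scheduled_task_created", "image": "C:\\ProgramData\\Microsoft\\Setup\\QQExternal.exe", "command": "C:\\ProgramData\\Microsoft\\Setup\\QQExternal.exe"}
""".strip().splitlines()]


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

The second and fifth sample events are the benign controls: the genuine QQ installation loading its own DLL with a valid signature, and a normal corporate proxy, neither of which should fire. Any one rule on its own is weak (a scheduled task or a PAC URL is ordinary), but the combination of a signed Tencent binary in ProgramData, an unverifiable companion DLL, and a proxy pointing at the relay address is specific to this chain.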
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/40aff5ff624747d685d9344dac9b464a~tplv-tt-large.image?x-expires=1986207129&x-signature=Jw4IsdeMcA42KoxCt8tyO5%2FLQ%2Bg%3D
Sample hashes:
https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/bc78fc76de694b7ebb964d43c4318098~tplv-tt-large.image?x-expires=1986207129&x-signature=wQXTTd9SePhOJOA8TZUmYpVby%2Fo%3D