Evolution of targeted attacks on banks

  • Published on
    10-Apr-2017


  • 03.2016

  • GROUP-IB.RU


    http://www.group-ib.ru/

  • 2

    2016 .

    Anunak (also known as Carbanak), Corkow (also known as Metel), . Buhtrap, , , .

    , , - .

    Buhtrap : ,

    , .

    , , , , (DLP), .

    , , .

    http://www.group-ib.ru/media/release-2015/
    http://www.group-ib.ru/media/anunak/
    http://www.group-ib.ru/media/corkow-metel/

  • 3

    Buhtrap 2014 , 2015 . . .

    600 (2016)

    25,6 (2015)

    143

    1 , 2016

    Buhtrap :

    62%

    2,5

    Between 2015 and 2016 Buhtrap carried out 13 attacks, stealing 1.8 billion rubles in total.


  • 4

    Buhtrap , , . , .

    ( ). , , .

    , ( Corkow (Metel)) .

    2016 , . .

    . 28 , .


  • 5

    On 20 2014 Bot-Trek Intelligence detected a mailing from info@beeline-mail.ru referencing N522375--14-115 (Fig. 1). The domain beeline-mail.ru was registered on 20 2014.

    The attachment was an RTF document exploiting CVE-2012-0158 in MSCOMCTL.OCX; the vulnerability affects MS Word from version 2003 onwards.

    On 21 2014 another mailing went out from info@extern-kontur.ru (Fig. 2), , .

    The RTF document drops ntxobj.exe into the %User% directory; the file is an NSIS (Nullsoft Scriptable Install System, an open-source installer system for Microsoft Windows) package .

    7z, . .

    , , , , .

    :

    Fig. 1.


  • 6:

    , , , : iBank2, amicon, bifit bss, ibank, gpb, inist, mdm, Alad-din, Amicon, Signal-COM, bc.exe, intpro.exe, cfta, agava, R-Style, AKB, Perm AKB Perm, CLUNION.0QT, ELBA. , , (. . 7).

    pn_pack.exe is a modified build of Yandex Punto Switcher (a keyboard layout switcher) repurposed as a keylogger, -, .

    For remote control the attackers use the legitimate remote administration tool Lite Manager.

    mimi.exe and xtm.exe. The former is Mimikatz, used to extract Windows account credentials; the latter reconfigures Windows so that the machine accepts incoming RDP (Remote Desktop Protocol) connections. .

    Fig. 2.

  • 7:

    ip-client.exe, UpMaster.exe, client2.exe, client6.exe, quickpay.exe, rclaunch.exe,

    prclient.exe, rclient.exe, SGBClient.exe, clientbk.exe, clntstr.exe, retail.exe, retail32.exe,

    saclient.exe, el_cli.exe, clntw32.exe, translink.exe, unistream.exe,

    SRCLBClient.exe, MWClient32.exe, contactng.exe, Core.exe, uralprom.exe, w32mkde.exe,

    twawebclient.exe, ADirect.exe, cshell.exe, wclnt.exe, wfinist.exe,

    vegaClient.exe, BClient.exe, bc.exe, cyberterm.exe, winpost.exe, wupostagent.exe,

    dsstart.exe, ant.exe, arm.exe, client.exe, cncclient.exe, Zvit1DF.exe, BC_Loader.exe,

    dtpaydesk.exe, arm_mt.exe, bbclient.exe, Client2008.exe,

    eelclnt.exe, elbank.exe, ARMSH95.EXE, EximClient.exe, IbcRemote31.exe, _ftcgpk.exe,

    etprops.exe, eTSrv.exe, asbank_lite.exe, fcclient.exe, iscc.exe, scardsvr.exe, CL_1070002.exe,

    ibconsole.exe, bank.exe, bank32.exe, kabinet.exe, intpro.exe, Run.exe,

    kb_cli.exe, KLBS.exe, bbms.exe, bk.exe, SrCLBStart.exe, SGBClient.ex, sx_Doc_ni.exe,

    KlientBnk.exe, BK_KW32.EXE, srcbclient.exe, icb_c.exe, Client32.exe,

    lfcpaymentais.exe, bnk.exe, CB.exe, Upp_4.exe, BankCl.exe,

    loadmain.exe, lpbos.exe, cb193w.exe, cbank.exe, Bankline.EXE, ICLTransportSystem.exe,

    mebiusbankxp.exe, cbmain.ex, GeminiClientStation.exe, GPBClient.exe, CLMAIN.exe,

    mmbank.exe, CBSMAIN.exe, ClientBank.exe, ONCBCLI.exe, rmclient.exe,

    pcbank.exe, pinpayr.exe, CbShell.exe, clb.exe, ISClient.exe, cws.exe, RkcLoader.exe, CLBank3.exe,

    Pionner.exe, CliBank.exe, CLBANK.EXE, FColseOW.exe,

    pkimonitor.exe, CliBankOnlineEn.exe, IMBLink32.exe, productprototype.exe,

    pmodule.exe, pn.exe, CliBankOnlineRu.exe, cbsmain.dll,

    postmove.exe, CliBankOnlineUa.exe, GpbClientSftcws.exe,

    Process names that BUHTRAP looks for
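    The two lists above (bank-client process names on this slide, bank-related strings on slide 6) are how Buhtrap recognises a banking workstation; turned around, they are an inventory check. What follows is an added example written for this page, not code from the report or from Group-IB: it runs excerpts of both lists against a constructed process snapshot and a few constructed window titles and paths. The split into strong and weak matches (client.exe, Run.exe and bank.exe are too generic to count on their own), the matching of the truncated ".ex" entries on their file stem, and the sample data are all my additions.

```python
"""Defender-side use of Buhtrap's target lists (added example, not report code)."""
from __future__ import annotations

import ntpath
from typing import Iterable

# Excerpt of the bank-client process names listed on slide 7 of the report.
BANK_CLIENT_PROCESSES = {
    "ip-client.exe", "UpMaster.exe", "client2.exe", "quickpay.exe", "rclient.exe",
    "SGBClient.exe", "clientbk.exe", "retail.exe", "unistream.exe", "GPBClient.exe",
    "CLBANK.EXE", "CliBank.exe", "CliBankOnlineRu.exe", "KlientBnk.exe", "cbsmain.dll",
    "cbmain.ex", "SGBClient.ex",          # listed with a truncated extension; matched on stem
    "Run.exe", "client.exe", "bank.exe",  # far too generic to be evidence on their own
}
# Stems (lower-cased name without extension) of the generic entries above.
GENERIC_STEMS = {"run", "client", "bank"}

# Excerpt of the bank-related substrings listed on slide 6 of the report.
BANK_KEYWORDS = ("iBank2", "amicon", "bifit", "bss", "ibank", "gpb", "inist", "mdm",
                 "Aladdin", "Signal-COM", "cfta", "agava", "R-Style", "ELBA")


def _stem(name: str) -> str:
    """Lower-cased file name without directory or extension.

    ntpath handles Windows paths on any OS, so 'C:\\x\\SGBClient.ex' and
    'sgbclient.exe' both reduce to 'sgbclient'.
    """
    return ntpath.splitext(ntpath.basename(name))[0].lower()


_TARGET_STEMS = {_stem(n) for n in BANK_CLIENT_PROCESSES}


def find_bank_clients(process_names: Iterable[str]) -> tuple[list[str], list[str]]:
    """Split a process snapshot into strong and weak matches against the target list."""
    strong, weak = [], []
    for name in process_names:
        stem = _stem(name)
        if stem in _TARGET_STEMS:
            (weak if stem in GENERIC_STEMS else strong).append(name)
    return sorted(strong), sorted(weak)


def find_bank_keywords(texts: Iterable[str]) -> dict[str, list[str]]:
    """Map each keyword to the strings (window titles, URLs, paths) that contain it."""
    hits: dict[str, list[str]] = {}
    for text in texts:
        low = text.lower()
        for kw in BANK_KEYWORDS:
            if kw.lower() in low:
                hits.setdefault(kw, []).append(text)
    return hits


def assess_host(process_names: Iterable[str], texts: Iterable[str]) -> dict:
    """Would Buhtrap have treated this host as a banking workstation?"""
    strong, weak = find_bank_clients(process_names)
    keywords = find_bank_keywords(texts)
    return {"targeted": bool(strong or keywords), "processes": strong,
            "weak_processes": weak, "keywords": keywords}


# Constructed sample snapshot (not data from the report).
SAMPLE_PROCESSES = ["svchost.exe", "outlook.exe", "C:\\Program Files\\SGB\\SGBClient.exe",
                    "client.exe", "CBMAIN.EX", "explorer.exe"]
SAMPLE_TEXTS = ["iBank2 - Internet Explorer", "https://mail.example.com/inbox",
                "C:\\Users\\acct\\AppData\\Roaming\\BSS\\client.cfg"]

if __name__ == "__main__":
    print(assess_host(SAMPLE_PROCESSES, SAMPLE_TEXTS))
```

    Hosts where assess_host() reports targeted are the ones whose users and credentials deserve the tightest controls (separate accounts, no mail client, no RDP inbound); a weak match alone is not worth an alert.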

  • 8:

    BUHTRAP

    1. , , .

    2. , . , .

    3. .

    4. , .

    5. , . .

    6. , Lite Manager. , RDP .

    7. , .

    , , Anunak, .

    Buhtrap 40 , Anunak . , 2015 , .


  • 9

    , . Buhtrap.

    Buhtrap, , ,

    .

    The attackers used exploits for known MS Office vulnerabilities (CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761), , (Fig. 3). Buhtrap.

    .

    Fig. 3.


  • 10

    Buhtrap 2015 . , . Buhtrap.

    , , , , .

    , Buhtrap , Corkow. , the Niteris exploit kit (Fig. 4), Corkow. , .

    ESET (NOD32) reported that the Ammyy website had been compromised and the Ammyy Admin installer trojanised; the modified installer delivered Buhtrap.

    Besides Buhtrap, the trojanised Ammyy installer distributed other malware: Lurk, CoreBot, Ranbyus and Netwire RAT.

    Fig. 4. Niteris (also known as CottonCastle)

  • 11

    (timeline figure: 2014, 2015, 2016)

  • 12

    On 22 2015 Bot-Trek Intelligence detected a mailing from support@cbr.ru.com (Fig. 5). , .

    The attachment was a ZIP archive with an MS Office document (Fig. 6). , , - .

    Fig. 5.

  • 13

    , (LiteManager, Buhtrap) .

    , , .

    Fig. 6.

  • 14

    . Buhtrap . , . , .

    .

    On 18 2015 Buhtrap sent a mailing from mironova.olga@gazprombank.com.ru with a subject line ending in an exclamation mark (Fig. 7). The sender domain gazprombank.com.ru is a lookalike of the bank's real domain and belongs to the attackers.

    , , .

    , , , .

    Fig. 7.

  • 15

    2016 , .

    On 29 2016 Bot-Trek Intelligence detected a mailing from vakansiya@cbr.ru.net (Fig. 8) carrying an MS Office document named _34.doc, . . .

    . ,

    , Buhtrap.

    LiteManager Guide, . , -. Guide .

    , , BuhTrapWorm. .

    Fig. 8.

  • 16

    BUHTRAP

    1. , .

    2. Mimikatz .

    3. .

    4. , .

    5. , .

    Buhtrap , . , , .


  • 17

    , .

    ( ) () .

    , .

    . .

    .cfg cfg , . XML , .

    :

    Fig. 9.

  • 18

    , Group-IB, . , ( ), . :

    , , . . .

    . .

    , , .

    , , , , . : , , , .

    , . , . .

    Fig. 10.

  • 19

    2015 , Buhtrap, , , BuhtrapWorm.

    BUHTRAPWORM

    1. , . . The worm extracts account credentials from the memory of lsass.exe (using Mimikatz). It uses the mailslot \\.\mailslot\46CA075C-165CBB2786. .

    2. It spreads across the local network by connecting to the administrative shares \ADMIN$, \ipc$ and \C$ of other hosts.

    3. On the remote host it copies itself into the system directory (C:\WINDOWS) .

    4. , . , . .

    5. Components exchange data through a .dat file and a named pipe ( ). .

    . , - .
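    A detection for the spread described in steps 2 and 3, added here as an example and not taken from the report: it walks Windows Security log events and raises an alert when a remote source writes an executable under the Windows directory through ADMIN$ or C$ shortly after connecting to that share. The event IDs and field names (4624, 5140, 5145, ShareName, RelativeTargetName, AccessMask) are the real Windows ones; the log excerpt is constructed, the five-minute window and the file name ntxobj.exe inside it are my choices, and the check assumes file-share object-access auditing is enabled on the hosts.

```python
"""Detecting BuhtrapWorm-style spread over administrative shares from Windows
Security log events (added example, not report code)."""
from __future__ import annotations

from datetime import datetime, timedelta

WRITE_DATA = 0x2  # FILE_WRITE_DATA / FILE_ADD_FILE bit of the 5145 AccessMask


def share_kind(share: str) -> str | None:
    """'\\\\*\\ADMIN$' -> 'ADMIN$', '\\\\*\\C$' -> 'C$', any other share -> None."""
    name = share.replace("/", "\\").rstrip("\\").split("\\")[-1].upper()
    return name if name in ("ADMIN$", "C$") else None


def target_path(kind: str, relative_name: str) -> str:
    """Path relative to the drive root. ADMIN$ is the Windows directory itself,
    so a RelativeTargetName of 'x.exe' on ADMIN$ is Windows\\x.exe."""
    rel = relative_name.replace("/", "\\").lstrip("\\")
    return "Windows\\" + rel if kind == "ADMIN$" else rel


def is_windows_exe(path: str) -> bool:
    p = path.lower()
    return p.startswith("windows\\") and p.endswith(".exe")


def detect_admin_share_drops(events: list[dict], window_seconds: int = 300) -> list[dict]:
    """Flag a remote write of an executable under the Windows directory (5145 with
    WriteData on ADMIN$ or C$) that follows a share connection (5140) from the same
    source within the window. A preceding network logon (4624, type 3) from that
    source supplies the account name. Alerts are returned in time order."""
    window = timedelta(seconds=window_seconds)
    last_connect: dict[str, datetime] = {}
    last_account: dict[str, str] = {}
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        t = datetime.fromisoformat(ev["Time"])
        src = ev.get("IpAddress", "-")
        eid = ev["EventID"]
        if eid == 4624 and ev.get("LogonType") == 3:
            last_account[src] = ev.get("TargetUserName", "?")
        elif eid == 5140 and share_kind(ev.get("ShareName", "")):
            last_connect[src] = t
        elif eid == 5145:
            kind = share_kind(ev.get("ShareName", ""))
            if not kind or not (ev.get("AccessMask", 0) & WRITE_DATA):
                continue
            path = target_path(kind, ev.get("RelativeTargetName", ""))
            seen = last_connect.get(src)
            if is_windows_exe(path) and seen is not None and t - seen <= window:
                alerts.append({"time": ev["Time"], "source": src,
                               "account": last_account.get(src),
                               "share": kind, "path": path})
    return alerts


# Constructed Security log excerpt: field names follow the real events, values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2016-02-10T09:00:01", "IpAddress": "10.0.0.25",
     "LogonType": 3, "TargetUserName": "svc_backup"},
    {"EventID": 5140, "Time": "2016-02-10T09:00:02", "IpAddress": "10.0.0.25",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "\\"},
    {"EventID": 5145, "Time": "2016-02-10T09:00:03", "IpAddress": "10.0.0.25",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "ntxobj.exe", "AccessMask": 0x12019F},
    {"EventID": 5140, "Time": "2016-02-10T09:30:00", "IpAddress": "10.0.0.40",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "\\"},
    {"EventID": 5145, "Time": "2016-02-10T09:30:01", "IpAddress": "10.0.0.40",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Users\\bob\\report.docx", "AccessMask": 0x1},
    {"EventID": 5145, "Time": "2016-02-10T09:31:00", "IpAddress": "10.0.0.40",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\update.exe", "AccessMask": 0x2},
]

if __name__ == "__main__":
    for alert in detect_admin_share_drops(SAMPLE_EVENTS):
        print(alert)
```

    The read of report.docx is ignored because its AccessMask carries no WriteData bit; the second alert has no account because no type-3 logon from that source was seen, which on a real host is itself worth a look (pass-the-hash logons still produce 4624, so a missing one usually means the audit policy is incomplete).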


  • 20

    BUHTRAPWORM

    (propagation diagram: Buhtrap, steps 1 to 5)

  • 21

    , , , RDP . RDP.

    . , , BuhtrapWorm, .

    , . , .

    , , .


  • 22

    On 05.02.2016 the Buhtrap source code was published on the exploit.in forum (Fig. 11). , Buhtrap. , , . It was distributed as a RAR archive hosted on Sendspace.

    , Buhtrap 2015 . psexec, , .

    Fig. 11. Buhtrap

    . , . .

    Fig. 12. Buhtrap

  • 23

    The archive contains the following components:

    BHO: a Browser Helper Object for Internet Explorer.

    kill_os: overwrites the MBR. . Damagewindow: , MBR, .

    loaders: NSIS-based loaders. .

    mimimod: a modified mimikatz, .

    ID .

    BSShide: hides the attackers' payment orders in the BSS bank-client software. , .

    antidetekt: anti-detection module, .

    UAC: UAC bypass.

    RDP: .

    VNC: .

    DLL Side-Loading: launching the payload through a legitimate executable that loads a DLL of the expected name from its own directory. , - , . , .

    .

    .

    MWI (Microsoft Word Intruder) exploit document builder, with the following exploit sets:

    CVE-2012-0158, CVE-2010-3333 and CVE-2013-3906; CVE-2012-0158, CVE-2010-3333 and CVE-2014-1761; CVE-2013-3906, CVE-2012-0158, CVE-2010-3333


  • 24

    . , .

    , , .

    , Microsoft. , , . . .

    , ,

    , , , .

    . Word, Excel, PowerPoint .

    . , , .

    , . , .


  • 25

    , . , , , , . , , .

    , . , . IDS/IPS .

    , , , . Buhtrap .

    , .

    , , : , . , .


  • 26

    Buhtrap NSIS packages (download URLs):
    http://playback.savefrom.biz/video/video_1.cab
    http://download.sendspace.biz/file/install.cab
    http://194.58.100.211/install.cab
    http://download.source-forge.name/file/program.cab
    http://cams.web-filecab.info/cams/video2.cab
    http://cache-datamart-windows.com/source/source.cab
    http://check-mate7.com/kliko/res1.cab
    http://new.pikabu-story.com/file/file2.cab
    http://game.sport-box.org/dcim/install.cab
    http://gazprombank.com.ru/dropi/baza_dropov.xls
    http://cbr.com.ru/vacansiy/_36.zip

    Buhtrap C&C:
    http://google997.com/info/menu.php
    http://autopiter.biz/info/menu.php
    http://google9971.com/info/menu.php
    http://microsoft7751.com/info/menu.php
    http://compatexchange-cloudapp.net/help/menu.php
    http://mp3.ucrazy.org/music/index.php
    http://uchet.grandars.info/info/menu.php
    http://ndfl.pravcons.biz/info/menu.php
    http://rss.sport-express.biz/info/menu.php
    http://forum.ru-tracker.net/info/menu.php
    http://microsoft775.com/info/menu.php
    http://icq.chatovod.info/info/menu.php
    http://yaf.buhgalter911.biz/topics/menu.php
    http://forum.zaycev.biz/info/menu.php
    http://res.buhgalter911.info/info/menu.php
    http://football.championat.biz/info/menu.php
    http://tvit.live-journal.info/info/menu.php
    http://rs-term.org/res1/menu.php

    Sender domains and addresses used in the mailings:
    mail.cbr.ru.com
    mail.cbr.ru.net
    cbr.ru.com
    cbr.com.ru
    cbr.ru.net
    gazprombank.com.ru
    213.159.215.119

    LiteManager C&C:
    forum.buhgalt.net
    forum.buhnalog.org
    forum.glavbukh.net
    tv.hdkinomax.org
    rus-gazeta.biz
    setting-sandbox-microsoft.com
    89.108.101.61
    193.124.17.223
    37.140.195.165
    37.143.12.190
    5.63.159.32
    194.58.97.249
    178.21.10.33
    151.248.125.251

  • 27

    group-ib.ru

    Bot-Trek Intelligence

    Bot-Trek TDS
