Backdoor.MSIL.SUNBURST.A
2020年12月14日
:
Trojan:MSIL/Solorigate.B!dha (Microsoft); Trj/Solorigate.A (Panda)
平台:
Windows
总體(tǐ)风险等级:
潜在破坏:
潜在分(fēn)布:
感染次数:
信息暴露:
恶意软件类型:
Backdoor
有(yǒu)破坏性?:
没有(yǒu)
加密?:
是的
In the Wild:
是的
概要
感染途徑: 从互联网上下载
它以其他(tā)恶意软件释放的文(wén)件或用(yòng)户访问恶意网站时不知不觉下载的文(wén)件的形式到达系统。它开始执行然后再删除。
技(jì )术详细信息
文(wén)件大小(xiǎo): 1,028,072 bytes
报告日期: DLL
内存驻留: 是的
初始樣本接收日期: 2020年12月14日
Payload: 连接到 URL/Ip, 窃取信息
新(xīn)病毒详细信息
它以文(wén)件的形式出现在系统中(zhōng),可(kě)能(néng)是其他(tā)恶意软件投放的,或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。
后门例程
它执行遠(yuǎn)程恶意用(yòng)户的下列命令:
- Delete Registry Value
- Get Registry Subkey and Value Names
- Read Registry Value
- Set Registry Value
- Delete File
- Check if File Exists
- Get File Hash
- Get File System Entries
- Write File
- Get Process By Description
- Kill Task
- Run Task
- Set Time - Set delay time
- Upload System Description
- Reboot -> Reboots computer
- Idle -> no operation
- Exit -> exits the thread
- Collect System description (Collects Domain Name, Hostname, Username, OS Version, Total Days since execution, System Directory location, Network Adapter Configuration where Network Adapter Configuration contains the following):
- Description
- Mac Address
- DHCPEnabled
- DHCPServer
- DNSHostName
- DNSDomainSuffixSearchOrder
- IPAddress
- DNSServerSearchOrder
- IPSubnet
- DefaultIPGateway
信息窃取
它收集下列数据:
- Used to generate UserId:
- Domain Name
- Network Interfaces
- MachineGuid
- For checking blocklisted:
- List of all running processes
- List of drivers
- List of services
其他(tā)详细信息
该程序执行以下操作(zuò):
- Uses the following to regex to parse response body:
- "\"\{[0-9a-f-]{36}\}\"|\"[0-9a-f]{32}\"|\"[0-9a-f]{16}\""
- Checks the joined domain of the machine for the following patterns: (will terminate if matched):
- "(?i)([^a-z]|^)(test)([^a-z]|$)"
- "(?i)(solarwinds)"
- Checks DGA URLs for the following blocks of IP Addresses, enumerate services found in the malware configuration, changes the start value of those services, and will not proceed to C2 connection if found:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 224.0.0.0/3
- fc00:: - fe00::
- fec0:: - ffc0::
- ff00:: - ff00::
- 20.140.0.0/15
- 96.31.172.0/24
- 131.228.12.0/22
- 144.86.226.0/24
- Checks for the following conditions before proceeding to the backdoor routine:
- Process name hash should be 17291806236368054941 after hashing function (matches processname businesslayerhost.exe)
- Installation date should be 12 days or more
- Checks ReportWatcherRetry key in the config and if value is not 3 (Truncate)
- Checks if machine is joined in a domain
- Creates the following named pipe to ensure one instance is only running:
- 583da945-62af-10e8-4902-a8f205c72b2e
- Checks the DGA URLs for the following blocks of IP Addresses, and updates the status configuration of the malware:
- 41.84.159.0/255.255.255.0
- 71.114.24.0/255.255.248.0
- 154.118.140.0/255.255.255.0
- 217.163.7.0/255.255.255.0
- Checks DGA URLs for the following blocks of IP Addresses, and proceeds to backdoor routine if found:
- 8.18.144.0/255.255.254.0
- 18.130.0.0/255.255.0.0
- 71.152.53.0/255.255.255.0
- 99.79.0.0/255.255.0.0
- 87.238.80.0/255.255.248.0
- 199.201.117.0/255.255.255.0
- 184.72.0.0/255.254.0.0
解决方案
最小(xiǎo)扫描引擎: 9.800
First VSAPI Pattern File: 16.412.04
VSAPI 第一样式发布日期: 2020年12月14日
VSAPI OPR样式版本: 16.413.00
VSAPI OPR样式发布日期: 2020年12月15日
Step 1
对于Windows ME和XP用(yòng)户,在扫描前,请确认已禁用(yòng)系统还原功能(néng),才可(kě)全面扫描计算机。
Step 2
确定和终止Backdoor.MSIL.SUNBURST.A检测到的文(wén)件
[ 更多(duō) ]
- 对于Windows 98和ME用(yòng)户,Windows任務(wù)管理(lǐ)器可(kě)能(néng)不显示所有(yǒu)运行进程。在此情况下,请使用(yòng)第三方进程查看程序(推荐Process Explorer)终止恶意软件/灰色软件/间谍软件文(wén)件。您可(kě)以从处下载上述工(gōng)具(jù)。
- 如果检测到的文(wén)件出现在Windows任務(wù)管理(lǐ)器或Process Explorer中(zhōng)但不能(néng)删除,请重启计算机进入安(ān)全模式。请参阅该链接了解完整步骤。
- 如果检测到的文(wén)件未在Windows任務(wù)管理(lǐ)器或Process Explorer中(zhōng)出现,请继续下列步骤。
Step 3
使用(yòng)亚信安(ān)全产(chǎn)品扫描计算机,并删除检测到的Backdoor.MSIL.SUNBURST.A文(wén)件 如果检测到的文(wén)件已被亚信安(ān)全产(chǎn)品清除、删除或隔离,则无需采取进一步措施。可(kě)以选择直接删除隔离的文(wén)件。请参阅知识库页(yè)面了解详细信息。