Backdoor.Win32.DEVILSHADOW.THEAABO: a backdoor that downloads malicious files onto the computer when the user browses malicious websites

Risk level: Low
Summary: Cybercriminals are exploiting the popularity of the Zoom video-conferencing software by embedding this backdoor in a fake Zoom installer; it is downloaded onto the computer without the user noticing while browsing malicious websites.

We recommend that you do not browse suspicious or malicious websites or open any suspicious files or email, back up important files regularly, install patches for your applications and operating system so that they are on the latest version, and install antivirus software and keep its pattern files up to date, in order to reduce the risk of compromise.

Affected systems:
  • Windows
Solution:

If you have already been infected by this malware, the recommended handling is as follows:

1. Block all suspicious external connections
2. Encrypt files with a password
3. Do not grant users and programs more privileges than they need to do their work
4. Disable AutoPlay to prevent files from the network from executing automatically
5. Turn off Bluetooth and file sharing; where they are needed, restrict access with an Access Control List or a password
6. As soon as a computer is found to be infected, isolate it immediately
7. If the above steps still do not remove the malware, follow the steps provided by the antivirus vendor below:

Details:

This backdoor arrives on a system as a file dropped by other malware, or as a file that users download unknowingly when visiting malicious sites.

Installation: It drops the following files:

  • %User Temp%\pyclient.cmd → Detected as Backdoor.BAT.DEVILSHADOW.THEAABO
  • %User Temp%\cmd_shell.exe → Detected as Trojan.Win32.DEVILSHADOW.THEAABO
  • %User Profile%\boot-startup.vbs → Detected as Trojan.BAT.DEVILSHADOW.THEAABO
  • %User Profile%\new_script.txt → Detected as Trojan.JS.DEVILSHADOW.THEAABO
  • %User Profile%\shell.bat → Detected as Trojan.BAT.DEVILSHADOW.THEAABO
  • %User Temp%\zoom.exe → Legitimate Zoom installer
  • %User Profile%\node.exe → Legitimate node.exe
  • %System Root%\botnet\client_id_file → contains generated_id
  • %System Root%\botnet\bot_id_{Generated ID} {Hostname} {IP Address} {Client} → Client identifier
  • %System Root%\botnet\botnet_start.vbs
  • %System Root%\botnet\wget.js
  • %System Root%\botnet\pyclient.cmd → Copy of the one in %User Temp%
  • %System Root%\botnet\scexec-win32.exe
  • %System Root%\botnet\scexec-win64.exe
  • %System Root%\botnet\Rar.exe
  • %System Root%\botnet\K7firewall.exe
  • %System Root%\botnet\unzip.exe
  • %System Root%\botnet\webcam.exe
  • %System Root%\botnet\execute.vbs
  • %User Temp%\av → contains the result of the antivirus query

It adds the following processes:

  • %System%\cmd.exe /c %User Temp%\pyclient.cmd
  • %System%\cmd.exe /c %User Temp%\cmd_shell.exe
  • %System%\cmd.exe /c %User Temp%\zoom.exe
  • %System%\cmd.exe /c cd %userprofile% & attrib +s +h +a *.vbs & attrib +s +h +a *.bat & reg add Hkey_CURRENT_USER\software\microsoft\windows\currentversion\run /v bootstartup /t reg_sz /d %userprofile%\boot-startup.vbs /f & shell.bat
  • %System%\cmd.exe /c "Tasklist /FI WINDOWTITLE eq D3ViL ShaDow"
  • %System%\cmd.exe /c "Tasklist /FI WINDOWTITLE eq Administrator: D3ViL ShaDow"
  • %System%\cmd.exe attrib +s +h +a %System Root%\botnet
  • %System%\cmd.exe copy /y %User Temp%\pyclient.cmd %System Root%\botnet\pyclient.cmd
  • %System%\cmd.exe reg add hkcu\software\microsoft\windows\currentversion\run /v botnet /t reg_sz /d C:\botnet\botnet_start.vbs /f
  • %System%\cmd.exe ping www.google.com -n 1
  • %System%\cmd.exe unzip.exe -ox python_client.zip
  • %System%\cmd.exe %System%\WScript.exe %System Root%\botnet\botnet_start.vbs
  • %System%\cmd.exe copy /y %System%\cmd.exe %Public%\explorer.exe
  • %System%\cmd.exe %User Profile%\node.exe new_script.txt
  • %Public%\explorer.exe
  • %System%\cmd.exe wmic /namespace:\root\securitycemter2 path antivirusproduct GET displayName, productState, pathToSignedProductExe

It creates the following folder:

  • %System Root%\botnet

Autostart technique: It adds the following registry entries so that it runs automatically at every system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    bootstartup = %User Profile%\boot-startup.vbs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    botnet = %System Root%\botnet\botnet_start.vbs
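The process list and the autostart entries above translate directly into detection logic. The Python script below is an added example written for this page; it is not code from Trend Micro or from the advisory. It turns the listed behaviours (the pyclient.cmd launch, the attrib +s +h +a hiding of scripts and of the botnet folder, the reg add of the bootstartup and botnet Run values, the D3ViL ShaDow window-title probes, cmd.exe being copied to %Public%\explorer.exe, the WMI antivirus query, node.exe running new_script.txt) into regex rules and runs them over constructed sample events shaped like process-creation and registry-set telemetry. The event field names, rule names, user name and file paths in the samples are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Detection rules distilled from the process list and autostart entries in the
# advisory. Each entry is (rule name, regex matched case-insensitively against a
# process command line). Rule names are chosen for this example.
PROCESS_RULES: List[Tuple[str, str]] = [
    ("pyclient_cmd_launch",    r"\\pyclient\.cmd\b"),
    ("attrib_hide_scripts",    r"attrib\s+\+s\s+\+h\s+\+a\s+\*\.(?:vbs|bat)\b"),
    ("attrib_hide_botnet_dir", r"attrib\s+\+s\s+\+h\s+\+a\s+\S*\\botnet\b"),
    ("run_key_bootstartup",    r"currentversion\\run\s+/v\s+bootstartup\b"),
    ("run_key_botnet",         r"currentversion\\run\s+/v\s+botnet\b"),
    ("window_title_probe",     r"tasklist\s+/fi\s+\"?windowtitle\s+eq\s+(?:administrator:\s+)?d3vil\s+shadow"),
    ("cmd_copied_as_explorer", r"copy\s+/y\s+\S*\\cmd\.exe\s+\S*\\explorer\.exe"),
    # The advisory prints the namespace as "securitycemter2"; the real WMI
    # namespace is root\SecurityCenter2, so both spellings are accepted here.
    ("wmic_av_enumeration",    r"wmic\s+/namespace:\\+root\\securityce[nm]ter2\s+path\s+antivirusproduct"),
    ("node_runs_new_script",   r"\\node\.exe\s+new_script\.txt\b"),
    ("wscript_botnet_start",   r"wscript\.exe\s+\S*\\botnet\\botnet_start\.vbs"),
]
_COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in PROCESS_RULES]


def match_process(cmdline: str) -> List[str]:
    """Return the names of every rule that fires on one process command line."""
    return [name for name, rx in _COMPILED if rx.search(cmdline)]


# Autostart values the advisory lists under the HKCU Run key, with the script
# each one points at (compared as a case-insensitive path suffix).
RUN_KEY_SUFFIX = r"software\microsoft\windows\currentversion\run"
AUTOSTART_VALUES: Dict[str, str] = {
    "bootstartup": r"\boot-startup.vbs",
    "botnet": r"\botnet\botnet_start.vbs",
}


def match_registry(key: str, value_name: str, data: str) -> List[str]:
    """Flag a registry-set event that recreates one of the advisory's Run values."""
    name = value_name.lower()
    if not key.lower().endswith(RUN_KEY_SUFFIX) or name not in AUTOSTART_VALUES:
        return []
    if data.lower().endswith(AUTOSTART_VALUES[name]):
        return [f"autostart_{name}"]
    return []


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run both matchers over a list of telemetry events; return (event index, rule) pairs."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            names = match_process(ev["cmdline"])
        elif ev["type"] == "registry":
            names = match_registry(ev["key"], ev["value"], ev["data"])
        else:
            names = []
        hits.extend((i, n) for n in names)
    return hits


# Constructed sample events shaped like process-creation and registry-set
# telemetry. User name, paths and the two benign events are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "cmdline": r"C:\Windows\System32\cmd.exe /c C:\Users\alice\AppData\Local\Temp\pyclient.cmd"},
    {"type": "process", "cmdline": r"C:\Windows\System32\cmd.exe /c cd C:\Users\alice & attrib +s +h +a *.vbs & attrib +s +h +a *.bat & reg add Hkey_CURRENT_USER\software\microsoft\windows\currentversion\run /v bootstartup /t reg_sz /d C:\Users\alice\boot-startup.vbs /f & shell.bat"},
    {"type": "process", "cmdline": r'C:\Windows\System32\cmd.exe /c "Tasklist /FI WINDOWTITLE eq D3ViL ShaDow"'},
    {"type": "process", "cmdline": r"C:\Windows\System32\cmd.exe copy /y C:\Windows\System32\cmd.exe C:\Users\Public\explorer.exe"},
    {"type": "process", "cmdline": r"wmic /namespace:\root\securitycenter2 path antivirusproduct GET displayName, productState, pathToSignedProductExe"},
    {"type": "process", "cmdline": r"C:\Windows\System32\cmd.exe /c echo benign"},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "value": "botnet", "data": r"C:\botnet\botnet_start.vbs"},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for idx, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The rules are deliberately keyed on the combination of arguments (for example `attrib +s +h +a` applied to `*.vbs`, or a Run value named `bootstartup` or `botnet`) rather than on cmd.exe alone, so ordinary administrative use of the same binaries does not fire; the benign echo and OneDrive events in the sample pass through clean. The same matchers can be pointed at real process-creation and registry telemetry by mapping its fields onto the `cmdline`, `key`, `value` and `data` names used here.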

Backdoor routine: It executes the following commands from a remote malicious user:

  • Update/Reset/Terminate Client (Self)
  • Load Client Modules (Self)
  • Log Keystrokes
  • Take Screenshots
  • Record Desktop
  • Operate Webcam
  • Operate CMD
  • Install Programming Languages
  • Download/Upload/Execute Files
  • Install and Operate Ngrok
  • Install and Operate WinVNC
  • List and Modify AutoStart Registries
  • List, Add and Start Scheduled Tasks
  • Check and Elevate User Privileges
  • Execute Shellcode and Scripts
  • Harvest the Following Information:
      • Process List
      • Drive List
      • Directories and Files List
      • System Info
      • Startup Items
      • AntiVirus Info
      • Locally Stored Credentials

It connects to the following websites to send and receive information:

  • https://hosting303.{BLOCKED}hostapp.com
  • madleets.{BLOCKED}s.net:4444

Download routine: It accesses the following websites to download files:

  • https://raw.{BLOCKED}usercontent.com/DevilBot000/Tools/master/unzip.exe → %System Root%\botnet\unzip.exe
  • https://raw.{BLOCKED}usercontent.com/DevilBot000/Tools/master/python_client.zip → %System Root%\botnet\python_client.zip
Reference information:
trendmicro (2020/05/21)