Original article: Sarwent Malware Continues to Evolve With Updated Command Functions
Translation: Knownsec 404 Lab Translation Team
Sarwent has received little attention from researchers, yet the backdoor remains under active development: its command set is still being updated and the work is clearly focused on RDP.
- Sarwent's updates point to a growing interest in backdoor functionality, such as executing PowerShell commands;
- The updates also show a preference for RDP;
- Sarwent was found to use at least one binary signer in common with the TrickBot operators.
Background
Sarwent has been in use since 2018 and its use has kept growing, yet very little research on it has been published.
Analysis
Historically, Sarwent's functionality centred on acting as a loader; its original command set was:
|download|
|update|
|vnc|
Its AV (antivirus) check routine has also been updated over time.
Recent changes include an update to the C2 URI structure.
More recently, a number of commands commonly seen in other malware have been added, shifting the focus toward backdoor or RAT-like functionality:
|cmd|
|powershell|
|rdp|
These additions are interesting in the context of cybercrime groups looking for more ways to monetise access; judging from the recent surge in services selling access to compromised systems, RDP remains a focal point.
The cmd and powershell commands are straightforward: they execute the supplied command line, base64-encode the result, and send it back to the C2 over the matching URL route.
C2 routes used for the responses:
/gate/cmd_exec
/gate/powershell_exec
The rdp command is somewhat different. Judging from what the code executes, it appears to instruct the bot to carry out a sequence of tasks:
- Add a new user
- Enumerate groups and users
- Open a hole in the local firewall
Taken together, this command prepares the system for subsequent RDP access.
Recommendations
Endpoint:
CommandLine="cmd /c ping localhost & regsvr32 /s *"
Network: a number of network rules for this threat already exist, so I decided to look at adding some Suricata rules for aspects that may not currently be covered.
Suricata Rules
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Sarwent CMD response Post"; content:"POST"; http_method; content:"/gate/cmd_exec"; http_uri; classtype:trojan-activity; sid:9000040; rev:1; metadata:author Jason Reaves;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Sarwent Powershell response Post"; content:"POST"; http_method; content:"/gate/powershell_exec"; http_uri; classtype:trojan-activity; sid:9000041; rev:1; metadata:author Jason Reaves;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Sarwent RDP exec response"; content:"GET"; http_method; content:"/gate/rdp_exec?command="; http_uri; content:"&status="; http_uri; classtype:trojan-activity; sid:9000042; rev:1; metadata:author Jason Reaves;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Sarwent update exe response"; content:"GET"; http_method; content:"/gate/update_exec?command="; http_uri; content:"&status="; http_uri; classtype:trojan-activity; sid:9000043; rev:1; metadata:author Jason Reaves;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Sarwent update command"; content:"200"; http_stat_code; content:"fHVwZGF0ZX"; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000044; rev:1; metadata:author Jason Reaves;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Sarwent download command"; content:"200"; http_stat_code; content:"fGRvd25sb2Fkf"; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000045; rev:1; metadata:author Jason Reaves;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Sarwent powershell command"; content:"200"; http_stat_code; content:"fHBvd2Vyc2hlbGx8"; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000046; rev:1; metadata:author Jason Reaves;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Sarwent rdp command"; content:"200"; http_stat_code; content:"fHJkcH"; startswith; http_server_body; flow:to_client, established; classtype:trojan-activity; sid:9000047; rev:1; metadata:author Jason Reaves;)
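The four server-side rules above key on base64 fragments rather than on plain text. Those fragments are the base64 encodings of the `|update|`, `|download|`, `|powershell|` and `|rdp|` command framing, cut at the last character that does not depend on whatever bytes the C2 sends after the token (base64 maps 3 bytes to 4 characters, so a partial trailing group leaves its last one or two characters variable). The following Python is an added example, not code from the original post and not Sarwent code: it computes that stable prefix for any token, emits a rule in the same shape for tokens the page lists but has no rule for (`|cmd|`, `|vnc|`), and replays the client-side (method + URI) and server-side (status + body prefix) rule logic over constructed traffic. The `|command|` framing of the C2 response and the shapes of the sample exchanges are assumptions taken from the rules, not something the text states.

```python
"""Added example: not code from the original post, and not Sarwent code.

It makes two things about the Suricata rules above explicit:
  1. The http_server_body "startswith" strings (fHVwZGF0ZX, fGRvd25sb2Fkf,
     fHBvd2Vyc2hlbGx8, fHJkcH) are the stable base64 prefixes of the
     "|update|", "|download|", "|powershell|" and "|rdp|" framing.
     stable_b64_prefix() works out how many characters are safe for any token.
  2. The rule logic, replayed over constructed HTTP exchanges in both
     directions (assumed samples, not captured traffic).
"""
import base64

COMMAND_TOKENS = ("|update|", "|download|", "|powershell|", "|rdp|")


def stable_b64_prefix(token: str) -> str:
    """Base64 prefix of token that does not change whatever bytes follow it."""
    raw = token.encode()
    full, rem = divmod(len(raw), 3)
    prefix = base64.b64encode(raw[: full * 3]).decode()
    tail = raw[full * 3:]
    if rem == 1:
        # 8 leftover bits: the first output char (6 bits) is fixed, 2 bits spill.
        prefix += base64.b64encode(tail + b"\x00\x00").decode()[:1]
    elif rem == 2:
        # 16 leftover bits: two output chars are fixed, 4 bits spill.
        prefix += base64.b64encode(tail + b"\x00").decode()[:2]
    return prefix


def server_body_rule(sid: int, msg: str, token: str) -> str:
    """Emit a rule in the same shape as sids 9000044-9000047 for any token."""
    return (
        f'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"{msg}"; '
        f'content:"200"; http_stat_code; content:"{stable_b64_prefix(token)}"; '
        f'startswith; http_server_body; flow:to_client, established; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


# (sid, method, substrings that must all appear in the URI), mirroring 9000040-43
CLIENT_RULES = [
    (9000040, "POST", ("/gate/cmd_exec",)),
    (9000041, "POST", ("/gate/powershell_exec",)),
    (9000042, "GET", ("/gate/rdp_exec?command=", "&status=")),
    (9000043, "GET", ("/gate/update_exec?command=", "&status=")),
]
# (sid, framing token) matched against the start of a 200 body, mirroring 9000044-47
SERVER_RULES = [(9000044, "|update|"), (9000045, "|download|"),
                (9000046, "|powershell|"), (9000047, "|rdp|")]


def match_request(method: str, uri: str) -> list:
    """sids that fire on a bot -> C2 request (http_method + http_uri checks)."""
    return [sid for sid, m, needles in CLIENT_RULES
            if method == m and all(n in uri for n in needles)]


def match_response(status: int, body: str) -> list:
    """sids that fire on a C2 -> bot response (http_stat_code + startswith)."""
    if status != 200:
        return []
    return [sid for sid, token in SERVER_RULES
            if body.startswith(stable_b64_prefix(token))]


def decode_exec_result(body: str) -> str:
    """Recover the command output a bot POSTs to /gate/cmd_exec or /gate/powershell_exec."""
    return base64.b64decode(body).decode(errors="replace")


# Constructed sample traffic (assumed shapes; what follows a framing token is a
# guess, which is exactly why only the stable prefix is matched).
SAMPLE_REQUESTS = [
    ("POST", "/gate/cmd_exec", base64.b64encode(b"nt authority\\system\r\n").decode()),
    ("GET", "/gate/rdp_exec?command=rdp&status=1", ""),
    ("GET", "/gate/index.php", ""),
]
SAMPLE_RESPONSES = [
    (200, base64.b64encode(b"|update|http://c2.invalid/new.exe").decode()),
    (200, base64.b64encode(b"|rdp|").decode()),
    (404, base64.b64encode(b"|rdp|").decode()),   # wrong status: must not fire
    (200, "<html>nothing here</html>"),            # benign body: must not fire
]


def scan() -> dict:
    """Run both rule sets over the samples; keys are 'req:<uri>' / 'resp:<n>'."""
    hits = {f"req:{uri}": match_request(m, uri) for m, uri, _ in SAMPLE_REQUESTS}
    for n, (status, body) in enumerate(SAMPLE_RESPONSES):
        hits[f"resp:{n}"] = match_response(status, body)
    return hits


if __name__ == "__main__":
    for token in COMMAND_TOKENS + ("|cmd|", "|vnc|"):
        print(f"{token:14} -> {stable_b64_prefix(token)}")
    print(server_body_rule(9000048, "Sarwent cmd command", "|cmd|"))
    for key, sids in scan().items():
        print(key, sids)
    print(decode_exec_result(SAMPLE_REQUESTS[0][2]))
```

Run it directly to print the prefix for each token, a generated rule for `|cmd|`, and which sids fire on each sample exchange. Two practical caveats: `|powershell|` is 12 bytes, a multiple of three, so its whole encoding is stable, whereas `|rdp|` leaves only six safe characters, so any new rule must be cut with the same care; and the `startswith` keyword requires Suricata 5.0 or later, so on older versions anchor the content at the start of the buffer with `depth` instead.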
IoCs
Download Location:
whatsmyhomeworthlondonontario[.]ca/wp-admin/version.exe
beurbn[.]com/install.exe
V2
Hash:
3f7fb64ec24a5e9a8cfb6160fad37d33fed6547c
Domains
seoanalyticsproj.xyz
seoanalyticsproewj.xyz
seoanalyticsp34roj.xyz
seoanalyticsptyrroj.xyz
seoanalyticsprojrts.xyz
seoanalyticspro32frghyj.xyz
Hash:
ab57769dd4e4d4720eedaca31198fd7a68b7ff80
Domains
vertuozoff.xyz
vertuozoff.club
vertuozofff.xyz
vertuozofff.com
vertuozofff.club
vertuozoffff.club
Hash:
d297761f97b2ead98a96b374d5d9dac504a9a134
Domains
rabbot.xyz
terobolt.xyz
tebbolt.xyz
rubbolt.xyz
rubbot.xyz
treawot.xyz
Hash:
3eeddeadcc34b89fbdd77384b2b97daff4ccf8cc
Domains
rabbot.xyz
terobolt.xyz
tebbolt.xyz
rubbolt.xyz
rubbot.xyz
treawot.xyz
Hash:
106f8c7ddbf265fc108a7501b6af292000dd5219
Domains
blognews-journal.com
startprojekt.pw
blognews-joural.com
blognews-joural.best
blognews-joural.info
startprojekt.pro
V1
Hash:
83b33392e045425e9330a7f009801b53e3ab472a
Domains
212.73.150.246 (ZoomEye search result)
softfaremiks.icu
shopstoregame.icu
shopstoregamese.icu
Hash:
2979160112ea2de4f4e1b9224085efbbedafb593
Domains
shopstoregame.icu
softfaremiks.icu
shopstoregamese.icu
shopstoregamese.com
shopstoregames.icu
Published by Seebug Paper; please credit the source when reposting. Article URL: http://www.bjnorthway.com/1221/