
Cocoyan, Odaywang

The watering hole attack is a common advanced attack technique. The security awareness system of Tencent PC Manager (电脑管家) recently captured a case of this kind, which is analyzed below.

"Under the big bridge in front of the gate, a flock of ducks swims by; come quickly, come and count them: two, four, six, seven, eight..."

"Ducks?"

"No, hackers!"

"Hackers?"

"Yes, hackers!"

0x1 The story

The story goes like this:

Perhaps to play Roblox and Discord for free, or simply to show off, many people studied the hacking videos posted on YouTube by a user with the handle Harioboy and faithfully downloaded the tools. Eager to try them out on their own machines, they ran them, and the effort paid off: the crack worked. Humming a tune, playing a game...

Meanwhile, behind the scenes, Harioboy is also humming a tune, happily watching the data scroll across the screen: two, four, six, seven, eight...

(The player is having a good time; little does he know that screenshots of his game have already been sent back to the hacker.)

0x2 The real story

The story above is not fiction; any resemblance to real events is no coincidence.

While tracing a series of Agent Tesla attack cases, Tencent Anti-Virus Lab noticed a hacker or hacking group using the online handle Harioboy. Harioboy used a watering hole attack to lure victims into downloading and executing a customized build of Agent Tesla, and then took control of the victims' computers.

Preliminary estimates put the number of machines that have fallen prey to Harioboy in the hundreds of thousands.

In the week before this article was written, more than 1,000 new victims were still becoming "fresh meat" for Harioboy.

Judging from the data uploaded to Harioboy's backend, most of the compromised machines belong to experienced gamers and some would-be hackers; on some of them, development and cheating tools such as Visual Studio and Cheat Engine were installed.

Sensitive data on the victim's computer, such as game accounts, online banking credentials and Bitcoin wallets, is sent back to Harioboy's C&C server, putting the victim's assets at serious risk.

0x3 Event breakdown

[Trojanized hacking tools]

For example, Harioboy offers free "cracked" versions of RC7 (a Roblox cheat tool) and Discord, and posts YouTube videos teaching viewers how to use them, then waits for victims to fall into the trap.

Victims find the videos, or the cracked RC7 and Discord tools themselves, through search engines, download them and run them. The malicious code embedded in the tool then downloads and executes the payload on the victim's computer, and the attacker monitors and controls the machine through the Agent Tesla C&C server.

[Agent Tesla]

Judging by the YouTube videos, Agent Tesla has existed since at least 2014. It started as a simple keylogger that recorded the user's keystrokes and sent them to the attacker's server. Over two or three years of development its authors kept adding features, turning it from a simple keylogger into modular spyware that is sold on the internet. Buyers purchase the Agent Tesla modules they need and can then deploy and operate the Trojan with little effort.

The most common Agent Tesla delivery method is spear-phishing email carrying a malicious attachment. Once the user opens the attachment and allows it to execute, it downloads and installs Agent Tesla. As targeted attacks keep occurring, however, users' awareness of phishing email is rising, and the success rate of email-based delivery is bound to suffer.

[Harioboy's watering hole attack]

Harioboy does not seem to be affected by this. Instead of phishing email, Harioboy borrows the idea of the watering hole attack and targets gamers, hackers and hacker wannabes. First, Harioboy publishes a hacking tool with malicious code embedded in it, then posts tutorials on YouTube on how to use it. Guided by the videos, victims download and run the tool of their own accord, and are compromised by Harioboy.

Once the tool runs on the victim's computer, it executes the code Harioboy implanted, which downloads Harioboy's customized Agent Tesla Trojan. Like a lion lurking beside a watering hole, Harioboy simply waits for prey (victims) to come to him. Through the Agent Tesla C&C server, Harioboy communicates with the victim's computer, monitors and controls it, and steals bank accounts, game accounts, Bitcoin and other sensitive data, sending everything back to the C&C server.

Through the Agent Tesla Trojan, large volumes of victims' account data were sent back to the C&C server.

0x4 What the Trojan does

The Trojan retains remote-control functionality: it accepts instructions from the C&C server and can download and run arbitrary malicious code. At the same time it collects software, system and file information and, through a custom FTP client built into the Trojan, exfiltrates browser data, email account credentials, cryptocurrency wallets and other private data. The list of targeted programs and clients runs to hundreds of entries:

[Trojan execution flow]

The Trojan decrypts shellcode from its resource section, then loads and executes it.

1. The shellcode first performs anti-debugging checks: it measures the time elapsed between instructions with GetTickCount and checks for mouse movement with GetCursorPos. If it concludes that the program is being debugged, the shellcode enters an infinite loop and never runs the subsequent code.

2. It creates a new (suspended) process with the same name as itself as a "borrowed" host, then uses ZwUnmapViewOfSection and ZwWriteVirtualMemory to unmap the host's original image and write the re-decrypted malicious code into the new process.

3. It uses GetThreadContext and SetThreadContext to point the host's main thread at the injected code, then calls ZwResumeThread to let the target process run. This completes the creation of the hollowed ("zombie") process, which now executes the injected malicious code.

4. The malicious code contains hundreds of information-stealing routines that run side by side. Each routine targets one application or one class of applications.
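Steps 2 and 3 above are the classic process-hollowing sequence, and the fact that every call in the chain is aimed at the same suspended child is what makes it detectable from an API trace. The following detector is an added example (not code from the original article or from Tencent Anti-Virus Lab). The trace format is constructed for the example: one call per line, "<caller pid> <api> key=value ...", with the monitor assumed to have already resolved process handles to target pids ("handle=<pid>"); a real sandbox, ETW or Sysmon feed needs its own parser for that step.

```python
"""Flag the process-hollowing call sequence described above in an API trace.

Added example, not from the original article.  Trace format (constructed):
"<caller pid> <api> key=value ...", one call per line, handles pre-resolved to pids.
"""
from __future__ import annotations

import re
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit that starts the host process frozen

# Stages the detector waits for, in order, all aimed at the same suspended child.
# GetThreadContext is deliberately not required: it is read-only and some loaders
# skip it and build a fresh CONTEXT from scratch.
STAGES = ("NtUnmapViewOfSection", "NtWriteVirtualMemory", "SetThreadContext", "NtResumeThread")

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: pid 1000 (the trojanized tool) hollows a suspended copy of
# itself (pid 2000); pid 3000 launches notepad normally and must not fire.
SAMPLE_TRACE = """\
1000 CreateProcessW image=C:\\Users\\victim\\Downloads\\RC7_Cracked.exe flags=0x4 child=2000
1000 ZwUnmapViewOfSection handle=2000 base=0x400000
1000 ZwWriteVirtualMemory handle=2000 addr=0x400000 size=0x2a000
1000 GetThreadContext handle=2000
1000 SetThreadContext handle=2000
1000 ZwResumeThread handle=2000
3000 CreateProcessW image=C:\\Windows\\System32\\notepad.exe flags=0x0 child=3001
3000 ZwResumeThread handle=3001
"""


def parse_line(line: str) -> tuple[int, str, dict[str, str]] | None:
    """Split one trace line into (caller pid, api name, key/value fields).

    Zw* and Nt* name the same system services (Zw is the kernel-side export
    name), so both spellings are folded onto the Nt* form before matching.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    api = m.group("api")
    if api.startswith("Zw"):
        api = "Nt" + api[2:]
    return int(m.group("pid")), api, dict(KV_RE.findall(m.group("rest")))


def detect_hollowing(trace_text: str) -> list[tuple[int, int, str]]:
    """Return (creator pid, child pid, child image) for every completed chain."""
    suspended: dict[int, tuple[int, str]] = {}   # child pid -> (creator pid, image path)
    progress: dict[int, int] = defaultdict(int)  # child pid -> number of STAGES seen so far
    findings: list[tuple[int, int, str]] = []

    for line in trace_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, api, kv = parsed

        if api in ("CreateProcessW", "CreateProcessA"):
            flags = int(kv.get("flags", "0"), 16)
            if flags & CREATE_SUSPENDED and "child" in kv:
                suspended[int(kv["child"])] = (pid, kv.get("image", "?"))
            continue

        if "handle" not in kv:
            continue
        target = int(kv["handle"])
        # Only the creator touching its own suspended child advances the chain.
        if target not in suspended or suspended[target][0] != pid:
            continue
        stage = progress[target]
        if stage < len(STAGES) and api == STAGES[stage]:
            progress[target] = stage + 1
            if progress[target] == len(STAGES):
                creator, image = suspended[target]
                findings.append((creator, target, image))
    return findings


if __name__ == "__main__":
    for creator, child, image in detect_hollowing(SAMPLE_TRACE):
        print(f"process hollowing: pid {creator} -> suspended child {child} ({image})")
```

The detector is intentionally strict about order and about the caller: a parent that merely resumes a suspended child (a debugger or an installer) never reaches the unmap/write stages, so it does not fire, while reordering the calls would break the verdict. In a real deployment the CREATE_SUSPENDED flag and the cross-process write are the two signals worth alerting on even without the full chain.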

① Stealing Safari account passwords

Safari for Windows stores the account and password records it has saved in keychain.plist.

The Trojan converts keychain.plist to an XML file and decrypts the stored passwords with the Windows DPAPI.

The command line used for the XML conversion:

    plutil.exe -convert xml1 -s -o c:\keychain.xml "c:\users\administrator\appdata\roaming\apple computer\preferences\keychain.plist"
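Once the plist is in XML form, the stealer still has to work out which <data> values are DPAPI-protected before it can hand them to CryptUnprotectData. The script below is an added example (not code from the original article): it parses plutil's XML output, identifies DPAPI blobs by their fixed header (a 4-byte version of 1 followed by the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb), and shows the Windows-only decrypt call. The plist layout used for the sample (an "Entries" array of dicts with Account, Server and Password keys) is an assumption made for this example and should be checked against a real keychain.plist.

```python
"""Locate DPAPI-protected secrets in the XML form of keychain.plist.

Added example, not code from the original article.  The plist layout of the
sample is assumed; the DPAPI blob header check does not depend on it.
"""
from __future__ import annotations

import base64
import plistlib
import sys
from typing import Iterator

DPAPI_VERSION = (1).to_bytes(4, "little")
# Provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb in its on-disk byte order.
DPAPI_PROVIDER_GUID = bytes.fromhex("d08c9ddf0115d1118c7a00c04fc297eb")


def is_dpapi_blob(data: bytes) -> bool:
    """True if the bytes carry the fixed DPAPI blob header."""
    return len(data) >= 20 and data[:4] == DPAPI_VERSION and data[4:20] == DPAPI_PROVIDER_GUID


def find_dpapi_blobs(node, path: str = "") -> Iterator[tuple[str, bytes]]:
    """Walk a parsed plist and yield (path, blob) for every DPAPI-looking <data>."""
    if isinstance(node, bytes):
        if is_dpapi_blob(node):
            yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from find_dpapi_blobs(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_dpapi_blobs(value, f"{path}[{i}]")


def scan_keychain_xml(xml_bytes: bytes) -> list[tuple[str, bytes]]:
    """Parse plutil's XML plist output and list the protected blobs in it."""
    return list(find_dpapi_blobs(plistlib.loads(xml_bytes)))


def dpapi_unprotect(blob: bytes) -> bytes:
    """Decrypt a blob with CryptUnprotectData; Windows only, same user account.

    This is exactly the call available to any code running as the victim, which
    is why DPAPI stops offline theft of the file but not a Trojan on the host.
    """
    if sys.platform != "win32":
        raise OSError("DPAPI is only available on Windows")
    import ctypes
    import ctypes.wintypes as wt

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", wt.DWORD), ("pbData", ctypes.POINTER(ctypes.c_char))]

    buf = ctypes.create_string_buffer(blob, len(blob))
    inp = DATA_BLOB(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    out = DATA_BLOB()
    ok = ctypes.windll.crypt32.CryptUnprotectData(ctypes.byref(inp), None, None, None, None, 0, ctypes.byref(out))
    if not ok:
        raise ctypes.WinError()
    try:
        return ctypes.string_at(out.pbData, out.cbData)
    finally:
        ctypes.windll.kernel32.LocalFree(out.pbData)


# Constructed sample: one entry whose <data> is a DPAPI blob (valid header plus a
# placeholder body, so it will not actually decrypt) and one plain <data> value.
FAKE_DPAPI_BLOB = DPAPI_VERSION + DPAPI_PROVIDER_GUID + b"\x00" * 32
SAMPLE_KEYCHAIN_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Entries</key>
  <array>
    <dict>
      <key>Account</key><string>alice</string>
      <key>Server</key><string>forum.example.test</string>
      <key>Password</key><data>{base64.b64encode(FAKE_DPAPI_BLOB).decode()}</data>
    </dict>
    <dict>
      <key>Account</key><string>bob</string>
      <key>Notes</key><data>{base64.b64encode(b"not a dpapi blob").decode()}</data>
    </dict>
  </array>
</dict>
</plist>
""".encode()

if __name__ == "__main__":
    for path, blob in scan_keychain_xml(SAMPLE_KEYCHAIN_XML):
        print(f"{path}: DPAPI blob, {len(blob)} bytes")
```

The practical point for defenders is in dpapi_unprotect: DPAPI keys are derived from the user's logon credentials, so anything already running in the victim's session can decrypt these blobs without knowing any password. The same header check is useful the other way round, for spotting DPAPI material in exfiltrated files.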

② Stealing Chrome saved passwords

Sensitive data is obtained by locating the browser's files and reading the entries in its password database.

③ Stealing FileZilla account passwords

FileZilla is an FTP suite with both a server and a client. The Trojan obtains account information by searching FileZilla's XML configuration files.
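Why searching the XML files is enough: FileZilla stores saved logins in sitemanager.xml (and recent connections in recentservers.xml) with the password either in plaintext, in older builds, or merely base64-encoded, unless the user has set a master password. The script below is an added example, not code from the original article or from the FileZilla project. The XML is constructed to mirror the <Server> layout of FileZilla 3's sitemanager.xml with invented hosts and credentials; the encoding="crypt" marker used for the master-password case is an assumption about that format made for this example.

```python
"""Read saved FileZilla logins the way the stealer does, to show why it works.

Added example, not code from the original article.  The XML is constructed
(invented hosts and credentials); encoding="crypt" for master-password
entries is assumed.
"""
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET

SAMPLE_SITEMANAGER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.38.1" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webadmin</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
      <Name>Production web host</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Pass encoding="crypt">9rN2Xs1rUuxU5ZEq9xlZzA==</Pass>
      <Logontype>1</Logontype>
      <Name>Deploy box (master password set)</Name>
    </Server>
    <Server>
      <Host>legacy.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>oldadmin</User>
      <Pass>letmein</Pass>
      <Logontype>1</Logontype>
      <Name>Entry written by an old FileZilla build (plaintext)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def extract_sites(xml_text: str) -> list[dict]:
    """Return one dict per <Server>: host, port, user, password (or None) and status."""
    results: list[dict] = []
    root = ET.fromstring(xml_text)
    for server in root.iter("Server"):
        entry = {
            "host": server.findtext("Host"),
            "port": int(server.findtext("Port") or 0),
            "user": server.findtext("User"),
            "password": None,
            "status": "no password stored",
        }
        pw = server.find("Pass")
        if pw is not None and pw.text:
            enc = pw.get("encoding", "")
            if enc == "base64":
                # Base64 is an encoding, not encryption: anyone who can read the
                # file (this Trojan runs as the user) recovers the password.
                entry["password"] = base64.b64decode(pw.text).decode("utf-8", "replace")
                entry["status"] = "recovered (base64 only)"
            elif enc == "crypt":
                # Master-password protected: the value is useless without it.
                entry["status"] = "protected by master password"
            else:
                entry["password"] = pw.text
                entry["status"] = "recovered (stored in plaintext)"
        results.append(entry)
    return results


if __name__ == "__main__":
    for site in extract_sites(SAMPLE_SITEMANAGER_XML):
        print(f"{site['user']}@{site['host']}:{site['port']} -> {site['status']}")
```

Only the entry protected by a master password survives; enabling that setting, or not saving FTP passwords at all, is the one-line mitigation against this part of the stealer.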

④ Stealing Outlook email information

Mailbox information is obtained by querying the registry.

⑤ Stealing PokerStars account information

PokerStars is currently the largest online poker room in the world.

The Trojan searches for the users.ini file in a specific folder and decrypts the PWD field and other fields.

⑥ Stealing Bitcoin information

The wallet.dat file of a Bitcoin wallet is critical: it contains the private keys. If it is not strictly encrypted, the private keys can leak and the Bitcoin can be stolen.

0x5 Distribution trend

Analysis of the screenshots uploaded to the C&C server shows that most victims are hobbyists who enjoy researching game cracking, i.e. "script kiddies".

One or more tools such as screen recording and streaming software, game development engines, mouse auto-clickers, memory editors, DLL injectors and various Steam games were found on the victims' computers.

Geographically, infections are most visible in the United States and some European countries. In Asia they are concentrated in Southeast Asia, which correlates closely with where Roblox and Discord are popular.


Published on the Tencent Cloud Community with the author's authorization; please credit the source when reproducing. Original link: cloud.tencent.com/community/a…