论坛 › 挖矿 › NewKernelCoreMiner 撑起百万收入的挖矿木马

西池 发表于 2024-4-26 13:22:22

NewKernelCoreMiner 撑起百万收入的挖矿木马

    <div style="text-align: left; margin-bottom: 10px;">
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;"><strong style="color: blue;">一：木马概述</strong></p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">近日 360安全中心接到用户反馈，用户在使用任务管理器查看电脑资源占用时候发现lsass.exe进程占用CPU异常高，而且居高不下。我们在提取用户电脑文件后发现这是一类新的驱动挖矿木马，将其命名为NewKernelCoreMiner，已经感染超过十万用户,并且保守估计收益超百万360安全卫士已经率先支持查杀该木马。</p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;"><strong style="color: blue;">二：木马分析</strong></p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;"><strong style="color: blue;">1 驱动部分</strong></p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">驱动文件信息为:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15307101547490446aa7b3b~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=mSXXELM4p%2FTr6RJOFvLoWLYjAB4%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">驱动主要功能如下图:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/153071015482856498a2490~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=jutI3%2Fg%2FqGHWUwD%2BAtBqInESrsc%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">然后我们从图中几部分对驱动进行详细分析。</p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">入口点</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1530710154876e033e3e927~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=usXha75%2ByGm%2Fb%2B6y09%2F%2FzofvihQ%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">全局变量中保存操作系统和驱动信息:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15307101547581028ce57a9~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=XDhvTPJrDt%2FLyKTO2t0Rh4lz1po%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">检测内核调试器:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15307101547732ca2c23a06~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=vduAF0Qb0%2BfvZ6CF%2BKx5DhoVv3M%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">保存必要驱动信息，为以后随机化线程地址做准备:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15307101547561e838df877~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=vkQEIMEHLAocR5dQAP2sDwnjCrM%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">然后初始化下注入挖矿模块信息，该链表是可以随时由应用层更新传给驱动的</p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">主要包含信息为要注入进程名字的Hash，注入模块大小，注入模块代码</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1530710154853c4c32998df~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=nyJbZXv48jR7M6jpN4UYNIdfuKc%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">这个链表可以由应用层随时更新的</p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">挂钩NTFS 派遣函数:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15307101549153f98a4e9e7~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=Nz32TZjuCMHe6WkPb21%2F%2FFnk3y8%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">最后注册进程回调:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15307101548544c79ad694e~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=%2FF7ISWwT72os%2FaLP9%2FoxcG7pXaM%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">进程回调中判断进程 注入代码并且传递设备句柄用于交互，之前的设备名完全是随机的:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15307101549689928f38450~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=USA3eIyHUST4%2Fn%2Bdy1%2FCY3axnz4%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">填充各类有效信息到应用层全局变量:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15307101550486a4ff4aeb8~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=Crllxv9pg1h4Tcy45iK%2F1apst1I%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;"><strong style="color: blue;">2 应用层挖矿模块</strong></p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">驱动传来的信息存在全局变量中，继续填充该全局变量</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1530710154941aed13beb6d~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=R5EjVqVAbRkow9abZT7MxGvRzts%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">再次判断下注入进程名字信息，该模块为通用判断</p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">如果是浏览器进程则挂钩LdrLoadDll:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/153071015497506ddc50386~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=bESVpwF3Paq3Jjnw80N%2FQ6Dsms4%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">禁止以下模块加载：</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1530710154989237462a48f~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=%2BTqrMR63WfroKZgQ%2Fbzj%2ByYOBjA%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">也清理下之前的老版本文件，清理的列表文件:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15307101550283b903628d7~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=yvl%2FTKdsXrkFrr7HnD6MQ%2FuciKc%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">然后创建两个线程</p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">线程1主要为打点收集用户信息</p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">上传信息为:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15307101551409eec0abad3~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=qURf3qsxQF%2FjLGTddXSso624N04%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">拼接后:</p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">tj.16610.com/api/_mcc_statu.php?STATUS=0&amp;DHS=00000000&amp;UHS=00000000&amp;RHS=00000000&amp;REV=0&amp;RC=0&amp;CID=9098&amp;UID=9098&amp;VER=20180423&amp;RM=NotAvailable&amp;DMJ=0&amp;DMN=0&amp;DBL=0&amp;UMJ=2&amp;UMN=9&amp;UBL=2976&amp;MID=&amp;BW=32&amp;NTMJ=5&amp;NTMN=1&amp;NTBL=2600&amp;NTSPMJ=3&amp;NTSPMN=0&amp;NP=4&amp;MM=2146869248&amp;OSTC=1396281&amp;SVSN=84C5D18C&amp;SVFS=NTFS</p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">线程2为加载挖矿模块线程</p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">真正的挖矿功能模块也是动态下载而来,下载地址为:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1530710155186c3d96c3d45~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=GBtYLdF3YfD6sders1hRhw0wgRU%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;"> 矿池配置信息:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1530710155144e0311a58bc~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=neH38cwLU5W2MIZl1oH3ctr6T4E%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">随机挑选地址格式化参数:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15307101551742f892ead12~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=UQAkA3HN0Zo47l%2Bjk9ezmR6S0vg%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">配置文件信息:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1530710155473ab49b132c8~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=nf7t0bLsC1YdtM5kWYuqSaL8GwQ%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">使用完成后开启线程删除配置文件</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/153071015511285fda3653e~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=2sIiCm2UAdxiEpq%2FegIKHPRiFuI%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">然后传入配置信息进行挖矿。</p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">注入后线程数量:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15307101552242b3f2db203~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=A0M5fvjVVodJi1XBdXAqIVoevpY%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">进程CPU占用:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/153071015545573ca8475cf~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=Bc3e9hHy81dfBkgwfJ8UeXm1YgA%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">360安全卫士已经支持查杀:</p>
      <div style="text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15307101554108680df8068~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1713950302&amp;x-signature=OnsbiwxuyWMJnPqtVrUqJ7EmhFU%3D" style="width: 100%; margin-bottom: 20px;"></div>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;"><strong style="color: blue;">三：安全提醒</strong></p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">近期挖矿木马非常活跃，让人防不胜防。建议用户及时打上系统补丁,发现电脑卡慢、CPU占用过高等异常情况时使用安全软件扫描，同时注意保证安全软件的常开以进行防御，一旦受诱导而不慎中招，尽快使用360安全卫士查杀清除木马。</p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">此外，360安全卫士已经推出了挖矿木马防护功能，全面防御从各种渠道入侵的挖矿木马。用户开启了该功能后，360安全卫士将会实时拦截各类挖矿木马的攻击，为用户计算机安全保驾护航。</p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">下载地址:</p>
      <p style="font-size: 18px; line-height: 40px; text-align: left; margin-bottom: 30px;">http://down.360safe.com/inst.exe</p>
    </div>

查看完整版本: NewKernelCoreMiner 撑起百万收入的挖矿木马