Unlocking ProLock: an analysis of the new ransomware operators' actions using the MITRE ATT&CK matrix

The success of ransomware attacks on organizations around the world keeps drawing new attackers into the game. One of these newcomers is the group using the ProLock ransomware. It appeared in March 2020 as the successor to PwndLocker, which had been operating since the end of 2019. ProLock attacks primarily target financial and healthcare organizations, government agencies, and the retail sector. Recently, ProLock operators successfully attacked one of the largest ATM manufacturers, Diebold Nixdorf.

In this post Oleg Skulkin, senior specialist at Group-IB's Computer Forensics Laboratory, covers the main tactics, techniques and procedures (TTPs) used by ProLock operators. The article concludes with a mapping to the MITRE ATT&CK matrix, a public knowledge base that catalogues the attack techniques used by various cybercriminal groups.

Initial access

ProLock operators use two main initial compromise vectors: the QakBot (Qbot) Trojan and internet-exposed RDP servers protected by weak passwords.

Compromise through an externally accessible RDP server is extremely popular among ransomware operators. Typically, the attackers buy access to an already compromised server from third parties, but group members may also obtain it themselves.

The more interesting initial compromise vector is the QakBot malware. Previously, this Trojan was associated with another ransomware family, MegaCortex. Now, however, ProLock operators use it as well.

QakBot is usually distributed through phishing campaigns. A phishing email may carry an attached Microsoft Office document or a link to a file hosted on a cloud storage service such as Microsoft OneDrive.

There are also known cases of QakBot being loaded alongside another Trojan, Emotet, which is well known for its involvement in campaigns distributing the Ryuk ransomware.

Execution

After the infected document is downloaded and opened, the user is prompted to enable macros. If that succeeds, PowerShell is launched, which downloads the QakBot payload from the command and control server and runs it.

It is important to note that the same applies to ProLock itself: the payload is extracted from a BMP or JPG file and loaded into memory using PowerShell. In some cases, a scheduled task is used to start PowerShell.

A batch script runs ProLock through Task Scheduler (the task definition is imported from an XML file dropped in ProgramData, run once, and then both the XML and the batch file are deleted):

schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
schtasks.exe /RUN /tn WinMgr
del C:\Programdata\WinMgr.xml
del C:\Programdata\run.bat

Persistence

When an RDP server has been compromised and access obtained, valid accounts are used to gain access to the network. QakBot has a variety of persistence mechanisms. Most often, this Trojan uses the Run registry key and creates tasks in Task Scheduler:

[Figure: QakBot persistence in the system via the Run registry key]

In some cases, startup folders are also used: a shortcut pointing to the loader is placed there.

Defense evasion

Through its communication with the command and control server, QakBot periodically tries to update itself, so to avoid detection the malware may replace its current version with a new one. The executables are signed with a compromised or forged signature. The initial payload downloaded by PowerShell is stored on the C&C server with a PNG extension. Moreover, after execution it is replaced with the legitimate file calc.exe.

To hide its malicious activity, QakBot also injects code into other processes, using explorer.exe.

As mentioned, the ProLock payload is hidden inside a BMP or JPG file. This can also be considered a defense evasion technique.
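The article says the ProLock payload is hidden in a BMP or JPG file (here and again in the final section) but does not describe the layout. The Python below is an added example, not code from the article or from Group-IB: it assumes the simplest arrangement, a payload appended after the bytes the image format itself accounts for, and flags image files that carry such trailing data, reporting its entropy as a hint that it is packed or encrypted. A payload woven into the pixel area would not be seen by this check. SAMPLE_BMP, SAMPLE_JPEG and CONSTRUCTED_PAYLOAD are constructed inline for the demonstration.

```python
"""Flag image files that carry extra data after the image the format declares.

Added example, not code from the article or from Group-IB. The article states
the ProLock payload is hidden in a BMP/JPG file but not how; this check ASSUMES
the simplest layout (payload appended after the image's own bytes). A payload
woven into the pixel area would not be seen here. SAMPLE_BMP, SAMPLE_JPEG and
CONSTRUCTED_PAYLOAD are built inline for the demonstration.
"""
import math
import struct


def _jpeg_end(data):
    """Walk JPEG marker segments; return the offset just past the EOI marker, or None."""
    pos, n = 2, len(data)                      # skip SOI (FF D8)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None                        # not at a marker: malformed
        marker = data[pos + 1]
        if marker == 0xFF:                     # fill byte in front of a marker
            pos += 1
            continue
        if marker == 0xD9:                     # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]   # includes the 2 length bytes
        pos += 2 + seg_len
        if marker == 0xDA:                     # SOS: entropy-coded data follows
            while pos + 1 < n:
                nxt = data[pos + 1]
                # FF 00 is a stuffed byte, FF D0..D7 are restart markers; anything else ends the scan
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def declared_end(data):
    """Return (format, offset of the first byte not covered by the image), or None."""
    if data[:2] == b"BM" and len(data) >= 14:
        bf_size = struct.unpack_from("<I", data, 2)[0]   # BITMAPFILEHEADER.bfSize
        if bf_size == 0 or bf_size > len(data):           # unset by some writers / truncated file
            return None
        return "bmp", bf_size
    if data[:2] == b"\xff\xd8":
        end = _jpeg_end(data)
        return None if end is None else ("jpeg", end)
    return None


def shannon_entropy(buf):
    """Bits per byte (0..8); packed or encrypted data sits close to 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def trailing_payload(data):
    """Return (format, bytes after the declared image end), or None if not BMP/JPEG."""
    info = declared_end(data)
    if info is None:
        return None
    fmt, end = info
    return fmt, data[end:]


def triage(data):
    """Per-file summary: format, trailing length and entropy; None if unparseable."""
    res = trailing_payload(data)
    if res is None:
        return None
    fmt, extra = res
    return {"format": fmt, "trailing_len": len(extra),
            "trailing_entropy": round(shannon_entropy(extra), 2)}


# Constructed 1x1 24-bit BMP: 14-byte file header (bfSize=58, bfOffBits=54), 40-byte info header, 4 pixel bytes
SAMPLE_BMP = (b"BM" + struct.pack("<IHHI", 58, 0, 0, 54)
              + struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
              + b"\x00\x00\xff\x00")
# Constructed, structurally valid minimal JPEG: SOI, APP0/JFIF, SOS, entropy bytes with a stuffed FF 00, EOI
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
               + b"\x12\x34\xff\x00\x56"
               + b"\xff\xd9")
CONSTRUCTED_PAYLOAD = bytes(range(256)) * 2   # stands in for a packed binary (high entropy)

if __name__ == "__main__":
    for name, blob in [("clean.bmp", SAMPLE_BMP), ("bad.bmp", SAMPLE_BMP + CONSTRUCTED_PAYLOAD),
                       ("clean.jpg", SAMPLE_JPEG), ("bad.jpg", SAMPLE_JPEG + CONSTRUCTED_PAYLOAD)]:
        print(name, triage(blob))
```

Run it over the image files in a suspect PowerShell script's working directory or in ProgramData; a non-zero trailing length with entropy near 8 is worth a closer look, while a few low-entropy trailing bytes are usually just writer padding or metadata.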

Credential access

QakBot has keylogging functionality. In addition, it can download and run additional scripts, for example Invoke-Mimikatz, the PowerShell version of the well-known Mimikatz utility. The attackers can use such scripts to dump credentials.

Discovery

After gaining access to privileged accounts, ProLock operators perform network reconnaissance, which may include port scanning and analysis of the Active Directory environment. Besides various scripts, the attackers use AdFind, another tool popular among ransomware groups, to collect information about Active Directory.

Lateral movement

Traditionally, one of the most popular lateral movement methods is the Remote Desktop Protocol. ProLock is no exception. The attackers even keep a script in their arsenal for obtaining RDP access to target hosts.

BAT script for obtaining access via RDP:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f

The first command allows Remote Desktop connections, the second enables the built-in "Remote Desktop" firewall rule group, and the third sets UserAuthentication to 0, which switches off Network Level Authentication so that a session can be opened without authenticating before the logon screen is shown.

To run the script remotely, ProLock operators use another well-known tool, the PsExec utility from the Sysinternals Suite.

ProLock is launched on hosts with WMIC, the command-line interface to Windows Management Instrumentation. This tool, too, is becoming increasingly popular among ransomware operators.

Collection

Like many other ransomware operators, the group using ProLock collects data from the compromised network to increase its chances of being paid. Before exfiltration, the collected data is archived with the 7-Zip utility.

Exfiltration

To upload the data, ProLock operators use Rclone, a command-line tool for working with files on various cloud storage services such as OneDrive, Google Drive, Mega and others. The attackers always rename the executable to make it look like a legitimate system file.

Unlike their peers, ProLock operators do not yet have their own website for publishing the stolen data of companies that refuse to pay the ransom.

Achieving the final objective

Once the data has been exfiltrated, the group deploys ProLock across the enterprise network. The binary is extracted from a file with a PNG or JPG extension using PowerShell and injected into memory:

[Figure: the ProLock binary being extracted from an image file with PowerShell]

First of all, ProLock terminates the processes listed in a built-in list (interestingly, it compares only the first six characters of the process name, such as "winwor") and stops services, including security-related ones such as CSFalconService (CrowdStrike Falcon), using the net stop command.

Then, as with other ransomware families, the attackers use vssadmin to delete the Windows shadow copies and to shrink the shadow storage, which forces Windows to discard any copies that survived the explicit deletion, before the limit is set back to unbounded:

vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded

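All of the operator commands quoted in this article (the scheduled-task batch script in the Execution section, the RDP-enabling BAT script in Lateral Movement, the vssadmin commands above and the net stop of security services) are ordinary process command lines, so they can be caught in process-creation telemetry. The Python below is an added example, not code from the article or from Group-IB: it runs simple rules over constructed Sysmon-style process-creation records (the field names host/image/cmdline are assumptions; map them to your own telemetry), then correlates per host so that the three RDP registry and firewall changes, or the delete-plus-resize of shadow storage, are reported as one chain rather than as isolated hits. The SAMPLE_EVENTS are constructed from the article's scripts plus a few benign look-alikes.

```python
"""Command-line detections for the ProLock operator TTPs quoted in this article.

Added example, not code from the article or from Group-IB. SAMPLE_EVENTS are
constructed process-creation records in a Sysmon Event ID 1-like shape; the
field names (host, image, cmdline) are assumptions, adapt them to your telemetry.
"""
import re
from collections import defaultdict

# Services treated as security tooling when stopped with "net stop".
# Only CSFalconService is named in the article; extend with your own EDR/AV service names.
SECURITY_SERVICES = ("csfalconservice",)

RULES = [
    # Task definition imported from an XML file in a world-writable path (the article's run.bat)
    ("schtasks_xml_from_writable_path",
     r'schtasks(\.exe)?\s+/create\b.*/xml\s+"?[a-z]:\\(programdata|users\\public|windows\\temp)\\'),
    # The three lines of the RDP-enabling BAT script
    ("rdp_enabled_via_registry",
     r'reg(\.exe)?\s+add\b.*terminal server.*/v\s+"?fdenytsconnections"?.*/d\s+0\b'),
    ("rdp_nla_disabled",
     r'reg(\.exe)?\s+add\b.*rdp-tcp.*/v\s+"?userauthentication"?.*/d\s+0\b'),
    ("rdp_firewall_opened",
     r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="?remote desktop"?.*enable=yes'),
    # Shadow copy removal before encryption
    ("shadow_copies_deleted", r'vssadmin(\.exe)?\s+delete\s+shadows\b'),
    ("shadow_storage_resized", r'vssadmin(\.exe)?\s+resize\s+shadowstorage\b'),
    # Security service stopped with net stop
    ("security_service_stopped",
     r'\bnet1?(\.exe)?\s+stop\s+"?(' + "|".join(map(re.escape, SECURITY_SERVICES)) + r')\b'),
]
COMPILED = [(name, re.compile(pat, re.I)) for name, pat in RULES]

# Sets of single-event hits that, seen together on one host, reproduce a script from the article
CHAINS = {
    "rdp_exposure_script": {"rdp_enabled_via_registry", "rdp_firewall_opened", "rdp_nla_disabled"},
    "recovery_inhibited": {"shadow_copies_deleted", "shadow_storage_resized"},
}


def classify(cmdline):
    """Names of all rules matching one process command line (empty list if nothing fires)."""
    return [name for name, pat in COMPILED if pat.search(cmdline)]


def scan(events):
    """Flat list of (host, rule, cmdline) hits across all events."""
    return [(ev["host"], rule, ev["cmdline"])
            for ev in events for rule in classify(ev["cmdline"])]


def chains_per_host(events):
    """Map host -> sorted names of chains whose every rule fired on that host."""
    seen = defaultdict(set)
    for host, rule, _ in scan(events):
        seen[host].add(rule)
    return {host: sorted(c for c, need in CHAINS.items() if need <= rules)
            for host, rules in seen.items()}


# Constructed sample: the article's scripts on two hosts, plus benign look-alikes
SAMPLE_EVENTS = [
    {"host": "WS-042", "image": "reg.exe",
     "cmdline": r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f'},
    {"host": "WS-042", "image": "netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes'},
    {"host": "WS-042", "image": "reg.exe",
     "cmdline": r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f'},
    {"host": "WS-042", "image": "schtasks.exe",
     "cmdline": r"schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr"},
    {"host": "WS-042", "image": "schtasks.exe", "cmdline": "schtasks.exe /RUN /tn WinMgr"},
    {"host": "FS-01", "image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS-01", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "FS-01", "image": "net.exe", "cmdline": "net stop CSFalconService"},
    # benign look-alikes that must not fire
    {"host": "FS-01", "image": "vssadmin.exe", "cmdline": "vssadmin.exe list shadows"},
    {"host": "WS-042", "image": "schtasks.exe", "cmdline": "schtasks.exe /Query /TN WinMgr"},
]

if __name__ == "__main__":
    for host, rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
    print(chains_per_host(SAMPLE_EVENTS))
```

The per-host chains are the part worth alerting on with high priority: a single reg add touching Terminal Server settings can be an administrator, but all three lines of the script landing on one workstation, or shadow copies being deleted and the storage shrunk back to back, rarely are. The schtasks rule deliberately keys on the XML living under ProgramData, Users\Public or Windows\Temp rather than on the task name, since the name is trivially changed.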
ProLock appends the extension .proLock, .pr0Lock or .proL0ck to every encrypted file and drops a file named [HOW TO RECOVER FILES].TXT into every folder. This file contains instructions on how to decrypt the files, including a link to a site where the victim has to enter a unique ID and then receives payment instructions:

[Figure: the ProLock ransom note]

Each ProLock sample contains information about the ransom amount; in this case it was 35 bitcoins, roughly $312,000 at the time.

Conclusion

Most ransomware operators use similar methods to achieve their goals. At the same time, some techniques are unique to each group. The number of cybercriminal groups using ransomware in their campaigns is currently growing. In some cases, the same operators take part in attacks with different ransomware families, so we will increasingly see overlap in the tactics, techniques and procedures in use.

Mapping to the MITRE ATT&CK matrix

The technique IDs below are those of the ATT&CK matrix at the time of writing (spring 2020), before sub-techniques were introduced; several of them have since been merged into sub-techniques of other entries, so look them up by name rather than by number in the current matrix.

Tactic
Techniques

Initial Access (TA0001)
External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)

Execution (TA0002)
PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)

Persistence (TA0003)
Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)

Defense Evasion (TA0005)
Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disabling Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)

Credential Access (TA0006)
Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)

Discovery (TA0007)
Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)

Lateral Movement (TA0008)
Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)

Collection (TA0009)
Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)

Command and Control (TA0011)
Commonly Used Port (T1043), Web Service (T1102)

Exfiltration (TA0010)
Data Compressed (T1002), Transfer Data to Cloud Account (T1537)

Impact (TA0040)
Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)

Source: www.habr.com