Ransom fit for a queen: Varonis investigates the fast-spreading "SaveTheQueen" ransomware


A new strain of ransomware encrypts files, appends the extension ".SaveTheQueen" to them, and spreads through the SYSVOL network share on Active Directory domain controllers.

Our customers encountered this malware recently. Our full analysis, its results and our conclusions are presented below.

Discovery

One of our customers contacted us after encountering a new strain of ransomware that appended the ".SaveTheQueen" extension to newly encrypted files in their environment.

During our investigation, specifically while looking for the infection vector, we found that the distribution of the malware and the tracking of infected victims were carried out through the SYSVOL network share on the customer's domain controller.

SYSVOL is a key folder on every domain controller. It is used to deliver Group Policy Objects (GPOs) and logon/logoff scripts to computers in the domain, and its contents are replicated between domain controllers so that this data stays consistent across the organization's sites. Writing to SYSVOL requires high domain privileges; once those are compromised, however, this asset becomes a powerful tool for attackers, who can use it to spread malicious payloads quickly and efficiently across the whole domain.

The Varonis audit trail helped us quickly identify the following:

  • The infected user account created a file named "hourly" in SYSVOL
  • Many log files were created in SYSVOL, each named after a machine in the domain
  • Many different IP addresses were accessing the "hourly" file

We concluded that the log files were used to track the progress of the infection on new machines, and that "hourly" was a scheduled task that executed the malicious payload on new machines using PowerShell scripts, the "v3" and "v4" samples.

The attacker most likely obtained and used domain administrator privileges to write the files to SYSVOL. On the infected hosts, the attacker ran PowerShell code that created a scheduled task to open, decode and run the malware.
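The three audit findings above (an unexpected file created at the top of SYSVOL, log files named after domain computers, and one file read from many different addresses) are easy to turn into a hunt. The following Python script is an added example and is not Varonis code or part of the original write-up; it runs over a constructed, simplified audit trail of the form "timestamp|account|source_ip|action|path". The domain name, host names, account names, IP addresses and the "v3.ps1"/"v4.ps1" file names are all assumptions made for the sample; only the "hourly" name and the per-machine ".log" files come from the page.

```python
"""Hunting for SYSVOL abuse in file-activity audit events (constructed sample data)."""
import re
from collections import defaultdict

# Constructed sample of file-activity events, one per line:
# timestamp|account|source_ip|action|path  (a simplified stand-in for a real audit trail)
SAMPLE_EVENTS = r"""
2019-12-01T08:00:01|CORP\da_admin|10.0.0.5|create|\\DC01\SYSVOL\corp.local\hourly
2019-12-01T08:00:02|CORP\da_admin|10.0.0.5|create|\\DC01\SYSVOL\corp.local\v3.ps1
2019-12-01T08:00:03|CORP\da_admin|10.0.0.5|create|\\DC01\SYSVOL\corp.local\v4.ps1
2019-12-01T08:05:00|CORP\WS001$|10.0.1.11|read|\\DC01\SYSVOL\corp.local\hourly
2019-12-01T08:05:01|CORP\WS001$|10.0.1.11|create|\\DC01\SYSVOL\corp.local\WS001.log
2019-12-01T08:05:10|CORP\WS002$|10.0.1.12|read|\\DC01\SYSVOL\corp.local\hourly
2019-12-01T08:05:11|CORP\WS002$|10.0.1.12|create|\\DC01\SYSVOL\corp.local\WS002.log
2019-12-01T08:05:20|CORP\FS01$|10.0.2.20|read|\\DC01\SYSVOL\corp.local\hourly
2019-12-01T08:05:21|CORP\FS01$|10.0.2.20|create|\\DC01\SYSVOL\corp.local\FS01.log
2019-12-01T08:10:00|CORP\gpoadmin|10.0.0.9|modify|\\DC01\SYSVOL\corp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI
2019-12-01T08:11:00|CORP\gpoadmin|10.0.0.9|create|\\DC01\SYSVOL\corp.local\scripts\logon.bat
"""

# Computer accounts known to the domain (constructed); in practice pull these from AD.
KNOWN_COMPUTERS = ["DC01", "WS001", "WS002", "FS01"]

# \\<dc>\SYSVOL\<domain>\<relative path>
SYSVOL_RE = re.compile(
    r"^\\\\(?P<dc>[^\\]+)\\SYSVOL\\(?P<domain>[^\\]+)\\(?P<rel>.+)$", re.IGNORECASE
)

# Legitimate top-level folders under SYSVOL\<domain>: GPO data and logon/logoff scripts.
LEGIT_TOP_LEVEL = {"policies", "scripts"}


def parse_events(text):
    """Turn the pipe-separated sample into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, action, path = line.split("|", 4)
        events.append({"ts": ts, "user": user, "ip": ip, "action": action.lower(), "path": path})
    return events


def sysvol_relative(path):
    """Return the path relative to SYSVOL\\<domain>, or None if it is not a SYSVOL path."""
    m = SYSVOL_RE.match(path)
    return m.group("rel") if m else None


def find_sysvol_anomalies(events, computer_names, min_readers=3):
    """Apply the three heuristics from the investigation to the event list."""
    names = {n.lower() for n in computer_names}
    unexpected_creates = []          # files created outside Policies\ and scripts\
    host_named_logs = set()          # <computername>.log files, the infection tracker
    readers = defaultdict(set)       # path -> distinct source IPs that read it
    for e in events:
        rel = sysvol_relative(e["path"])
        if rel is None:
            continue
        top = rel.split("\\", 1)[0].lower()
        leaf = rel.rsplit("\\", 1)[-1]
        if e["action"] == "create" and top not in LEGIT_TOP_LEVEL:
            unexpected_creates.append((e["user"], e["path"]))
        stem, dot, ext = leaf.rpartition(".")
        if dot and ext.lower() == "log" and stem.lower() in names:
            host_named_logs.add(e["path"])
        if e["action"] == "read":
            readers[e["path"]].add(e["ip"])
    widely_read = {p: len(ips) for p, ips in readers.items() if len(ips) >= min_readers}
    return {
        "unexpected_creates": unexpected_creates,
        "host_named_logs": sorted(host_named_logs),
        "widely_read": widely_read,
    }


if __name__ == "__main__":
    report = find_sysvol_anomalies(parse_events(SAMPLE_EVENTS), KNOWN_COMPUTERS)
    for key, value in report.items():
        print(f"{key}:")
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```

On the sample, the legitimate GPT.INI edit and the logon script under scripts\ are not flagged, while the "hourly" task file, the two PowerShell stages and the three per-host log files are. The "widely read" rule is the one that scales: a file at the top of SYSVOL that every workstation fetches is either a GPO artefact in the wrong place or a distribution point.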

Decoding the malware

We tried several methods to decode the samples, without success.

We were almost ready to give up when we decided to try the "Magic" operation of GCHQ's CyberChef utility. Magic tries to work out how a file is encoded by attempting a range of candidate decodings and measuring the entropy of each result.

Translator's note: see the articles on entropy and on entropy in information theory. This article and its comments do not contain a discussion by the authors of the details of the methods used in third-party or proprietary software.

Magic determined that base64-encoded GZip compression had been used, so we were able to decompress the file and uncover the injection code.
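What Magic did here is mechanical enough to reproduce: try a decoder, check whether it succeeded, look at the entropy of the result, repeat. The script below is an added example written for this page (it is neither CyberChef code nor part of the Varonis analysis) and uses only the Python standard library. It wraps a constructed, harmless stand-in script in gzip and then base64, exactly the layering the page describes, and then peels the layers off again, printing the entropy at each step; the stand-in's contents are an assumption and are not the attacker's script.

```python
"""Peeling base64 + gzip layers with an entropy read-out at each step (stdlib only)."""
import base64
import binascii
import gzip
import math
import zlib
from collections import Counter

# Constructed, harmless stand-in for a decoded stage; it is NOT the real script.
INNER_SCRIPT = (
    b"# constructed stand-in for the decoded stage, not the real malware\r\n"
    b"$taskName = 'hourly'\r\n"
    b"$log = Join-Path $env:TEMP ($env:COMPUTERNAME + '.log')\r\n"
    b"Write-Output ('stage 2 would run here for ' + $env:COMPUTERNAME) | Out-File $log\r\n"
)


def build_sample() -> bytes:
    """Wrap the stand-in the way the page describes: gzip first, then base64."""
    return base64.b64encode(gzip.compress(INNER_SCRIPT, mtime=0))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 to 8.0; compressed or encrypted data sits near the top."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def try_base64(data: bytes):
    # Tolerate line wrapping, but reject anything outside the base64 alphabet.
    compact = b"".join(data.split())
    try:
        out = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    return out or None


def try_gzip(data: bytes):
    if data[:2] != b"\x1f\x8b":  # gzip magic bytes
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None


DECODERS = [("base64", try_base64), ("gzip", try_gzip)]


def peel(blob: bytes, max_depth: int = 8):
    """Apply the first decoder that succeeds, repeat, and record the entropy of every layer.

    Returns (innermost_bytes, [(layer_name, entropy), ...]); the first entry is the raw input.
    """
    layers = [("raw", shannon_entropy(blob))]
    current = blob
    for _ in range(max_depth):
        for name, decoder in DECODERS:
            out = decoder(current)
            if out is not None and out != current:
                current = out
                layers.append((name, shannon_entropy(current)))
                break
        else:
            break  # no decoder applied: this is the innermost layer
    return current, layers


if __name__ == "__main__":
    final, layers = peel(build_sample())
    for name, h in layers:
        print(f"{name:>7}: {h:.2f} bits/byte")
    print(final.decode("ascii", errors="replace"))
```

The entropy column is the tell: the base64 text is capped at 6 bits per byte by its 64-symbol alphabet, the gzip bytes underneath look close to random, and the entropy only drops to text-like values once the last layer is off. A step that raises entropy (base64 to gzip) is not a failure, it is a sign there is another layer to remove.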


The dropper: "There's an epidemic in the domain! General vaccination. Foot-and-mouth disease"

The dropper is an ordinary .NET executable with no protection at all. After reading its source code in dnSpy we understood that its only purpose was to inject shellcode into the winlogon.exe process.


Shellcode, or simple obfuscation

We used Hexacorn's shellcode2exe tool to "compile" the shellcode into an executable so that it could be debugged and analyzed. We then found that it runs on both 32- and 64-bit machines.


Writing even simple shellcode in native assembly can be hard, but writing complete shellcode that works on both architectures takes elite skills, so we started to wonder about the attacker's sophistication.

When we analyzed the compiled shellcode in x64dbg, we noticed that it was loading .NET Dynamic Link Libraries such as clr.dll and mscoreei.dll. That seemed odd to us: attackers usually try to keep their footprint as small as possible by calling native OS functions rather than loading extra libraries. Why would anyone embed Windows functionality in shellcode instead of calling it directly when needed?

As it turned out, the malware author had not written this complex shellcode at all: a tool built specifically for the job had been used to convert executables and scripts into shellcode.

We found the donut tool, which we thought could generate this kind of shellcode. Here is its description from GitHub:

Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET assemblies). This shellcode can be injected into an arbitrary Windows process for in-memory execution.

To confirm our theory, we compiled our own code with Donut and compared it with the sample, and yes, we had found another component of the toolkit that had been used. After that we were able to extract and analyze the original .NET executable.

Code protection

This file was obfuscated with ConfuserEx.

ConfuserEx is an open-source .NET project for protecting the code of other .NET applications. This kind of software lets developers protect their code from reverse engineering with techniques such as symbol renaming, control-flow obfuscation and method reference hiding. Malware authors use obfuscators to evade detection and to make reverse engineering harder.

Thanks to ElektroKill's Unpacker we deobfuscated the code.

The result: the payload

The resulting payload is a simple piece of ransomware. It has no persistence mechanism and no connection to a command-and-control server, just good old asymmetric encryption to make the victim's data unreadable.

The main function takes the following as parameters:

  • The file extension to apply after encryption (SaveTheQueen)
  • The author's e-mail address to place in the ransom note file
  • The public key used to encrypt the files

The process itself looks like this:

  1. The malware enumerates the local and connected drives on the victim's machine
  2. It searches those drives for files to encrypt
  3. It tries to terminate any process that is using the file it is about to encrypt
  4. It renames the file to "OriginalFileName.SaveTheQueenING" using the MoveFile function and encrypts it
  5. Once the file has been encrypted with the author's public key, the malware renames it again, this time to "OriginalFileName.SaveTheQueen"
  6. A file containing the ransom demand is written to the same folder

Judging by the use of the native CreateDecryptor function, one of the malware's functions appears to implement decryption, taking the private key as a parameter.

The ransomware does NOT encrypt files stored in the following directories:

C:\Windows
C:\Program Files
C:\Program Files (x86)
C:\Users\<user>\AppData
C:\inetpub

It also does NOT encrypt files of the following types: EXE, DLL, MSI, ISO, SYS, CAB.
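The directory and extension exclusions, together with the two-stage rename, decide both what the malware touches and what a responder finds afterwards: a file still carrying ".SaveTheQueenING" was renamed but never reached the second rename, so the run was interrupted on that file. The following Python is an added example, not the malware's own code and not from the Varonis report; it implements the selection rules listed above as a triage helper you can run over a file listing. It reads the page's "C:\Users\AppData" entry as the AppData folder under each user profile (an assumption), uses ntpath so it behaves like Windows on any host, and the sample paths are constructed.

```python
"""Which files SaveTheQueen would touch, and what a file's extension tells you in triage."""
import ntpath
from collections import defaultdict

# Exclusions as listed on the page. "C:\Users\AppData" is read here as the AppData
# folder under each user profile (an assumption); see is_excluded_path().
EXCLUDED_DIRS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)", r"C:\inetpub"]
EXCLUDED_EXTS = {".exe", ".dll", ".msi", ".iso", ".sys", ".cab"}

EXT_IN_PROGRESS = ".SaveTheQueenING"  # set by the first rename, before encryption
EXT_ENCRYPTED = ".SaveTheQueen"       # set by the second rename, after encryption


def _norm(path: str) -> str:
    # ntpath gives Windows semantics (backslashes, case-insensitive) on any host.
    return ntpath.normcase(ntpath.normpath(path))


def is_excluded_path(path: str) -> bool:
    """True if the path lies inside one of the directory trees the malware skips."""
    n = _norm(path)
    for d in EXCLUDED_DIRS:
        dn = _norm(d)
        if n == dn or n.startswith(dn + "\\"):
            return True
    parts = n.split("\\")
    # c:\users\<profile>\appdata\...
    return len(parts) > 3 and parts[0] == "c:" and parts[1] == "users" and parts[3] == "appdata"


def would_encrypt(path: str) -> bool:
    """True if a file at this path is a target: outside the excluded trees, not an
    excluded type, and not already carrying one of the malware's own extensions."""
    if is_excluded_path(path):
        return False
    ext = ntpath.splitext(path)[1].lower()
    return ext not in EXCLUDED_EXTS | {EXT_IN_PROGRESS.lower(), EXT_ENCRYPTED.lower()}


def classify(path: str) -> str:
    low = path.lower()
    if low.endswith(EXT_IN_PROGRESS.lower()):
        return "in_progress"  # renamed, but encryption or the second rename never finished
    if low.endswith(EXT_ENCRYPTED.lower()):
        return "encrypted"
    return "target" if would_encrypt(path) else "skipped"


def triage(paths):
    """Group a list of paths (e.g. from a file-system listing) by SaveTheQueen state."""
    groups = defaultdict(list)
    for p in paths:
        groups[classify(p)].append(p)
    return dict(groups)


# Constructed listing mixing local, profile, system and network-share paths.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",         # target
    r"C:\Users\alice\AppData\Roaming\app\cache.db",  # skipped: AppData
    r"C:\Windows\System32\drivers\etc\hosts",        # skipped: Windows tree
    r"C:\Program Files (x86)\Vendor\tool.exe",       # skipped: tree and .exe
    r"D:\Shares\finance\q4.pdf",                     # target on a mapped drive
    r"D:\Shares\finance\setup.msi",                  # skipped: .msi
    r"D:\Shares\hr\contract.docx.SaveTheQueenING",   # interrupted mid-run
    r"D:\Shares\hr\payroll.csv.SaveTheQueen",        # fully encrypted
]

if __name__ == "__main__":
    for state, paths in triage(SAMPLE_PATHS).items():
        print(f"{state}:")
        for p in paths:
            print("   ", p)
```

Two practical points follow from the rules. System and program directories are skipped because the machine must keep booting and the victim must be able to read the note, so the operating system is not evidence of what was hit; look at user data and shares. And an "in_progress" file is worth preserving as-is, since its contents are whatever the rename left behind when the process died (the MoveFile rename happens before the encryption step).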

Results and conclusions

Although the ransomware itself contains nothing unusual, the attacker made creative use of Active Directory to distribute the dropper, and the malware itself presented us with interesting, if ultimately not difficult, obstacles during the analysis.

We believe the malware author:

  1. Wrote the ransomware with built-in injection into the winlogon.exe process, together with
    file encryption and decryption functionality
  2. Obfuscated the malicious code with ConfuserEx, converted the result with Donut and, on top of that, base64-encoded the Gzip-compressed dropper
  3. Obtained elevated privileges in the victim's domain and used them to copy
    the encoded malware and the scheduled tasks to the SYSVOL network share of the domain controllers
  4. Ran PowerShell scripts on domain machines to spread the malware and to record the attack's progress in log files in SYSVOL


If you have questions about this ransomware variant, or about any of the forensic and incident investigations our teams carry out, contact us or request a live demonstration of our attack response, where we always answer questions in a Q&A session.

source: www.habr.com
