Uncovering ProLock: analysis of the actions of the new ransomware's operators using the MITRE ATT&CK matrix

The success of ransomware attacks on organizations around the world is prompting more and more new attackers to enter the game. One of these new players is a group using the ProLock ransomware. It appeared in March 2020 as the successor to the PwndLocker program, which began operating at the end of 2019. ProLock ransomware attacks primarily target financial and healthcare organizations, government agencies and the retail sector. Recently, ProLock operators successfully attacked one of the largest ATM manufacturers, Diebold Nixdorf.

In this post, Oleg Skulkin, lead specialist at the Group-IB Computer Forensics Laboratory, covers the main tactics, techniques and procedures (TTPs) used by ProLock operators. The article concludes with a mapping to the MITRE ATT&CK matrix, a public knowledge base that collects the targeted-attack tactics used by various cybercriminal groups.

Gaining initial access

ProLock operators use two main vectors of initial compromise: the QakBot (Qbot) Trojan and unprotected RDP servers with weak passwords.

Compromise through an externally accessible RDP server is extremely popular among ransomware operators. Typically, attackers buy access to an already compromised server from third parties, but it can also be obtained by members of the group on their own.

Another interesting vector of initial compromise is the QakBot malware. Previously, this Trojan was associated with another ransomware family, MegaCortex. Now, however, it is also used by ProLock operators.

Typically, QakBot is distributed through phishing campaigns. A phishing email may contain an attached Microsoft Office document or a link to a file hosted on a cloud storage service such as Microsoft OneDrive.

There are also known cases of QakBot being loaded by another Trojan, Emotet, which is widely known for its involvement in campaigns that distributed the Ryuk ransomware.

Execution

After downloading and opening an infected document, the user is prompted to allow macros to run. If this succeeds, PowerShell is launched, which downloads and runs the QakBot payload from the command and control server.

It is important to note that the same applies to ProLock: the payload is extracted from a BMP or JPG file and loaded into memory using PowerShell. In some cases, a scheduled task is used to start PowerShell.

Batch script that runs ProLock through the task scheduler:

schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
schtasks.exe /RUN /tn WinMgr
del C:\Programdata\WinMgr.xml
del C:\Programdata\run.bat

Persistence in the system

If the RDP server was compromised and access was obtained, valid accounts are then used to gain access to the network. QakBot is characterized by a variety of persistence mechanisms. Most often, this Trojan uses the Run registry key and creates tasks in the scheduler:

[Figure: QakBot persistence in the system using the Run registry key]

In some cases, startup folders are also used: a shortcut pointing to the loader is placed there.

Defense evasion

While communicating with the command and control server, QakBot periodically tries to update itself, so to avoid detection the malware can replace its current version with a new one. The executable files are signed with a compromised or forged signature. The initial payload loaded by PowerShell is stored on the C&C server with a PNG extension. In addition, after execution it is replaced with the legitimate file calc.exe.

Also, to hide malicious activity, QakBot uses the technique of injecting code into processes, using explorer.exe.

As already mentioned, the ProLock payload is hidden inside a BMP or JPG file. This can also be considered a defense evasion technique.

Credential access

QakBot has keylogger functionality. In addition, it can download and run additional scripts, for example Invoke-Mimikatz, a PowerShell version of the well-known Mimikatz utility. Such scripts can be used by attackers to dump credentials.

Network discovery

After gaining access to privileged accounts, ProLock operators perform reconnaissance of the network infrastructure, which may include port scanning and analysis of the Active Directory environment. In addition to various scripts, the attackers use AdFind, another tool popular among ransomware groups, to collect information about Active Directory.

Lateral movement

Traditionally, one of the most popular methods of moving through a network is the Remote Desktop Protocol. ProLock is no exception. The attackers have scripts in their arsenal to gain remote access to target hosts via RDP.

BAT script for gaining access via the RDP protocol:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f

To execute scripts remotely, ProLock operators use another popular tool, the PsExec utility from the Sysinternals Suite.

ProLock is launched on hosts using WMIC, the command-line interface to the Windows Management Instrumentation subsystem. This tool is also becoming increasingly popular among ransomware operators.

Data collection

Like many other ransomware operators, the group using ProLock collects data from the compromised network to increase its chances of receiving a ransom. Before exfiltration, the collected data is archived using the 7Zip utility.

Exfiltration

To upload the data, ProLock operators use Rclone, a command-line tool designed to synchronize files with various cloud storage services such as OneDrive, Google Drive, Mega, etc.

Unlike many of their peers, ProLock operators do not yet have their own website for publishing data stolen from companies that refused to pay the ransom.

Achieving the final goal

Once the data has been exfiltrated, the group deploys ProLock across the corporate network. The binary is extracted from a file with a PNG or JPG extension using PowerShell and injected into memory.

First of all, ProLock terminates the processes specified in a built-in list (interestingly, it uses only the first six letters of the process name, such as "winwor") and stops services, including security-related ones such as CSFalconService (CrowdStrike Falcon), using the net stop command.

Then, as with many other ransomware families, the attackers use vssadmin to delete Windows shadow copies and limit their storage size so that new copies are not created:

vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
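As an added example (not from the article or from Group-IB), the Python sketch below shows how the command lines quoted in this article for the scheduled task, for enabling RDP and for deleting shadow copies can be matched in process-creation telemetry and tagged with the technique IDs from the article's own ATT&CK mapping. The rule patterns, the `scan` and `techniques_seen` helpers and the sample log lines are constructed for illustration.

```python
import re

# One rule per behaviour the article describes, tagged with the ATT&CK technique
# ID from the article's mapping table: (technique, description, pattern).
RULES = [
    ("T1053", "scheduled task created from XML dropped in ProgramData",
     re.compile(r"schtasks(\.exe)?\s+/create\s+/xml\s+\S*programdata", re.I)),
    ("T1076", "RDP enabled by setting fDenyTSConnections to 0",
     re.compile(r"reg\s+add\s+.*terminal server.*fDenyTSConnections.*/d\s+0\b", re.I)),
    ("T1076", "RDP Network Level Authentication disabled (UserAuthentication=0)",
     re.compile(r"reg\s+add\s+.*rdp-tcp.*UserAuthentication.*/d\s+0\b", re.I)),
    ("T1076", "Remote Desktop firewall rule group enabled",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group=\"?remote desktop\"?.*enable=yes", re.I)),
    ("T1490", "shadow copies deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "shadow storage resized",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("T1089", "security service stopped with net stop",
     re.compile(r"\bnet(\.exe)?\s+stop\s+\"?CSFalconService", re.I)),
]

def scan(command_lines):
    """Return (technique_id, description, command_line) for every rule that fires."""
    hits = []
    for line in command_lines:
        for technique, description, pattern in RULES:
            if pattern.search(line):
                hits.append((technique, description, line))
    return hits

def techniques_seen(command_lines):
    """Distinct ATT&CK technique IDs observed, for a quick incident summary."""
    return sorted({technique for technique, _, _ in scan(command_lines)})

# Constructed process-creation command lines (not real telemetry): the first
# eight follow the commands the article describes, the last one is benign.
SAMPLE = [
    'schtasks.exe /CREATE /XML C:\\Programdata\\WinMgr.xml /tn WinMgr',
    'schtasks.exe /RUN /tn WinMgr',
    'reg add "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f',
    'netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes',
    'reg add "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f',
    'vssadmin.exe delete shadows /all /quiet',
    'vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB',
    'net stop CSFalconService',
    'notepad.exe C:\\Users\\alice\\notes.txt',
]

if __name__ == "__main__":
    for technique, description, line in scan(SAMPLE):
        print(f"[{technique}] {description}: {line}")
```

The schtasks /RUN line deliberately produces no hit on its own: running an existing task is routine, while creating one from an XML file in ProgramData is the behaviour worth alerting on.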

ProLock adds the extension .proLock, .pr0Lock or .proL0ck to each encrypted file and places the file [HOW TO RECOVER FILES].TXT in each folder. This file contains instructions on decrypting the files, including a link to a site where the victim must enter a unique ID and receive payment information.

Each ProLock sample contains information about the ransom amount; in this case it is 35 bitcoins, that is, approximately $312 thousand.

Conclusion

Many ransomware operators use similar methods to achieve their goals. At the same time, some techniques are unique to each group. The number of cybercriminal groups using ransomware in their campaigns is currently growing. In some cases, the same operators may be involved in attacks using different ransomware families, so we will increasingly see overlap in the tactics, techniques and procedures used.

Mapping to the MITRE ATT&CK matrix

Tactic / Techniques

Initial Access (TA0001): External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)

Execution (TA0002): PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)

Persistence (TA0003): Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)

Defense Evasion (TA0005): Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disabling Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)

Credential Access (TA0006): Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)

Discovery (TA0007): Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)

Lateral Movement (TA0008): Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)

Collection (TA0009): Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)

Command and Control (TA0011): Commonly Used Port (T1043), Web Service (T1102)

Exfiltration (TA0010): Data Compressed (T1002), Transfer Data to Cloud Account (T1537)

Impact (TA0040): Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)

Source: www.habr.com