Unveiling ProLock: analysing the actions of a new ransomware's operators with the MITRE ATT&CK matrix

The success of ransomware attacks on organisations around the world is drawing more and more new attackers into the game. One of these new players is a group using the ProLock ransomware. It appeared in March 2020 as the successor to PwndLocker, which began operating at the end of 2019. ProLock attacks mainly target financial and healthcare organisations, government agencies and retailers. Recently, ProLock operators successfully attacked one of the largest ATM manufacturers, Diebold Nixdorf.

In this post Oleg Skulkin, lead specialist at Group-IB's Computer Forensics Laboratory, walks through the main tactics, techniques and procedures (TTPs) used by ProLock operators. The article closes with a mapping to the MITRE ATT&CK matrix, the public knowledge base of attack tactics and techniques used by various cybercriminal groups.

Gaining initial access

ProLock operators use two main vectors of initial compromise: the QakBot (Qbot) Trojan and unprotected RDP servers with weak passwords.

Compromise via an externally accessible RDP server is extremely popular among ransomware operators. Typically the attackers buy access to an already compromised server from third parties, but group members can also obtain it themselves.

A more interesting initial compromise vector is the QakBot malware. Previously this Trojan was associated with another ransomware family, MegaCortex. Now, however, it is used by ProLock operators.

QakBot is usually distributed through phishing campaigns. The phishing email may carry an attached Microsoft Office document or a link to a file hosted in a cloud storage service such as Microsoft OneDrive.

There are also known cases of QakBot being delivered by another Trojan, Emotet, which is widely known for its role in campaigns that distributed the Ryuk ransomware.

Execution

After the infected document is downloaded and opened, the user is prompted to enable macros. If that succeeds, PowerShell is launched, which downloads and runs the QakBot payload from the command and control server.

It is important to note that the same applies to ProLock: the payload is extracted from a BMP or JPG file and loaded into memory with PowerShell. In some cases a scheduled task is used to launch PowerShell.

Batch script that launches ProLock through the Task Scheduler:

schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
schtasks.exe /RUN /tn WinMgr
del C:\Programdata\WinMgr.xml
del C:\Programdata\run.bat

Persistence

If the attackers manage to compromise an RDP server and gain access, valid accounts are then used to move into the network. QakBot is characterised by a variety of persistence mechanisms. Most often this Trojan uses the Run registry key and creates tasks in the Task Scheduler:

[Figure: QakBot persisting on the system via the Run registry key]

In some cases the startup folder is also used: a shortcut pointing to the loader is placed there.

Defense evasion

While communicating with the command and control server, QakBot periodically attempts to update itself, so to avoid detection the malware can replace its current version with a new one. Executable files are signed with a compromised or forged signature. The initial payload loaded by PowerShell is stored on the C&C server with a PNG extension. Moreover, after execution it is replaced with the legitimate file calc.exe.

Also, to hide malicious activity, QakBot uses process injection, with explorer.exe as the host process.

As mentioned, the ProLock payload is hidden inside a BMP or JPG file. This too can be considered a defense evasion technique.

Credential access

QakBot has keylogger functionality. In addition, it can download and run additional scripts, for example Invoke-Mimikatz, the PowerShell version of the well-known Mimikatz utility. Attackers can use such scripts to dump credentials.

Discovery

After gaining access to privileged accounts, ProLock operators carry out network reconnaissance, which may include port scanning and analysis of the Active Directory environment. Besides various scripts, the attackers use AdFind, another tool popular with ransomware groups, to collect information about Active Directory.

Lateral movement

Traditionally, one of the most popular lateral movement methods is Remote Desktop Protocol, and ProLock is no exception. The attackers even have scripts in their arsenal for obtaining remote RDP access to target hosts.

BAT script for enabling RDP access:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f

To run scripts remotely, ProLock operators use another popular tool, the PsExec utility from the Sysinternals Suite.

ProLock itself is launched on hosts with WMIC, the command-line interface to the Windows Management Instrumentation subsystem. This tool is also becoming a favourite of ransomware operators.

Collection

Like many other ransomware operators, the group using ProLock collects data from the compromised network to increase its chances of receiving the ransom. Before exfiltration, the collected data is archived with the 7-Zip utility.

Exfiltration

To upload the data, ProLock operators use Rclone, a command-line tool designed to synchronise files with various cloud storage services such as OneDrive, Google Drive and Mega. The attackers always rename the executable so that it looks like a legitimate system file.

Unlike their peers, ProLock operators still do not have their own leak site for publishing data stolen from companies that refuse to pay the ransom.

Achieving the final goal

Once the data has been exfiltrated, the group deploys ProLock across the enterprise network. The binary is extracted from a file with a PNG or JPG extension using PowerShell and injected into memory:

[Figure: PowerShell extracting the ProLock binary from an image file and loading it into memory]

First of all, ProLock terminates the processes in its built-in list (interestingly, it matches only the first six characters of a process name, for example "winwor"), and stops services, including security-related ones such as CSFalconService (CrowdStrike Falcon), using the net stop command.

Then, like many other ransomware families, the attackers use vssadmin to delete Windows shadow copies and limit their storage size so that new ones cannot be created:

vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
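As an added example (not part of the original article), here is how a defender might turn the three scripts quoted in this post, the Task Scheduler batch file, the RDP-enabling BAT script and the vssadmin commands, into simple command-line detection rules mapped to the technique IDs from the ATT&CK table at the end. The sample command lines, the rule names and the CSFalconService check are assumptions modelled on the article's own commands; the rules keep to the malicious values (`/d 0`) so that routine RDP hardening does not fire.

```python
import re

# Constructed process-creation command lines (hypothetical telemetry, not real data): the
# commands quoted in the article plus a few benign admin commands that must not fire.
SAMPLE_CMDLINES = [
    'schtasks.exe /CREATE /XML C:\\Programdata\\WinMgr.xml /tn WinMgr',
    'schtasks.exe /RUN /tn WinMgr',
    'reg add "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server" '
    '/v "fDenyTSConnections" /t REG_DWORD /d 0 /f',
    'reg add "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" '
    '/v "UserAuthentication" /t REG_DWORD /d 0 /f',
    'vssadmin.exe delete shadows /all /quiet',
    'vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB',
    'net stop CSFalconService',
    'vssadmin.exe list shadows',  # benign: an admin listing snapshots
    'schtasks.exe /Query /tn "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"',  # benign
]

# (rule name, ATT&CK technique ID from the article's mapping, regex over the command line).
# The reg rules key on "/d 0": hardening RDP (setting the same values to 1) must not fire.
RULES = [
    ("Scheduled task imported from XML under ProgramData", "T1053",
     re.compile(r"schtasks(\.exe)?\s+/create\s+/xml\s+\S*programdata\\", re.I)),
    ("RDP enabled by setting fDenyTSConnections to 0", "T1076",
     re.compile(r"reg(\.exe)?\s+add\s+.*terminal server.*fdenytsconnections.*/d\s+0\b", re.I)),
    ("RDP Network Level Authentication disabled (UserAuthentication=0)", "T1076",
     re.compile(r"reg(\.exe)?\s+add\s+.*rdp-tcp.*userauthentication.*/d\s+0\b", re.I)),
    ("Volume shadow copies deleted", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("Shadow storage resized (starves future snapshots)", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("Security service stopped with net stop", "T1089",
     re.compile(r"net1?(\.exe)?\s+stop\s+csfalconservice", re.I)),
]

def match_cmdline(cmd):
    """Return [(rule name, technique ID)] for every rule the command line matches."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(cmd)]

def triage(cmdlines):
    """Run every rule over every command line; one hit record per (line, rule) match."""
    return [{"cmd": c, "rule": n, "technique": t}
            for c in cmdlines for n, t in match_cmdline(c)]

def technique_counts(hits):
    # Aggregate hits by ATT&CK technique ID, e.g. {'T1490': 2, ...}
    counts = {}
    for h in hits:
        counts[h["technique"]] = counts.get(h["technique"], 0) + 1
    return counts
```

Against the constructed sample, six of the nine command lines fire, spread over T1053, T1076, T1490 and T1089; the listing and query commands stay silent.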

ProLock adds the extension .proLock, .pr0Lock or .proL0ck to every encrypted file and drops a file named [HOW TO RECOVER FILES].TXT in every folder. This file contains instructions on how to decrypt the data, including a link to a site where the victim must enter a unique ID to receive payment details:

[Figure: the ProLock ransom note, [HOW TO RECOVER FILES].TXT]

Each ProLock sample contains information about the ransom amount; in this case it was 35 bitcoins, roughly $312,000.

Conclusion

Many ransomware operators use similar methods to achieve their goals. At the same time, some techniques are unique to each group. The number of cybercriminal groups using ransomware in their campaigns keeps growing. In some cases the same operators may take part in attacks using different ransomware families, so we will increasingly see overlaps in the tactics, techniques and procedures used.

Mapping to MITRE ATT&CK

Tactic
Techniques

Initial Access (TA0001)
External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)

Execution (TA0002)
PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)

Persistence (TA0003)
Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)

Defense Evasion (TA0005)
Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disabling Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)

Credential Access (TA0006)
Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)

Discovery (TA0007)
Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)

Lateral Movement (TA0008)
Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)

Collection (TA0009)
Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)

Command and Control (TA0011)
Commonly Used Port (T1043), Web Service (T1102)

Exfiltration (TA0010)
Data Compressed (T1002), Transfer Data to Cloud Account (T1537)

Impact (TA0040)
Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)

Source: www.hab.com