Meet Nemty ransomware from a fake PayPal site

A new ransomware called Nemty has appeared on the network, supposedly the successor to GandCrab or Buran. The malware is mainly distributed from a fake PayPal website and has a number of interesting features. Details of how this ransomware works are under the cut.


The new Nemty ransomware was discovered by the user nao_sec on September 7, 2019. The malware was distributed through a website disguised as PayPal; it is also possible for the ransomware to get onto a computer via the RIG exploit kit. The attackers used social engineering techniques to make the user run the file cashback.exe, supposedly received from the PayPal website. the data to the server. Therefore, the user will have to upload the encrypted files to the Tor network himself if he intends to pay the ransom and wait for decryption from the attackers.

Several interesting facts about Nemty suggest that it was developed by the same people, or by cybercriminals associated with Buran and GandCrab.

  • Like GandCrab, Nemty has an Easter egg: a link to a picture of Russian President Vladimir Putin with an indecent joke. The legacy GandCrab ransomware had an image with the same text.
  • The language artifacts of both programs point to the same Russian-speaking authors.
  • This is the first ransomware to use an 8092-bit RSA key. There is no practical point in this: a 1024-bit key is enough to protect against cracking.
  • Like Buran, the ransomware is written in Object Pascal and compiled in Borland Delphi.

Static analysis

Execution of the malicious code happens in four stages. The first step is running cashback.exe, a PE32 executable for MS Windows with a size of 1198936 bytes. Its code is written in Visual C++ and was compiled on October 14, 2013. It contains an archive that is automatically unpacked when cashback.exe is run. The program uses the Cabinet.dll library and its functions FDICreate(), FDIDestroy() and others to extract the files from the .cab archive.

SHA-256: A127323192ABED93AED53648D03CA84DE3B5B006B641033EB46A520B7A3C16FC

After unpacking the archive, three files appear.

Next, temp.exe is launched, a PE32 executable for MS Windows with a size of 307200 bytes. The code is written in Visual C++ and packed with the MPRESS packer, a packer similar to UPX.

SHA-256: EBDBA4B1D1DE65A1C6B14012B674E7FA7F8C5F5A8A5A2A9C3C338F02DD726AAD

The next step is ironman.exe. At startup, temp.exe decrypts the data embedded in temp and renames it to ironman.exe, a PE32 executable with a size of 544768 bytes. The code is compiled in Borland Delphi.

SHA-256: 2C41B93ADD9AC5080A12BF93966470F8AB3BDE003001492A10F63758867F2A88

The final step is restarting the file ironman.exe. At runtime it modifies its own code and runs itself from memory. This version of ironman.exe is the malicious one and is responsible for the encryption.

Attack vector

Currently, Nemty ransomware is distributed from the website pp-back.info.


The full infection chain can be viewed in the app.any.run sandbox.

Installation

Cashback.exe is the beginning of the attack. As already mentioned, cashback.exe unpacks the .cab file it contains. It then creates a folder TMP4351$.TMP of the form %TEMP%\IXxxx.TMP, where xxx is a number from 001 to 999.

Next, a registry key is set that looks like this:

[HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0]
"rundll32.exe" "C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\MALWAR~1\AppData\Local\Temp\IXPxxx.TMP""

It is used to delete the unpacked files. Finally, cashback.exe starts the temp.exe process.

Temp.exe is the second stage in the infection chain

This is the process created by the file cashback.exe, the second stage of the infection. It tries to download AutoHotKey, a tool for running scripts on Windows, and runs the WindowSpy.ahk script located in the resource section of the PE file.

The WindowSpy.ahk script decrypts the temp file into ironman.exe using the RC4 algorithm and the password IwantAcake. The key is derived from the password with the MD5 hashing algorithm.

temp.exe then starts the ironman.exe process.

Ironman.exe - stage three

Ironman.exe reads the contents of the file iron.bmp and creates the file iron.txt containing the cryptolocker that will be launched next.

After that, the virus loads iron.txt into memory and restarts it as ironman.exe. iron.txt is then deleted.

ironman.exe is the main part of the NEMTY ransomware, which encrypts the files on the affected computer. The malware creates a mutex named hate.

The first thing it does is determine the location of the computer. Nemty opens the browser and obtains the IP from http://api.ipify.org. At api.db-ip.com/v2/free[IP]/countryName the country is determined from the obtained IP, and if the computer is located in one of the regions listed below, execution of the malware code stops:

  • Russia
  • Belarus
  • Ukraine
  • Kazakhstan
  • China

Most likely, the developers do not want to attract the attention of law enforcement agencies in their country of residence, and therefore do not encrypt files in their "home" jurisdictions.

If the victim's IP address is not in the list above, the virus encrypts the user's files.


To prevent file recovery, the shadow copies are deleted:

It then builds a list of files and folders that will not be encrypted, as well as a list of excluded file extensions.

  • windows
  • $RECYCLE.BIN
  • rsa
  • NTDETECT.COM
  • ntldr
  • MSDOS.SYS
  • IO.SYS
  • boot.ini
  • AUTOEXEC.BAT
  • ntuser.dat
  • desktop.ini
  • CONFIG.SYS
  • BOOTSECT.BAK
  • bootmgr
  • programdata
  • appdata
  • osoft
  • Common Files

Excluded extensions: log LOG CAB cab CMD cmd COM com cpl CPL exe EXE ini INI dll DDL lnk LNK url URL ttf TTF DECRYPT.txt NEMTY

Obfuscation

To hide URLs and embedded configuration data, Nemty uses base64 together with the RC4 algorithm keyed with the word fuckav.

The decryption routine, which uses CryptStringToBinary for the base64 step, is as follows:
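As an added example (not code from the original post or from the malware itself), a stdlib-only Python decoder for the two RC4 uses described above: the base64 + RC4 string obfuscation keyed with the word fuckav, and the stage-two payload decryption keyed with MD5(IwantAcake) as performed by WindowSpy.ahk. The sample blob is constructed inside the script, not extracted from a real sample.

```python
import base64
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_obfuscated_string(blob_b64: str, keyword: bytes = b"fuckav") -> bytes:
    """Nemty string/config obfuscation as the post describes it:
    base64 decode (CryptStringToBinary in the sample), then RC4 with the keyword as key."""
    return rc4(keyword, base64.b64decode(blob_b64))


def decrypt_stage_payload(payload: bytes, password: str = "IwantAcake") -> bytes:
    """Stage-two unpacking as the post describes it: RC4 keyed with MD5(password)."""
    key = hashlib.md5(password.encode()).digest()
    return rc4(key, payload)


def _obfuscate_for_demo(plain: bytes, keyword: bytes = b"fuckav") -> str:
    # Inverse of decode_obfuscated_string, used only to build a constructed sample.
    return base64.b64encode(rc4(keyword, plain)).decode()


# Constructed sample blob: a URL from the post, obfuscated with the same scheme.
SAMPLE_B64 = _obfuscate_for_demo(b"http://api.ipify.org")

if __name__ == "__main__":
    print(decode_obfuscated_string(SAMPLE_B64))
```

Analysts can run decode_obfuscated_string over base64 blobs pulled from the .data section to recover the embedded URLs and the RSA-8192 master key without executing the sample.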


Encryption

Nemty uses three layers of encryption:

  • AES-128-CBC for the files. The 128-bit AES key is randomly generated and the same key is used for all files. It is stored in the configuration file on the user's computer. The IV is randomly generated for each file and stored in the encrypted file.
  • RSA-2048 for encrypting the file IVs. A session key pair is generated. The session private key is stored in the configuration file on the user's computer.
  • RSA-8192. The master public key is built into the program and is used to encrypt the configuration file, which holds the AES key and the private key of the RSA-2048 session.
  • Nemty first generates 32 bytes of random data. The first 16 bytes are used as the AES-128-CBC key.

The second encryption algorithm is RSA-2048. The key pair is generated by the CryptGenKey() function and imported by the CryptImportKey() function.

Once the session key pair is generated, the public key is imported into the MS Cryptographic Service Provider.

An example of the generated session public key:

Next, the private key is imported into the CSP.

An example of the generated session private key:

And finally RSA-8192. The master public key is stored in encrypted form (Base64 + RC4) in the .data section of the PE file.

After base64 decoding and RC4 decryption with the password fuckav, the RSA-8192 key looks like this.

Thus, the whole encryption process looks like this:

  • Generate the 128-bit AES key that will be used to encrypt all files.
  • Generate an IV for each file.
  • Generate the RSA-2048 session key pair.
  • Decrypt the embedded RSA-8192 key using base64 and RC4.
  • Encrypt the file contents with AES-128-CBC using the key from the first step.
  • Encrypt the IV with the RSA-2048 public key and base64-encode it.
  • Append the encrypted IV to the end of each encrypted file.
  • Add the AES key and the RSA-2048 session private key to the configuration.
  • The configuration file, described in the section "Collecting information about the infected computer", is encrypted with the RSA-8192 master public key.
  • The encrypted file looks like this:

Example of an encrypted file:

Collecting information about the infected computer

The ransomware collects the keys needed to decrypt the infected files, so the attacker can actually produce a working decryptor. In addition, Nemty collects user data such as the username, computer name and hardware profile.

It calls the GetLogicalDrives(), GetFreeSpace() and GetDriveType() functions to collect information about the drives of the infected computer.

The collected information is stored in the configuration file. After decoding the string, we get the list of parameters in the configuration file:

Example configuration of an infected computer:

The configuration template can be represented as follows:

{"General": {"IP":"[IP]", "Country":"[Country]", "ComputerName":"[ComputerName]", "Username":"[Username]", "OS":"[OS]", "isRU":false, "version":"1.4", "CompID":"{[CompID]}", "FileID":"_NEMTY_[FileID]_", "UserID":"[UserID]", "key":"[key]", "pr_key":"[pr_key]"

Nemty stores the collected data in JSON format in the file %USER%/_NEMTY_.nemty. The FileID is 7 characters long and randomly generated, for example: _NEMTY_tgdLYrd_.nemty. The FileID is also appended to the end of encrypted files.

Ransom note

After encrypting the files, the file _NEMTY_[FileID]-DECRYPT.txt appears on the desktop with the following contents:

At the end of the file is the encrypted information about the infected computer.


Network communication

The ironman.exe process downloads the Tor browser distribution from https://dist.torproject.org/torbrowser/8.5.4/tor-win32-0.4.0.5.zip and tries to install it.

Nemty then tries to send the configuration data to 127.0.0.1:9050, where it expects to find the Tor browser's working proxy. However, by default the Tor browser proxy listens on port 9150, while port 9050 is used by the Tor daemon on Linux or by the Expert Bundle on Windows. As a result, no data is sent to the attacker's server. Instead, the user can upload the configuration file manually by visiting the Tor decryption service at the link given in the ransom note.

Connecting to the Tor proxy:


The HTTP GET request generated to 127.0.0.1:9050/public/gate?data=

Here you can see the open TCP ports used by the local Tor proxy:

The Nemty decryption service on the Tor network:

You can upload encrypted images (jpg, png, bmp) to test the decryption service.

After that, the attacker asks for the ransom to be paid. In case of non-payment, the price doubles.


Conclusion

At the moment, files encrypted by Nemty cannot be decrypted without paying the ransom. This version of the ransomware shares features with the Buran ransomware and the older GandCrab: it is compiled in Borland Delphi and carries images with the same text. In addition, this is the first encryptor to use an 8092-bit RSA key, which, again, makes no sense, since a 1024-bit key is enough for protection. Finally, and interestingly, it tries to use the wrong port for the local Tor proxy service.

However, the Acronis Backup and Acronis True Image solutions prevent Nemty ransomware from reaching user PCs and data, and service providers can protect their customers with Acronis Backup Cloud. Full Cyber Protection provides not only backup but also protection with Acronis Active Protection, a special technology based on artificial intelligence and behavioral heuristics that allows even still-unknown malware to be neutralized.

Tau qhov twg los: www.hab.com
